Analysis Overview
SHA256
3d966ba83a832ae1c76ff14716925e6895777001064d42404fb86494571309ce
Threat Level: Likely malicious
The file 90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Sets DLL path for service in the registry
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:59
Reported
2024-06-03 06:02
Platform
win7-20240221-en
Max time kernel
130s
Max time network
141s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\DRIVERS\SET28A6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET28A6.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\teamviewervpn.sys | C:\Windows\system32\DrvInst.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\usbhubsvc3\Parameters\ServiceDLL = "C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll" | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Manager.lnk | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkypeC0SvcService.exe = "\"C:\\Windows\\SysWOW64\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll\" C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\SkypeC0SvcService.exe" | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\teamviewervpn.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279E.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279E.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\teamviewervpn.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279D.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279D.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_neutral_5e1dcb6f86e23dcd\teamviewervpn.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_neutral_5e1dcb6f86e23dcd\teamviewervpn.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\INFCACHE.0 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\teamviewervpn.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstor.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279F.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{6b033eee-8b83-519c-2d69-b549838b9c51}\SET279F.tmp | C:\Windows\system32\DrvInst.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\INF\oem2.PNF | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev2 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tcpipcfg.dll,-50001 = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks." | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services." | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sstpsvc.dll,-203 = "Allows you to securely connect to a private network using the Internet." | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-4 = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth." | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50002 = "Allows your computer to access resources on a Microsoft network." | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet." | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516." | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network." | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob value omitted) | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp" /SL5="$400F4,3400720,135680,C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe" /verysilent /password=none
C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe install C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf teamviewervpn
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k MsHubSvc -svcr C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{11564226-9660-62d6-6a23-3f1e3d76f239}\teamviewervpn.inf" "9" "6b0706d3f" "0000000000000524" "WinSta0\Default" "0000000000000384" "208" "c:\users\admin\appdata\roaming\abodeupdate"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "teamviewervpn.inf:teamviewervpn.NTamd64:teamviewervpn.ndi:2.10.0.0:teamviewervpn" "6b0706d3f" "0000000000000524" "00000000000005B8" "00000000000005BC"
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe restart teamviewervpn
C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
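What the signatures and process tree above add up to: an Inno Setup package (the `is-*.tmp` unpacker and the `/SL5=` switch) runs with `/verysilent`, unpacks a TeamViewer client set (TeamViewer_Desktop.exe, tv_x64.dll, TeamViewer.ini, the teamviewervpn driver, sessions to master3.teamviewer.com:5938) into a directory spelled `AbodeUpdate`, drops a file named `msimg32.dll` (a library that normally lives only in System32) beside the renamed main executable, and then persists three ways: a Run key that goes through `regsvr32 /s` to that DLL, a `usbhubsvc3` service whose ServiceDLL is the same file, and a Startup-folder .lnk. Note that the AuthRoot write under "Modifies system certificate store", together with the Cab*.tmp/Tar*.tmp files in Temp, matches Windows' automatic root-certificate download during signature verification and is not by itself evidence of a planted root. The following is an added example, not part of the report or of any vendor's tooling: detection logic for that persistence chain, run over records constructed from the indicator and command-line lines of the behavioral1 run. The event schema (plain dicts with a `type` field) is an assumption; the extra DLL names beyond msimg32.dll are assumptions added for generality and were not observed in this sample.

```python
"""
Added example (not part of the sandbox report): rules for the persistence
chain in the behavioral1 run. The event schema is an assumption; the sample
records are constructed from this report's indicator/command-line lines.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# DLL names Windows resolves from the application directory first when a copy
# is present there. msimg32.dll is the one in this report; the others are
# assumptions added for generality and were not observed in this sample.
SIDELOAD_DLL_NAMES = {"msimg32.dll", "version.dll", "dwmapi.dll", "wtsapi32.dll"}

USER_PROFILE_RE = re.compile(r"(?i)[a-z]:\\users\\[^\\]+\\appdata\\")
RUN_KEY_RE = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run\\")
SERVICEDLL_RE = re.compile(r"(?i)\\services\\[^\\]+\\parameters\\servicedll$")
STARTUP_LNK_RE = re.compile(r"(?i)\\start menu\\programs\\startup\\[^\\]+\.lnk$")
REGSVR32_SILENT_RE = re.compile(r'(?i)regsvr32(\.exe)?"?\s+/s\b')

Event = Dict[str, str]
Hit = Tuple[str, str]


def find_indicators(events: Iterable[Event]) -> List[Hit]:
    """Return (rule_name, evidence) pairs for every event that matches a rule."""
    hits: List[Hit] = []
    for ev in events:
        kind = ev["type"]
        if kind == "reg_set":
            key, value = ev["key"], ev["value"]
            # Autostart that proxies through regsvr32 /s to a DLL under AppData.
            if RUN_KEY_RE.search(key) and REGSVR32_SILENT_RE.search(value) and USER_PROFILE_RE.search(value):
                hits.append(("run_key_regsvr32_userprofile_dll", key))
            # No Windows-shipped service keeps its ServiceDLL in a user profile.
            if SERVICEDLL_RE.search(key) and USER_PROFILE_RE.search(value):
                hits.append(("servicedll_under_user_profile", value))
        elif kind == "file_create":
            path = ev["path"]
            if STARTUP_LNK_RE.search(path):
                hits.append(("startup_lnk_created", path))
            # A system DLL name written into a user directory: sideloading setup.
            if path.rsplit("\\", 1)[-1].lower() in SIDELOAD_DLL_NAMES and USER_PROFILE_RE.search(path):
                hits.append(("system_dll_name_in_user_dir", path))
        elif kind == "process_create":
            image, cmdline = ev["image"], ev["cmdline"]
            # services.exe starts svchost.exe with "-k <group>"; a user-profile
            # path on its command line is not part of that pattern.
            if image.lower().endswith("\\svchost.exe") and USER_PROFILE_RE.search(cmdline):
                hits.append(("svchost_with_userprofile_argument", cmdline))
    return hits


def rules_fired(events: Iterable[Event]) -> Set[str]:
    """Distinct rule names that matched at least once."""
    return {rule for rule, _ in find_indicators(events)}


APPDATA = r"C:\Users\Admin\AppData\Roaming\AbodeUpdate"

# Constructed from the behavioral1 indicator and process lines of this report.
SAMPLE_EVENTS: List[Event] = [
    {"type": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkypeC0SvcService.exe",
     "value": f'"C:\\Windows\\SysWOW64\\regsvr32.exe" /s "{APPDATA}\\MSIMG32.dll" {APPDATA}\\SkypeC0SvcService.exe'},
    {"type": "reg_set",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\usbhubsvc3\Parameters\ServiceDLL",
     "value": APPDATA + r"\MSIMG32.dll"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Manager.lnk"},
    {"type": "file_create", "path": APPDATA + r"\msimg32.dll"},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k MsHubSvc -svcr " + APPDATA + r"\SkypeC0SvcService.exe"},
]

# Constructed benign records: a normal Run entry, a Windows service DLL and a
# normal svchost launch must not fire any rule.
BENIGN_EVENTS: List[Event] = [
    {"type": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"type": "reg_set",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\dnsrslvr.dll"},
    {"type": "file_create", "path": r"C:\Windows\System32\msimg32.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k NetworkService -p -s Dnscache"},
]

if __name__ == "__main__":
    for rule, evidence in find_indicators(SAMPLE_EVENTS):
        print(f"{rule:36} {evidence}")
    print("benign rules fired:", rules_fired(BENIGN_EVENTS))
```

Each rule keys on the part of the indicator that a legitimate install would not produce (the user-profile path, the LOLBin proxy, the svchost argument) rather than on the `AbodeUpdate` name or the file hashes, so the same logic still fires when the directory and binaries are renamed; the benign records show that a Run key, a ServiceDll and an svchost launch on their own are not enough.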
Network
| Country | Destination | Domain | Proto | Connections |
| N/A | 255.255.255.255:67 | | udp | 1 |
| US | 8.8.8.8:53 | ping3.teamviewer.com | udp | 1 |
| DE | 213.227.168.190:5938 | ping3.teamviewer.com | tcp | 2 |
| US | 8.8.8.8:53 | master3.teamviewer.com | udp | 1 |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp | 33 |
Files
memory/1848-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1848-2-0x0000000000401000-0x0000000000412000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-BJH3D.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
| MD5 | 86c17be77f3ea314eb1c43fb46ec2ee9 |
| SHA1 | 57e664459585cb739e1ee278ff62ac25bd0fe0c0 |
| SHA256 | 67668d64d65f1f39d37f9f02643ef07e0f1da8599a48796967a9ebbbcee9efa2 |
| SHA512 | 320c17430584ee127c50ba3d8618dde649f97abea550f3f213a6637d48ffd21ce83103ed34c9ac2e5eb769b839293ddcb6e465d16a8ff876bae3a8bd58b2d787 |
memory/2876-8-0x0000000000400000-0x0000000000530000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-5O9VU.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
| MD5 | f5fe906f801d99fafa8a9e0584a37008 |
| SHA1 | a80175b91e3f9606e63dd0d9a9271e23bbe10321 |
| SHA256 | 10b12825603dc3f1946bfd4e7cbebda5885fe4fccaeb0df8b6e862ad3dad720b |
| SHA512 | ae149680b212cf0b7f11d841cede275d8e510d3af86c96d75ff75802a8543773a5b7fc9d4c84d4d5fa486d2ddf27129cc42e70d0ea34ca2624f14152ba7497de |
\Users\Admin\AppData\Roaming\AbodeUpdate\msimg32.dll
| MD5 | 7be8e8b6eb0a7b3e4d02bd1e1c0694d3 |
| SHA1 | e8eab9de90873e267d63636fd269561ea7fb6d77 |
| SHA256 | e89d182578568985c7524f1a0c221a1b46b515ac3036de356f5066d9f7a41b90 |
| SHA512 | ed08a7ba3cbd974898577ed9ca9a6eab90dfdd124d0b2321a5e02ed40c3e47c2bd57f2c132ed7cb5b55e8f5b7036e7fa733dbb4049226a8dc4ec5d1154bb9cd4 |
memory/1848-48-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2876-46-0x0000000000400000-0x0000000000530000-memory.dmp
memory/2492-49-0x0000000010000000-0x0000000010026000-memory.dmp
memory/2492-54-0x0000000010000000-0x0000000010026000-memory.dmp
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tvr.cfg
| MD5 | c355c34a3f8e355aa20eaaaa9bbdffe5 |
| SHA1 | 3b13ae21d7cdbe427a9367761b590bfb3a1e04c0 |
| SHA256 | 5fca1c7124684f5c3a8a2ce9caab53da751c76d0db8b538cc0b812d7f8dda110 |
| SHA512 | b665b65c1023b5f9f255388963245f0efa913d5b89024fa2eb03d164eb63d5334addf1a67b9db1a6ad8ef685c3d614d87225db1ec59b9c99459bc5f0b81d29ad |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn86.cab
| MD5 | c7549d78f082a6cf81ba2c27f6c6a38f |
| SHA1 | ea39fbc80cc62c11ace1ef495c856f3bc6c775a7 |
| SHA256 | 240b9ee414817f500c18bffaba787c6f7b5e67a0e46d82cbbce02cb956073be3 |
| SHA512 | ffa75d64446b227642af964c6d5a8e1a14493b56d598b52cbd842cf22a9396eddde716effc431d25b21a26741bdaf9e2b509821099a5eb3e01bfc2343816fc2f |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn64.cab
| MD5 | d4fe3ae6d05b2d4cb52484e2718ab390 |
| SHA1 | 8da95d697c578c8d12e02c53fb185cb5825c4f63 |
| SHA256 | 0fc7396c9eb14f764b18400f95c66fd168ec0626d455b48167119227b3b98c1e |
| SHA512 | 03a253bbc1663b7c03632c4a265195e2d668da5a0b3c6144ed2006fdffe50e131bb2a589aa41304e20979fa9a27e2acdbe8860916219d8ee265ebc185ef60fdd |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.exe
| MD5 | 8e50a67752bd070fec717216b9376a7f |
| SHA1 | 19c776fd0fe89d6cb3f372d89cac4adf65dabe24 |
| SHA256 | f7b239c4101db7c974eef31ba2dd42fba0e898cfa762b1e969f76a7a37aa3d8b |
| SHA512 | be16f2fc675d1231275fd618ea101bfafa71c31b2cea92c5fb1197384bd0ea764e4567350bc1309d9d83439a977ed7600c57c4f5be81bf7170b2d5e59fe1ef46 |
memory/2492-67-0x0000000010000000-0x0000000010026000-memory.dmp
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.dll
| MD5 | 6f68147027ba59a8af86ffe1b8fc6899 |
| SHA1 | 99bb32e1d752a2b93bcd9db36b8a4f3c01ba6458 |
| SHA256 | 07413a73f7566173b462d7a4de2ca74d211f0872682160afafa618e656cfe9e6 |
| SHA512 | 5011e05ebcf6e86a988ba79e3f0aec2f240b14c5a602260edc53fa1c4b11c23495171213fe30ab8bf53f9e0c15e6dffa6a463105d1d558a3def50fdc28e571d2 |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.exe
| MD5 | c16719e5c670b7c18aab69dea8ea8c66 |
| SHA1 | 95c9c3b44dcca278b42cb20b1e27d88ae4006f39 |
| SHA256 | c23d33f637c3c90ce0e3fc366fce034c5592dd80b660f469619e38b255532689 |
| SHA512 | 9bae42f6e6ace1e1f0d923894399817a017a1e52e2b01bb780d2a7be20f82ac341b1c9f6de680f16a0b8d5532c0f77f495dde2ad0c95ff85118021785dcd3b3b |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.dll
| MD5 | 55b4875e6dd84b1a547a91a789515dfb |
| SHA1 | ad598670ced636134f85c744f6283a16e3766d1f |
| SHA256 | a0791b2f732fdd0c26483d9ef2d77e720d9ba267f887eccadff227bcf247a0a9 |
| SHA512 | d9dc737c25a56503bba8f3a2fa030c3dc1fe62f4313cb307203cdcac164fd6bb2fa2ab87be6806d4cf3d1ed1ec880a1c7f3d866e61c3a6005ca400ff9f99459a |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_StaticRes.dll
| MD5 | 4202e46ac536822fd7043c38e66d0ec8 |
| SHA1 | c8908477b539931168e9437d4e17e7c33fb10141 |
| SHA256 | 542075ba11aaa6c1961985818dc4bb9e1a13afffeaef3514389444db18938fb4 |
| SHA512 | 20210b8dd54b7ca527e69699ae02d6b1c1733e8e3c8ae797994d24b2134e91d4dbc8345b9a4757ded6a34f460d9ec88b1c133202718e342c9045c77de2bd784d |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Resource_en.dll
| MD5 | 5850b0e30cb6493170ea8d073f34766c |
| SHA1 | d80b0181edca5be738f8c1c4355c4785d0360d06 |
| SHA256 | 97f8b0f6307156c0c74f3309195c376e5d816b3dbd65048c241a8b7e9233eeda |
| SHA512 | a1a8ee334ef763a78214fbc6a915e9adbf0cdbafb6694fac6e70cb68f2aacfcad945c7b4629bf3b729e8b9b3fcd7956c04a63c89fb6bda7111f41f9c8cb96144 |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Desktop.exe
| MD5 | 36738935b6eadbdf570002ee44990360 |
| SHA1 | 2621f86a0307a6be7032266db868c7af981bc016 |
| SHA256 | 46aa5507bf0866d924a7974e7dc9255db21efb8ba5dc15e3c1a19c5b408ad29c |
| SHA512 | 5737edd344008832b1925972913cb2ba49d1e177a331a5419c5f6cb966f7da735fff1722acf59d5514cf63c2834a5f49d9784b70996fb0186cbbab6de3835f14 |
\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
| MD5 | 112b0c8b6b0c0a6c24f90081cc8a77d0 |
| SHA1 | 1776a73316baeeb818884196a54f49d1385c06c8 |
| SHA256 | f627380e9de14af3eb5331bb9a4d559b2c970abacff038ea464044ca1ef62163 |
| SHA512 | 1552b267931004d8936058f5cac49dc618eae2224ea3b082f1d899cd1b2c1cb7eaa98ac7653740fd07b2df40abbdd2d6318a9bed8794bb7a8872e379a50ef585 |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf
| MD5 | 447fc733747db11cd4492ae01c5652fe |
| SHA1 | 2a70dcd391464cb8d3736322e07e966e105d396e |
| SHA256 | a817b0e8a669d5acaf2ddfbc95acf2a1213b092b44dc896a0ee4a5301d06ebc3 |
| SHA512 | 238099db072af55445d421e941944abe8a6f52a124a26cae84c1dd52fffafc4dac5586d0c7407b461cd0db8e771e1dbb6ca34aee84581b24347f401410b2afe5 |
\??\c:\users\admin\appdata\roaming\abodeupdate\teamviewervpn.cat
| MD5 | 5cffe65f36b60bc151486c90382f1627 |
| SHA1 | f2a66eae89b4b19d4cab2ac630536af5eeeef121 |
| SHA256 | aa7c09a817eb54e3cc5c342454608364a679e231824f83ba5a2d0278edcc1851 |
| SHA512 | 1bd48ef66f8714e7e9591043d03bd69a30881ed3d0f2463b15750a3282df667ffb076b3a92358eecedae0e54485b07d702667e8fe0af64c52be04db47145920b |
\??\c:\users\admin\appdata\roaming\ABODEU~1\TEAMVI~1.SYS
| MD5 | f5520dbb47c60ee83024b38720abda24 |
| SHA1 | bc355c14a2b22712b91ff43cd4e046489a91cae5 |
| SHA256 | b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0 |
| SHA512 | 3c5bb212467d932f5eaa17a2346ef8f401a49760c9c6c89c6318a1313fcbabb1d43b1054692c01738ea6a3648cc57e06845b81becb3069f478d5b1a7cbcb0e66 |
C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_neutral_5e1dcb6f86e23dcd\teamviewervpn.PNF
| MD5 | 9b4fad40d315b21af46a49f511b78265 |
| SHA1 | 670ad6753fc5323959d72a046abbd249e390edc7 |
| SHA256 | b9638e8d344bb3810d0890ec3565c0a92d7ee99b9f6da10db25c5c6ef9e2dd75 |
| SHA512 | f4c67626c7964239e98622bb11cf67e9d9a1f897d63b174a69ad27d469ae7a70bf49725b04944b0ac21d3d8a0c5739f276914ac389eefab38a5f498d2ea14251 |
C:\Windows\System32\DriverStore\INFCACHE.1
| MD5 | 5af9ef18c2e552db86e52c4e7de3eda3 |
| SHA1 | 962245763d189c29916f0e5b51115f6b08db7a97 |
| SHA256 | f90d8fcb0931fe82326608ccf680c4d3ca110d0df0b13b95aa3bc2cd21ec2e8d |
| SHA512 | 6b095bf73e1eb6f3b79a06b0ea2f66565e7823ef2e40ff05bf21a5647c42d9163aa79eb1d50e5df42a0eaebe5699e26463043719b5d78f160b18dd20a2f96467 |
C:\Windows\inf\oem2.PNF
| MD5 | 34bd933808aa2bcb35f3b6d3cfa37427 |
| SHA1 | 176b2193c74f647fa034407dfe637896f5e1ffa0 |
| SHA256 | 689d08a1e8dfeb2e74d8265c03b5f0dc678245e952abc2ec67beb531ea64a0f2 |
| SHA512 | 1b52ad9735b4fe9d5306597c37ea6bc988356a3d8f9bf4ac5349686e844dd89737569595ebe8947979707c1dd79b26a4e0552046d1a4fb4b52193af0f7860197 |
memory/2688-169-0x0000000001140000-0x0000000001166000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar2EC3.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\Cab2E91.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer.ini
| MD5 | 8fc2e199aa5721f837d2ce2766a5860d |
| SHA1 | 3a09dfa5e28a2044cd99388bf1265927c1444a94 |
| SHA256 | 044f6e06ced9cdaff36795408e5e3046b290367bc88f0708b2b5bd1b91bfbad5 |
| SHA512 | a8ca2f66f7b8cfb7ff67cfcec35848c7c2f29bc8b26d1239622a61a779b67d7af829699207f18dab8c9294dd9226943dac47ef8aeedfd90dfb733c13f1f218b5 |
memory/2492-232-0x0000000010000000-0x0000000010026000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:59
Reported
2024-06-03 06:02
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\SET1BFF.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SET1BFF.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\teamviewervpn.sys | C:\Windows\system32\DrvInst.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbhubsvc3\Parameters\ServiceDLL = "C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll" | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Manager.lnk | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkypeC0SvcService.exe = "\"C:\\Windows\\SysWOW64\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll\" C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\SkypeC0SvcService.exe" | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
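The three persistence rows above (the ServiceDLL of usbhubsvc3 pointing into %AppData%, the Startup-folder .lnk, and the Run value that has regsvr32 /s load MSIMG32.dll from the same AbodeUpdate directory) are the ones a responder would turn into host-hunting rules first. The script below is an added example and is not part of this report or of any sandbox tooling: it takes the Description, Indicator and Process columns exactly as the report prints them, undoes the report's backslash and quote escaping, and applies three rules. The rule names, the user-writable directory list and the benign Dhcp control row are my own constructions.

```python
"""Persistence triage over the registry and file rows of a sandbox report.

Added example, not code from the report. Rows are copied from the signature
tables above, except the Dhcp control row, which is constructed as a benign case.
"""
import re

REPORT_ROWS = [
    # (Description, Indicator, Process) as printed in the report.
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbhubsvc3\Parameters\ServiceDLL = "C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll"',
     r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Manager.lnk",
     r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SkypeC0SvcService.exe = "\"C:\\Windows\\SysWOW64\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\MSIMG32.dll\" C:\\Users\\Admin\\AppData\\Roaming\\AbodeUpdate\\SkypeC0SvcService.exe"',
     r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"),
    # Constructed control row (not from the report): a ServiceDLL that lives in System32.
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Parameters\ServiceDLL = "C:\\Windows\\System32\\dhcpcore.dll"',
     r"C:\Windows\system32\svchost.exe"),
]

# Assumed lists: where a service DLL is expected, and which path components mark user-writable storage.
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|programdata|public)\\", re.I)
SERVICE_DLL = re.compile(r"\\services\\([^\\]+)\\parameters\\servicedll$", re.I)
DLL_ARG = re.compile(r'"?([a-z]:\\[^"]+?\.dll)"?', re.I)


def decode_value(raw):
    """Strip the report's outer quotes and fold its \\ and \" escapes into one character each."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def assess(rows):
    """Return (rule, process, detail) findings for every row that matches a persistence rule."""
    findings = []
    for description, indicator, process in rows:
        key, sep, raw = indicator.partition(" = ")
        value = decode_value(raw) if sep else ""
        # Rule 1: a service hosted by svchost whose DLL is outside the Windows system directories.
        m = SERVICE_DLL.search(key)
        if m and not SYSTEM_DIR.match(value):
            findings.append(("service-dll-outside-system-dir", process, f"{m.group(1)} -> {value}"))
        # Rule 2: a Run value that uses regsvr32 to load a DLL from a user-writable location.
        if "\\currentversion\\run\\" in key.lower() and "regsvr32" in value.lower():
            for dll in DLL_ARG.findall(value):
                if USER_WRITABLE.search(dll):
                    findings.append(("run-key-regsvr32-user-dll", process, dll))
        # Rule 3: anything created in a Startup folder.
        if description == "File created" and "\\start menu\\programs\\startup\\" in indicator.lower():
            findings.append(("startup-folder-item", process, indicator))
    return findings


if __name__ == "__main__":
    for rule, process, detail in assess(REPORT_ROWS):
        print(f"{rule:32} {process}\n{'':32} {detail}")
```

The decoder is the part that matters: the report writes `\\` for one backslash and `\"` for a quote inside a value, so a rule that matches on the raw indicator text would not see the DLL path inside the Run value at all.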
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815} | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1623.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\drvstore.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1635.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1635.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1624.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\teamviewervpn.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\teamviewervpn.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1623.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\teamviewervpn.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.PNF | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{3cac4235-2e78-bf45-bd7c-9f67e2e81815}\SET1624.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.inf | C:\Windows\system32\DrvInst.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\DrvInst.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob not reproduced) | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob not reproduced) | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp" /SL5="$90030,3400720,135680,C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe" /verysilent /password=none
C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k MsHubSvc -svcr C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe install C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf teamviewervpn
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{47e8e878-4cc8-304f-be08-8b37cf2bb6e9}\teamviewervpn.inf" "9" "4b0706d3f" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "c:\users\admin\appdata\roaming\abodeupdate"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:teamviewervpn.ndi:2.10.0.0:teamviewervpn," "4b0706d3f" "0000000000000160"
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe restart teamviewervpn
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4008 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
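The process list above carries the whole chain in one place: an Inno Setup second stage (the is-R5QBO.tmp directory and the /SL5= argument) run with /verysilent, a SysWOW64 svchost.exe started with -k MsHubSvc and an -svcr argument that points at the dropped SkypeC0SvcService.exe, svpn.exe installing TeamViewerVPN.inf from %AppData%, and DrvInst.exe processing an INF staged under the user's Temp directory. As an added example, not code from the sandbox or from the report, the script below tokenises those command lines and flags each of those patterns. The svchost.exe switch allow-list (-k, -p, -s) is my assumption about what the genuine binary accepts, and the user-writable directory list is constructed.

```python
"""Process-tree triage over the command lines printed in a sandbox report.

Added example, not the sandbox's code. The (image, command line) pairs are
copied from the Processes list above; the rules and allow-lists are mine.
"""
import re
from pathlib import PureWindowsPath

PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp",
     r'"C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp" /SL5="$90030,3400720,135680,C:\Users\Admin\AppData\Local\Temp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.exe" /verysilent /password=none'),
    (r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe",
     r'"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"'),
    (r"C:\Windows\SysWOW64\svchost.exe",
     r"C:\Windows\SysWOW64\svchost.exe -k MsHubSvc -svcr C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe"),
    (r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe",
     r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe install C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf teamviewervpn"),
    (r"C:\Windows\system32\svchost.exe",
     r"C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall"),
    (r"C:\Windows\system32\DrvInst.exe",
     r'DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{47e8e878-4cc8-304f-be08-8b37cf2bb6e9}\teamviewervpn.inf" "9" "4b0706d3f" "0000000000000154" "WinSta0\Default" "0000000000000164" "208" "c:\users\admin\appdata\roaming\abodeupdate"'),
]

# Assumption: the switches the genuine svchost.exe accepts; anything else on its command line is worth a look.
SVCHOST_SWITCHES = {"-k", "-p", "-s"}
# Constructed list of path components that mark user-writable storage.
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|programdata|public)\\", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmd(cmdline):
    """Split a Windows command line on whitespace while keeping double-quoted spans whole."""
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]


def assess(processes):
    """Return (rule, image, detail) findings for each command line that matches a rule."""
    findings = []
    for image, cmdline in processes:
        name = PureWindowsPath(image).name.lower()
        args = split_cmd(cmdline)[1:]
        lower_args = [a.lower() for a in args]
        # Inno Setup second stage run non-interactively: /SL5= marks the stage, /verysilent hides the UI.
        if name.endswith(".tmp") and any(a.startswith("/SL5=") for a in args) and "/verysilent" in lower_args:
            findings.append(("inno-setup-silent", image, "/verysilent"))
        # svchost.exe with a switch outside the allow-list, or with an argument in a user-writable path.
        if name == "svchost.exe":
            for a in args:
                if a.startswith("-") and a.lower() not in SVCHOST_SWITCHES:
                    findings.append(("svchost-unknown-switch", image, a))
                elif USER_WRITABLE.search(a):
                    findings.append(("svchost-user-writable-arg", image, a))
        # Any process handed an INF that was staged in a user-writable directory (driver install path).
        for a in args:
            if a.lower().endswith(".inf") and USER_WRITABLE.search(a):
                findings.append(("driver-inf-from-user-path", image, a))
    return findings


if __name__ == "__main__":
    for rule, image, detail in assess(PROCESSES):
        print(f"{rule:28} {image}\n{'':28} {detail}")
```

Run against the seven command lines above it reports five findings and stays silent on the DcomLaunch svchost.exe, which is the legitimate DeviceInstall host that the driver installation goes through.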
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ping3.teamviewer.com | udp |
| SG | 188.172.203.62:5938 | ping3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | master3.teamviewer.com | udp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 62.203.172.188.in-addr.arpa | udp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 3.32.188.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| US | 20.231.121.79:80 | | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
memory/1844-0-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1844-2-0x0000000000401000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-R5QBO.tmp\90c1ca96660786fb2a12b5b07d4c8fd9_JaffaCakes118.tmp
| MD5 | 86c17be77f3ea314eb1c43fb46ec2ee9 |
| SHA1 | 57e664459585cb739e1ee278ff62ac25bd0fe0c0 |
| SHA256 | 67668d64d65f1f39d37f9f02643ef07e0f1da8599a48796967a9ebbbcee9efa2 |
| SHA512 | 320c17430584ee127c50ba3d8618dde649f97abea550f3f213a6637d48ffd21ce83103ed34c9ac2e5eb769b839293ddcb6e465d16a8ff876bae3a8bd58b2d787 |
memory/2344-6-0x0000000000400000-0x0000000000530000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-0RPST.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe
| MD5 | f5fe906f801d99fafa8a9e0584a37008 |
| SHA1 | a80175b91e3f9606e63dd0d9a9271e23bbe10321 |
| SHA256 | 10b12825603dc3f1946bfd4e7cbebda5885fe4fccaeb0df8b6e862ad3dad720b |
| SHA512 | ae149680b212cf0b7f11d841cede275d8e510d3af86c96d75ff75802a8543773a5b7fc9d4c84d4d5fa486d2ddf27129cc42e70d0ea34ca2624f14152ba7497de |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\MSIMG32.dll
| MD5 | 7be8e8b6eb0a7b3e4d02bd1e1c0694d3 |
| SHA1 | e8eab9de90873e267d63636fd269561ea7fb6d77 |
| SHA256 | e89d182578568985c7524f1a0c221a1b46b515ac3036de356f5066d9f7a41b90 |
| SHA512 | ed08a7ba3cbd974898577ed9ca9a6eab90dfdd124d0b2321a5e02ed40c3e47c2bd57f2c132ed7cb5b55e8f5b7036e7fa733dbb4049226a8dc4ec5d1154bb9cd4 |
memory/2344-42-0x0000000000400000-0x0000000000530000-memory.dmp
memory/5072-44-0x0000000010000000-0x0000000010026000-memory.dmp
memory/1844-49-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5072-50-0x0000000075880000-0x0000000075881000-memory.dmp
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tvr.cfg
| MD5 | c355c34a3f8e355aa20eaaaa9bbdffe5 |
| SHA1 | 3b13ae21d7cdbe427a9367761b590bfb3a1e04c0 |
| SHA256 | 5fca1c7124684f5c3a8a2ce9caab53da751c76d0db8b538cc0b812d7f8dda110 |
| SHA512 | b665b65c1023b5f9f255388963245f0efa913d5b89024fa2eb03d164eb63d5334addf1a67b9db1a6ad8ef685c3d614d87225db1ec59b9c99459bc5f0b81d29ad |
memory/5072-51-0x0000000010000000-0x0000000010026000-memory.dmp
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Desktop.exe
| MD5 | 36738935b6eadbdf570002ee44990360 |
| SHA1 | 2621f86a0307a6be7032266db868c7af981bc016 |
| SHA256 | 46aa5507bf0866d924a7974e7dc9255db21efb8ba5dc15e3c1a19c5b408ad29c |
| SHA512 | 5737edd344008832b1925972913cb2ba49d1e177a331a5419c5f6cb966f7da735fff1722acf59d5514cf63c2834a5f49d9784b70996fb0186cbbab6de3835f14 |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn86.cab
| MD5 | c7549d78f082a6cf81ba2c27f6c6a38f |
| SHA1 | ea39fbc80cc62c11ace1ef495c856f3bc6c775a7 |
| SHA256 | 240b9ee414817f500c18bffaba787c6f7b5e67a0e46d82cbbce02cb956073be3 |
| SHA512 | ffa75d64446b227642af964c6d5a8e1a14493b56d598b52cbd842cf22a9396eddde716effc431d25b21a26741bdaf9e2b509821099a5eb3e01bfc2343816fc2f |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\vpn64.cab
| MD5 | d4fe3ae6d05b2d4cb52484e2718ab390 |
| SHA1 | 8da95d697c578c8d12e02c53fb185cb5825c4f63 |
| SHA256 | 0fc7396c9eb14f764b18400f95c66fd168ec0626d455b48167119227b3b98c1e |
| SHA512 | 03a253bbc1663b7c03632c4a265195e2d668da5a0b3c6144ed2006fdffe50e131bb2a589aa41304e20979fa9a27e2acdbe8860916219d8ee265ebc185ef60fdd |
memory/5072-64-0x0000000010000000-0x0000000010026000-memory.dmp
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.exe
| MD5 | 8e50a67752bd070fec717216b9376a7f |
| SHA1 | 19c776fd0fe89d6cb3f372d89cac4adf65dabe24 |
| SHA256 | f7b239c4101db7c974eef31ba2dd42fba0e898cfa762b1e969f76a7a37aa3d8b |
| SHA512 | be16f2fc675d1231275fd618ea101bfafa71c31b2cea92c5fb1197384bd0ea764e4567350bc1309d9d83439a977ed7600c57c4f5be81bf7170b2d5e59fe1ef46 |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_x64.dll
| MD5 | 6f68147027ba59a8af86ffe1b8fc6899 |
| SHA1 | 99bb32e1d752a2b93bcd9db36b8a4f3c01ba6458 |
| SHA256 | 07413a73f7566173b462d7a4de2ca74d211f0872682160afafa618e656cfe9e6 |
| SHA512 | 5011e05ebcf6e86a988ba79e3f0aec2f240b14c5a602260edc53fa1c4b11c23495171213fe30ab8bf53f9e0c15e6dffa6a463105d1d558a3def50fdc28e571d2 |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.exe
| MD5 | c16719e5c670b7c18aab69dea8ea8c66 |
| SHA1 | 95c9c3b44dcca278b42cb20b1e27d88ae4006f39 |
| SHA256 | c23d33f637c3c90ce0e3fc366fce034c5592dd80b660f469619e38b255532689 |
| SHA512 | 9bae42f6e6ace1e1f0d923894399817a017a1e52e2b01bb780d2a7be20f82ac341b1c9f6de680f16a0b8d5532c0f77f495dde2ad0c95ff85118021785dcd3b3b |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\tv_w32.dll
| MD5 | 55b4875e6dd84b1a547a91a789515dfb |
| SHA1 | ad598670ced636134f85c744f6283a16e3766d1f |
| SHA256 | a0791b2f732fdd0c26483d9ef2d77e720d9ba267f887eccadff227bcf247a0a9 |
| SHA512 | d9dc737c25a56503bba8f3a2fa030c3dc1fe62f4313cb307203cdcac164fd6bb2fa2ab87be6806d4cf3d1ed1ec880a1c7f3d866e61c3a6005ca400ff9f99459a |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_StaticRes.dll
| MD5 | 4202e46ac536822fd7043c38e66d0ec8 |
| SHA1 | c8908477b539931168e9437d4e17e7c33fb10141 |
| SHA256 | 542075ba11aaa6c1961985818dc4bb9e1a13afffeaef3514389444db18938fb4 |
| SHA512 | 20210b8dd54b7ca527e69699ae02d6b1c1733e8e3c8ae797994d24b2134e91d4dbc8345b9a4757ded6a34f460d9ec88b1c133202718e342c9045c77de2bd784d |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer_Resource_en.dll
| MD5 | 5850b0e30cb6493170ea8d073f34766c |
| SHA1 | d80b0181edca5be738f8c1c4355c4785d0360d06 |
| SHA256 | 97f8b0f6307156c0c74f3309195c376e5d816b3dbd65048c241a8b7e9233eeda |
| SHA512 | a1a8ee334ef763a78214fbc6a915e9adbf0cdbafb6694fac6e70cb68f2aacfcad945c7b4629bf3b729e8b9b3fcd7956c04a63c89fb6bda7111f41f9c8cb96144 |
memory/5072-65-0x0000000075860000-0x0000000075950000-memory.dmp
C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe
| MD5 | 112b0c8b6b0c0a6c24f90081cc8a77d0 |
| SHA1 | 1776a73316baeeb818884196a54f49d1385c06c8 |
| SHA256 | f627380e9de14af3eb5331bb9a4d559b2c970abacff038ea464044ca1ef62163 |
| SHA512 | 1552b267931004d8936058f5cac49dc618eae2224ea3b082f1d899cd1b2c1cb7eaa98ac7653740fd07b2df40abbdd2d6318a9bed8794bb7a8872e379a50ef585 |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewerVPN.inf
| MD5 | 447fc733747db11cd4492ae01c5652fe |
| SHA1 | 2a70dcd391464cb8d3736322e07e966e105d396e |
| SHA256 | a817b0e8a669d5acaf2ddfbc95acf2a1213b092b44dc896a0ee4a5301d06ebc3 |
| SHA512 | 238099db072af55445d421e941944abe8a6f52a124a26cae84c1dd52fffafc4dac5586d0c7407b461cd0db8e771e1dbb6ca34aee84581b24347f401410b2afe5 |
\??\c:\users\admin\appdata\roaming\abodeupdate\teamviewervpn.cat
| MD5 | 5cffe65f36b60bc151486c90382f1627 |
| SHA1 | f2a66eae89b4b19d4cab2ac630536af5eeeef121 |
| SHA256 | aa7c09a817eb54e3cc5c342454608364a679e231824f83ba5a2d0278edcc1851 |
| SHA512 | 1bd48ef66f8714e7e9591043d03bd69a30881ed3d0f2463b15750a3282df667ffb076b3a92358eecedae0e54485b07d702667e8fe0af64c52be04db47145920b |
\??\c:\users\admin\appdata\roaming\ABODEU~1\TEAMVI~1.SYS
| MD5 | f5520dbb47c60ee83024b38720abda24 |
| SHA1 | bc355c14a2b22712b91ff43cd4e046489a91cae5 |
| SHA256 | b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0 |
| SHA512 | 3c5bb212467d932f5eaa17a2346ef8f401a49760c9c6c89c6318a1313fcbabb1d43b1054692c01738ea6a3648cc57e06845b81becb3069f478d5b1a7cbcb0e66 |
C:\Users\Admin\AppData\Roaming\AbodeUpdate\TeamViewer.ini
| MD5 | 8fc2e199aa5721f837d2ce2766a5860d |
| SHA1 | 3a09dfa5e28a2044cd99388bf1265927c1444a94 |
| SHA256 | 044f6e06ced9cdaff36795408e5e3046b290367bc88f0708b2b5bd1b91bfbad5 |
| SHA512 | a8ca2f66f7b8cfb7ff67cfcec35848c7c2f29bc8b26d1239622a61a779b67d7af829699207f18dab8c9294dd9226943dac47ef8aeedfd90dfb733c13f1f218b5 |
memory/5072-164-0x0000000004850000-0x0000000004877000-memory.dmp
memory/5072-168-0x0000000010000000-0x0000000010026000-memory.dmp
memory/5072-170-0x0000000075860000-0x0000000075950000-memory.dmp
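The Network table and the Files list above are the two IOC sets a responder actually reuses from a report like this one: the repeated TCP connections to master3.teamviewer.com on 5938 (the TeamViewer broker port, here coming from a copy of TeamViewer dropped under a fake AbodeUpdate directory) and the SHA256 values of the dropped files. The script below is an added example, not part of this report or of the sample. It parses a subset of the Network rows copied from the table (constructed input, including the rows whose Domain cell is empty and whose protocol was shifted one column left), counts the non-DNS destinations, flags the remote-access-port beaconing, and matches a hypothetical sha256sum listing from a suspect host against the report's hashes. The host listing, its paths, and the function names are assumptions.

```python
"""Triage helpers for the Network and Files sections of this report.

Added example, not part of the sandbox report or of the sample. The network
rows and the hash table are copied from the report; the host-side listing
is hypothetical.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Subset of the report's Network table in its pipe-delimited layout (constructed input).
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | ping3.teamviewer.com | udp |
| SG | 188.172.203.62:5938 | ping3.teamviewer.com | tcp |
| US | 8.8.8.8:53 | master3.teamviewer.com | udp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| DE | 185.188.32.3:5938 | master3.teamviewer.com | tcp |
| US | 20.231.121.79:80 | | tcp |
"""

# SHA256 -> path, taken from the report's Files section.
REPORT_SHA256 = {
    "10b12825603dc3f1946bfd4e7cbebda5885fe4fccaeb0df8b6e862ad3dad720b":
        r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\SkypeC0SvcService.exe",
    "e89d182578568985c7524f1a0c221a1b46b515ac3036de356f5066d9f7a41b90":
        r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\MSIMG32.dll",
    "5fca1c7124684f5c3a8a2ce9caab53da751c76d0db8b538cc0b812d7f8dda110":
        r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\tvr.cfg",
    "f627380e9de14af3eb5331bb9a4d559b2c970abacff038ea464044ca1ef62163":
        r"C:\Users\Admin\AppData\Roaming\AbodeUpdate\svpn.exe",
}

# TeamViewer's client-to-broker port; the sample reaches master3.teamviewer.com on it.
REMOTE_ACCESS_PORTS = {5938}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_network(text: str) -> list[Conn]:
    """Parse '| CC | ip:port | domain | proto |' rows.

    Rows with an empty Domain cell appear in the report with the protocol
    shifted left ('| GB | 96.16.110.114:80 | tcp | |'); both layouts are accepted.
    """
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not re.fullmatch(r"[A-Z]{2}", cells[0]):
            continue  # header, separator or junk
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port), domain, proto.lower()))
    return conns


def beacon_summary(conns: list[Conn]) -> Counter:
    """Count non-DNS connections per (ip, port, domain); a high count to one
    broker is the beaconing pattern a network rule should key on."""
    return Counter((c.ip, c.port, c.domain) for c in conns
                   if not (c.proto == "udp" and c.port == 53))


def flag_remote_access(conns: list[Conn]) -> list:
    """Distinct TCP destinations on a remote-access port, most-hit first."""
    hits = Counter((c.ip, c.port, c.domain) for c in conns
                   if c.proto == "tcp" and c.port in REMOTE_ACCESS_PORTS)
    return hits.most_common()


def match_sha256sum(listing: str) -> list[tuple[str, str]]:
    """Match sha256sum-style lines ('<hex>  <path>' or '<hex> *<path>')
    against the report hashes; returns (local_path, report_path) per hit."""
    hits = []
    for line in listing.splitlines():
        m = re.match(r"([0-9a-fA-F]{64})\s+\*?(.+)$", line.strip())
        if m and m.group(1).lower() in REPORT_SHA256:
            hits.append((m.group(2), REPORT_SHA256[m.group(1).lower()]))
    return hits


# Hypothetical host listing (constructed): one file matches the dropped MSIMG32.dll.
HOST_LISTING = """\
e89d182578568985c7524f1a0c221a1b46b515ac3036de356f5066d9f7a41b90  /mnt/host/Users/bob/AppData/Roaming/AbodeUpdate/MSIMG32.dll
0000000000000000000000000000000000000000000000000000000000000000  /mnt/host/Windows/System32/msimg32.dll
"""

if __name__ == "__main__":
    conns = parse_network(NETWORK_ROWS)
    for (ip, port, domain), n in flag_remote_access(conns):
        print(f"{n:>3}x tcp {ip}:{port} {domain}")
    for local, report in match_sha256sum(HOST_LISTING):
        print(f"IOC hit: {local} == {report}")
```

Hash matching only catches an unchanged copy of these exact files; since the sample repackages a legitimate TeamViewer build, the stronger host-side indicators are the directory name, the service whose ServiceDLL points at a user-writable MSIMG32.dll, and the 5938 beaconing from a process that is not the installed TeamViewer.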