Malware Analysis Report

2024-09-11 03:41

Sample ID 240617-ngx7kssdrr
Target b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118
SHA256 a21b719d48905fd06b2281a4a47bfa8605e895e1ad7812963d249f87368c42de
Tags
discovery evasion exploit persistence spyware stealer upx
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

a21b719d48905fd06b2281a4a47bfa8605e895e1ad7812963d249f87368c42de

Threat Level: Likely malicious

The file b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion exploit persistence spyware stealer upx

Nirsoft

Sets DLL path for service in the registry

Modifies Windows Firewall

Drops file in Drivers directory

Possible privilege escalation attempt

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Modifies file permissions

Executes dropped EXE

Allows Network login with blank passwords

Checks computer location settings

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Remote Services
T1021
Remote Desktop Protocol
T1021.001
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-17 11:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 11:22

Reported

2024-06-17 11:25

Platform

win7-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe"

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\DRIVERS\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET6B22.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\DRIVERS\SET6B22.tmp C:\Windows\system32\DrvInst.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\netsh.exe N/A
N/A N/A C:\Windows\System32\netsh.exe N/A
N/A N/A C:\Windows\System32\netsh.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%SystemRoot%\\system32\\rdpwrap.dll" C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Allows Network login with blank passwords

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regsvr = "C:\\Users\\Admin\\AppData\\Roaming\\INT\\regsvr.exe" C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\sys = "0" C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
File created C:\Windows\System32\rdpwrap64.dll C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e}\SET69CC.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e}\SET69DC.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e}\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_neutral_5e1dcb6f86e23dcd\teamviewervpn.PNF C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\INFCACHE.0 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
File opened for modification C:\Windows\System32\sethc.exe C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e}\SET69CB.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e}\teamviewervpn.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infpub.dat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\sethc.exe C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e}\SET69CB.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstrng.dat C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
File opened for modification C:\Windows\System32\DriverStore\infstor.dat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_neutral_5e1dcb6f86e23dcd\teamviewervpn.PNF C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e}\SET69CC.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e}\teamviewervpn.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{0f362de2-f297-4cda-d4da-9d555a06255e}\SET69DC.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\rdpwrap.ini C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev2 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
File opened for modification C:\Windows\INF\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50002 = "Allows your computer to access resources on a Microsoft network." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-4 = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services." C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32008 = "Allows you to securely connect to a private network using the Internet." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tcpipcfg.dll,-50001 = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks." C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec
PID 2332 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec
PID 2332 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec
PID 2332 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec
PID 2332 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 2332 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 2332 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 2332 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 2332 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 2332 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 2332 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 2332 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 2972 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 2972 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 2972 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 2972 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 3060 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 3060 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 3060 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 3060 wrote to memory of 540 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 3060 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 3060 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 3060 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 3060 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 3060 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 3060 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 3060 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 3060 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 2836 wrote to memory of 580 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 2836 wrote to memory of 580 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 2836 wrote to memory of 580 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 2836 wrote to memory of 580 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 580 wrote to memory of 444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 580 wrote to memory of 444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 580 wrote to memory of 444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2836 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\netsh.exe
PID 2836 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\netsh.exe
PID 2836 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\netsh.exe
PID 2836 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\netsh.exe
PID 2836 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 2836 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 2836 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 2836 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 2836 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 2836 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 2836 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 2836 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 2836 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 2836 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 2836 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 2836 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 1820 wrote to memory of 1300 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1820 wrote to memory of 1300 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1820 wrote to memory of 1300 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2836 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\takeown.exe
PID 2836 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\takeown.exe
PID 2836 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\takeown.exe
PID 2836 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\takeown.exe
PID 2836 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\icacls.exe
PID 2836 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\icacls.exe
PID 2836 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\icacls.exe
PID 2836 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\icacls.exe
PID 2836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\netsh.exe
PID 2836 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec

"C:\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec" x -p6882ED8CBCB8B4F40D87E7AD947AB99E "C:\Users\Admin\AppData\Local\Temp\xhzrnnqqwhhdmt8cm99didtx.jpg" "-oC:\Users\Admin\AppData\Roaming"

C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn

"C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn" wait 20000

C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn

"C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn" shexec "" "C:\Users\Admin\AppData\Roaming\INT\regsvr.lnk"

C:\Users\Admin\AppData\Roaming\INT\regsvr.exe

"C:\Users\Admin\AppData\Roaming\INT\regsvr.exe"

C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe

C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe -r install C:\Users\Admin\AppData\Roaming\INT\x64\TeamViewerVPN.inf teamviewervpn

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{43a23f89-a467-5d93-89e9-23211d864a0c}\teamviewervpn.inf" "9" "6b0706d3f" "000000000000049C" "WinSta0\Default" "00000000000004A4" "208" "c:\users\admin\appdata\roaming\int\x64"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "teamviewervpn.inf:teamviewervpn.NTamd64:teamviewervpn.ndi:2.10.0.0:teamviewervpn" "6b0706d3f" "000000000000049C" "00000000000005BC" "00000000000003A8"

C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe

C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe restart teamviewervpn

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\Users\Admin\AppData\Roaming\INT\regsvr.exe

C:\Users\Admin\AppData\Roaming\INT\regsvr.exe

C:\Windows\System32\net.exe

C:\Windows\System32\net.exe stop TermService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop TermService /y

C:\Windows\System32\netsh.exe

C:\Windows\System32\netsh.exe advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\Windows\System32\sc.exe

C:\Windows\System32\sc.exe config TermService start= auto

C:\Windows\System32\sc.exe

C:\Windows\System32\sc.exe config DcomLauch start= auto

C:\Windows\System32\net.exe

C:\Windows\System32\net.exe start TermService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService /y

C:\Windows\System32\takeown.exe

C:\Windows\System32\takeown.exe /f C:\Windows\System32\sethc.exe

C:\Windows\System32\icacls.exe

C:\Windows\System32\icacls.exe C:\Windows\System32\sethc.exe /grant *S-1-5-32-544:F

C:\Windows\System32\netsh.exe

C:\Windows\System32\netsh.exe firewall set service type=ALL scope=ALL profile=CURRENT

C:\Windows\System32\netsh.exe

C:\Windows\System32\netsh.exe firewall set service type=ALL scope=ALL profile=DOMAIN

Network

Country Destination Domain Proto
US 8.8.8.8:53 ping3.teamviewer.com udp
DE 217.146.23.141:5938 ping3.teamviewer.com tcp
US 8.8.8.8:53 ping3.teamviewer.com udp
FR 213.227.162.114:443 ping3.teamviewer.com tcp
US 8.8.8.8:53 ping3.teamviewer.com udp
IE 37.252.231.135:80 ping3.teamviewer.com tcp
US 8.8.8.8:53 master9.teamviewer.com udp
DE 185.188.32.9:80 master9.teamviewer.com tcp
DE 185.188.32.9:80 master9.teamviewer.com tcp
DE 185.188.32.9:80 master9.teamviewer.com tcp
N/A 127.0.0.1:49380 tcp
N/A 255.255.255.255:67 udp
DE 185.188.32.9:80 master9.teamviewer.com tcp
US 8.8.8.8:53 ping3.teamviewer.com udp
N/A 127.0.0.1:49505 tcp
US 8.8.8.8:53 ping3.teamviewer.com udp
DE 213.227.168.148:443 ping3.teamviewer.com tcp
DE 213.227.168.148:80 ping3.teamviewer.com tcp
US 8.8.8.8:53 master12.teamviewer.com udp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp
DE 185.188.32.22:80 master12.teamviewer.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsy1180.tmp\System.dll

MD5 b0c77267f13b2f87c084fd86ef51ccfc
SHA1 f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256 a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512 f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

\Users\Admin\AppData\Local\Temp\nsy1180.tmp\Crypto.dll

MD5 5fc727c579f3c3b69ce0eb7f2ec7d48a
SHA1 4686ade71a45feb36f5f5f48e78bd673f60e45b5
SHA256 b7b819dcf3aaed2774cecfa507f9baee47660b18758f7cb718bb5cb2d77947fa
SHA512 b407eb19db8967fc7eeea8d5576cbb909c89195a0ae2f2382b79ecc13f04d984ec46d014b7f8e2124c8fe6088097cdc8203e4258cdd36a38db94c7cb4a929fd0

\Users\Admin\AppData\Local\Temp\nsy1180.tmp\blowfish.dll

MD5 a0a4fc162c9876660aae6d06008aa0a2
SHA1 c2bb69b4960660ebf8b8bafcad20a5eeb859a17b
SHA256 52b8e1f958fd0a352b7a9192d73a72d1c32711ff1740ded3e80009eb44d48575
SHA512 426f2c1cd52b1f0619f85c476f790b30ced912e31740fe7450dab9ed189d840b635e67ab05310269b1534d02be4afd885f952d4a231df6c232bae4313503c4ea

C:\Users\Admin\AppData\Local\Temp\f1m2fsqizv9lb

MD5 e8912822fc1e9efa844af889919fdcca
SHA1 79ea8febf0103cf8a05f62b1f1455519aded75a6
SHA256 abb006b464385a32220725b4ce67341c62204bf7d83aae8f9ebdc03a7d4b3697
SHA512 f80925f477e8eb53415581e6ceae2924d84adcd82a20b9acb0d76da4e2ad6e25dfc99bd30338379712ae1f0c135d99f2bf6320c7498cabfdaf7d8a761f7dd66f

\Users\Admin\AppData\Local\Temp\nsy1180.tmp\nsExec.dll

MD5 1f49d8af9be9e915d54b2441c4a79adf
SHA1 1ee4f809c693e31f34bc6d8153664a6dc2c3e499
SHA256 b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782
SHA512 c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

\Users\Admin\AppData\Local\Temp\nsy1180.tmp\2us6otf8rec

MD5 e3c061fa0450056e30285fd44a74cd2a
SHA1 8c7659e6ee9fe5ead17cae2969d3148730be509b
SHA256 e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa
SHA512 fe7796b4c5aa07c40aa2511a987fed59366d3c27bf7343f126f06cb937bfe7a7d8bd6cd785a7e3dc9087b99973e8542b6da7be6eed4585bd3cee13164aed79b4

C:\Users\Admin\AppData\Local\Temp\xhzrnnqqwhhdmt8cm99didtx.jpg

MD5 ab84da981e287e44d11648d29cdbb882
SHA1 df014a3743b9a2e24a4cec5b010a42228226e7fc
SHA256 b081c56d67dcf29c0edf5623756a58a1bb8ad834b42e0c79390db5336db86280
SHA512 03205afed55dc7f771bae1b1d4eaf76f508f45433f8480a655d5667b4a30eb1a49bfbc33e6263915fd6d141a4e6338313f1c9219a11ad3c46a9c6c79f4f07109

C:\Users\Admin\AppData\Roaming\INT\pqb3w3

MD5 54b108d7a3882812e5f9cb5d3275ce5c
SHA1 44a9ea2494b3e8ad2dfa7d9f4d2fe7748b978974
SHA256 b74e873f8604997e444b01a97a024bd56d005f136dfdae9e060b981cd7d0b571
SHA512 e1159a636d10a86f5d2fddd2b4b05a63f4bd10d8dd782e060287c97af597061aa3782429ed43d0023c31498fd800d6ed66eb5daee28455a8d0393263b9821774

C:\Users\Admin\AppData\Roaming\INT\regsvr.exe

MD5 28c4c35aed7949277a9c68a04a113114
SHA1 2a845df5253b3f5becb9c83527c9bfd3113be092
SHA256 5c80b0ced982b868d7e2ba6269509f597a05704fa6d86a30e8d51bf5687c3361
SHA512 ed4ca23c7efd4fbf39ae50dc14020aead7d515e27b002aa2dd7a5417ba63c550d19120f84ef7058147035dfbc55f937debbde61bcd1af2e2070ae6b04b786618

\Users\Admin\AppData\Local\Temp\nsy1180.tmp\ShellLink.dll

MD5 aad75be0bdd1f1bac758b521c9f1d022
SHA1 5d444b8432c8834f5b5cd29225101856cebb8ecf
SHA256 d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7
SHA512 4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0

\Users\Admin\AppData\Local\Temp\sv0e6tcmn

MD5 84d499f558570c32f4cb100a9124890b
SHA1 9adfc7ab66348d84ebdd9c1e8093cad4cc8485ef
SHA256 31b3b228382dc359f22ae97b2602eee81dc743fb21196061eacc6619533881f5
SHA512 560aaadebcbd425d35fc3a567c987a5f15a5f091962328f0479c1ec2378c732cca892eb3252179c8895413b0f3d08f44fbcf8c9d2375877c81622f42e6549c86

memory/2332-107-0x00000000006A0000-0x00000000006BB000-memory.dmp

memory/2936-114-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2332-113-0x00000000006A0000-0x00000000006BB000-memory.dmp

memory/2332-128-0x00000000006A0000-0x00000000006BB000-memory.dmp

memory/2972-130-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2332-129-0x00000000006A0000-0x00000000006BB000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\regsvr.lnk

MD5 a19c1d63b980479ac7627e268582fea2
SHA1 db5f026fed805f4989c3717005f34bf125b31b4b
SHA256 3ecf9efb2f28e92694a731b42a8390e6408849ad845a382ed851b2cb1a887590
SHA512 afc0fa8d19f0a768fdb8b871504fd42ef233334464acea107933cbb7bd813e0b0082ac20c0c24ca43cdd8309a3960a45f69f151c64d811ae0dab7c667a000b28

memory/3060-138-0x0000000007000000-0x0000000007011000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\tv.cfg

MD5 60f9c16fa34611bbe39715b43855e17c
SHA1 25ee87d27f47f6b10ce1ed3b2839dfbd612ee6c5
SHA256 dd0731cea712f02d17e2f69a5963d37c8dc8ab539a2ca83469f0402cd8642314
SHA512 27176d4d6d4e6ec55e3052b52bf270f9e610d0a6a82573adb331731f6a61dfdc99511ff21a2003973a070941cd36e90498a9363109e55596864d46be80226db5

C:\Users\Admin\AppData\Roaming\INT\h7we97gmledmz9.jpg

MD5 351cf626f899fbf851ed9bc15bcfe4e3
SHA1 c108746906bd01f5b6a1a22d41184528c91d6c99
SHA256 3d4820e1178605a257851fc7ddd33f12e9b9d49a134e5c1abbc2b624e5859c3a
SHA512 c4aa0855ca081ad38499e22c10e9854b63e8e98eae84d92a11c2c4efcd74c73118b1e544c8d780490aa2c58f6b89834ac60adea23c8d362ceae9bd33ffb46218

C:\Users\Admin\AppData\Roaming\INT\TeamViewer_Resource_en.dll

MD5 97878dceaf0632f49b75601e998c53e1
SHA1 ee60be147721e2c4ef5d7d6860fce8645b2088e6
SHA256 a40088e36440f9de74bbd2d6e5cf969ab42ff629cea6d685cc9d8300b91b5028
SHA512 9691057e6f0aefeac2c4275c278ac8cbe5ac95d820bd92b2e65c0d8aee6768241b4832b31db7df2e0b203c77b2c486662bdd31c66892b84bb2a49edabda9abf7

C:\Users\Admin\AppData\Roaming\INT\TeamViewer_Desktop.exe

MD5 95b5331ae88259d3a9dda90f2a29905c
SHA1 3df3d52c6fc9e1811954a0b66c0e29f52f844a8e
SHA256 9fe4685f1d76b3c0ff80e2b9348d5f1b5a7856d472ae4be4b0fe9d9c08d32669
SHA512 e9e67334758f2261131310b1ecf9dd9f6d70a123b3519110ec781d3dd26b7832734cee45c6643809b741d74b0c9d9f3b3abddefb427a4d691a31a9cef81848db

\Users\Admin\AppData\Roaming\INT\tv_w32.dll

MD5 d1cae98656bc6703e21f4580b8830dfc
SHA1 d0c1f9219380ae73c5b151e5c7afa9e11c07bd97
SHA256 d2b39bcf9ca3888887fb84a0897fcb80dccacc5ccfb5a66357e3dbdcafee3904
SHA512 1270c00a01be2d8e27dc31a3e355eee8e5f56330674ec9776e2a5c6ba7990c3a4d4eccc501675e83e4baed977ea94dde2c857f63400564b85a27a94910d07cae

C:\Users\Admin\AppData\Roaming\INT\installvpn.pg

MD5 1dbcbc0aeefbef5a941ecee7568bb7d1
SHA1 9061ff9830499ccd2df0d20afd73373f766659de
SHA256 36c60f63fb12f9df18afb3e255b44d96ead54c9d48dcb4638e12b1a54475d0c2
SHA512 3b0adc6e7adac47e217f5a77bdbb35e2f633b47e661598163f6b1832e05ce064c8b7bff10710f13fd771673aff3cf7da804508fb5a72e28a8b50d28a43e54e91

C:\Users\Admin\AppData\Roaming\INT\rdw.pg

MD5 1b8ca0bc04d94d0bf2fbc128d49a3c44
SHA1 34512c7376ac65ace1693b8fe5833c9f6672eb1b
SHA256 d9a301684e39a64c68f8a17374bf67acdc98fd17e7be79b610eda0ac09446e2e
SHA512 c23334942a5d1ea5ef6575a77d6bd8e813d1ef165ffdb246a1970cbb6f42bb6b80851c40ffa4d00093a5470e74b0555c458c5f209a6987fae7a632e6d653a475

C:\Users\Admin\AppData\Roaming\INT\scankey.pg

MD5 b65ee713a834f3e0712cc5d0f494f8cc
SHA1 231ce0ffd58502dca27eaa5653d07b7cfda76b36
SHA256 7fd3d650ffea9a2c4bb43770985a39d393d100c01569fd06fa67ff45f6403566
SHA512 bd60aa037901fe5b721d3637037b7aa5a01522912683c0274a16665c66f99cae01ed59cdc7f8a78b1674a1fd08f759f9c6edec3bc4b61b3ea6bf2f9f3e5e4be7

memory/3060-171-0x0000000006790000-0x0000000006793000-memory.dmp

\Users\Admin\AppData\Roaming\INT\x64\install64.exe

MD5 112b0c8b6b0c0a6c24f90081cc8a77d0
SHA1 1776a73316baeeb818884196a54f49d1385c06c8
SHA256 f627380e9de14af3eb5331bb9a4d559b2c970abacff038ea464044ca1ef62163
SHA512 1552b267931004d8936058f5cac49dc618eae2224ea3b082f1d899cd1b2c1cb7eaa98ac7653740fd07b2df40abbdd2d6318a9bed8794bb7a8872e379a50ef585

memory/3060-177-0x00000000061A0000-0x000000000620B000-memory.dmp

memory/3060-175-0x0000000006150000-0x0000000006153000-memory.dmp

memory/3060-173-0x0000000006150000-0x0000000006153000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\x64\TeamViewerVPN.inf

MD5 447fc733747db11cd4492ae01c5652fe
SHA1 2a70dcd391464cb8d3736322e07e966e105d396e
SHA256 a817b0e8a669d5acaf2ddfbc95acf2a1213b092b44dc896a0ee4a5301d06ebc3
SHA512 238099db072af55445d421e941944abe8a6f52a124a26cae84c1dd52fffafc4dac5586d0c7407b461cd0db8e771e1dbb6ca34aee84581b24347f401410b2afe5

\??\c:\users\admin\appdata\roaming\int\x64\teamviewervpn.cat

MD5 5cffe65f36b60bc151486c90382f1627
SHA1 f2a66eae89b4b19d4cab2ac630536af5eeeef121
SHA256 aa7c09a817eb54e3cc5c342454608364a679e231824f83ba5a2d0278edcc1851
SHA512 1bd48ef66f8714e7e9591043d03bd69a30881ed3d0f2463b15750a3282df667ffb076b3a92358eecedae0e54485b07d702667e8fe0af64c52be04db47145920b

\??\c:\users\admin\appdata\roaming\int\x64\teamviewervpn.sys

MD5 f5520dbb47c60ee83024b38720abda24
SHA1 bc355c14a2b22712b91ff43cd4e046489a91cae5
SHA256 b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0
SHA512 3c5bb212467d932f5eaa17a2346ef8f401a49760c9c6c89c6318a1313fcbabb1d43b1054692c01738ea6a3648cc57e06845b81becb3069f478d5b1a7cbcb0e66

C:\Users\Admin\AppData\Roaming\INT\tv_w32.exe

MD5 7d90bdf0f9c2d9224d8b4d5d2f195506
SHA1 aa1bef60878b8c43c6fd763a0bf83b65a488ba81
SHA256 c96ed3b60727973d746834eaec3df520447a039dc447f717f6cd32335e2dc1d0
SHA512 4b08e6b4da089d46ce806baa1c3896d46bf9aa3598141502c3dd62683d97a50e560e48c1060bde0e959b3e33f05b1fc43056cf99b2252a9a1a0099294bd6a5b6

C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_neutral_5e1dcb6f86e23dcd\teamviewervpn.PNF

MD5 cf5ea1f06d58896f989a2003dd7cb45e
SHA1 66b1e1d46570fd735d0dc8f564804c1d60160ce1
SHA256 858f9da1de162078439d2f73df81030898bc2e3a9ac7b418b46431065e696d52
SHA512 bc0cd98080350d0cae27a3d5f0eaf84a0031cd31db78bb91aec2c7090abd2c9144e621eebce02444717c17039c69e9f0d281b8afade650125439f75826926bae

C:\Windows\System32\DriverStore\INFCACHE.1

MD5 c0b0fa1f35f7819ba89abe79e89b9832
SHA1 549f4e3f5f066124af8a9e8f2c7797b4397228d0
SHA256 4b7b793428797559c5d8510f885f90931162790f7c78bd7775811824221966ce
SHA512 ff9f5457000432272ae360c9f254cca577dd1b319798fb411ee936a8da9598e045170b7430d46c02703085ade6707cf749a35e058af642541e316fbfc7c6e130

C:\Windows\inf\oem2.PNF

MD5 c409f2efad3f2ef98f28cd874112c69e
SHA1 6cffd5d877affd5b16a3123d21661de78a86c7c2
SHA256 3f4cf336daae1a144c130fa578423edfbf48094cb1ec7c33fc7793635688ad09
SHA512 344d1ef456fea9f33044629c31685bd8b88f71446b5692907db12937e2d2ad75e782c969261cea7c424c3aaf11d88f6ea9547eec299b98ebf2b15b9fbb6cfebc

memory/2384-263-0x00000000004B0000-0x00000000004D6000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\tv_x64.exe

MD5 e0331b54a56e7aa48f97b4956bcef769
SHA1 2907cf777d6cf92656c8de211093751e12ddf9c4
SHA256 7a487c2cba93e7d6963930c5734f14d6cf17e85fc2316d6aeccd617100a1ff9f
SHA512 dc423898519ac48ca0b12e72076e7e9441e35f0fbc409af95b90288f3fefe23a2cd4a4b9c83e1a3dc123b0fcd2ea4f8ca981bb667be56be2cdcf8ad4df047aaf

C:\Users\Admin\AppData\Roaming\INT\tv_x64.dll

MD5 dcd8cda46bb20ff09c8c8be8be2f3098
SHA1 f39483343c5f95011131048cc0326ab1d034ef29
SHA256 a21dafab3d25f88d7001de9437f0a01c72d66db0c1a190dd5acdb2cc38ea9513
SHA512 9d28691f3532f8126429940623872503560c3244d111b64d3e598e08d961f8bb05efc87247d5f78b288506d8e77e08a9ce20c76cc8ac14b28a84d26f2d8f8565

memory/2836-273-0x0000000007000000-0x0000000007011000-memory.dmp

memory/3060-271-0x0000000007000000-0x0000000007011000-memory.dmp

memory/2836-275-0x00000000064D0000-0x00000000064D3000-memory.dmp

memory/2836-284-0x0000000005FD0000-0x0000000005FD3000-memory.dmp

memory/2836-282-0x0000000005FD0000-0x0000000005FD3000-memory.dmp

memory/2836-277-0x0000000006030000-0x000000000609B000-memory.dmp

memory/2836-285-0x0000000007000000-0x0000000007011000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 11:22

Reported

2024-06-17 11:25

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe"

Signatures

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\SETC19A.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\drivers\SETC19A.tmp C:\Windows\system32\DrvInst.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\netsh.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\system32\\rdpwrap.dll" C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regsvr = "C:\\Users\\Admin\\AppData\\Roaming\\INT\\regsvr.exe" C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d} C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d}\teamviewervpn.cat C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d}\SETBFC7.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d}\teamviewervpn.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\rdpwrap64.dll C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
File created C:\Windows\System32\rdpwrap.ini C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d}\SETBFA6.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d}\SETBFC8.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\drvstore.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\teamviewervpn.inf_amd64_5e1dcb6f86e23dcd\teamviewervpn.PNF C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d}\SETBFA6.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d}\SETBFC7.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d}\teamviewervpn.sys C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{89a2112b-10fa-f74f-9b53-017dc09c125d}\SETBFC8.tmp C:\Windows\system32\DrvInst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3076 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec
PID 3076 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec
PID 3076 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec
PID 3076 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 3076 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 3076 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 3076 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 3076 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 3076 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn
PID 1160 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 1160 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 1160 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 4912 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 4912 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 2680 wrote to memory of 4568 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2680 wrote to memory of 4568 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2680 wrote to memory of 2760 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2680 wrote to memory of 2760 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4912 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 4912 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe
PID 4912 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 4912 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 4912 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Users\Admin\AppData\Roaming\INT\regsvr.exe
PID 3988 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 3988 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 2784 wrote to memory of 2932 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2784 wrote to memory of 2932 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3988 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\netsh.exe
PID 3988 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\netsh.exe
PID 3988 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 3988 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 3988 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 3988 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\sc.exe
PID 3988 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 3988 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Roaming\INT\regsvr.exe C:\Windows\System32\net.exe
PID 4856 wrote to memory of 4240 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4856 wrote to memory of 4240 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b858bf816d0771d9a76ccd75a6f3df9e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec

"C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec" x -p6882ED8CBCB8B4F40D87E7AD947AB99E "C:\Users\Admin\AppData\Local\Temp\xhzrnnqqwhhdmt8cm99didtx.jpg" "-oC:\Users\Admin\AppData\Roaming"

C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn

"C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn" wait 20000

C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn

"C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn" shexec "" "C:\Users\Admin\AppData\Roaming\INT\regsvr.lnk"

C:\Users\Admin\AppData\Roaming\INT\regsvr.exe

"C:\Users\Admin\AppData\Roaming\INT\regsvr.exe"

C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe

C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe -r install C:\Users\Admin\AppData\Roaming\INT\x64\TeamViewerVPN.inf teamviewervpn

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{fcf3b6ac-b4f3-d34c-9290-33de7e298470}\teamviewervpn.inf" "9" "4b0706d3f" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "c:\users\admin\appdata\roaming\int\x64"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:teamviewervpn.ndi:2.10.0.0:teamviewervpn," "4b0706d3f" "0000000000000178"

C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe

C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe restart teamviewervpn

C:\Users\Admin\AppData\Roaming\INT\regsvr.exe

C:\Users\Admin\AppData\Roaming\INT\regsvr.exe

C:\Windows\System32\net.exe

C:\Windows\System32\net.exe stop TermService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop TermService /y

C:\Windows\System32\netsh.exe

C:\Windows\System32\netsh.exe advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\Windows\System32\sc.exe

C:\Windows\System32\sc.exe config TermService start= auto

C:\Windows\System32\sc.exe

C:\Windows\System32\sc.exe config DcomLauch start= auto

C:\Windows\System32\net.exe

C:\Windows\System32\net.exe start TermService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TermService /y

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -s TermService

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
BE 2.17.107.113:443 www.bing.com tcp
US 8.8.8.8:53 113.107.17.2.in-addr.arpa udp
N/A 127.0.0.1:55136 tcp
US 8.8.8.8:53 ping3.teamviewer.com udp
FR 213.227.162.106:5938 ping3.teamviewer.com tcp
US 8.8.8.8:53 ping3.teamviewer.com udp
NL 34.141.162.53:443 ping3.teamviewer.com tcp
US 8.8.8.8:53 106.162.227.213.in-addr.arpa udp
US 8.8.8.8:53 53.162.141.34.in-addr.arpa udp
NL 34.141.162.53:80 ping3.teamviewer.com tcp
US 8.8.8.8:53 master13.teamviewer.com udp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
FR 213.227.162.106:5938 ping3.teamviewer.com tcp
NL 34.141.162.53:443 ping3.teamviewer.com tcp
NL 34.141.162.53:80 ping3.teamviewer.com tcp
US 8.8.8.8:53 master15.teamviewer.com udp
N/A 127.0.0.1:55250 tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 25.32.188.185.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
DE 185.188.32.25:80 master15.teamviewer.com tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\System.dll

MD5 b0c77267f13b2f87c084fd86ef51ccfc
SHA1 f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256 a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512 f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\Crypto.dll

MD5 5fc727c579f3c3b69ce0eb7f2ec7d48a
SHA1 4686ade71a45feb36f5f5f48e78bd673f60e45b5
SHA256 b7b819dcf3aaed2774cecfa507f9baee47660b18758f7cb718bb5cb2d77947fa
SHA512 b407eb19db8967fc7eeea8d5576cbb909c89195a0ae2f2382b79ecc13f04d984ec46d014b7f8e2124c8fe6088097cdc8203e4258cdd36a38db94c7cb4a929fd0

C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\blowfish.dll

MD5 a0a4fc162c9876660aae6d06008aa0a2
SHA1 c2bb69b4960660ebf8b8bafcad20a5eeb859a17b
SHA256 52b8e1f958fd0a352b7a9192d73a72d1c32711ff1740ded3e80009eb44d48575
SHA512 426f2c1cd52b1f0619f85c476f790b30ced912e31740fe7450dab9ed189d840b635e67ab05310269b1534d02be4afd885f952d4a231df6c232bae4313503c4ea

C:\Users\Admin\AppData\Local\Temp\f1m2fsqizv9lb

MD5 e8912822fc1e9efa844af889919fdcca
SHA1 79ea8febf0103cf8a05f62b1f1455519aded75a6
SHA256 abb006b464385a32220725b4ce67341c62204bf7d83aae8f9ebdc03a7d4b3697
SHA512 f80925f477e8eb53415581e6ceae2924d84adcd82a20b9acb0d76da4e2ad6e25dfc99bd30338379712ae1f0c135d99f2bf6320c7498cabfdaf7d8a761f7dd66f

C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\nsExec.dll

MD5 1f49d8af9be9e915d54b2441c4a79adf
SHA1 1ee4f809c693e31f34bc6d8153664a6dc2c3e499
SHA256 b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782
SHA512 c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\2us6otf8rec

MD5 e3c061fa0450056e30285fd44a74cd2a
SHA1 8c7659e6ee9fe5ead17cae2969d3148730be509b
SHA256 e0e2c7d0f740fe2a4e8658ce54dfb6eb3c47c37fe90a44a839e560c685f1f1fa
SHA512 fe7796b4c5aa07c40aa2511a987fed59366d3c27bf7343f126f06cb937bfe7a7d8bd6cd785a7e3dc9087b99973e8542b6da7be6eed4585bd3cee13164aed79b4

C:\Users\Admin\AppData\Local\Temp\xhzrnnqqwhhdmt8cm99didtx.jpg

MD5 ab84da981e287e44d11648d29cdbb882
SHA1 df014a3743b9a2e24a4cec5b010a42228226e7fc
SHA256 b081c56d67dcf29c0edf5623756a58a1bb8ad834b42e0c79390db5336db86280
SHA512 03205afed55dc7f771bae1b1d4eaf76f508f45433f8480a655d5667b4a30eb1a49bfbc33e6263915fd6d141a4e6338313f1c9219a11ad3c46a9c6c79f4f07109

C:\Users\Admin\AppData\Roaming\INT\pqb3w3

MD5 54b108d7a3882812e5f9cb5d3275ce5c
SHA1 44a9ea2494b3e8ad2dfa7d9f4d2fe7748b978974
SHA256 b74e873f8604997e444b01a97a024bd56d005f136dfdae9e060b981cd7d0b571
SHA512 e1159a636d10a86f5d2fddd2b4b05a63f4bd10d8dd782e060287c97af597061aa3782429ed43d0023c31498fd800d6ed66eb5daee28455a8d0393263b9821774

C:\Users\Admin\AppData\Roaming\INT\regsvr.exe

MD5 28c4c35aed7949277a9c68a04a113114
SHA1 2a845df5253b3f5becb9c83527c9bfd3113be092
SHA256 5c80b0ced982b868d7e2ba6269509f597a05704fa6d86a30e8d51bf5687c3361
SHA512 ed4ca23c7efd4fbf39ae50dc14020aead7d515e27b002aa2dd7a5417ba63c550d19120f84ef7058147035dfbc55f937debbde61bcd1af2e2070ae6b04b786618

C:\Users\Admin\AppData\Local\Temp\nsp5E9D.tmp\ShellLink.dll

MD5 aad75be0bdd1f1bac758b521c9f1d022
SHA1 5d444b8432c8834f5b5cd29225101856cebb8ecf
SHA256 d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7
SHA512 4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0

C:\Users\Admin\AppData\Local\Temp\sv0e6tcmn

MD5 84d499f558570c32f4cb100a9124890b
SHA1 9adfc7ab66348d84ebdd9c1e8093cad4cc8485ef
SHA256 31b3b228382dc359f22ae97b2602eee81dc743fb21196061eacc6619533881f5
SHA512 560aaadebcbd425d35fc3a567c987a5f15a5f091962328f0479c1ec2378c732cca892eb3252179c8895413b0f3d08f44fbcf8c9d2375877c81622f42e6549c86

memory/1372-95-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1372-96-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\regsvr.lnk

MD5 33d60f1699d2f36353b0ea8ada635794
SHA1 0f6ad44cd7f5b2169f0deb7c2b77a1e2719ae707
SHA256 2f1ab3bb15e516d1f112ff686e9ec5be23cfd23acdb9253d52014c7123914ce2
SHA512 409f46e0c49064f435a21cbcc468bbd05dd4e2b25fabdb20ca16b60a326d2cc7fd4488b6c76f77e1d48f130a39652b72bd81e5d766ef6c3302dc83fd541da083

memory/4912-109-0x0000000007000000-0x0000000007011000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\tv.cfg

MD5 1a1bccb79e089396dbf09152bed8cd6e
SHA1 90945b294f47c63dbb80c9206aaf5c33410e760a
SHA256 594d6e39da16cc7bfe4258a639e5b98087234b84f6955b36f322a3327f69aa5a
SHA512 ec5cfb3babcaf6ce6161b5519bb4e0c1375731ff8647b6a6fbac073fc7af48feb0ddcaff0cbd757907645ef795d2d2015839e269ec9fe547e5efb3a42421791a

C:\Users\Admin\AppData\Roaming\INT\h7we97gmledmz9.jpg

MD5 351cf626f899fbf851ed9bc15bcfe4e3
SHA1 c108746906bd01f5b6a1a22d41184528c91d6c99
SHA256 3d4820e1178605a257851fc7ddd33f12e9b9d49a134e5c1abbc2b624e5859c3a
SHA512 c4aa0855ca081ad38499e22c10e9854b63e8e98eae84d92a11c2c4efcd74c73118b1e544c8d780490aa2c58f6b89834ac60adea23c8d362ceae9bd33ffb46218

C:\Users\Admin\AppData\Roaming\INT\TeamViewer_Resource_en.dll

MD5 97878dceaf0632f49b75601e998c53e1
SHA1 ee60be147721e2c4ef5d7d6860fce8645b2088e6
SHA256 a40088e36440f9de74bbd2d6e5cf969ab42ff629cea6d685cc9d8300b91b5028
SHA512 9691057e6f0aefeac2c4275c278ac8cbe5ac95d820bd92b2e65c0d8aee6768241b4832b31db7df2e0b203c77b2c486662bdd31c66892b84bb2a49edabda9abf7

C:\Users\Admin\AppData\Roaming\INT\TeamViewer_Desktop.exe

MD5 95b5331ae88259d3a9dda90f2a29905c
SHA1 3df3d52c6fc9e1811954a0b66c0e29f52f844a8e
SHA256 9fe4685f1d76b3c0ff80e2b9348d5f1b5a7856d472ae4be4b0fe9d9c08d32669
SHA512 e9e67334758f2261131310b1ecf9dd9f6d70a123b3519110ec781d3dd26b7832734cee45c6643809b741d74b0c9d9f3b3abddefb427a4d691a31a9cef81848db

C:\Users\Admin\AppData\Roaming\INT\tv_w32.exe

MD5 7d90bdf0f9c2d9224d8b4d5d2f195506
SHA1 aa1bef60878b8c43c6fd763a0bf83b65a488ba81
SHA256 c96ed3b60727973d746834eaec3df520447a039dc447f717f6cd32335e2dc1d0
SHA512 4b08e6b4da089d46ce806baa1c3896d46bf9aa3598141502c3dd62683d97a50e560e48c1060bde0e959b3e33f05b1fc43056cf99b2252a9a1a0099294bd6a5b6

C:\Users\Admin\AppData\Roaming\INT\tv_w32.dll

MD5 d1cae98656bc6703e21f4580b8830dfc
SHA1 d0c1f9219380ae73c5b151e5c7afa9e11c07bd97
SHA256 d2b39bcf9ca3888887fb84a0897fcb80dccacc5ccfb5a66357e3dbdcafee3904
SHA512 1270c00a01be2d8e27dc31a3e355eee8e5f56330674ec9776e2a5c6ba7990c3a4d4eccc501675e83e4baed977ea94dde2c857f63400564b85a27a94910d07cae

memory/4912-134-0x0000000004280000-0x00000000042A7000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\tv_x64.exe

MD5 e0331b54a56e7aa48f97b4956bcef769
SHA1 2907cf777d6cf92656c8de211093751e12ddf9c4
SHA256 7a487c2cba93e7d6963930c5734f14d6cf17e85fc2316d6aeccd617100a1ff9f
SHA512 dc423898519ac48ca0b12e72076e7e9441e35f0fbc409af95b90288f3fefe23a2cd4a4b9c83e1a3dc123b0fcd2ea4f8ca981bb667be56be2cdcf8ad4df047aaf

C:\Users\Admin\AppData\Roaming\INT\installvpn.pg

MD5 1dbcbc0aeefbef5a941ecee7568bb7d1
SHA1 9061ff9830499ccd2df0d20afd73373f766659de
SHA256 36c60f63fb12f9df18afb3e255b44d96ead54c9d48dcb4638e12b1a54475d0c2
SHA512 3b0adc6e7adac47e217f5a77bdbb35e2f633b47e661598163f6b1832e05ce064c8b7bff10710f13fd771673aff3cf7da804508fb5a72e28a8b50d28a43e54e91

memory/4912-143-0x0000000007060000-0x0000000007063000-memory.dmp

memory/4912-141-0x0000000007060000-0x0000000007063000-memory.dmp

memory/4912-139-0x0000000004C20000-0x0000000004C23000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\scankey.pg

MD5 b65ee713a834f3e0712cc5d0f494f8cc
SHA1 231ce0ffd58502dca27eaa5653d07b7cfda76b36
SHA256 7fd3d650ffea9a2c4bb43770985a39d393d100c01569fd06fa67ff45f6403566
SHA512 bd60aa037901fe5b721d3637037b7aa5a01522912683c0274a16665c66f99cae01ed59cdc7f8a78b1674a1fd08f759f9c6edec3bc4b61b3ea6bf2f9f3e5e4be7

C:\Users\Admin\AppData\Roaming\INT\rdw.pg

MD5 1b8ca0bc04d94d0bf2fbc128d49a3c44
SHA1 34512c7376ac65ace1693b8fe5833c9f6672eb1b
SHA256 d9a301684e39a64c68f8a17374bf67acdc98fd17e7be79b610eda0ac09446e2e
SHA512 c23334942a5d1ea5ef6575a77d6bd8e813d1ef165ffdb246a1970cbb6f42bb6b80851c40ffa4d00093a5470e74b0555c458c5f209a6987fae7a632e6d653a475

memory/4912-144-0x0000000007750000-0x00000000077BB000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\x64\install64.exe

MD5 112b0c8b6b0c0a6c24f90081cc8a77d0
SHA1 1776a73316baeeb818884196a54f49d1385c06c8
SHA256 f627380e9de14af3eb5331bb9a4d559b2c970abacff038ea464044ca1ef62163
SHA512 1552b267931004d8936058f5cac49dc618eae2224ea3b082f1d899cd1b2c1cb7eaa98ac7653740fd07b2df40abbdd2d6318a9bed8794bb7a8872e379a50ef585

C:\Users\Admin\AppData\Roaming\INT\x64\TeamViewerVPN.inf

MD5 447fc733747db11cd4492ae01c5652fe
SHA1 2a70dcd391464cb8d3736322e07e966e105d396e
SHA256 a817b0e8a669d5acaf2ddfbc95acf2a1213b092b44dc896a0ee4a5301d06ebc3
SHA512 238099db072af55445d421e941944abe8a6f52a124a26cae84c1dd52fffafc4dac5586d0c7407b461cd0db8e771e1dbb6ca34aee84581b24347f401410b2afe5

\??\c:\users\admin\appdata\roaming\int\x64\teamviewervpn.cat

MD5 5cffe65f36b60bc151486c90382f1627
SHA1 f2a66eae89b4b19d4cab2ac630536af5eeeef121
SHA256 aa7c09a817eb54e3cc5c342454608364a679e231824f83ba5a2d0278edcc1851
SHA512 1bd48ef66f8714e7e9591043d03bd69a30881ed3d0f2463b15750a3282df667ffb076b3a92358eecedae0e54485b07d702667e8fe0af64c52be04db47145920b

\??\c:\users\admin\appdata\roaming\int\x64\teamviewervpn.sys

MD5 f5520dbb47c60ee83024b38720abda24
SHA1 bc355c14a2b22712b91ff43cd4e046489a91cae5
SHA256 b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0
SHA512 3c5bb212467d932f5eaa17a2346ef8f401a49760c9c6c89c6318a1313fcbabb1d43b1054692c01738ea6a3648cc57e06845b81becb3069f478d5b1a7cbcb0e66

C:\Users\Admin\AppData\Roaming\INT\tv_x64.dll

MD5 dcd8cda46bb20ff09c8c8be8be2f3098
SHA1 f39483343c5f95011131048cc0326ab1d034ef29
SHA256 a21dafab3d25f88d7001de9437f0a01c72d66db0c1a190dd5acdb2cc38ea9513
SHA512 9d28691f3532f8126429940623872503560c3244d111b64d3e598e08d961f8bb05efc87247d5f78b288506d8e77e08a9ce20c76cc8ac14b28a84d26f2d8f8565

memory/3988-227-0x0000000007000000-0x0000000007011000-memory.dmp

memory/4912-228-0x0000000007000000-0x0000000007011000-memory.dmp

memory/3988-232-0x00000000042C0000-0x00000000042E7000-memory.dmp

memory/3988-233-0x0000000006030000-0x0000000006033000-memory.dmp

memory/3988-236-0x0000000006040000-0x00000000060AB000-memory.dmp

memory/3988-242-0x0000000005FC0000-0x0000000005FC3000-memory.dmp

memory/3988-240-0x0000000005FC0000-0x0000000005FC3000-memory.dmp

C:\Users\Admin\AppData\Roaming\INT\x86\install.exe

MD5 b36c5e40f25c8afe8c8acc7e895d9c6d
SHA1 e3ab57d8cf17aa6156d417963b02a2e659a5c5fb
SHA256 64f42467a18009ae3d7cd24ed140141afd31826761944bd4e1891ea9f02411c9
SHA512 6902789b6d44b7e6caa6010bdb5fb05073cbee1a5d51795cd5854ac7ab18c9eda1620dfed9249c0afa299646947766f5a53e9ef8d60a89eac8e8cc5c9570dfe9

C:\Users\Admin\AppData\Roaming\INT\x86\teamviewervpn.cat

MD5 e5c3624879ebcc3e37431c5163067e35
SHA1 ed87210b0747c88124ef299dc07695de022bcd4b
SHA256 28a25533a42223867256e64c1a75a9fa4831cd09e12a1bff3c63930583333a9b
SHA512 a1142e2fbf62a6c9be2e47d697919bc0eafdbaec62b10b98dee3ce75e2897459a86a2911f1d80429c30509ecc9471b68d00172df6f522a65ad315ace0a83c290

C:\Users\Admin\AppData\Roaming\INT\x86\TeamViewerVPN.inf

MD5 ea43320244bc11fa4445e80294a5330e
SHA1 310aeaed480baea80adb7831bb973301bf0be96d
SHA256 6f15408132b38c37e1d12998d0df67bbe9664c4e0e927d5f87896fc251653769
SHA512 e78a5e34e67d203c66745ca87dafbe9cccbd0463b0b2bda035d4e6fca5f05a7677d8791c7c916b15f7649328ebf6ee7c7f688a04615a5982c51cce27137333d5

C:\Users\Admin\AppData\Roaming\INT\x86\teamviewervpn.sys

MD5 9101fffcfccd1a30e870a5b8a9091b10
SHA1 1ba11156d8afa2a0ae537404d156b8e12f68b86e
SHA256 58aab0f6ff78fd0ecdd8d9da1b6852e9e57e3daa39489abddba106ece0b3bca7
SHA512 065a2bdef94aab5f9c8927bb39eef7698a83f3cb50c71d2bb35fb219fb259683b861388a3ac948694dbd4c44a91a5a10657f41f438bf9396c75dd10872651804

memory/3988-247-0x0000000007000000-0x0000000007011000-memory.dmp

\??\c:\windows\system32\rdpwrap.dll

MD5 461ade40b800ae80a40985594e1ac236
SHA1 b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

\??\c:\windows\system32\rdpwrap.ini

MD5 398be25b8f112ffcb06c8fed2cd23cfc
SHA1 5b159798d57e5e302a2970e9bf1f7b8c95516655
SHA256 db1d30ec1fcec8186b0ec01b8a2984244b3393dd7883be442d983aa4cbf29814
SHA512 b26f1c90ce79bd62c4198d7d2bf42fb2e3ee70f3093f167bfdebe705c0f7b83c1563b135accbfa329a888110f5c43ee69491469fcae5e643abe2706b585bb371