90dff6a1f907f9b4643d0dc6d5b7d4f036041f8eee8fb6eb862c8984d6732b8a

Analysis

max time kernel
142s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1ede0578b6beba738256886fbad479a_JaffaCakes118.exe
Size

7.7MB
MD5

c1ede0578b6beba738256886fbad479a
SHA1

1e7bc64654e61ec9626552c11749fea9394f69d3
SHA256

90dff6a1f907f9b4643d0dc6d5b7d4f036041f8eee8fb6eb862c8984d6732b8a
SHA512

e7848315a4aab6b551e8460a53e8365cc5d40efa6b9e6a78689075bc1b17abda02e02ad8efd4be360aecced061730a663cbca34f326c1a6cf475113f8bb7e8fb
SSDEEP

196608:VdsE/YFow3sp9LcK8yN0Ar5OhOI94J8/jsNmBDFGvo2ywahrYFwao6:wEwFz8pVcWJ4xIsB5eNShrYU6

Score

7^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	c1ede0578b6beba738256886fbad479a_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
1028	vcredist_x86.exe
2440	VCREDI~3.EXE
3740	ARTLToolbox.exe

Loads dropped DLL 4 IoCs

pid	Process
4904	MsiExec.exe
4904	MsiExec.exe
3740	ARTLToolbox.exe
3740	ARTLToolbox.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002342d-183.dat	upx
behavioral2/files/0x0007000000023437-189.dat	upx
behavioral2/files/0x0007000000023447-200.dat	upx
behavioral2/files/0x0007000000023442-197.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist_x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VCREDI~3.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll	msiexec.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\InstallTemp\20240826004022581.1\8.0.50727.762.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022597.1\8.0.50727.762.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022581.1	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022597.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\mfc80FRA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022534.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022222.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022269.0\msvcp80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022347.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022347.0\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05.cat	msiexec.exe
File created	C:\Windows\Installer\e57b48f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB9DB.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022222.0\ATL80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022269.0\msvcr80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022347.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022581.2\8.0.50727.762.cat	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022269.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022597.0\8.0.50727.762.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022597.0\8.0.50727.762.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022347.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\mfc80CHS.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022269.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022347.0\mfc80.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022347.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022534.0\vcomp.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022222.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022534.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022597.1\8.0.50727.762.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022269.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022425.0	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b48b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB630.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\mfc80ITA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022581.1\8.0.50727.762.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022597.1	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\mfc80JPN.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022534.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022581.2	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022347.0\mfcm80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\mfc80ESP.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022581.0\8.0.50727.762.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022222.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022269.0\msvcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022425.0\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303.manifest	msiexec.exe
File created	C:\Windows\Installer\e57b48b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7299052b-02a4-4627-81f2-1818da5d550d}	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022581.2\8.0.50727.762.policy	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240826004022581.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240826004022581.0\8.0.50727.762.policy	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1468	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1ede0578b6beba738256886fbad479a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VCREDI~3.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARTLToolbox.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e7a671f193ce7b7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e7a671f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e7a671f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de7a671f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e7a671f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\PackageCode = "ECF0C5769D85D534A98DCACD5B08A8A3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e00370030002d0054002400210028002a0026004e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e005f006a0030002c0059005d007300210053006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0\VC_Redist	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\ProductName = "Microsoft Visual C++ 2005 Redistributable"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0021004d00210026005a005a006300300025006e00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e003d0024006b00600049004e005d00490038004300650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0035006f00300068002c0070004d0076004e003d00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244\b25099274a207264182f8181add555d0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e006600720038005f006c0028006d0032004e004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\b25099274a207264182f8181add555d0\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e006900450024005b004d00310025002e0064002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.762",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 65002a0063006f004c0038003f00510056003d0078006f00420068002a006e006500390040002700560043005f005200650064006900730074003e0036006b007d00700048004c004800240053004400650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\Version = "134274064"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\b25099274a207264182f8181add555d0\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable [Disk 1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2128	msiexec.exe
2128	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1468	msiexec.exe
Token: SeSecurityPrivilege	2128	msiexec.exe
Token: SeCreateTokenPrivilege	1468	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1468	msiexec.exe
Token: SeLockMemoryPrivilege	1468	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1468	msiexec.exe
Token: SeMachineAccountPrivilege	1468	msiexec.exe
Token: SeTcbPrivilege	1468	msiexec.exe
Token: SeSecurityPrivilege	1468	msiexec.exe
Token: SeTakeOwnershipPrivilege	1468	msiexec.exe
Token: SeLoadDriverPrivilege	1468	msiexec.exe
Token: SeSystemProfilePrivilege	1468	msiexec.exe
Token: SeSystemtimePrivilege	1468	msiexec.exe
Token: SeProfSingleProcessPrivilege	1468	msiexec.exe
Token: SeIncBasePriorityPrivilege	1468	msiexec.exe
Token: SeCreatePagefilePrivilege	1468	msiexec.exe
Token: SeCreatePermanentPrivilege	1468	msiexec.exe
Token: SeBackupPrivilege	1468	msiexec.exe
Token: SeRestorePrivilege	1468	msiexec.exe
Token: SeShutdownPrivilege	1468	msiexec.exe
Token: SeDebugPrivilege	1468	msiexec.exe
Token: SeAuditPrivilege	1468	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1468	msiexec.exe
Token: SeChangeNotifyPrivilege	1468	msiexec.exe
Token: SeRemoteShutdownPrivilege	1468	msiexec.exe
Token: SeUndockPrivilege	1468	msiexec.exe
Token: SeSyncAgentPrivilege	1468	msiexec.exe
Token: SeEnableDelegationPrivilege	1468	msiexec.exe
Token: SeManageVolumePrivilege	1468	msiexec.exe
Token: SeImpersonatePrivilege	1468	msiexec.exe
Token: SeCreateGlobalPrivilege	1468	msiexec.exe
Token: SeBackupPrivilege	3116	vssvc.exe
Token: SeRestorePrivilege	3116	vssvc.exe
Token: SeAuditPrivilege	3116	vssvc.exe
Token: SeBackupPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1468	msiexec.exe
1468	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3740	ARTLToolbox.exe
3740	ARTLToolbox.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 2000	3848	c1ede0578b6beba738256886fbad479a_JaffaCakes118.exe	87
PID 3848 wrote to memory of 2000	3848	c1ede0578b6beba738256886fbad479a_JaffaCakes118.exe	87
PID 3848 wrote to memory of 2000	3848	c1ede0578b6beba738256886fbad479a_JaffaCakes118.exe	87
PID 2000 wrote to memory of 1028	2000	cmd.exe	89
PID 2000 wrote to memory of 1028	2000	cmd.exe	89
PID 2000 wrote to memory of 1028	2000	cmd.exe	89
PID 1028 wrote to memory of 2440	1028	vcredist_x86.exe	90
PID 1028 wrote to memory of 2440	1028	vcredist_x86.exe	90
PID 1028 wrote to memory of 2440	1028	vcredist_x86.exe	90
PID 2440 wrote to memory of 1468	2440	VCREDI~3.EXE	91
PID 2440 wrote to memory of 1468	2440	VCREDI~3.EXE	91
PID 2440 wrote to memory of 1468	2440	VCREDI~3.EXE	91
PID 2128 wrote to memory of 440	2128	msiexec.exe	104
PID 2128 wrote to memory of 440	2128	msiexec.exe	104
PID 2128 wrote to memory of 4904	2128	msiexec.exe	106
PID 2128 wrote to memory of 4904	2128	msiexec.exe	106
PID 2128 wrote to memory of 4904	2128	msiexec.exe	106
PID 2000 wrote to memory of 3740	2000	cmd.exe	108
PID 2000 wrote to memory of 3740	2000	cmd.exe	108
PID 2000 wrote to memory of 3740	2000	cmd.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c1ede0578b6beba738256886fbad479a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c1ede0578b6beba738256886fbad479a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ARTLClean\run.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\ARTLClean\vcredist_x86.exe
    vcredist_x86.exe /q
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /i vcredist.msi
        5⤵
        Enumerates connected drives
        Event Triggered Execution: Installer Packages
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1468
- - C:\Users\Admin\AppData\Local\Temp\ARTLClean\ARTLToolbox.exe
    ARTLToolbox.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:440
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD50DA4A195F5C656D426BB2F2A19587
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b48e.rbs

Filesize
50KB

MD5
f75b8a89abc1e31c73ddbe4224bdd9e8

SHA1
04accc6a3d0de265a028f2a384f5edb305e53034

SHA256
19611b52eb5b6a22c3a793d09063cb14092f7ba51c914b4d539cf4a6ce30f91d

SHA512
8895a295bd45c5968261b648288aa7bd753fc3c4edf7dd8c35d5fa5f0867f45aa7beb751250eb867519a0b8cdf76489cd273ae6edd648ae94ddcae6858fbb627

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\7Z.BIN

Filesize
229KB

MD5
9eccdfec830e8cf6ed6e7d02019af35b

SHA1
87700229cdce11a05113c418869cd3f05be058b3

SHA256
ecedf073e0c34254bbebf63ed3a33490c33f6a4c624382d4c78fe785d9bac005

SHA512
436ed21fee5ca9cc5ce2624cad25ab104a46f7ee569f548335ce790149fbe2bcc29ba931d2185131e7ec3de85360237c86cd88d49ce26c74275c7e352ea00f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\ARTLToolbox.exe

Filesize
1.6MB

MD5
fffe60e6a1e720ded31940a6f1646a75

SHA1
81ce9fb469fc74283f694f410a67faefb61cce40

SHA256
010c304d75210183e4bd6e33fbdd64f878a3984e780aa3324c7ca2df5384ec14

SHA512
9c18c3abe78983bf601b6647168a5d8b39ff78c24fa183caab75d9827919ad9523dc74fc9aeccff7b84631eac2c7fff86dc823445751434080babacae497a24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\EMPTY.PTN

Filesize
24KB

MD5
774c487225bbb306c39461016cf6e7db

SHA1
dc80dd0910b13f94fd0c5cdf4b275173ff4624b9

SHA256
7cabab2776756bf2d46895676a72a6e1678e88a2a92da9ee4d2f5ce9277b0b74

SHA512
9ba5e80b074db1e44ba81937a2d927186f6341beacc18c5be77a7dcde1f25957ea19c51a517e0046b166af45387bafd95722af55a41b94553dd0570cc452a232

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\SIC.CONF

Filesize
26KB

MD5
b7e82a9b0df3accaed2ca5c5dd89919c

SHA1
09fc4d2ea33adf717dff5ed7438ffed8d4e8a28d

SHA256
175077706bbdf160a0f2029d626550988b6a2ff02f7b28f40756ee5ac07b5a86

SHA512
850a544d20a507c62b8127273a74cde0f94ebe066ee5ae16cc37d0c9e8945ebed67be21eb56973480ac496f4ef9a2a45ff9de9c56b878df814588b0cd851f693

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\SICBASE.DAT

Filesize
188KB

MD5
befa19c975dc2608ab88f9510c5f5568

SHA1
e90ec4322ffc2b695851deb9e142ce6c608f73de

SHA256
9b052312d8f661cea9fac53f89f3361b5d9bccddb295fb45689cb515e3817d13

SHA512
1761ef01300795428fd622eff356b42e7a615c6dff321ebdb8a9cafb7fbdae58787d7c874fcd906a7e4b8e1043676285deffdb15191d6aa5bfd98929d6f4cbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\SICWIN.BIN

Filesize
2.0MB

MD5
7871fe235f3149d44270a492461b1e60

SHA1
23ddd783c0088549424c780905d2d250e1497ca4

SHA256
7bac2888de17081fbf0898b2b91335fa44bcb7892aaec297ed553e771d031a08

SHA512
ba9f648e31cae8c7f5979f9d605a5987397a2e4105db82988ff0a5adf09bb2171fdd636130bfdc10cfad79b9e2f7b6975ee72df84cdb61a5733371e59fccab32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\SLR.BIN

Filesize
644KB

MD5
52305c7703f3e339270bfec2d5fba4ed

SHA1
80041e584c332f7c97a0874faca248d2cb040d59

SHA256
8e385aeb69326784191a37ef275f8789dc9e8d99b7087eba9219206f49aa84c8

SHA512
8a239205f1196f75ea47e808e24e538b18791e5b9ec3ac09f5d6d1de99768a033317a875131399fa091ce4c7e2c6f1a06265be1a2bd15ee09734de1b165ec7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\SOS.BIN

Filesize
190KB

MD5
193be2f16f7df778079974a5887e2647

SHA1
7425464a8fb5bd2e4a312496aee0e0a954ad4fc6

SHA256
9cb39d50c1c7c6986afcb85524c689c936bc9c5f67d78197ab4d6e61d58355e8

SHA512
7a385f02c201e909170d59cecf8188db73cf26692659c504e533cdd9a0969da09983ad64673473920d693b6f11344a8e350b8ba669132e21a1450dc696d35e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\SSAPI32.DLL

Filesize
1.2MB

MD5
00863ff8c03d85806bcc26053bbdd6ec

SHA1
05354ad1445d5b88415b963f07880afadc9f526d

SHA256
d4202d630a58dafbbf65094b154489a841b168c510f7d4938cd6e7c088a47b97

SHA512
27aa9f958fe4d684d5867e381f13f6cfea5ad9a6971c66b8a2f5d1dc124ed0650eb9071c6a6fe267ccfbebbd736f8c5840652a19b3abf4bc793e650672a672ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\SSCAN32.BIN

Filesize
248KB

MD5
4f03d8cd9c3e25a3d75e5e2276a9c860

SHA1
c5cce7e80b21598334c9dd28cbfe613cc8c9e8fd

SHA256
a0c2a17d7201eb1e7213e3f87eb689506b507209c221f00716efce51084aaf2c

SHA512
18c1036602e535fffd17f68056ef2a2d455d3c4decbcdc1de39e245da265931c96ff38007157cb483bf0752f759b6e2c74f824a2f92dd1c0d33b11be9124a653

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\TMCOMENG.DLL

Filesize
1.2MB

MD5
97f201b89274db6208852048991a329d

SHA1
c3cf4d07726274e2604b17d89e728263ed20cd38

SHA256
32cb804105798f6389f8c1bc8aecbf8c9c6c7b7ec436b824c047a2c4648592b9

SHA512
06871e2d54d89dbd780cf675161d14b89514abe54b0c194120b1d9f71e830bc163f2c477a6036dd1b6503c45e7afaa17d85289dfe3a6091bc645343a6949f386

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\TMCOMM.INF

Filesize
2KB

MD5
c90ce2b246acef8154f5441678b5d208

SHA1
c1ee9de63c34551b0742c8142d4f11ad39baf646

SHA256
6ca46b5ff44a6f92a1b09594a10c402d199d0c227c2e2d4a2f49bc24f0642b02

SHA512
a77ad0f55e21837fdd1c2d16496f3c56bea9e5986f3c41e6088a66aaf9bf4d3d17a0693c513a0cd9a2900412531d7a5bcb38c5fd4d35ba9b3df5889b6601399c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\TMCOMM.SYS

Filesize
157KB

MD5
91c8ed783527718b05e6d170e4a0d242

SHA1
44374cd30afd51c8b86f533bacbfdabc31950f40

SHA256
cec4e28ba6c5a4c92dfa569672a802f34828b9aaeb475c648ebdf3dd9d87a454

SHA512
d747532498174d8093e318548c7fddbe352d3f985c76a80f8b005d5546364529c904f123a45603269741e064e2869471ebc434fb54faf3fe8fe6ca55f04e4156

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\TMENGDRV.DLL

Filesize
257KB

MD5
72486990beb1f58c520e6d8541d90495

SHA1
3a4a3c8282420771f10e82e50bc47d8f16f1e390

SHA256
8009813ebfb2f6acb1f4f2a13edf3c795124aa99a9b12ce9e3c4bb4de748f5c7

SHA512
06082618ccc7ba81946617d42447aa055ba4f58e33a0d1ecf17db7d132a8380d5a301d03bf26a0682bf8cda0692391b87353d4d7c26b93ccc039a7c464bed11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\TOOLBOX.CFG

Filesize
97KB

MD5
6419ea327989fa0eb764a1e8b979685e

SHA1
096b6c10d773319b4874642de38c936fe0daa37a

SHA256
9cd49279a72a402487f96730e9a335a84b0046c36d7842a81912262cea91cdd1

SHA512
9614ee1e43ecb5e48d1045b4275dcb27eedfa32d9dff7ea8e2d79d3ac8433f8e0b8e58a2f83da6076af198af5d1303c356b42b594bad8873d7df988b5528334a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\TSC.BIN

Filesize
409KB

MD5
237046c943a4b4bee0a8ae3a215a1477

SHA1
b8ed5de59aaa98e71aad90c12d4438eef1dcc772

SHA256
eacc341681151df1568339717abc1312d2548e8baf32363a8c77b2f223cf4987

SHA512
fd62dc6748ffd334b06b0cf9c8b931ab1dbed0a65abe3feabee81a4d9eb06f330688ff0d0219ff557a52e559e4f7072601249dd3aaaf89997553802cada50a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\TSC.INI

Filesize
1KB

MD5
60a182365f5e9fe136febb48391cb82a

SHA1
32f77bae0bdb58476cffcd20aa8fbe43d5c3ccd1

SHA256
ba402ff83ac6325b40f06c8abb1d8077a3bcf3c375e8f7a0d63948653d348d04

SHA512
0ec3cdd4d3219fc5800e85c16d4ec401c9b3d434b9d92f0910e2b7f0c10d6fb92dcc05499c87ff4bf051ff9f1dc773c831a2e5a1e45f2cf074598dc5465cb71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\TmSigChk.dll

Filesize
11KB

MD5
38644da6e794c301331c4348fa01ea17

SHA1
dd5b5326e63e0721b5693bed765959870419ff62

SHA256
d5b71df6467272c31baa27cafc2d9e56497685654c9280306dad2db5efa0d26a

SHA512
719cd8f424b5bad3742041cbaf285369efce9fde4ef44df97afa31c82137d7e69c1daf788665065257ea6da72f6a2b0bb93eb93c04035d11589909393123cd71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\VSAPI32.DLL

Filesize
1.3MB

MD5
5adf2f6a257ba83db961d0795ac44a1b

SHA1
adb1d5c70f2ba3ac5e0eddc4732a68db16f16042

SHA256
c451f27b6aed5266b30969c9ffa48521518e1fb3dd05fa9b8ac466473c4fcf10

SHA512
9b43978df9a8a3e2dc6ef15b35dce68bc8d16399785cc68e7e9794ba47893ad22fb49c3989f1aabd10433b76a36a732fc71c8164f9ce73ceb30eb4ee9ae4a4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\VSCANTM.BIN

Filesize
187KB

MD5
ca400ca15b12e6f71dc541d6244d3ba1

SHA1
c4485bf1ad2cafadf5d49e6c883db9d295ece510

SHA256
cd7b9c74c8ed78304dd931747ea96fc0d0b7a94a20a8187fd48d27785912418e

SHA512
5f2d3bb292ac5577a7e229c019cfab86040962034c5fa3cbfb1b81b557f1c912346bbb59d492a9a0cb0dc28805ac0c815d867c3da05af564326385f75deccb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\run.bat

Filesize
150B

MD5
4cd0832ed2a03c08e787eb982ef4941b

SHA1
997e2a78f7312c5a9b793ee32d9998708739ad49

SHA256
8a084f726a42edaf6d0be57cc8927cf233029913efd8f377ee8abd3989b449d6

SHA512
ec3fda84268bb1fa342537a62f8c9fa15893f54c0497f37973ef4d1afe24da0eb5507d2a6537b67531e058aab14d58d3daff3b60470c35fff62d9362bde1d502

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\tmufeng.dll

Filesize
313KB

MD5
c9a2f21677b0cbabdaff11569f10bd95

SHA1
8d49dfbf41c2ebb13810f3be9cfb1c8db1b42c5b

SHA256
2f9bd2d227669c40bb6349c4691db5806fb89e8fe83ae3b2f0f95526c66e1401

SHA512
3ba606dc03d2596e98684ea6c90fd1db46e45dd56c34090f1a2c14d49925072cc1bd1943bca8a3546400ae86f1dfbbc6bba6fd3cccfa0c99f9e9cae700a0aee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARTLClean\vcredist_x86.exe

Filesize
2.6MB

MD5
5c82be7ad1775b67916ee19c15b99331

SHA1
7dfa98be78249921dd0eedb9a3dd809e7d215c8d

SHA256
eb00f891919d4f894ab725b158459db8834470c382dc60cd3c3ee2c6de6da92c

SHA512
2c505476c81ad32a4904d57d9214bbaa805891c261e010b08055896dca32cfd426f4d13d14a96022fda9a5d8ecd638d65bc37baefed216a2517f07e9acb6939d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~3.EXE

Filesize
2.6MB

MD5
1f8e9fec647700b21d45e6cda97c39b7

SHA1
037288ee51553f84498ae4873c357d367d1a3667

SHA256
9c110c0426f4e75f4384a527f0abe2232fe71f2968eb91278b16b200537d3161

SHA512
42f6ca3456951f3e85024444e513f424add6eda9f4807bf84c91dc8ccb623be6a8e83dc40a8b6a1bc2c6fd080f2c51b719ead1422e9d1c1079795ec70953a1ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab

Filesize
247KB

MD5
aa85aa3738acfe30e197d9dfd5c3428d

SHA1
7f3ee53bd967265afe32b31d75b4f6c47363654a

SHA256
af3560ef0c55c7e4eff2170c63e7860498b5830e405a3841f96c91601e62e108

SHA512
e1bf248d6425f6ba91bf0a1f3d364321b09477af9be2f31f8bf6d92defbaddfbab8f3e6284262742378f1f87d60d06eee3b98fb081e60f9fb6f19c1797489861

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi

Filesize
2.7MB

MD5
dc1ab7ce3b89fc7cac369d8b246cdafe

SHA1
c9a2d5a312f770189c4b65cb500905e4773c14ad

SHA256
dde77dd3473d3d07c459f17cd267f96f19264f976f2fcc85b4bbbecf26487560

SHA512
e554b8b36a7a853d4e6efb4e6faf2d784f41e8d26edafbb1689a944bf0a7a4b58258d820a3fada1496b8c8d295d8771fc713b29127d54a3fbc317659b7565cbe

Download Submit
C:\Windows\Installer\MSIB630.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
204c26896bac930d81779c2fb9094ad9

SHA1
cb909820f37f7f3a0040ebd5e7670897af7ca800

SHA256
1606068f6d18eb6be17e617d7e4a5da18bfe2167a55d84d093962b409d54d9d9

SHA512
e79dfe07ccd2a8bb62caea2f3367418a23ea4c1a7413536d347d417fb16bc37b0c9ef3e0c668f07756c3a4fcf20f094ad0cd3a6057b4d9c71dd2f978d0325206

Download Submit
\??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{12e895c4-833d-4894-99e4-f1d8f6872089}_OnDiskSnapshotProp

Filesize
6KB

MD5
538e36bfec9041f694e9828f69e3bde7

SHA1
e3000bc423e00de3e3b158d7e2a4851ef708c54f

SHA256
7a652bacb6311c36b085f2b892512f0b257b3a3270d479e2de91022480626071

SHA512
dd1c96b39cb388a0ca9e632441e831ca46c5a09ff60dc6437cafa595bb1fe1639bd5f6ebe42e15b3ba96a2ef975a3bb7f51ca3bab645b7d559bb752d8864ab3a

Download Submit