e91bbc7a3407956d8e7df2f24b875b8cf01b89f3d619c1af8906b1a5299498aa

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe
Size

4.5MB
MD5

0a65588a9196e5fa84e6bf7833140998
SHA1

17cb241c28efef6c382cd49385dad7bc8be646a1
SHA256

e91bbc7a3407956d8e7df2f24b875b8cf01b89f3d619c1af8906b1a5299498aa
SHA512

aec9e3a4e22c8bded036d7128a1a197f130e19d802930121d2afca08d502d86aa6ba84d752ac4ba960ff3e29439c938c07872d0273df0c0dc514396f8e81298b
SSDEEP

98304:CNBf4LJfDU5+pZ5kCqGorFB+pKgvLdC9+z8e4KU9I:CNh4HnkCqfrr5gjdE+z8ooI

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
116	~DP6D12.exe
4244	~DP6E5B.exe
4948	~DP6E5B.exe
1540	winlogon.exe

Loads dropped DLL 27 IoCs

pid	Process
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe
4948	~DP6E5B.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nvchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\~DP6D12.exe"	~DP6D12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nvchost = "C:\\Windows\\winlogon.exe"	winlogon.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\Dot76D1.tmp	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsProBE.tlb	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\setup.exe	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\setup.skin	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe76B1.tmp	~DP6E5B.exe
File created	C:\Program Files (x86)\Expose\MySportTraining\Hrm.d6e7.rra	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Expose\MySportTraining\MstGps.exe	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Expose\MySportTraining\MstWin.pdf	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ius7722.tmp	~DP6E5B.exe
File created	C:\Program Files (x86)\Expose\MySportTraining\HRMd6b9.rra	~DP6E5B.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\datad64b.rra	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsP7742.tmp	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\setup.ini	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isc7702.tmp	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsP7742.tmp	~DP6E5B.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\datad65b.rra	~DP6E5B.exe
File created	C:\Program Files (x86)\Expose\MySportTraining\mstdd699.rra	~DP6E5B.exe
File created	C:\Program Files (x86)\Expose\MySportTraining\MstWd6a9.rra	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp71C8.tmp\temp.000	~DP6E5B.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\layod64b.rra	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp71C8.tmp\setup.dll	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\iKernel.rgs	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Expose\MySportTraining\HRM.exe	~DP6E5B.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\setup.boot	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Expose\MySportTraining\Mst.exe	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Expose\MySportTraining\Hrm.exe.manifest	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\Dot76D1.tmp	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\data1.cab	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isc7702.tmp	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKe76B1.tmp	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Expose\MySportTraining\Mst.exe.manifest	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Expose\MySportTraining\hrmcom.dll	~DP6E5B.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\setud66a.rra	~DP6E5B.exe
File created	C:\Program Files (x86)\Expose\MySportTraining\hrmcd6b9.rra	~DP6E5B.exe
File created	C:\Program Files (x86)\Expose\MySportTraining\Mst.d6f7.rra	~DP6E5B.exe
File created	C:\Program Files (x86)\Expose\MySportTraining\MstWd6f7.rra	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\cto76E2.tmp	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\iKernel.rgs	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Expose\MySportTraining\MstWelcome.jpg	~DP6E5B.exe
File created	C:\Program Files (x86)\Expose\MySportTraining\MstGd6e7.rra	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp71EA.tmp\iGdi.dll	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\setup.inx	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ius7722.tmp	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsProBE.tlb	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\cto76E2.tmp	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Obj7763.tmp	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Expose\MySportTraining\mstdb.mdb	~DP6E5B.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\isp71EA.tmp\temp.000	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\data1.hdr	~DP6E5B.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\_setup.dll	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Obj7763.tmp	~DP6E5B.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\layout.bin	~DP6E5B.exe
File created	C:\Program Files (x86)\Expose\MySportTraining\Mstd6c8.rra	~DP6E5B.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winlogon.exe	~DP6D12.exe
File opened for modification	C:\Windows\ODBC.INI	~DP6E5B.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DP6D12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DP6E5B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~DP6E5B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21D98482-146C-4EBF-AF1E-B04395110005}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib\Version = "1.0"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\ProxyStubClsid32	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A74C06E4-12DF-4060-9AA7-83CFAA66D604}\TypeLib	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\TypeLib	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E26CAD5-1B59-4D1D-9063-2D91314C9E45}\ = "ISetupMainWindow4"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupFeatureLog"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupLogDB"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib\Version = "1.0"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\ProxyStubClsid32	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E26CAD5-1B59-4D1D-9063-2D91314C9E45}\TypeLib\Version = "1.0"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FFDEFD7-3EC4-4E5A-9EFC-AD04E14A9934}\TypeLib	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid32	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1B9357F-24B9-11D3-88B2-00C04F72F303}\TypeLib\Version = "1.0"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FFDEFD7-3EC4-4E5A-9EFC-AD04E14A9934}\TypeLib\Version = "1.0"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91814EC1-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupCABFile"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5469EE67-1493-402F-8E2C-99936C9E4983}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\ProxyStubClsid32	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\ = "ISetupObjectReboot"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib\Version = "1.0"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B4D3EAE5-8A3A-4376-8B65-6A81293EDB1D}\TypeLib\Version = "1.0"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{787D0980-F63F-462C-86BC-FC23847C70F4}\TypeLib	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21D98482-146C-4EBF-AF1E-B04395110005}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ED19966-1493-4539-B9F5-97A6556CE8F8}\TypeLib\Version = "1.0"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}\ProxyStubClsid32\ = "{F4817E4B-04B6-11D3-8862-00C04F72F303}"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ProxyStubClsid32	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1ED19966-1493-4539-B9F5-97A6556CE8F8}\ = "ISetupScriptError"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\TypeLib	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B4D3EAE5-8A3A-4376-8B65-6A81293EDB1D}\TypeLib\Version = "1.0"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\ = "ISetupShell"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BD0749C-12DC-4D2B-A4F6-9E52F0F38A6C}\ = "ISetupProgress4"	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	~DP6E5B.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B4D3EAE5-8A3A-4376-8B65-6A81293EDB1D}\ProxyStubClsid32	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4817E4B-04B6-11D3-8862-00C04F72F303}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\Professional\\RunTime\\objectps.dll"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib\Version = "1.0"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	~DP6E5B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AFED5DD0-0694-11D4-A934-00105A088FAC}\TypeLib\ = "{94636247-BC39-4B8B-A728-2D1FBEBFA76A}"	~DP6E5B.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	6912	vssvc.exe
Token: SeRestorePrivilege	6912	vssvc.exe
Token: SeAuditPrivilege	6912	vssvc.exe
Token: SeBackupPrivilege	1600	srtasks.exe
Token: SeRestorePrivilege	1600	srtasks.exe
Token: SeSecurityPrivilege	1600	srtasks.exe
Token: SeTakeOwnershipPrivilege	1600	srtasks.exe
Token: SeBackupPrivilege	1600	srtasks.exe
Token: SeRestorePrivilege	1600	srtasks.exe
Token: SeSecurityPrivilege	1600	srtasks.exe
Token: SeTakeOwnershipPrivilege	1600	srtasks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1540	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 116	3664	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	82
PID 3664 wrote to memory of 116	3664	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	82
PID 3664 wrote to memory of 116	3664	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	82
PID 3664 wrote to memory of 4244	3664	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	83
PID 3664 wrote to memory of 4244	3664	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	83
PID 3664 wrote to memory of 4244	3664	0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe	83
PID 4244 wrote to memory of 4948	4244	~DP6E5B.exe	84
PID 4244 wrote to memory of 4948	4244	~DP6E5B.exe	84
PID 4244 wrote to memory of 4948	4244	~DP6E5B.exe	84
PID 116 wrote to memory of 1540	116	~DP6D12.exe	85
PID 116 wrote to memory of 1540	116	~DP6D12.exe	85
PID 116 wrote to memory of 1540	116	~DP6D12.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a65588a9196e5fa84e6bf7833140998_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Users\Admin\AppData\Local\Temp\~DP6D12.exe
  "C:\Users\Admin\AppData\Local\Temp\~DP6D12.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\winlogon.exe
    C:\Windows\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1540
- C:\Users\Admin\AppData\Local\Temp\~DP6E5B.exe
  "C:\Users\Admin\AppData\Local\Temp\~DP6E5B.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\~DP6E5B.exe
    -deleter
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:6912

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe

Filesize
5KB

MD5
19d3dc3c2159c407800d69089ba8ce3d

SHA1
636c1ce473252ab09fdc6d1d95658530dd413da8

SHA256
dc6f18f38ad199ceb9f7be94316aeb46b156bcb040059b5f60acde41bfb16ef9

SHA512
9213e33e50887ffe6d90a4a66964c2b88d8fd2585bf7d3f008798de4fc06b873e868de0688331c897fb32f310e902c2b2682928b01fffb03ff86a55d284f964a

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll

Filesize
56KB

MD5
e3db818aca6889a18fee5ebef336d305

SHA1
d68f8cc397f448c5fa6265642833a36a680e60ae

SHA256
ad48c416a57a9f8a47ec4c8f82f25430a2da42730c3891b43a44c1f21e7f5932

SHA512
1c44160f74b7afe992e6818689e375e88d07203856f6167e1602ead64210bd09787c2fb41ba31f21542861bcbc67f03b45e113937a9b069e8e5e2dadee9785e4

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll

Filesize
160KB

MD5
150f19ffcf1c56e3c5f77eb712d0310b

SHA1
ee29d37fe83ac48c00b5a15ef8073a653ac3354d

SHA256
63e799505ac9f425a9ae000adf438812d50cb7b92de50d4e45e042af704af49c

SHA512
e2bef9203abbd6934a16bd43c3f8975a69eca3c9ddea66d76dfd97fafceadb8779ea3c2b1f75787e7f909357ef636f5964a903148190886cee35a81668780e49

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll

Filesize
680KB

MD5
8230d489547e2f1c0af852f81d1d63be

SHA1
95e4ae5e66f60d51a29a007869e3f380d82549f4

SHA256
7b5542d5c304f3f5ada9eedfa3fb82c28bec97a0d49e9f0ddf61b7a65006e301

SHA512
7a75352290c6595ec47eb9698626adbeef8b4a4c62399e0620d6fd7fc40fa9adbd49333bc53c21dffdedb89486d13f9b18502ee23ab8394a5a8d51834dda82ed

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll

Filesize
232KB

MD5
742679327ee56723096eb5aa5928be26

SHA1
20c6d65b0ae8e5e98198cf6dc993c60ada1d6553

SHA256
9fae0665d7b6d21a93a73708249bd44337910cf4f32210c584eda24733cacf7f

SHA512
05fa9e09fa3fd114eb1dbb96f27c680d78a82e318731a81174e68fe559e1d9f1b3565f2e7eff6b838ed41a429fd00577f2bb5885015bc68bb04d0f97c3150bf1

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll

Filesize
152KB

MD5
85b1375725843284c7987b6bad170bcc

SHA1
490e87557116cc75167044d18f50af47167df467

SHA256
36f4b8a79035b4df985dbeae8e42312a6ff74d947275ac312d5f2a3fd45b4030

SHA512
7fc14814bc06c176796c0fbab17dd2131859db35f5c53685792d8e1c0b2ca3da16af017df20b0f035ef44a10bb92c5a556e26ed1a37f16bf3ad3e7212f74d02c

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\IsP7742.tmp

Filesize
83KB

MD5
a1200142ffc51c3ddf558ee2a97f559f

SHA1
b5c97c457cb90bd05538708c0ec550d966634b22

SHA256
0f0fa3d16fe519155f7ee51594e54be34f46c785a18c8278fdeef571f594ace3

SHA512
3734721f50c8c78a9975030277e260ab4768805a3719f243e376a9bea12c6a62b5ab0e648760845bb45805a396958fbf74a5b6f646e068480de31e1793eb45b1

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll

Filesize
32KB

MD5
f68ba4725d1aaf180ff33cf18d262c5e

SHA1
c80aa11dac0425dcc41e44a955036dbbb773cdc9

SHA256
dfb91bc980fd1267fb8032b0d36c72d08fca03bb723d895be481ae7d275174e4

SHA512
7aba373385f2d7a9d4bba03facc2df50bb1a644580fcfbfabab090bccc835b25c48a8432325d1bf380795e92a700e45a8615138a609e8848dc7f82c9b4cfdbc8

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\data1.cab

Filesize
357KB

MD5
0b3952fa84a1dcd4df74ddf9cbb345a8

SHA1
c0802bcd2b7e9f07ce79b9b8d64f33d720a10899

SHA256
26042b54d45b614835c1405af28b8e3789aef214bac5869a369c67acd8f291aa

SHA512
dc8401cf4ad10a520f520c7c09bdb35f137e472523df3e0f95a217cb020acfcf323276218fe4a9381d7b64bb85b6a6caa6ef14f18363a54e0221575b39769efd

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\layout.bin

Filesize
475B

MD5
dc2963e6d9c7b3f0a9ae49eec742ca17

SHA1
a4d7a743ce973146e52407e76fa5f425dcaffdec

SHA256
74443e8f6fe3f0fad0ad3118cb993e904e20c6cc5defe63447d0e7b04325deb2

SHA512
886b543a035aff4fe2ef643be0432b2bdda84b2098232cba76db98110f1a14278cd43255af61a0a8a51f9054179d15348c6b3a372578808d8fc405786f74d21e

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\setup.exe

Filesize
104KB

MD5
5b2065fa6f2ec63fe28be26fdb7b0480

SHA1
e6d5fde72e7dd1d6581ff6dc05c4d00c795cd760

SHA256
e25cadc80ea5163e0f1c6fd703479469d9f23b47ade244fac5f22bcdb01b39bd

SHA512
51dcbf8583104754902a9387da0c2efd05b04842ffb043f3d1035940f6c612e8e20259932e0ebf16e1857c6764596017fe7db3736cab62d3d3f62804535a8417

Download Submit
C:\Program Files (x86)\InstallShield Installation Information\{F730167F-9835-4E57-827B-F47A1E34810E}\setup.ini

Filesize
514B

MD5
25213c13df24d90b9a732f87671c293c

SHA1
f15630e0c8e7acec23c6920822da655b2434fba9

SHA256
1331c6df3d8a6a3fcb9ba256db7a919643ceb59aca05f0fdb4a5e6dd220d1ea6

SHA512
499e1c472c1da4d9ca61297ca5cb163e109ad961627dd12c6e1699700c79944c4f5521de10c13f096dfcfe13ed688dc83c41f181f90656b078b03ee6e625d652

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MySportTraining\VidaOne Web Site.url

Filesize
124B

MD5
0c6b8b6032981afb2abf052d5602dfc5

SHA1
09e747326ce9973ef1596d1b165dcd44cff43c5e

SHA256
84054ac209cfc11ce7d9b4a00430459801a522335c1a663ecfd9f65ea29a0119

SHA512
dfa4733152c2135c002f93c2436f90b8ab880b1463f47da14c6024b69ea70afa248a3cb106b56ddcf9654821b4c42605fd3a0c93c0cb3173295a6ea3def1de5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISPackFiles.ini

Filesize
821B

MD5
a966162a072d8645b68f4f6416296b1f

SHA1
640bb4e820146cd848e5966e3e96fe8648a08ffa

SHA256
c6b17db14d451a2a6a6f2e902538f55c455eebd3360ac42d564ed73107b871fa

SHA512
cff615f6714a0446074d180ab0c20c5ce3cf646cec3fa183db6e67c0353e6e347c0f7ae6e582c98aaac3fd527aafe2e949bf22cc8ca1d689ce5515d23f94eb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isdelet.ini

Filesize
292B

MD5
fc4a843859fb0aee9f2d13ebfef3456a

SHA1
621ef367e50ee59da34af1412ebcfccf1a9d7b55

SHA256
822b915f1d563fc9354c5c1c104d567ec0d5a973b376597f65609d923ab25f1a

SHA512
4ed5f9633ddae7a8fad1f8710d578d74253f85c3e083cd36b5a2c27aa9bffc114ea9b7709dce8c24b4614b2ae606fa97b5d3d9e4bc0a18c13ef7f38997cbd521

Download Submit
C:\Users\Admin\AppData\Local\Temp\bye7129.tmp\Disk1\data1.hdr

Filesize
15KB

MD5
de6d5b6d3723f966c2804b8d7253c4af

SHA1
32e25207be7640751af45ec1d5e3572bbe28215d

SHA256
84059d08d4e6b43e21bdcdb83214cee3fbebdcd290306f5a0f87fe2deb5230f0

SHA512
234c6b490207ff98c3811b70bd2a773dbc12805678ad436d8dc563bc034b2df8261eb8dede41d692fb3cdcfc958d7e5b81dc0db829696884653cd10ccef0da30

Download Submit
C:\Users\Admin\AppData\Local\Temp\bye7129.tmp\Disk1\engine32.cab

Filesize
410KB

MD5
1bc10e0ff6f2145e609997d6b1e07944

SHA1
052aad1fe7613cbbfe9147311f709c8f2fcfb377

SHA256
a5b857c9168aca517266f64ccba84d9866442250c0532846ad016a295c044523

SHA512
872d008ae2acd60a5ff63324dfc42598d2caf33dfe7895fff667f7d0da66c33380732de7a282d5760a890c17be2dd318d4d9f38088cbd8bce2ab71d42d593854

Download Submit
C:\Users\Admin\AppData\Local\Temp\bye7129.tmp\Disk1\setup.boot

Filesize
321KB

MD5
173bddccc829d682046228b9a0a8ad8c

SHA1
4aadfc3c29a36f77cbe81e98cba0e59e6e620d06

SHA256
03e5ce8633b074b0a336ff5c5616318919e3b0a2291d381614858bdb35665ae9

SHA512
3a0f5bc0143cd548c14eaddc494a0646172164f6b7c81d1576714bfc6b58e027407d954e3a14bd81ab805fa25bedb1bc50ffce2ec45213d29a146def2cd658b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bye7129.tmp\Disk1\setup.ini

Filesize
430B

MD5
f08b2efe62258456df12eb4a824b281b

SHA1
3eb29ccd0e823fb70c4a75aa41cc05aaf89553f5

SHA256
5fbc5c80e8c9aaf9172ee938f3ebad17132248c3b43c7acbe66ded83417e4cdc

SHA512
ea58bf7bb963840605219b1c267bf2257538e1ffe94e4202d7d1fdca565211a820c7a6181051a32e2d1744c548885173ff428c66c8055e2840b7c5a25920c471

Download Submit
C:\Users\Admin\AppData\Local\Temp\bye7129.tmp\Disk1\setup.skin

Filesize
58KB

MD5
1b7b3d6c129e2990822a9a757086bb09

SHA1
7d4c8bd2f6283933ba6808a8e875e8f3d39f87b4

SHA256
914be4660c2c16e4ac9d552a24509f39a195204fbb3645cb28a4e2b185a69609

SHA512
d1e491ac184626140565efb6343e1ddc4ccc420e355761a2a235fe86d9085b0f91585dfbb14d1951046027033c02746fdb3eacdc349fb39fed9ba7b5f272eb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp7187.tmp\Setup.dll

Filesize
276KB

MD5
e148c1132a32ccd424de346f2ffead1f

SHA1
d2eb1757293ae29ee6039d767953c85f17252915

SHA256
04e326274a3f687e7640a0219a53b7f59d61ca6e6f7320fde5d2eb7fa01290c5

SHA512
96a12bb1a6405e6d5b17b9bc0e8ac36d2bdfb5ca7a371dac7a806aa260dd24337dd6f7a9703d11196dbf77ff6b87c2e497ff07ff50fb9134e2aa61782ff2c0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\isp71E9.tmp\_Setup.dll

Filesize
144KB

MD5
7d206ffa959599b822512f184047f7f1

SHA1
2ccb525e2813d51bb37133bc33d0740355a3b4c3

SHA256
4466f4c424b139190b74137d9ebd901c7b1b1a9e2467d1607b048eb64a1011af

SHA512
b8f0b75a2486de4382177e94b622a73dee6e3ad9618872eb7747f082a5965591ba80d14c14ebf15ea93be892f494bdeca5a601d03e0a868df66170af8cfa03e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\set71D8.tmp

Filesize
149KB

MD5
43fffef9a91b39fed4196111bac39640

SHA1
9ce849f11188da639254a77d3f4e31db36a752d2

SHA256
d6fccdbe022be8d79dd40fa3d1bc29c284c19a3471cc5b7db7657496c1381d61

SHA512
ce9f61feaf874944bc4d8301565e704ae8dc263d702a0753f350cffccc5be7f6c7973dac21268031be9033c3b19675e55c40f6c8bf30069a2b33f5f44ec334cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin71f4.rra

Filesize
16KB

MD5
bb7f4d016ef07b7148fd48d081869f1f

SHA1
50284a88b0c64cb5847fdc05b7fe4f3ea6740fca

SHA256
678d339b3fc6625537f7bdd9c4c601d182de1881badb0fe8492023714b82901a

SHA512
3a008d4d041cb5f171fc920e22d6cd190594c1359139f3bc784085ffdca02b2d4e70c0a2996982f3054144b7479af3ae12302fc4603dba061ef5dcbee3f9644b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33892616-1766-407C-82E4-F3858FA38C7A}\{F730167F-9835-4E57-827B-F47A1E34810E}\InstallDll.dll

Filesize
60KB

MD5
28c8fd3f8529a41e7671abef4654c68f

SHA1
4b2d4fbf045cab72c0104dafb290764a94d59ce5

SHA256
fe2e79b6c161576e9dec20665b3cb0a21a17029148bf9603e194143854a31d48

SHA512
ba07eaebf2b06993d155cff8ac254677244cf9008b2524f99938d2ba7b0bc2f625f96355cd34bdd320514f3dbcf4a21796b9fe565a8f2cd1c584014905f60e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33892616-1766-407C-82E4-F3858FA38C7A}\{F730167F-9835-4E57-827B-F47A1E34810E}\_IsRes.dll

Filesize
352KB

MD5
1aee04222447851bc2a64d3264a5d625

SHA1
44835b44aa235a06585f134d64915344068d08cf

SHA256
3f22bad21fe5c5dc672a49bf969e2c2231c0597cbbe8a210de3d4b8d9b1acd8b

SHA512
8f3a8d02a3db199c448ce7a37b6286bc099d6373f6c75014a8d3153123cedb267da4cdec626300152912ff2392392ffacf74962b4d31a4d60b7f363bc9bd86af

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33892616-1766-407C-82E4-F3858FA38C7A}\{F730167F-9835-4E57-827B-F47A1E34810E}\condmgr.dll

Filesize
120KB

MD5
44762e0fab97302db55a5bdf9787bab2

SHA1
049930ae2e6fb46cf4d5d18f0ccaff12db370831

SHA256
6641768e8fd364023c3cb5f47301330a7952705d7be59ca11be521d2ecbf46ff

SHA512
3f09440125032d7f6732eea256a08dde22283f1005c8878b3618b8256565835f6b1f0df9a1038f1a77dc12fd261ea51fd4e6fae48e771ba9da1dfebc0d6d6abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33892616-1766-407C-82E4-F3858FA38C7A}\{F730167F-9835-4E57-827B-F47A1E34810E}\isrt.dll

Filesize
364KB

MD5
e90d6b156b10a4c6e18f65b336e939c0

SHA1
f93cb622a53e032233d1d17a26af55cf46d795e8

SHA256
329ad573ab2243755b8eafc01b0247c1931b9f7ca8bdc1fc7448795714dcafb4

SHA512
4a76f73b2ad8726d3ff105cbaafe5fccc4119e1e2bea499c717c4acd504c8c31eef192ec38cdad12862aa2cefa24b3d040065b7886d1640ee8cffb33d49a3a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33892616-1766-407C-82E4-F3858FA38C7A}\{F730167F-9835-4E57-827B-F47A1E34810E}\setup.inx

Filesize
171KB

MD5
7d07a27d9186752e1210ace973df609d

SHA1
9cc9f6768f01f96d7e59e32609dfdf6561f2301c

SHA256
c112de369ee10ef3740c46191d2fa79f2c45eb3df2642c6ee6607c35b0657d5c

SHA512
5297a9623774a07310ae091d1dbd1852d8f5902496eed33c138abe7ded37ce7b9bf18bcbe8c0e5ef792feebe33379d6dea50a6ea2c26e2f0a1f509d795fea0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DP6D12.exe

Filesize
156KB

MD5
4ed4fdc51790b92c9bf0500bdaef7126

SHA1
49ff61012ff09d1740939ca2c295c011707a92a9

SHA256
136080043058565cbed31faa197c2b9019b01f532abd2c87c9dd38b635c54e3a

SHA512
50bee0eb216e41ef7d5134036301d71f944aaee5805711688b550521c3ef46d293ccb38c4da1bb55000d788cf199d518f53f28bd3d94a73a0e6eaf40dc7c7801

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DP6E5B.exe

Filesize
4.3MB

MD5
1eb5ea9749ba238df81442e2e3e569ea

SHA1
2bc8e2acf73895efb3553b0e586cbe05520abedb

SHA256
e668bbdff6b8fac54c2a22444665f3f0636e53f322de9213aa702d0f2dd15000

SHA512
031d065b2676086550f623752b181c978ede63afd52d15da8b9b8f1b632202c2d9b796e954f2d987f2cfd713617d6d1039fd3a46e97cd9d65750d7e0e1552b25

Download Submit
memory/116-1579-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/116-10-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1540-1578-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1540-4230-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3664-20-0x0000000000400000-0x000000000087B000-memory.dmp

Filesize
4.5MB

Download
memory/4948-4068-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/4948-4039-0x0000000006060000-0x0000000006088000-memory.dmp

Filesize
160KB

Download
memory/4948-3964-0x00000000056D0000-0x0000000005790000-memory.dmp

Filesize
768KB

Download
memory/4948-4074-0x00000000054B0000-0x00000000054D0000-memory.dmp

Filesize
128KB

Download
memory/4948-102-0x0000000004CA0000-0x0000000004CE6000-memory.dmp

Filesize
280KB

Download
memory/4948-4115-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads