474632e0969c5835659a9d093a1578554b52cdd1b480c1fcb3b389f4b4fb5e6d

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
Size

1.4MB
MD5

44bd8f9ac9a3c8158b088f35b462685f
SHA1

fc9a02de2af758950542d3209400d4504cfeed37
SHA256

474632e0969c5835659a9d093a1578554b52cdd1b480c1fcb3b389f4b4fb5e6d
SHA512

a8225f6faa10bd34c96d3862fac70b67d8f3aa960187bbe9564938ff922202384d947e01897943411fe10bd0311ab97b72d27d81b419d942a5aa314ce1d0ed54
SSDEEP

24576:+VXnzzwJyAlaPq/yLGfCym9yMWbkExZDXTsOGlCs/Af3ilofeYdqbO/8nNovq9L:+NzCyyz/b/xMWbkETXTsOGZkiy9f/8nN

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 53 IoCs

pid	Process
2884	setup.exe
2820	INSA15E.tmp
3008	tsadbot.exe
2288	tsadbot.exe
2492	ctinstall.exe
1492	tsadbot.exe
1664	tsadbot.exe
1536	ctinstall.exe
336	tsadbot.exe
2368	tsadbot.exe
1040	ctinstall.exe
2144	tsadbot.exe
2264	tsadbot.exe
1616	ctinstall.exe
2140	tsadbot.exe
1604	tsadbot.exe
2388	ctinstall.exe
1556	tsadbot.exe
2696	tsadbot.exe
2060	ctinstall.exe
2260	tsadbot.exe
2912	ctinstall.exe
2916	tsadbot.exe
2728	tsadbot.exe
2828	tsadbot.exe
2816	ctinstall.exe
2664	tsadbot.exe
3052	ctinstall.exe
2684	tsadbot.exe
2448	tsadbot.exe
1992	tsadbot.exe
3064	ctinstall.exe
1256	tsadbot.exe
1812	tsadbot.exe
1048	ctinstall.exe
1980	tsadbot.exe
1284	tsadbot.exe
2508	ctinstall.exe
1324	tsadbot.exe
2024	tsadbot.exe
692	ctinstall.exe
1320	tsadbot.exe
2000	tsadbot.exe
1984	ctinstall.exe
568	tsadbot.exe
588	tsadbot.exe
2284	ctinstall.exe
820	tsadbot.exe
2592	tsadbot.exe
532	ctinstall.exe
816	tsadbot.exe
2352	ctinstall.exe
1124	tsadbot.exe

Loads dropped DLL 64 IoCs

pid	Process
3016	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
2884	setup.exe
2884	setup.exe
2884	setup.exe
2884	setup.exe
2884	setup.exe
2820	INSA15E.tmp
2820	INSA15E.tmp
2820	INSA15E.tmp
2820	INSA15E.tmp
2820	INSA15E.tmp
2820	INSA15E.tmp
2820	INSA15E.tmp
3008	tsadbot.exe
3008	tsadbot.exe
3008	tsadbot.exe
3008	tsadbot.exe
3008	tsadbot.exe
2820	INSA15E.tmp
2288	tsadbot.exe
2288	tsadbot.exe
2288	tsadbot.exe
2492	ctinstall.exe
2492	ctinstall.exe
2492	ctinstall.exe
2492	ctinstall.exe
2820	INSA15E.tmp
2820	INSA15E.tmp
1492	tsadbot.exe
1492	tsadbot.exe
1492	tsadbot.exe
1492	tsadbot.exe
1492	tsadbot.exe
1492	tsadbot.exe
1492	tsadbot.exe
2820	INSA15E.tmp
1664	tsadbot.exe
1664	tsadbot.exe
1664	tsadbot.exe
1536	ctinstall.exe
1536	ctinstall.exe
1536	ctinstall.exe
1536	ctinstall.exe
2820	INSA15E.tmp
2820	INSA15E.tmp
336	tsadbot.exe
336	tsadbot.exe
336	tsadbot.exe
336	tsadbot.exe
336	tsadbot.exe
336	tsadbot.exe
336	tsadbot.exe
2820	INSA15E.tmp
1040	ctinstall.exe
1040	ctinstall.exe
1040	ctinstall.exe
1040	ctinstall.exe
2368	tsadbot.exe
2368	tsadbot.exe
2368	tsadbot.exe
2820	INSA15E.tmp
2820	INSA15E.tmp
2144	tsadbot.exe
2144	tsadbot.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\InboxSpecialist = "C:\\Program Files (x86)\\InboxSpecialist2000_458\\InboxSpecialist.exe /tray"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TimeSink Ad Client = "\"C:\\Program Files (x86)\\TimeSink\\AdGateway\\tsadbot.exe\""	tsadbot.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-E8D9N.tmp	INSA15E.tmp
File opened for modification	C:\Windows\SysWOW64\is-E8D9N.tmp	INSA15E.tmp
File created	C:\Windows\SysWOW64\is-2F72O.tmp	INSA15E.tmp
File opened for modification	C:\Windows\SysWOW64\is-2F72O.tmp	INSA15E.tmp

Drops file in Program Files directory 55 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-SCTBO.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-N5E6T.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-S85NG.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\Sounds\is-EA659.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\01010003.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\01010006.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-JPS7V.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-I4EDO.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe	tsadbot.exe
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\unins000.dat	INSA15E.tmp
File created	C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe	tsadbot.exe
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\rc	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-N6DAM.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-0H27Q.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-58EPR.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\Sounds\is-EA659.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\01010008.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\0101000a.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-1P4FN.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-ASAJK.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-G06H7.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-N6DAM.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\01010005.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-0H27Q.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-58EPR.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-S85NG.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-IJ9QK.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-N5E6T.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\TimeSink\AdGateway\Profiles\InboxSpecialist\Admin\gutmannsoft\Done.idx	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\01010001.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-G06H7.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\TimeSink\AdGateway\Profiles\InboxSpecialist\Admin\gutmannsoft\Done.idx	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\InboxSpecialist2000_458\unins000.dat	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-SCTBO.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-BU8D8.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\01010002.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-LO4LF.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-IJ9QK.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-GLT7Q.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-I4EDO.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\unins000.exe	INSA15E.tmp
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\01010007.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-ASAJK.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-I4J68.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\TimeSink\AdGateway\Profiles\InboxSpecialist\Admin\gutmannsoft\Done.cdb	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\01010004.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-1P4FN.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-B0O7D.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\InboxSpecialist2000_458\is-BU8D8.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-GLT7Q.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\is-JPS7V.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-B0O7D.tmp	INSA15E.tmp
File created	C:\Program Files (x86)\TimeSink\AdGateway\Ads\1544\01010009.004	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-I4J68.tmp	INSA15E.tmp
File opened for modification	C:\Program Files (x86)\InboxSpecialist2000_458\Skins\Default\is-LO4LF.tmp	INSA15E.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\is-D8C1P.tmp	INSA15E.tmp
File created	C:\Windows\is-87BFQ.tmp	INSA15E.tmp
File opened for modification	C:\Windows\is-87BFQ.tmp	INSA15E.tmp
File created	C:\Windows\is-D8C1P.tmp	INSA15E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSA15E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsadbot.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BAF5902-01D9-11D0-9E0A-444553540000}\TypeLib	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{973C8EE3-4546-11D0-86B1-0020AF1EF604}\1.0\0\win32	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{973C8EE2-4546-11D0-86B1-0020AF1EF604}\ProxyStubClsid32	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BAF5903-01D9-11D0-9E0A-444553540000}\5.1\0\win32	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5904-01D9-11D0-9E0A-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\MMAIL32.OCX"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BAF5903-01D9-11D0-9E0A-444553540000}\5.1\FLAGS	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\Control	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BAF5902-01D9-11D0-9E0A-444553540000}\ProxyStubClsid32	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}\TypeLib\ = "{8BAF5903-01D9-11D0-9E0A-444553540000}"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE1-4546-11D0-86B1-0020AF1EF604}\TypeLib\Version = "1.0"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BAF5901-01D9-11D0-9E0A-444553540000}\TypeLib	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BAF5901-01D9-11D0-9E0A-444553540000}\ = "_DMail"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE2-4546-11D0-86B1-0020AF1EF604}\TypeLib	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{973C8EE2-4546-11D0-86B1-0020AF1EF604}\TypeLib	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BAF5903-01D9-11D0-9E0A-444553540000}\5.1\FLAGS\ = "2"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BAF5901-01D9-11D0-9E0A-444553540000}	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BAF5902-01D9-11D0-9E0A-444553540000}\TypeLib\ = "{8BAF5903-01D9-11D0-9E0A-444553540000}"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE2-4546-11D0-86B1-0020AF1EF604}\ProxyStubClsid32	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\MiscStatus\1	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\TypeLib	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BAF5901-01D9-11D0-9E0A-444553540000}\TypeLib\ = "{8BAF5903-01D9-11D0-9E0A-444553540000}"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BAF5901-01D9-11D0-9E0A-444553540000}\TypeLib	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{973C8EE3-4546-11D0-86B1-0020AF1EF604}\1.0\FLAGS	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE1-4546-11D0-86B1-0020AF1EF604}	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{973C8EE1-4546-11D0-86B1-0020AF1EF604}\TypeLib	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}\Version\ = "5.1"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{973C8EE3-4546-11D0-86B1-0020AF1EF604}	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE1-4546-11D0-86B1-0020AF1EF604}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE4-4546-11D0-86B1-0020AF1EF604}\InprocServer32	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MMAIL32.OCX, 1"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}\Control	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE1-4546-11D0-86B1-0020AF1EF604}\TypeLib	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BAF5901-01D9-11D0-9E0A-444553540000}\ProxyStubClsid32	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{973C8EE3-4546-11D0-86B1-0020AF1EF604}\1.0\0	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE2-4546-11D0-86B1-0020AF1EF604}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Mabry.RASCtrl\ = "Mabry RAS Control"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\ProgID\ = "Mabry.RASCtrl"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BAF5901-01D9-11D0-9E0A-444553540000}\ = "_DMail"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}\MiscStatus\ = "0"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}\MiscStatus\1\ = "132497"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE1-4546-11D0-86B1-0020AF1EF604}\ = "_DRAS"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\ProgID	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}\ToolboxBitmap32	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\Version\ = "1.0"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BAF5902-01D9-11D0-9E0A-444553540000}\ = "_DMailEvents"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}\MiscStatus\1	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BAF5900-01D9-11D0-9E0A-444553540000}\TypeLib	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE2-4546-11D0-86B1-0020AF1EF604}	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\Version	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{973C8EE1-4546-11D0-86B1-0020AF1EF604}\ProxyStubClsid32	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MRAS32.OCX, 1"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\MiscStatus\ = "0"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\MiscStatus\1\ = "132241"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE4-4546-11D0-86B1-0020AF1EF604}\InprocServer32\ = "C:\\Windows\\SysWow64\\MRAS32.OCX"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BAF5901-01D9-11D0-9E0A-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8BAF5902-01D9-11D0-9E0A-444553540000}\TypeLib\Version = "5.1"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BAF5902-01D9-11D0-9E0A-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{973C8EE1-4546-11D0-86B1-0020AF1EF604}	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Mabry.RASCtrl\CLSID	INSA15E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{973C8EE0-4546-11D0-86B1-0020AF1EF604}\InprocServer32	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BAF5903-01D9-11D0-9E0A-444553540000}\5.1\ = "Mabry Internet Mail Control 5.1"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8BAF5903-01D9-11D0-9E0A-444553540000}\5.1\HELPDIR\ = "C:\\Windows\\system32"	INSA15E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BAF5901-01D9-11D0-9E0A-444553540000}\TypeLib\Version = "5.1"	INSA15E.tmp

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeRestorePrivilege	2288	tsadbot.exe
Token: SeBackupPrivilege	2288	tsadbot.exe
Token: SeRestorePrivilege	2492	ctinstall.exe
Token: SeBackupPrivilege	2492	ctinstall.exe
Token: SeRestorePrivilege	1664	tsadbot.exe
Token: SeBackupPrivilege	1664	tsadbot.exe
Token: SeRestorePrivilege	1536	ctinstall.exe
Token: SeBackupPrivilege	1536	ctinstall.exe
Token: SeRestorePrivilege	2368	tsadbot.exe
Token: SeBackupPrivilege	2368	tsadbot.exe
Token: SeRestorePrivilege	1040	ctinstall.exe
Token: SeBackupPrivilege	1040	ctinstall.exe
Token: SeRestorePrivilege	2264	tsadbot.exe
Token: SeBackupPrivilege	2264	tsadbot.exe
Token: SeRestorePrivilege	1616	ctinstall.exe
Token: SeBackupPrivilege	1616	ctinstall.exe
Token: SeRestorePrivilege	1604	tsadbot.exe
Token: SeBackupPrivilege	1604	tsadbot.exe
Token: SeRestorePrivilege	2696	tsadbot.exe
Token: SeBackupPrivilege	2696	tsadbot.exe
Token: SeRestorePrivilege	2060	ctinstall.exe
Token: SeBackupPrivilege	2060	ctinstall.exe
Token: SeRestorePrivilege	2916	tsadbot.exe
Token: SeBackupPrivilege	2916	tsadbot.exe
Token: SeRestorePrivilege	2912	ctinstall.exe
Token: SeBackupPrivilege	2912	ctinstall.exe
Token: SeRestorePrivilege	2828	tsadbot.exe
Token: SeBackupPrivilege	2828	tsadbot.exe
Token: SeRestorePrivilege	2816	ctinstall.exe
Token: SeBackupPrivilege	2816	ctinstall.exe
Token: SeRestorePrivilege	2684	tsadbot.exe
Token: SeBackupPrivilege	2684	tsadbot.exe
Token: SeRestorePrivilege	3052	ctinstall.exe
Token: SeBackupPrivilege	3052	ctinstall.exe
Token: SeRestorePrivilege	1992	tsadbot.exe
Token: SeBackupPrivilege	1992	tsadbot.exe
Token: SeRestorePrivilege	3064	ctinstall.exe
Token: SeBackupPrivilege	3064	ctinstall.exe
Token: SeRestorePrivilege	1812	tsadbot.exe
Token: SeBackupPrivilege	1812	tsadbot.exe
Token: SeRestorePrivilege	1048	ctinstall.exe
Token: SeBackupPrivilege	1048	ctinstall.exe
Token: SeRestorePrivilege	1284	tsadbot.exe
Token: SeBackupPrivilege	1284	tsadbot.exe
Token: SeRestorePrivilege	2508	ctinstall.exe
Token: SeBackupPrivilege	2508	ctinstall.exe
Token: SeRestorePrivilege	2024	tsadbot.exe
Token: SeBackupPrivilege	2024	tsadbot.exe
Token: SeRestorePrivilege	692	ctinstall.exe
Token: SeBackupPrivilege	692	ctinstall.exe
Token: SeRestorePrivilege	2000	tsadbot.exe
Token: SeBackupPrivilege	2000	tsadbot.exe
Token: SeRestorePrivilege	1984	ctinstall.exe
Token: SeBackupPrivilege	1984	ctinstall.exe
Token: SeRestorePrivilege	588	tsadbot.exe
Token: SeBackupPrivilege	588	tsadbot.exe
Token: SeRestorePrivilege	2284	ctinstall.exe
Token: SeBackupPrivilege	2284	ctinstall.exe
Token: SeRestorePrivilege	2592	tsadbot.exe
Token: SeBackupPrivilege	2592	tsadbot.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2884	3016	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2884	3016	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2884	3016	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2884	3016	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2884	3016	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2884	3016	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2884	3016	44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2820	2884	setup.exe	31
PID 2884 wrote to memory of 2820	2884	setup.exe	31
PID 2884 wrote to memory of 2820	2884	setup.exe	31
PID 2884 wrote to memory of 2820	2884	setup.exe	31
PID 2884 wrote to memory of 2820	2884	setup.exe	31
PID 2884 wrote to memory of 2820	2884	setup.exe	31
PID 2884 wrote to memory of 2820	2884	setup.exe	31
PID 2820 wrote to memory of 3008	2820	INSA15E.tmp	33
PID 2820 wrote to memory of 3008	2820	INSA15E.tmp	33
PID 2820 wrote to memory of 3008	2820	INSA15E.tmp	33
PID 2820 wrote to memory of 3008	2820	INSA15E.tmp	33
PID 2820 wrote to memory of 3008	2820	INSA15E.tmp	33
PID 2820 wrote to memory of 3008	2820	INSA15E.tmp	33
PID 2820 wrote to memory of 3008	2820	INSA15E.tmp	33
PID 3008 wrote to memory of 2288	3008	tsadbot.exe	34
PID 3008 wrote to memory of 2288	3008	tsadbot.exe	34
PID 3008 wrote to memory of 2288	3008	tsadbot.exe	34
PID 3008 wrote to memory of 2288	3008	tsadbot.exe	34
PID 3008 wrote to memory of 2288	3008	tsadbot.exe	34
PID 3008 wrote to memory of 2288	3008	tsadbot.exe	34
PID 3008 wrote to memory of 2288	3008	tsadbot.exe	34
PID 2820 wrote to memory of 2492	2820	INSA15E.tmp	35
PID 2820 wrote to memory of 2492	2820	INSA15E.tmp	35
PID 2820 wrote to memory of 2492	2820	INSA15E.tmp	35
PID 2820 wrote to memory of 2492	2820	INSA15E.tmp	35
PID 2820 wrote to memory of 2492	2820	INSA15E.tmp	35
PID 2820 wrote to memory of 2492	2820	INSA15E.tmp	35
PID 2820 wrote to memory of 2492	2820	INSA15E.tmp	35
PID 2820 wrote to memory of 1492	2820	INSA15E.tmp	36
PID 2820 wrote to memory of 1492	2820	INSA15E.tmp	36
PID 2820 wrote to memory of 1492	2820	INSA15E.tmp	36
PID 2820 wrote to memory of 1492	2820	INSA15E.tmp	36
PID 2820 wrote to memory of 1492	2820	INSA15E.tmp	36
PID 2820 wrote to memory of 1492	2820	INSA15E.tmp	36
PID 2820 wrote to memory of 1492	2820	INSA15E.tmp	36
PID 1492 wrote to memory of 1664	1492	tsadbot.exe	37
PID 1492 wrote to memory of 1664	1492	tsadbot.exe	37
PID 1492 wrote to memory of 1664	1492	tsadbot.exe	37
PID 1492 wrote to memory of 1664	1492	tsadbot.exe	37
PID 1492 wrote to memory of 1664	1492	tsadbot.exe	37
PID 1492 wrote to memory of 1664	1492	tsadbot.exe	37
PID 1492 wrote to memory of 1664	1492	tsadbot.exe	37
PID 2820 wrote to memory of 1536	2820	INSA15E.tmp	38
PID 2820 wrote to memory of 1536	2820	INSA15E.tmp	38
PID 2820 wrote to memory of 1536	2820	INSA15E.tmp	38
PID 2820 wrote to memory of 1536	2820	INSA15E.tmp	38
PID 2820 wrote to memory of 1536	2820	INSA15E.tmp	38
PID 2820 wrote to memory of 1536	2820	INSA15E.tmp	38
PID 2820 wrote to memory of 1536	2820	INSA15E.tmp	38
PID 2820 wrote to memory of 336	2820	INSA15E.tmp	39
PID 2820 wrote to memory of 336	2820	INSA15E.tmp	39
PID 2820 wrote to memory of 336	2820	INSA15E.tmp	39
PID 2820 wrote to memory of 336	2820	INSA15E.tmp	39
PID 2820 wrote to memory of 336	2820	INSA15E.tmp	39
PID 2820 wrote to memory of 336	2820	INSA15E.tmp	39
PID 2820 wrote to memory of 336	2820	INSA15E.tmp	39
PID 336 wrote to memory of 2368	336	tsadbot.exe	40

C:\Users\Admin\AppData\Local\Temp\44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44bd8f9ac9a3c8158b088f35b462685f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\f7685a4\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\f7685a4\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\INSA15E.tmp
    C:\Users\Admin\AppData\Local\Temp\INSA15E.tmp /SL2 C:\Users\Admin\AppData\Local\Temp\f7685a4\setup.exe 1389798 1392814 59904
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:336
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2144
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2140
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1556
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2260
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2912
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2728
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2664
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2448
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1256
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1980
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1324
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:692
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1320
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:568
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:820
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:532
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:816
    - - C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe
        
        "C:\Program Files (x86)\TimeSink\AdGateway\tsadbot.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1124
  - - C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe
      C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe InboxSpecialist Y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\tsadbot.exe

Filesize
93KB

MD5
5da59b129aade5dd45c04455a3e6f74f

SHA1
cd9282f0008e40219ac0c230ca4bb3b2544f73ff

SHA256
241414c117e09b5fae702fd19136c37342d56f021a78ce1fabe11009534a0f63

SHA512
064547c9213c25e669ac4fdbdaf29a29a8f3aa1c55509b0011a5ae51c1c799b6246f4635e4a697255fd28f443157daa22e165178bcd89df2997dea6342d14a1b

Download Submit
C:\Windows\tsad.dll

Filesize
206KB

MD5
4c07207fad92eac078b8956305caee08

SHA1
d3bcc6c6a2f1e6aeb00230c808e4e8306af045ec

SHA256
dcbdeb138e9d7dcac6079841ca99e5ce0c947eb581148df311ca0124b2edcc3a

SHA512
665c1eab4761b0e2eab9b8594d636d33f4bccc8f1197790f5d63e8c188832f1238e5789dff92990ce53169211022c68e4873478b892e18e4506cd7c100abcff8

Download Submit
\Program Files (x86)\InboxSpecialist2000_458\InboxSpecialist.exe

Filesize
1.1MB

MD5
3d178feca84b2c96c489cf5c5022fe56

SHA1
e2a25a8c08284dda2669b3ba07054e822e3db1c1

SHA256
62ec05292cc656a614c1c10064abe594b85f3705825f4a15bbd24f736180adcb

SHA512
254e48a94a2557c1a5d11ed5f7e237835af29af1fa02b28a8a453eb040d6d4d5540ed4d7d3774b562eaed0473e0af2eeca2726347291bb0913e7f1bb729924ac

Download Submit
\Users\Admin\AppData\Local\Temp\INSA15E.tmp

Filesize
340KB

MD5
24ba89618a33c309a3c739847ec79815

SHA1
5cf36961487ad9f8231c03372b236f7337940f67

SHA256
b62282628050b1a48c77a00716fc571843cd385b8d563dcfc65eadeea104e22a

SHA512
aa171133c7df46ccf68524d81ff5bfd88caaa8ba776119505a379d9b45ddd5d6c6d5b9037aefd13f1e9136a9afec8111a910e6241dde981d33efed3ce3cee0f3

Download Submit
\Users\Admin\AppData\Local\Temp\f7685a4\setup.exe

Filesize
1.3MB

MD5
f9a5568739a519e8b26a85f46b78f695

SHA1
5ab0331fb9bff357f8b613adb0b625819b8cc1e8

SHA256
a314c40124ed5829d2621866f36f3d989d19ac9cd20c48cbbfb4f5ac917d926a

SHA512
342f770a63f1c7d5978e1b65033883308087a4d9a92108e9ce7e5be86b5782a0725750abba331e9f7d0594dca7fdd8f02ab3db29ac4bd5a382d712326284b7af

Download Submit
\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\SimpleRegistration.dll

Filesize
71KB

MD5
eee07c076ae78f598205b8815cdf22dc

SHA1
e4e2658a6b553e06f517cd061fae7a55100def5f

SHA256
ce8e8fe3991577cc7a6baa8e43112c5dab9eff3e7a14a6061d98c31607bd23c9

SHA512
42add87936bd0cef892160e192b732b7a47c10b084ebc7f3602c351c2f9b77f78ebac8679d18fdb222a51099c16d30a12581132936bfbaac85ee5f062ffcf756

Download Submit
\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\_shfoldr.dll

Filesize
22KB

MD5
153241df0b44d47db2aa2ee755ea62c9

SHA1
4a6beaf3cf09bbcc6acb2382dff47c034c27fafc

SHA256
fd3f175e7d31a16e116616ab29c1b672ae4ed08d397fac014d1279b969af3b68

SHA512
95f712c21fb677f8ce6578648b6e065357d70523255de7af67471ea3c6e09303eb5adc02bf28f99284f97325181a94f3decdf9882db0d121811e016673f1b990

Download Submit
\Users\Admin\AppData\Local\Temp\is-3G1L2.tmp\ctinstall.exe

Filesize
40KB

MD5
879bd115d220898497311e6a6b660305

SHA1
e9658651ca612de4357d6cf9e1b16d2e79b2e4b8

SHA256
d45c36e79d825c899ad481c320145503a5e91533799d288427e0b468637f9d32

SHA512
bc909c86e05333fa87b91c955a8289aaab4ff30ff351b27f7533924521e53a60bf27b62a14e7078c4ce271c96cbcbedcfe021989c940465f152fd4b81f7ba38a

Download Submit
\Windows\SysWOW64\MMAIL32.OCX

Filesize
98KB

MD5
7e6592ba9492148602dc3a5bb93bfd49

SHA1
2aa773882b2c9ebe3dff0861faf057f2f6699744

SHA256
2571193afdedceb4b17cf54102898ecd3c8f50a211a12cf4354f4853863d9b39

SHA512
cafa1ed1b1957916dfad8de71651402ed48d8969b1eebbc1588c0bd67729268954cab080d49a483289aa24ab0d75fb9e272861bf2c287f1777cf6d69edd92ab3

Download Submit
\Windows\SysWOW64\MRAS32.OCX

Filesize
55KB

MD5
319c3629d9421d8678aed61b0d50d364

SHA1
ea87d3e3eb441d20f2c8721d19869b80a96167b3

SHA256
98f8dd40bed55cd6eaaf2f50a59f1ae3c9c0d254e76814e984fc0532432246d9

SHA512
377961b6158ca2ec09ec7a02b6093e01c1a358a930e1278191543d674264e1d69a6ff8262aea551024692dd169db0f3af342fc5fc4f78c8b0d4cb94999ab32ad

Download Submit
memory/588-270-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/1284-263-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/1604-241-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/1664-233-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/1812-261-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/1992-258-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2000-268-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2024-265-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2264-238-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2288-218-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2368-236-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2592-272-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2684-257-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2696-250-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2820-251-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-68-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-273-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-255-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-237-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-242-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-259-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-204-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-262-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-234-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-66-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-266-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-64-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2820-269-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2828-254-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download
memory/2884-63-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2916-252-0x0000000031830000-0x0000000031869000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads