Malware Analysis Report

2025-01-02 15:33

Sample ID 241127-s4nzmswkdj
Target a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118
SHA256 c98de3d6b0dc4e9f54a1de1a10c8ed0f746a7c03eb71424855ca2b0ed850d4f7
Tags
pandastealer discovery stealer
score
10/10

Analysis Overview

score
10/10

SHA256

c98de3d6b0dc4e9f54a1de1a10c8ed0f746a7c03eb71424855ca2b0ed850d4f7

Threat Level: Known bad

The file a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pandastealer discovery stealer

Pandastealer family

PandaStealer

Panda Stealer payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Blocklisted process makes network request

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Analysis: static1

Detonation Overview

Reported

2024-11-27 15:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 15:40

Reported

2024-11-27 15:43

Platform

win7-20241010-en

Max time kernel

148s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe"

Signatures

Panda Stealer payload

PandaStealer

stealer pandastealer

Pandastealer family

pandastealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Reg-Tool\privacy.db C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\startup.db C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\general.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\privacy.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\scheduler.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\definitions.db C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\Reg-Tool.url C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\optimizations.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\startup.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\wizard.css C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW.zip C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f77fbfc.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77fbfe.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI734.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{90D92A69-433F-49BF-B358-E0B785FFBD94}\Icon.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Tasks\Reg-Tool Scan.job C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Tasks\Reg-Tool Scan.job C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File opened for modification C:\Windows\WindowsUpdate.log C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File opened for modification C:\Windows\Tasks\Reg-Tool Startup.job C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f77fbfb.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77fbfb.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{90D92A69-433F-49BF-B358-E0B785FFBD94}\Icon.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77fbfc.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\Reg-Tool Startup.job C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Version = "34082485" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\PackageName = "setup.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Downloaded Installers\\{90D92A69-433F-49BF-B358-E0B785FFBD94}\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\PackageCode = "48BA83601803F4045BC521D940643267" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BA57B859A49DD113BC7188A558D5939\96A29D09F334FB943B850E7B58FFDB49 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96A29D09F334FB943B850E7B58FFDB49\OptimizerApplication C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BA57B859A49DD113BC7188A558D5939 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\ProductIcon = "C:\\Windows\\Installer\\{90D92A69-433F-49BF-B358-E0B785FFBD94}\\Icon.exe" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\ProductName = "Reg-Tool" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Net\1 = "C:\\Program Files (x86)\\Downloaded Installers\\{90D92A69-433F-49BF-B358-E0B785FFBD94}\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96A29D09F334FB943B850E7B58FFDB49 C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe
PID 2760 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe
PID 2760 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe
PID 2760 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe
PID 2760 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe
PID 2760 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe
PID 2760 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe
PID 2896 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2896 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2896 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2896 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2896 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2896 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2896 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2616 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2616 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2616 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2616 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2616 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2616 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2616 wrote to memory of 2104 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2104 wrote to memory of 1028 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe
PID 2104 wrote to memory of 1028 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe
PID 2104 wrote to memory of 1028 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe
PID 2104 wrote to memory of 1028 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe"

C:\Windows\SysWOW64\msiexec.exe

"msiexec" /i "C:\Program Files (x86)\Downloaded Installers\{90D92A69-433F-49BF-B358-E0B785FFBD94}\setup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "0000000000000588"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F31776518EC40015DCDE568ABA27B796 C

C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe

"C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 csc3-2009-2-crl.verisign.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.regtool.com udp
US 3.33.139.32:80 www.regtool.com tcp
US 8.8.8.8:53 m.ask.com udp
US 151.101.194.114:443 m.ask.com tcp

Files

\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.exe

MD5 de1a17d4d7683738c4b0b165d36d5821
SHA1 5b175debe5ce1e700a2f420bf944b20f5f17bd2e
SHA256 1ee03147705d39bf9c2c57340bcf6576a1647ad97517e74df2ebb4443cd8ee66
SHA512 7f2ebfd3b532548aec594b4399ccec17490a924215c0dfa0683becb5b9da19af5ba37341b562d04d4adc9dfea6feacea701652fdc612d14cc17acfe869c39177

C:\Users\Admin\AppData\Local\Temp\7zS31BA.tmp\setup.msi

MD5 8d5626aaf4505a65505f646959aab3fe
SHA1 65baaabfd5d1eb022083fe9df79504cc656f315e
SHA256 b479919a20b820f13ba758f5a3851045ead9315b702bf5355c66e00593a5f832
SHA512 fa2024af189f337048d4e425829bb75ff83f91b879b67502913bb25e734b2ac3371f7b9b2d502b05e8471791a765f018800edbb0ee57db5410db9d6d3fe7cfec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_E7006F6DAEDBA5B627CA573B13FD6F3A

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_E7006F6DAEDBA5B627CA573B13FD6F3A

MD5 6e0a31bd3792936f2d7ebe2eac843d41
SHA1 c1939e6951347362a3d5fb7962cc31ce5632b97b
SHA256 e10bd2ba7497b927fc718fc1b583b291b2bd6491117caa2116a18d4fbdc13be4
SHA512 1517b288dc8d2b40aac719457656043d0b396191a6af52673da7b3e8f76531f927b3fa04802cfd8961b36907a7fdf04a7aee777baa1883f07834d2bc4f699b44

C:\Users\Admin\AppData\Local\Temp\Cab3F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cce8374ffce4f8c6032aafbff8a9ffe1
SHA1 3a9fe5aa18e101535998ff6e18e66714f89ab37a
SHA256 63c717e71eb42cfc17adec8e5b6d1feb3d140aa46b2276cce578fd1b57670375
SHA512 61dc43187b23dbe75efd88d78455a8b5894ecd78153617c145bd6f9fd9afd785db2abda8d6ef6a24e94c7feef4e5086e0788f9edb7fd956066af4f7f9d36062a

\Windows\Installer\{90D92A69-433F-49BF-B358-E0B785FFBD94}\Icon.exe

MD5 9c4d469714ff8a4cb84f4d01ce79f391
SHA1 3e3ef7a2f1f9eb37ed8de407da85c5bccd3501c3
SHA256 5cfdd807f3559b2b91d4de7777c7dec47f8603b70e058dedbfa353f6fb847ca6
SHA512 bbf4fed5d1882b64fcfa22cf60e2a2f69dc7ab621159be6e191c6ffc8f6482dfccbf8e3fb25070baec30744171761723080d9abb67760caa45325c78cccc19b9

C:\Config.Msi\f77fbfd.rbs

MD5 c479bb53933c6fd1d7a0c3e66df9c0a0
SHA1 9ed0802bd7e412141165fa5747cb20175226184a
SHA256 35ee375c33592fb644e3ff5b8b51d4b2a052a397d785cba7e8a3d76518833a63
SHA512 d98344e742da412cc443ab33d01fe7d350cbd5cee37b3dd680b8e9cec85b25c018e922c650bd6abaee0f85a63d1b41c4f19f1af7ea79dd0c01cd55b1f9f2f7c4

\Users\Admin\AppData\Local\Temp\MSI1CF5.tmp

MD5 14c01c848d8452005734858a64b6784b
SHA1 d3d81fcd1267095880218ef09b92220248905ea8
SHA256 fa9b83479f1b955790325dc557624185a8c72df3e31870dae075437146858185
SHA512 8334c467c470c13b0245425d3bc1ba9676a04e1e015bec56122504d622e7e3858d5ad7950d09c155f3666a90b7d3c7b40f324d0786553d6e81711b7f38cf1d57

C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe

MD5 5bc76411c1dfeaf988a4469f128bbb6d
SHA1 b66c018fedfca88a82c96c58a97c6006f870b32e
SHA256 26eecdb9ae714be60758560d7f8410c2d78faa13d66e1f6714db2f17b7c5bd55
SHA512 d73865f15af9c64349ff02c85a18f009ad8b8f5ccd219a4d90d13a73ed1aa0f42a6c8f7d07ea1b836ce4b8da36e191e6af371439a51b3600b53a693c71298c16

C:\Program Files (x86)\Reg-Tool\definitions.db

MD5 9d5a45aa7203672bd0c16e212815f1bf
SHA1 e09162aa55916d5428ea540c11b00d8f77be9a8e
SHA256 2af162c85d8f898cf31a972c9af66caa21aa009bf84b1522c8a37cbe0d84e34c
SHA512 a274750efead11bb21bbdd6c77b2a902ec51d8d760405f2600bb62992798123995acd475b4891d0c94d52b0b0431fd244867eba33fb16c787759ca2e538b8748

C:\Program Files (x86)\Reg-Tool\startup.db

MD5 44fa7b9f408c0b5ba1fff283808eba34
SHA1 9c9809646306f67b4ab1cdec78cacbb2a5162e84
SHA256 6573f1fe1de7541042ca6f49a0adac130fde506d6b92e1ed0ee856d69fb57946
SHA512 5bdec5ed5a21f3a2e6a04ddc9aab06fb8fc3256eddf79c62d026022fbd41f4229a73c57c775ff8c5e3723fc47f9773c951260928c4b5877fb67399b861538f68

C:\Program Files (x86)\Reg-Tool\privacy.db

MD5 bc166f104d54c05ef2ea87d0c5509f46
SHA1 9c5068bca2fba2d6e39df6b171ecf944b14899d4
SHA256 4b489a11a37516b7f1ebbacde2cfbe173726deb570a89f367094370045c57772
SHA512 671765513c11254f5f4cfbd106898a2505299071ffd188b7505b8c5b9ef53a24b04fd7d8c0c15227a02ada5d2695417352733926e6407880bd87e6d7947f515f

C:\Program Files (x86)\Reg-Tool\pw.zip

MD5 b8b098eae0638a02207abb73dba0afe2
SHA1 3316ffabbf994bcea4f3a2f4c97e8352621171ea
SHA256 0ae908b2989b4a9d7c93cd7cfe27b7c0c60cce64c265b743fb6b5f7a6d72f269
SHA512 29b0c4de613a7ece77d4668af9169d54140f2bdb49218f294b5dbc91ef48b51b7b2f556ccd530b67d8c2808a59becd5489ecfad0d4ff91283c01fdc8ae5c415b

C:\Windows\Tasks\Reg-Tool Startup.job

MD5 05c3e1b66ba34d4a955b79fe006f6dc5
SHA1 884308774f7c6bc8ada95faa13e08ffaa94faefd
SHA256 9227f67dd427f033e979f0979aeb8cd3e2672541a5c5be42832bcac9d2b0c81f
SHA512 1e5bdd5e5baca48e0e17a35d8c9dbd5c68df5216ddde1d39fc94384268eccc5784480757fb8c53783da8f62121fb15fa921d90070a8fd0ba89e27342dfd7352a

C:\Users\Admin\AppData\Local\Temp\Tar45B8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 3c7dd4dff69c3d094e4f1db20ea72ca1
SHA1 c28312e27779b267e93fa08765396066cf8bc2c1
SHA256 cf91dc80d113dc0309569b86b834080bc4b9fc49e545dbc4f2b71f7a103e17ae
SHA512 59e109c59c57f75701380dd6ffd3077e51f8fe5b6f0e9fea5b2833ee7989fe1ff21a8ee01ff01a1c0e598b45dcee0771752cadce97dd7470f00aaec5ca57103a

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 15:40

Reported

2024-11-27 15:43

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

PandaStealer

stealer pandastealer

Pandastealer family

pandastealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Reg-Tool\PW\optimizations.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\startup.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\wizard.css C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\startup.db C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\general.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\privacy.db C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\Reg-Tool.url C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\privacy.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW\scheduler.html C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Program Files (x86)\Reg-Tool\PW.zip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Reg-Tool\definitions.db C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e583d52.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{90D92A69-433F-49BF-B358-E0B785FFBD94}\Icon.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{90D92A69-433F-49BF-B358-E0B785FFBD94} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4198.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\Reg-Tool Scan.job C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File opened for modification C:\Windows\Tasks\Reg-Tool Scan.job C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Windows\Tasks\Reg-Tool Startup.job C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File opened for modification C:\Windows\Tasks\Reg-Tool Startup.job C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
File created C:\Windows\Installer\e583d52.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{90D92A69-433F-49BF-B358-E0B785FFBD94}\Icon.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e583d54.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BA57B859A49DD113BC7188A558D5939 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Net\1 = "C:\\Program Files (x86)\\Downloaded Installers\\{90D92A69-433F-49BF-B358-E0B785FFBD94}\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\PackageCode = "48BA83601803F4045BC521D940643267" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96A29D09F334FB943B850E7B58FFDB49\OptimizerApplication C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Version = "34082485" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96A29D09F334FB943B850E7B58FFDB49 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\ProductIcon = "C:\\Windows\\Installer\\{90D92A69-433F-49BF-B358-E0B785FFBD94}\\Icon.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4BA57B859A49DD113BC7188A558D5939\96A29D09F334FB943B850E7B58FFDB49 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\PackageName = "setup.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Downloaded Installers\\{90D92A69-433F-49BF-B358-E0B785FFBD94}\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96A29D09F334FB943B850E7B58FFDB49\ProductName = "Reg-Tool" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A
N/A N/A C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe
PID 2796 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe
PID 2796 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe
PID 5108 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 5108 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 5108 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe C:\Windows\SysWOW64\msiexec.exe
PID 2984 wrote to memory of 1108 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2984 wrote to memory of 1108 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2984 wrote to memory of 4512 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2984 wrote to memory of 4512 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2984 wrote to memory of 4512 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4512 wrote to memory of 4328 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe
PID 4512 wrote to memory of 4328 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe
PID 4512 wrote to memory of 4328 N/A C:\Windows\syswow64\MsiExec.exe C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a88d1914a8879ab730ff1ba9c2f2f585_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe"

C:\Windows\SysWOW64\msiexec.exe

"msiexec" /i "C:\Program Files (x86)\Downloaded Installers\{90D92A69-433F-49BF-B358-E0B785FFBD94}\setup.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E3AD6ADDE5D9497F3E0681C13EF9682E C

C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe

"C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 csc3-2009-2-crl.verisign.com udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 csc3-2009-2-crl.verisign.com udp
US 8.8.8.8:53 www.regtool.com udp
US 3.33.139.32:80 www.regtool.com tcp
US 8.8.8.8:53 m.ask.com udp
US 151.101.2.114:443 m.ask.com tcp
US 8.8.8.8:53 32.139.33.3.in-addr.arpa udp
US 8.8.8.8:53 114.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 fe2cr.update.microsoft.com udp
US 40.83.50.88:443 fe2cr.update.microsoft.com tcp
US 8.8.8.8:53 88.50.83.40.in-addr.arpa udp
US 8.8.8.8:53 download.windowsupdate.com udp
GB 2.23.210.83:80 download.windowsupdate.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
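Most rows in this table are reverse lookups (in-addr.arpa names) of the kind an analysis environment performs for IPs it observes; treat them as noise unless they correlate with a host the sample actually connected to. The last row has an empty Domain column. The script below is an added example, not part of the report, that parses the table, decodes PTR names back to the IP they stand for so they can be matched against contacted hosts, lists names that were resolved but never contacted (csc3-2009-2-crl.verisign.com in this table), and counts rows it cannot attribute to a domain. The input is a constructed subset of the rows above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: a subset of the report's Network table, including
# the final row whose Domain column is empty.
SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 csc3-2009-2-crl.verisign.com udp
US 8.8.8.8:53 www.regtool.com udp
US 3.33.139.32:80 www.regtool.com tcp
US 8.8.8.8:53 m.ask.com udp
US 151.101.2.114:443 m.ask.com tcp
US 8.8.8.8:53 32.139.33.3.in-addr.arpa udp
US 8.8.8.8:53 114.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 fe2cr.update.microsoft.com udp
US 40.83.50.88:443 fe2cr.update.microsoft.com tcp
GB 2.23.210.83:80 download.windowsupdate.com tcp
US 8.8.8.8:53 udp
"""

# "<CC> <ip>:<port> [<domain>] <proto>"; the domain group is optional so the
# row with an empty Domain cell still parses instead of being dropped.
ROW_RE = re.compile(
    r"^(?P<country>[A-Z]{2}) (?P<ip>[0-9.]+):(?P<port>\d+)"
    r"(?: (?P<domain>[^\s]+))? (?P<proto>udp|tcp)$"
)


def parse_rows(text):
    """Return one dict per data row; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def ptr_to_ip(name):
    """Decode an IPv4 reverse-lookup name: "32.139.33.3.in-addr.arpa" -> "3.33.139.32".

    Returns None for anything that is not a well-formed four-label PTR name.
    """
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def summarize(rows):
    """Split the table into forward queries, real connections and PTR noise."""
    queries, ptr_names, connections = set(), {}, defaultdict(set)
    unlabeled = 0
    for r in rows:
        if r["domain"] is None:
            unlabeled += 1
            continue
        ip = ptr_to_ip(r["domain"])
        if ip:
            ptr_names[ip] = r["domain"]
        elif r["port"] == 53 and r["proto"] == "udp":
            queries.add(r["domain"])
        else:
            connections[r["domain"]].add((r["ip"], r["port"], r["proto"]))
    contacted = {ip for conns in connections.values() for ip, _, _ in conns}
    return {
        "queries": queries,
        "connections": dict(connections),
        # Names the sample resolved but never connected to.
        "queried_only": queries - set(connections),
        # Reverse lookups for IPs the sample actually contacted ...
        "ptr_correlated": {ip: n for ip, n in ptr_names.items() if ip in contacted},
        # ... versus reverse lookups for IPs that appear nowhere else in the table.
        "ptr_background": {ip: n for ip, n in ptr_names.items() if ip not in contacted},
        "unlabeled_rows": unlabeled,
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_NETWORK))
    for domain, endpoints in sorted(summary["connections"].items()):
        print(domain, sorted(endpoints))
    print("queried only:", sorted(summary["queried_only"]))
    print("PTR noise for uncontacted IPs:", len(summary["ptr_background"]))
    print("rows without a domain:", summary["unlabeled_rows"])
```

The table does not say which process made each connection, so the output is a host list to pivot on, not an attribution: www.regtool.com and m.ask.com are the candidates worth following into the process and file data, while the Microsoft update endpoints are background.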

Files

C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe

MD5 de1a17d4d7683738c4b0b165d36d5821
SHA1 5b175debe5ce1e700a2f420bf944b20f5f17bd2e
SHA256 1ee03147705d39bf9c2c57340bcf6576a1647ad97517e74df2ebb4443cd8ee66
SHA512 7f2ebfd3b532548aec594b4399ccec17490a924215c0dfa0683becb5b9da19af5ba37341b562d04d4adc9dfea6feacea701652fdc612d14cc17acfe869c39177

C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.msi

MD5 8d5626aaf4505a65505f646959aab3fe
SHA1 65baaabfd5d1eb022083fe9df79504cc656f315e
SHA256 b479919a20b820f13ba758f5a3851045ead9315b702bf5355c66e00593a5f832
SHA512 fa2024af189f337048d4e425829bb75ff83f91b879b67502913bb25e734b2ac3371f7b9b2d502b05e8471791a765f018800edbb0ee57db5410db9d6d3fe7cfec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4DD39726D4B55AC3B4119B35A893323C_E7006F6DAEDBA5B627CA573B13FD6F3A

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4DD39726D4B55AC3B4119B35A893323C_E7006F6DAEDBA5B627CA573B13FD6F3A

MD5 2c4b0106b503c0d2c861d165bad88b40
SHA1 c1d64a3b0c5e17897203c551a774ef74f58f881e
SHA256 a41aa04286910a41c98bd4c1df65e2cf4b0e98d8bb4f3a8e3f269e1a8bdb21d4
SHA512 512c7054cd7bcd35ffd130b263d0007cd53a84cd255b9a0711fb2f0aa81d3e9ebf6446c36ea16a765e54b1100fabab797bdb0a06c38188a39ca4a52d753f778b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5

MD5 1ba25895dc793e6826cbe8d61ddd8293
SHA1 6387cc55cbe9f71ae41b2425192b900a1eb3a54f
SHA256 cc4c5c999ca59e5a62bc3ffe172a61f8cf13cc18c89fe48f628ff2a75bdc508a
SHA512 1ff9b34fdbeae98fa8b534ba12501eb6df983cc67ce4f8ffc4c1ff12631aa8ed36ff349c39a2186e0ac8d9809437106578a746eec3854b54fef38a3cc0adb957

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5

MD5 475fd6b63ea1af350c330855b6826bb8
SHA1 e541e304fa55dfb44777a1a5ea8dd26af308561e
SHA256 f06d9137292d9dd97120e274cec6ba680bb912eca0b5417b082ead636777aa4b
SHA512 1d4b5c70e079ad257e7f86c1c908655bdae9f8cc4ab77badd0bd72732a49fbee5ddfa518218e46f2bc306da48f4d9d9d6047983c1cda15ea3da6d3fe9215376f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_4DD1053BCC726DA41115FFF4C7D6E9CC

MD5 0d21d80c9639e14a4d07441c970b1a88
SHA1 6e3485c9a29bd67f52d0fd58e3ef779f33db8b50
SHA256 1639a46e2f5887ed5106a403a7acedf5ca98f188488306e5db018c7a91cd966c
SHA512 61494385c43089e029149cee7cae9a1f15d5b41497c8a0e076942c7023848d7cf956f91eae87aaeda40733fd18998523cc7c896eabd5016c7d00ea80061a37fd

C:\Config.Msi\e583d53.rbs

MD5 12afadc9a9aad12c0f9157ec6846ae78
SHA1 5869999c2c84ecee9e9b8d29921c63dfe0b80e90
SHA256 4e1b35a16d1911b977ca30da3972880eccedb8a037244802974246b30595dc05
SHA512 82ef95885fdbc6cfb5cff8f7e9f1fe28e65d58934743d09325c457fc8e4dd21dc7d3be4432dc22cbedd3994a654cf8a62989695a2ef9122b958c9ba7bbd0f858

C:\Users\Admin\AppData\Local\Temp\MSI4B9A.tmp

MD5 14c01c848d8452005734858a64b6784b
SHA1 d3d81fcd1267095880218ef09b92220248905ea8
SHA256 fa9b83479f1b955790325dc557624185a8c72df3e31870dae075437146858185
SHA512 8334c467c470c13b0245425d3bc1ba9676a04e1e015bec56122504d622e7e3858d5ad7950d09c155f3666a90b7d3c7b40f324d0786553d6e81711b7f38cf1d57

C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe

MD5 5bc76411c1dfeaf988a4469f128bbb6d
SHA1 b66c018fedfca88a82c96c58a97c6006f870b32e
SHA256 26eecdb9ae714be60758560d7f8410c2d78faa13d66e1f6714db2f17b7c5bd55
SHA512 d73865f15af9c64349ff02c85a18f009ad8b8f5ccd219a4d90d13a73ed1aa0f42a6c8f7d07ea1b836ce4b8da36e191e6af371439a51b3600b53a693c71298c16

C:\Program Files (x86)\Reg-Tool\definitions.db

MD5 9d5a45aa7203672bd0c16e212815f1bf
SHA1 e09162aa55916d5428ea540c11b00d8f77be9a8e
SHA256 2af162c85d8f898cf31a972c9af66caa21aa009bf84b1522c8a37cbe0d84e34c
SHA512 a274750efead11bb21bbdd6c77b2a902ec51d8d760405f2600bb62992798123995acd475b4891d0c94d52b0b0431fd244867eba33fb16c787759ca2e538b8748

C:\Program Files (x86)\Reg-Tool\startup.db

MD5 44fa7b9f408c0b5ba1fff283808eba34
SHA1 9c9809646306f67b4ab1cdec78cacbb2a5162e84
SHA256 6573f1fe1de7541042ca6f49a0adac130fde506d6b92e1ed0ee856d69fb57946
SHA512 5bdec5ed5a21f3a2e6a04ddc9aab06fb8fc3256eddf79c62d026022fbd41f4229a73c57c775ff8c5e3723fc47f9773c951260928c4b5877fb67399b861538f68

C:\Program Files (x86)\Reg-Tool\privacy.db

MD5 bc166f104d54c05ef2ea87d0c5509f46
SHA1 9c5068bca2fba2d6e39df6b171ecf944b14899d4
SHA256 4b489a11a37516b7f1ebbacde2cfbe173726deb570a89f367094370045c57772
SHA512 671765513c11254f5f4cfbd106898a2505299071ffd188b7505b8c5b9ef53a24b04fd7d8c0c15227a02ada5d2695417352733926e6407880bd87e6d7947f515f

C:\Windows\Tasks\Reg-Tool Startup.job

MD5 cbec6b878ef7cd520c8dda9f68d3ddc6
SHA1 3365966b73baf1d710a7bcb453f838959fa6476b
SHA256 6cbbd5eb18130a667c74111c27c81baaf72e7698032ff9d890d44faf03d58293
SHA512 2429c904660bbd933d502bb935838a0bd072a7a695f4ed9b3289e04d8c0b0428eb5318a2e14fb26c89d398be3d6387c9a9fdad0e4b77414d0a182a88a19b082f

C:\Windows\Tasks\Reg-Tool Scan.job

MD5 7433803142b99264d274c83902e47f79
SHA1 cf22880e9aea42cf531effd7287ce4a9430f7b85
SHA256 dbffa9bad9491fbb78aa07212009c71de3f4cca4f8e9773b43aa9d4487d2e6de
SHA512 6dde5abd17ff406612ae890444acaf17b3779baa721cd2a4c27ec30b579b332af8a5886496dc6dac109a2698e8dffe01cc73e83b011df99b5e681a1b0ac69746

C:\Program Files (x86)\Reg-Tool\pw.zip

MD5 b8b098eae0638a02207abb73dba0afe2
SHA1 3316ffabbf994bcea4f3a2f4c97e8352621171ea
SHA256 0ae908b2989b4a9d7c93cd7cfe27b7c0c60cce64c265b743fb6b5f7a6d72f269
SHA512 29b0c4de613a7ece77d4668af9169d54140f2bdb49218f294b5dbc91ef48b51b7b2f556ccd530b67d8c2808a59becd5489ecfad0d4ff91283c01fdc8ae5c415b

\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{398257c9-b1ab-4b98-87a3-479a55dbc59f}_OnDiskSnapshotProp

MD5 19a76b2579c0ce856f25bfcfafadfef9
SHA1 51398ed8d31045431262fdb1f8aa4d1c321f10df
SHA256 892f7d7b371a55851fc0735b8676c36078af64874888e28aac845b8a3228fee7
SHA512 2ccd8547e5e78e6a0a6100c235135df5671b994abd37659cdfc03fba7ca20dadec69110b2bcc0e1c9231402b41d16a7ea08305d0f9e83776c865569ed83dfb83

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 64c47b84ec0a3a89247fa2f191af007f
SHA1 22de42ef56a0ea58a4afe4fad5b3a2ef5ae647d9
SHA256 bbe8216b996fe917a3da61269b1da88a722c500f28ce8042dd90a78d014e94a7
SHA512 f7e1b5587b49e4182e05f84a8711a50e2be5a356b938dffe04e5fd9b70dc4e05665052b10025675d26c48f830a5c885beb54ac838cbf6304a4a94fbef7c78094
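The Files list mixes artifacts of different value: the staged dropper files under Temp, the installed Reg-Tool payload and its databases under Program Files, the two .job files under C:\Windows\Tasks that register scheduled tasks for the installed program, and installer side effects (the Config.Msi rollback script and the restore-point and shadow-copy metadata written while srtasks.exe ran). The script below is an added example, not part of the report, that parses the section into path-and-digest entries, validates each digest's length and alphabet before it enters a SHA256 hunting set, and sorts the paths into those categories. The path rules are this example's own assumptions, and the input is an abridged copy of entries above.

```python
import re
from collections import defaultdict

# Constructed sample input: an abridged copy of the report's Files section
# (a path line, a blank line, then one "<ALGO> <hex>" line per digest).
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\7zSA374.tmp\setup.exe

MD5 de1a17d4d7683738c4b0b165d36d5821
SHA1 5b175debe5ce1e700a2f420bf944b20f5f17bd2e
SHA256 1ee03147705d39bf9c2c57340bcf6576a1647ad97517e74df2ebb4443cd8ee66

C:\Program Files (x86)\Reg-Tool\Reg-Tool.exe

MD5 5bc76411c1dfeaf988a4469f128bbb6d
SHA1 b66c018fedfca88a82c96c58a97c6006f870b32e
SHA256 26eecdb9ae714be60758560d7f8410c2d78faa13d66e1f6714db2f17b7c5bd55

C:\Windows\Tasks\Reg-Tool Startup.job

MD5 cbec6b878ef7cd520c8dda9f68d3ddc6
SHA256 6cbbd5eb18130a667c74111c27c81baaf72e7698032ff9d890d44faf03d58293

C:\Config.Msi\e583d53.rbs

SHA256 4e1b35a16d1911b977ca30da3972880eccedb8a037244802974246b30595dc05

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

SHA256 bbe8216b996fe917a3da61269b1da88a722c500f28ce8042dd90a78d014e94a7
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) (\S+)$")
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Path classification rules are this example's assumptions. They are applied
# to the lower-cased path in order; the first match wins.
PATH_RULES = [
    ("scheduled_task_job",
     lambda p: p.startswith("c:\\windows\\tasks\\") and p.endswith(".job")),
    ("restore_point_or_shadow_copy",
     lambda p: "\\system volume information\\" in p),
    ("msi_rollback_script",
     lambda p: p.startswith("c:\\config.msi\\") and p.endswith(".rbs")),
    ("temp_staging",
     lambda p: "\\appdata\\local\\temp\\" in p),
    ("program_files_install",
     lambda p: p.startswith("c:\\program files")),
]


def parse_file_blocks(text):
    """Return [{"path": ..., "hashes": {algo: hex}}] from a Files section."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and entries:
            entries[-1]["hashes"][m.group(1)] = m.group(2)
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def hash_problems(hashes):
    """Algorithms whose digest has the wrong length or a non-hex character."""
    bad = []
    for algo, value in hashes.items():
        expected = HASH_HEX_LEN.get(algo)
        if expected is None or len(value) != expected or not re.fullmatch(r"[0-9a-fA-F]+", value):
            bad.append(algo)
    return bad


def classify_path(path):
    p = path.lower()
    for label, rule in PATH_RULES:
        if rule(p):
            return label
    return "other"


def triage(text):
    """Group paths by category and build a SHA256 hunting set.

    Entries with a malformed digest are reported separately instead of
    silently entering the hunting set.
    """
    by_category = defaultdict(list)
    sha256_set = set()
    malformed = []
    for entry in parse_file_blocks(text):
        by_category[classify_path(entry["path"])].append(entry["path"])
        problems = hash_problems(entry["hashes"])
        if problems:
            malformed.append((entry["path"], problems))
        elif "SHA256" in entry["hashes"]:
            sha256_set.add(entry["hashes"]["SHA256"].lower())
    return {"by_category": dict(by_category), "sha256": sha256_set, "malformed": malformed}


if __name__ == "__main__":
    result = triage(SAMPLE_FILES)
    for label, paths in sorted(result["by_category"].items()):
        print(label)
        for path in paths:
            print("  " + path)
    print(f"{len(result['sha256'])} SHA256 values for hunting, {len(result['malformed'])} malformed entries")
```

Only the staged and installed binaries and the .job files are worth hunting for by hash; the rollback script and the System Volume Information metadata are machine-specific and will not match on any other host.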