neshta | 7e3e3413575bc60710db5d575851dfd46c05e596eeb7e01ead584e671fe7af62

Analysis

max time kernel
148s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-02-2025 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Size

1.5MB
MD5

c9040ddc80275bce629c71c50d2e42ae
SHA1

b01c27424e01031bdc77f56bd55d04fe791661aa
SHA256

7e3e3413575bc60710db5d575851dfd46c05e596eeb7e01ead584e671fe7af62
SHA512

d39e783ba908e5d5853263a28c6744c892ddd549591bb24b8da95ef219d9df5ed9c6a56645689289f263a077015681b70f3c6a4b985a5cf8afe762d9f67437ac
SSDEEP

12288:DLI2nmeC1Tg13XD7tfmCnZVcorOk4X/3K63S+/9HQKGP2ZbHfUK2jRhSGakKeiSt:fnmwnECnZtR6f/OKPOAGakqKitxKMM

Score

10^/10

neshta discovery persistence spyware stealer

Malware Config

Signatures

Detect Neshta payload 10 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010314-14.dat	family_neshta
behavioral1/memory/844-117-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/844-118-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/844-119-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/844-121-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/844-125-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/844-163-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x00080000000195a9-334.dat	family_neshta
behavioral1/memory/2644-342-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2940-353-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Drivers\vwifikerneldrv.sys	AdguardSvc.exe
File created	C:\Windows\system32\drivers\adgnetworkwfpdrv.sys	Adguard.Tools.exe
File opened for modification	C:\Windows\system32\drivers\adgnetworkwfpdrv.sys	Adguard.Tools.exe

Executes dropped EXE 9 IoCs

pid	Process
1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
2644	svchost.com
2940	svchost.com
552	ADGUAR~1.EXE
2680	ADGUAR~1.EXE
2580	AdguardSvc.exe
1548	Adguard.exe
1608	Adguard.Tools.exe
1748	AdguardNetReg.exe

Loads dropped DLL 64 IoCs

pid	Process
844	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
844	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
1584	MsiExec.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
1584	MsiExec.exe
1116	rundll32.exe
1116	rundll32.exe
1116	rundll32.exe
1116	rundll32.exe
1116	rundll32.exe
1584	MsiExec.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
2632	rundll32.exe
1584	MsiExec.exe
1584	MsiExec.exe
1584	MsiExec.exe
1584	MsiExec.exe
1848	MsiExec.exe
1848	MsiExec.exe
1584	MsiExec.exe
1584	MsiExec.exe
2244	rundll32.exe
2244	rundll32.exe
2244	rundll32.exe
2244	rundll32.exe
2244	rundll32.exe
2644	svchost.com
2940	svchost.com
2940	svchost.com
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe
2244	rundll32.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
2580	AdguardSvc.exe
2580	AdguardSvc.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adguard = "C:\\Program Files (x86)\\Adguard\\Adguard.exe"	rundll32.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	432	msiexec.exe
12	432	msiexec.exe
24	332	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\d3dx9_11.dll.tmp	AdguardSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AdguardSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	AdguardSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	AdguardSvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	AdguardSvc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\DynamicDataDisplay.dll	msiexec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\Adguard.Http.dll	msiexec.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\Program Files (x86)\Adguard\Drivers\x64\adgnetworktdidrv.sys	AdguardSvc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\PresentationFramework.Aero.dll	msiexec.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\Adguard.Service.dll	msiexec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\AdguardNetLib.dll	msiexec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\Adguard.Filter.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adguard\Drivers\x86\AdguardNetLib.dll	AdguardSvc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\Drivers\x64\adgnetworkwfpdrv.sys	AdguardSvc.exe
File created	C:\Program Files (x86)\Adguard\Drivers\x64\AdguardNetReg.exe	AdguardSvc.exe
File created	C:\Program Files (x86)\Adguard\Adguard.Proxy.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adguard\Drivers\x64\adgnetworkwfpdrv.sys	AdguardSvc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\Drivers\x64\adgnetworktdidrv.sys	AdguardSvc.exe
File created	C:\Program Files (x86)\Adguard\langs\Adguard.UI.resources.ja.dll	msiexec.exe
File created	C:\Program Files (x86)\Adguard\AdguardSvc.exe.config	msiexec.exe
File created	C:\Program Files (x86)\Adguard\nss\mozcrt19.dll	msiexec.exe
File created	C:\Program Files (x86)\Adguard\ICSharpCode.AvalonEdit.dll	msiexec.exe
File created	C:\Program Files (x86)\Adguard\System.Data.SQLite.dll	msiexec.exe
File created	C:\Program Files (x86)\Adguard\Drivers\x86\adgnetworktdidrv.sys	AdguardSvc.exe
File created	C:\Program Files (x86)\Adguard\Adguard.Network.dll	msiexec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\langs\Adguard.UI.resources.sr.dll	msiexec.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\Adguard.Html.dll	msiexec.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\nss\smime3.dll	msiexec.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\Adguard.Safebrowsing.dll	msiexec.exe
File created	C:\Program Files (x86)\Adguard\Drivers\x86\AdguardNetLib.dll	AdguardSvc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File created	C:\Program Files (x86)\Adguard\Adguard.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Adguard\Drivers\x86\AdguardNetReg.exe	AdguardSvc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\Installer\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\Uninstall.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4650.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{685F6AB3-7C61-42D1-AE5B-3864E48D1035}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\f78066a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4827.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4827.tmp-\Adguard.CustomActions.dll	rundll32.exe
File created	C:\Windows\WinSxS\poqexecv2sys.log	AdguardSvc.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f780667.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A4.tmp-\Adguard.CustomActions.dll	rundll32.exe
File created	C:\Windows\Installer\f780668.ipi	msiexec.exe
File created	C:\Windows\Installer\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\Icon.exe	msiexec.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\ehome\usrsts..dll	AdguardSvc.exe
File opened for modification	C:\Windows\Installer\MSI9A4.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1F85.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3A37.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3E6F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A37.tmp-\Adguard.CustomActions.dll	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI9A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1F85.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DE2.tmp	msiexec.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\Installer\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\Uninstall.exe	msiexec.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI1F85.tmp-\Adguard.CustomActions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3A37.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f780667.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F85.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3DA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\Icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI47A9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4827.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3A37.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3C2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3EED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f780668.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4827.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdguardSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adguard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AdguardSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	AdguardSvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AdguardSvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	AdguardSvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AdguardSvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	AdguardSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3BA6F58616C71D24EAB583464ED80153	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\PackageCode = "BEFABE847060739469BFE44F36E677D2"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E5674DA1C957254AA41A33512538F4C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\adguard\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3BA6F58616C71D24EAB583464ED80153\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\ProductName = "Adguard"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\PackageName = "setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\Version = "84543491"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\ProductIcon = "C:\\Windows\\Installer\\{685F6AB3-7C61-42D1-AE5B-3864E48D1035}\\Icon.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0E5674DA1C957254AA41A33512538F4C\3BA6F58616C71D24EAB583464ED80153	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\adguard\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3BA6F58616C71D24EAB583464ED80153\SourceList\Media	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E6037B932CA602E3C8319EF9620B18630DAA850C	AdguardSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E6037B932CA602E3C8319EF9620B18630DAA850C\Blob = 030000000100000014000000e6037b932ca602e3c8319ef9620b18630daa850c20000000010000000a03000030820306308201eea0030201020211008cf7a30c742236c95a8e63069e36fbc7300d06092a864886f70d01010b0500302b310b300906035504061302454e311c301a06035504030c134164677561726420506572736f6e616c2043413020170d3035303231343030323435335a180f32303635303133303030323435335a302b310b300906035504061302454e311c301a06035504030c134164677561726420506572736f6e616c20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c2f93e382d37c2fe0d2e9b21eebc1af13e09696a3fea98765d71c93d7c3985e25d3dbea4600ea78dd6b7f4c59e252602a929dc8ed7ffcc5a9baaaadd057dfbaad915a4ab1408bd254e78d57d314a9e5923e7d5b2b86a712dc7b905312f8823e6a2d9cd9b65f354af1800b60451778c4b841019a1ad97496da7e9deb428aeb2cd92bb7bc7aa7addabfba3af3b9b9733da39a32e1ea976f5e88bc9d6bc03368b5ae65c326190c05bd1b0c802b5dcaca62234b760103429d0697b915a8a28fc15f36a419d92c6d76dfa5ee3946d695676f4e53800ddb76c0a0ba54afb346efe066b59b37dd4263cee17fdef296a1d431ab280fb61209b49088743b9deb698465d290203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b05000382010100750bf8b214a133e84a15b10cc9088b1a7a1c0a049a33cc3b3c017a5f117e324a708ef31fea5c1863d5f484a1bef83ec0c52b4d1d589e70bd33c08b83440bb6b5770bc980064adf0fce1ed1c442c3560b98fefe2a13776114b27dd0d30aae12209e627ae1f8b0635cbc8261111f973caa4b31036ac051fe11311d9d0b5f1586c30c1c3c67d895361271792029574cc45596cad3e0b96ebfe6241794f06f2ddab5592bd3d576ee01f9d8b8f124fed2607ff1df35296f6c5bf66d639abbd9da43dfec566568ed87f67305f7a237175e787738b112c7764506f544d2b1e881bd3063a664f1a2d579ad9a7f90f3495901676a585bdd4ba063f19dc88e0d4859df11ce	AdguardSvc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe
2720	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeSecurityPrivilege	332	msiexec.exe
Token: SeCreateTokenPrivilege	432	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	432	msiexec.exe
Token: SeLockMemoryPrivilege	432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	432	msiexec.exe
Token: SeMachineAccountPrivilege	432	msiexec.exe
Token: SeTcbPrivilege	432	msiexec.exe
Token: SeSecurityPrivilege	432	msiexec.exe
Token: SeTakeOwnershipPrivilege	432	msiexec.exe
Token: SeLoadDriverPrivilege	432	msiexec.exe
Token: SeSystemProfilePrivilege	432	msiexec.exe
Token: SeSystemtimePrivilege	432	msiexec.exe
Token: SeProfSingleProcessPrivilege	432	msiexec.exe
Token: SeIncBasePriorityPrivilege	432	msiexec.exe
Token: SeCreatePagefilePrivilege	432	msiexec.exe
Token: SeCreatePermanentPrivilege	432	msiexec.exe
Token: SeBackupPrivilege	432	msiexec.exe
Token: SeRestorePrivilege	432	msiexec.exe
Token: SeShutdownPrivilege	432	msiexec.exe
Token: SeDebugPrivilege	432	msiexec.exe
Token: SeAuditPrivilege	432	msiexec.exe
Token: SeSystemEnvironmentPrivilege	432	msiexec.exe
Token: SeChangeNotifyPrivilege	432	msiexec.exe
Token: SeRemoteShutdownPrivilege	432	msiexec.exe
Token: SeUndockPrivilege	432	msiexec.exe
Token: SeSyncAgentPrivilege	432	msiexec.exe
Token: SeEnableDelegationPrivilege	432	msiexec.exe
Token: SeManageVolumePrivilege	432	msiexec.exe
Token: SeImpersonatePrivilege	432	msiexec.exe
Token: SeCreateGlobalPrivilege	432	msiexec.exe
Token: SeBackupPrivilege	2104	vssvc.exe
Token: SeRestorePrivilege	2104	vssvc.exe
Token: SeAuditPrivilege	2104	vssvc.exe
Token: SeBackupPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeRestorePrivilege	1228	DrvInst.exe
Token: SeRestorePrivilege	1228	DrvInst.exe
Token: SeRestorePrivilege	1228	DrvInst.exe
Token: SeRestorePrivilege	1228	DrvInst.exe
Token: SeRestorePrivilege	1228	DrvInst.exe
Token: SeRestorePrivilege	1228	DrvInst.exe
Token: SeRestorePrivilege	1228	DrvInst.exe
Token: SeLoadDriverPrivilege	1228	DrvInst.exe
Token: SeLoadDriverPrivilege	1228	DrvInst.exe
Token: SeLoadDriverPrivilege	1228	DrvInst.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeDebugPrivilege	2720	rundll32.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
432	msiexec.exe
432	msiexec.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe
1548	Adguard.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1236	844	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	30
PID 844 wrote to memory of 1236	844	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	30
PID 844 wrote to memory of 1236	844	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	30
PID 844 wrote to memory of 1236	844	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	30
PID 844 wrote to memory of 1236	844	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	30
PID 844 wrote to memory of 1236	844	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	30
PID 844 wrote to memory of 1236	844	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	30
PID 1236 wrote to memory of 432	1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	32
PID 1236 wrote to memory of 432	1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	32
PID 1236 wrote to memory of 432	1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	32
PID 1236 wrote to memory of 432	1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	32
PID 1236 wrote to memory of 432	1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	32
PID 1236 wrote to memory of 432	1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	32
PID 1236 wrote to memory of 432	1236	JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe	32
PID 332 wrote to memory of 1584	332	msiexec.exe	37
PID 332 wrote to memory of 1584	332	msiexec.exe	37
PID 332 wrote to memory of 1584	332	msiexec.exe	37
PID 332 wrote to memory of 1584	332	msiexec.exe	37
PID 332 wrote to memory of 1584	332	msiexec.exe	37
PID 332 wrote to memory of 1584	332	msiexec.exe	37
PID 332 wrote to memory of 1584	332	msiexec.exe	37
PID 1584 wrote to memory of 2720	1584	MsiExec.exe	38
PID 1584 wrote to memory of 2720	1584	MsiExec.exe	38
PID 1584 wrote to memory of 2720	1584	MsiExec.exe	38
PID 1584 wrote to memory of 2720	1584	MsiExec.exe	38
PID 1584 wrote to memory of 2720	1584	MsiExec.exe	38
PID 1584 wrote to memory of 2720	1584	MsiExec.exe	38
PID 1584 wrote to memory of 2720	1584	MsiExec.exe	38
PID 1584 wrote to memory of 1116	1584	MsiExec.exe	41
PID 1584 wrote to memory of 1116	1584	MsiExec.exe	41
PID 1584 wrote to memory of 1116	1584	MsiExec.exe	41
PID 1584 wrote to memory of 1116	1584	MsiExec.exe	41
PID 1584 wrote to memory of 1116	1584	MsiExec.exe	41
PID 1584 wrote to memory of 1116	1584	MsiExec.exe	41
PID 1584 wrote to memory of 1116	1584	MsiExec.exe	41
PID 1584 wrote to memory of 2632	1584	MsiExec.exe	42
PID 1584 wrote to memory of 2632	1584	MsiExec.exe	42
PID 1584 wrote to memory of 2632	1584	MsiExec.exe	42
PID 1584 wrote to memory of 2632	1584	MsiExec.exe	42
PID 1584 wrote to memory of 2632	1584	MsiExec.exe	42
PID 1584 wrote to memory of 2632	1584	MsiExec.exe	42
PID 1584 wrote to memory of 2632	1584	MsiExec.exe	42
PID 332 wrote to memory of 1848	332	msiexec.exe	43
PID 332 wrote to memory of 1848	332	msiexec.exe	43
PID 332 wrote to memory of 1848	332	msiexec.exe	43
PID 332 wrote to memory of 1848	332	msiexec.exe	43
PID 332 wrote to memory of 1848	332	msiexec.exe	43
PID 332 wrote to memory of 1848	332	msiexec.exe	43
PID 332 wrote to memory of 1848	332	msiexec.exe	43
PID 1584 wrote to memory of 2244	1584	MsiExec.exe	44
PID 1584 wrote to memory of 2244	1584	MsiExec.exe	44
PID 1584 wrote to memory of 2244	1584	MsiExec.exe	44
PID 1584 wrote to memory of 2244	1584	MsiExec.exe	44
PID 1584 wrote to memory of 2244	1584	MsiExec.exe	44
PID 1584 wrote to memory of 2244	1584	MsiExec.exe	44
PID 1584 wrote to memory of 2244	1584	MsiExec.exe	44
PID 2244 wrote to memory of 2644	2244	rundll32.exe	46
PID 2244 wrote to memory of 2644	2244	rundll32.exe	46
PID 2244 wrote to memory of 2644	2244	rundll32.exe	46
PID 2244 wrote to memory of 2644	2244	rundll32.exe	46
PID 2244 wrote to memory of 2940	2244	rundll32.exe	47
PID 2244 wrote to memory of 2940	2244	rundll32.exe	47
PID 2244 wrote to memory of 2940	2244	rundll32.exe	47
PID 2244 wrote to memory of 2940	2244	rundll32.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i C:\Users\Admin\AppData\Local\Temp\adguard\setup.msi AID=11947
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:432

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A5DB2E531871F576B2293C2746892424
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI9A4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259525306 1 Adguard.CustomActions!Adguard.CustomActions.CustomActions.OnFirstInstall
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI1F85.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259530688 14 Adguard.CustomActions!Adguard.CustomActions.CustomActions.PermanentActions
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1116
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI3A37.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259537506 29 Adguard.CustomActions!Adguard.CustomActions.CustomActions.OnInstallInitialize
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI4827.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259541031 94 Adguard.CustomActions!Adguard.CustomActions.CustomActions.OnInstallFinalize
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\PROGRA~2\Adguard\ADGUAR~1.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2644
    - - C:\PROGRA~2\Adguard\ADGUAR~1.EXE
        
        C:\PROGRA~2\Adguard\ADGUAR~1.EXE
        5⤵
        Executes dropped EXE
        
        PID:552
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\PROGRA~2\Adguard\ADGUAR~1.EXE" /f
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2940
    - - C:\PROGRA~2\Adguard\ADGUAR~1.EXE
        
        C:\PROGRA~2\Adguard\ADGUAR~1.EXE /f
        5⤵
        Executes dropped EXE
        
        PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C "net start "Adguard Service""
      4⤵
      System Location Discovery: System Language Discovery
      PID:2912
    - - C:\Windows\SysWOW64\net.exe
        
        net start "Adguard Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Adguard Service"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C "net start "Adguard Service""
      4⤵
      System Location Discovery: System Language Discovery
      PID:780
    - - C:\Windows\SysWOW64\net.exe
        
        net start "Adguard Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start "Adguard Service"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
  - - C:\Program Files (x86)\Adguard\Adguard.exe
      "C:\Program Files (x86)\Adguard\Adguard.exe" /visible
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 991C12C0A3158CAAD06EF8C8B785662A M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2104

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003F4" "00000000000005B0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2588

C:\Program Files (x86)\Adguard\AdguardSvc.exe
"C:\Program Files (x86)\Adguard\AdguardSvc.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:2580
- C:\Program Files (x86)\Adguard\Adguard.Tools.exe
  "C:\Program Files (x86)\Adguard\Adguard.Tools.exe" /install wfp
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:1608
- - C:\Program Files (x86)\Adguard\Drivers\x64\AdguardNetReg.exe
    "Drivers\x64\AdguardNetReg.exe" adgnetworkwfpdrv
    3⤵
    - Executes dropped EXE
    PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f780669.rbs

Filesize
294KB

MD5
b8177bbf1fd6275a7bb67e6b6d837a7e

SHA1
baa508b366db12b1874d40c78e3243bdce4c6a09

SHA256
b1672d4daba1824d9ad78971f1cc9fe65ac415ece1a012763eda92adf27c5bf0

SHA512
6b8e4ad5e3101458f50e45b2c73831915cb8ebf573cace8496cdebce4bb3fe11b8065caa143f7c75336c19320333a9479f1e4bb34f7adace8db31bd708ff5754

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\Program Files (x86)\Adguard\Adguard.Tools.exe

Filesize
126KB

MD5
246012bdb779acdcb4f058dd33bedbff

SHA1
32cb320b20582fc3be192f921a9258b5094eea09

SHA256
e4909b7e113f0761ceca4b51edc367955ab4e544132957486cce23dfd2f8d29e

SHA512
f05066e9d6a82923962dcaa152ef0439f8c3bc9cf6a53134b069938a7dddf9f3e96f42a3292dc34cfb9c784cd11310bca1fcde4829ea51be0f56791639f092da

Download Submit
C:\Program Files (x86)\Adguard\Adguard.exe

Filesize
1.9MB

MD5
1036a5756f04cba6c7f01deeeecf8ac6

SHA1
8fcff1106409bad8974d74b16ae6035e006ef8dc

SHA256
a753557051177a292c07e936952558e266a3038fc60c324edf7333b32e635f19

SHA512
18a3b31915d94df9958056bd94eeb4ca7957717deac970f98db441fd9374763aee62409308574ae18a93c6aed75ccb05fc1f7a12ca4c7620dcedd2c4ecb00245

Download Submit
C:\Program Files (x86)\Adguard\AdguardSvc.exe

Filesize
117KB

MD5
fe392e13fb5c8be2ce9128449885bcb5

SHA1
0659e107869ca13d135e4ca5bfb47c28112f401f

SHA256
d5a62598b0b4348a626d92fd2fbbf9d00f593587e2aacc93bb18136662fbd8c5

SHA512
1b7ea1d684c80b0c56b81a4ad81536e1956a25b8f126c42a0ef2d55f1d83cc9c77d0d5dfd0c172fa16fa7251ff5e91493ca9c2c0f8eef21ea1cef6a5a6535fed

Download Submit
C:\ProgramData\Adguard\dbase.s3db

Filesize
40KB

MD5
749e9a44ae656a51851ce13ee0a1b9c8

SHA1
e9236af4f8ed8bb1ac5eb0c23676a5f2583cb96f

SHA256
17846f73646a7251a56bd6c42981bb9e7b64806df29558e5baaecdf8c598b90b

SHA512
f11b9367fbc4133ca14073b84d617bfcdbd13b3f42507105084d4f4a69f31f796ab6bafcad1de750469cb81c582b5c8a2f89cc4c5d7f99aa9abb49599c828fdb

Download Submit
C:\ProgramData\Adguard\dbase.s3db

Filesize
4.0MB

MD5
6eacc4f87152a16130cb6fdfde036f30

SHA1
2595bf90ab1e0a07258c6b5828139c7449b0ac4f

SHA256
8361463ae1924bbf846c70dc1eaaa8211c921148887887cf52f412f64ef93609

SHA512
f4e2c2746a856866e1b4c932f0c3df52799195ae4543441c4b050e25ac9a3f5e25b17ee10cbb19c4f1cd2c4a791d878a0bafedec9894ff52b1fb0863bd3311c1

Download Submit
C:\ProgramData\Adguard\dbase.s3db

Filesize
4.0MB

MD5
ed6570b5444f5bec7b00e0fb336b2625

SHA1
831cc2ff6c0c3b454904e2617e7466b79576c0e4

SHA256
c2f11bd863d2a145e4983198ea483cadae8ff8ca5c6c918c9fd23f95b054f6e9

SHA512
1ead109412077a7ace5cf4c74fbc68bab8a4873cfd4f4abcf6f36acb9bbf3eb07b395a991dcbcaabe2f51e19ad4f293ca2377ac7d8ef928b14080a8e8890b3f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A9510437CB4EEB09F4B3AC2BC980E19

Filesize
1KB

MD5
5e6295e7a66d37c86542a268e660a499

SHA1
d2806d11b81849475b13888e0fcb0ce2db5518bf

SHA256
34d5e9da5133fdac0b86a40136ef54ebe854084ee6c0933a22cf4593de214fa7

SHA512
3a9d52a8ed5878eae427d69d083fa5df03b3c26aa4ad489d85e80cd3c094831ffad7942229f80cc601663e6303cb7854c034a5bb12b5755de5fd6b29b0a57d6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E7EC0C85688F4738F3BE49B104BA67

Filesize
1KB

MD5
c9be626e9715952e9b70f92f912b9787

SHA1
aa2e946d9ad9027172d0d321917942b7562d6abe

SHA256
c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

SHA512
7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A9510437CB4EEB09F4B3AC2BC980E19

Filesize
208B

MD5
7c3f58b71f876ab7c1d72964e2b73e5b

SHA1
00b71810f06b79ca905ea78438c50fb8a32bade8

SHA256
e4f3cae823424207eb083fecf73aaeabce88b19ba9cecc2a0619626fbdc82b4d

SHA512
13cea26c5614c732b981b5cb54fe6b378942a4b2c0f7e48bdc67c34e2456d8b7ae984e9fd6a46723ba27a4ae452b4c845932a5a1fc83098bdd2d5934e2cf1d2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E7EC0C85688F4738F3BE49B104BA67

Filesize
186B

MD5
1f68c0069f522b42e6a83a89b5f18d24

SHA1
1dba524a46662bf0d46f3a0a37bb3f16f81b6607

SHA256
f31843ed95b82dcbd21ad7407bfd0bb1ab1f728fe728dd0810a69c363f42f1ce

SHA512
8cc73ca1b4623fcc99567478446cae755fd7d37a216f917fc1ce32bdce6b5686f7492e888d2ea15ec3dfff299ce769bfe76eef163d511106b2f0cc3fc2eeb18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5457.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar790.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\adguard\setup.msi

Filesize
11.4MB

MD5
5b8303360f8d585409d41be1a9513187

SHA1
c09f1ece40407ee6260f31ea84c1a9ff685931e4

SHA256
0eb35eb02667d3d23c14a2275db8e5ab292602b838e763f188a764765086c5c4

SHA512
eb2d2e659adb638e372cd032fd1bdead5185586281df715f7c740b9cacae8f8e8da08bcbdc03088896a235493c4f16ab6b25db8dca3a048ea18bb8ca8b4dc382

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
33b456b4a534163ab1a31e80b0c25c8c

SHA1
c5eb9f72e6dbfd6549e27db04189c79178b10c55

SHA256
be5a01593f516190f5b571f2956e2ec07f585d4e3709ea05e7f750c05f2da335

SHA512
7b5936d1500e2b1fc7d89f6c8b3276acb099e29600d4e7e501a9b59beebc5131eb4f0496958b9ff904c4fe82fa65763cfa1dc38224baa43e3500d2affa3d01e1

Download Submit
C:\Windows\Installer\MSI1F85.tmp-\CustomAction.config

Filesize
234B

MD5
dfbc95544efd4fd9aca13ca4d43440b5

SHA1
0b84c31f88a2e2c36732336b5674266205e1260e

SHA256
93e7b3276f8bbaddf70f808df1b605cfbfd2b8b16c31f459efa66f6028ec1c10

SHA512
6450d56de9767a09aacd8c880c10daaaeaee1e604553f47a7df2595b20e8dad7eadf5bd641524dee600a50c1b41e7cd26f85e211792bf9609701654c1df5c8a9

Download Submit
C:\Windows\Installer\MSI3C2B.tmp

Filesize
181KB

MD5
b1298b75b1c09fdbb3906aeec500f066

SHA1
d84b4fe247a47ea7649f75e88791d34a60454f2e

SHA256
826289b33e9046fd86c559ac3c888129451534bfb2f31fa264d0c62760e0e35e

SHA512
2359518d0c5a19123b3491143d20f453e09d973323863b51b917434a5989790f0aad47ac41fb142ab5aceed973ad924392f7efa7244a17d2374d262cc2b8fac5

Download Submit
C:\Windows\Installer\MSI3DE2.tmp

Filesize
101KB

MD5
543f75540b657c47619488d9d479de17

SHA1
4b30aec5ad9e96f8101f116c1945eb3ae1b9bce7

SHA256
aaf422c618cd70950c600b2890440ac24d9ebda82b9072ac3d59bd44a6ef2392

SHA512
c1ff2ff0928e49a03e6204274273bb9ff581e7bba7bb3bf4534f7734ecc45bf3596c6a63386428248a1c1a733fd880c5ccdee2062a94227c6fcec2a8a9417ed4

Download Submit
C:\Windows\Installer\MSI9A4.tmp

Filesize
291KB

MD5
e9b6b9fd50a6a3a13fad66d497fd7950

SHA1
db392075dff3bffa5773dfcd5263dfd0d79159fe

SHA256
51f161358a273a3035c8b0d9d8f0261cb7eef20e180d4276a3d046d05436e138

SHA512
efd7253b81990b174d9daa1a13679ea7795a01d987e93b7ac82166aedaf482964fd00d91855d1457e6496267264b8f9ca008f5b89e43f71d9940b72e7aa8bdd0

Download Submit
C:\Windows\directx.sys

Filesize
34B

MD5
efe1b69e738f8520e0c7c7831e32c5bb

SHA1
e243f6ac1d686e8fb475a414cccfc67259fd67d2

SHA256
4e9df86fd4e68ad09aa7075634b3846ddcd9b5869f2b26dee5159d9e517dca4d

SHA512
886105b7e1f537cbaf8931217f81fbcf3712b776850eaffea7856b7d522d25d45d3dcf11f8ea74bff1c37d34ce6c46ef34e70fd3f1e4ebfc3ef0e29735cf6d3a

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
81baeae62298eda5bdb5d6bc28da08dc

SHA1
2eed11ab623bbd8cd71aba1fa9e30db5c82fce1e

SHA256
3a87dd25b3cd5fd9e111bd1b6bd169a4a89e4edc021c7a8ad5e6d66b7adb244f

SHA512
3e8f5acfc92ec0f3cf7c539369a16a75adc488de20384ce1f508f87d98818da03ab26be39c1b7c8d418c5aa8794752a48b0985415dd89633e38abf451b8ce402

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_c9040ddc80275bce629c71c50d2e42ae.exe

Filesize
1.5MB

MD5
33c788ad055127fd3a37ca958a9adb51

SHA1
4fa0b653e27516d7186ef56117e197e6c89ff987

SHA256
8d88f1eddb421c04f090fe09cfbc33c46244658fe77852e309014448bcc1da7f

SHA512
91a2c604d69be7cc4c887dfa48c959c418b8c812db9ff3287bf4fe6219aed23f46f5bdc123ed3ce041ca4ba4977eedb901fb4e6ae9dff0953d41e5ac215e4d52

Download Submit
\Windows\Installer\MSI9A4.tmp-\Adguard.CustomActions.dll

Filesize
365KB

MD5
6ee23c8c7772171e6e894fa986f81bca

SHA1
358751731976c09f5fadbd2616f36d07126982aa

SHA256
964e10b474e406457581cf6717db6a917783532ce73d1ef8e76f01f06d40ae32

SHA512
0255541b0e7b8483fb335bfbe920e80e514503769cfd863a60d465c671f83cb059d6795856db56f1ce50352f15b328d694558c0f49383ee4c6092912f380046a

Download Submit
\Windows\Installer\MSI9A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
180KB

MD5
7d625fe73ab5f25390d5b663b0760bb8

SHA1
5dccf0b59215e47bd477ae563db9fb53fd1970a0

SHA256
20af4ea25c5bfb6cf5ae236d2f213402c6040ebca2e7ab5c0983267d34ca1673

SHA512
a7a12744afb89ff52d7cc5785edc9c42da0c796d3389cd39e7815623d9bdd4735f2410885714bc25e8fdf74e5cba8a1e3e691c0e47b775a2dce05bd0a5662a93

Download Submit
memory/552-354-0x0000000000E40000-0x0000000000E64000-memory.dmp

Filesize
144KB

Download
memory/844-118-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/844-125-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/844-117-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/844-121-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/844-163-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/844-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1116-188-0x0000000001E90000-0x0000000001EF2000-memory.dmp

Filesize
392KB

Download
memory/1116-184-0x0000000001D90000-0x0000000001DC0000-memory.dmp

Filesize
192KB

Download
memory/1548-425-0x0000000000170000-0x0000000000362000-memory.dmp

Filesize
1.9MB

Download
memory/1548-730-0x0000000001EF0000-0x0000000001EFA000-memory.dmp

Filesize
40KB

Download
memory/1548-544-0x0000000001EF0000-0x0000000001EFA000-memory.dmp

Filesize
40KB

Download
memory/1548-543-0x0000000001EF0000-0x0000000001EFA000-memory.dmp

Filesize
40KB

Download
memory/1548-516-0x0000000001FE0000-0x000000000200A000-memory.dmp

Filesize
168KB

Download
memory/1548-489-0x00000000047A0000-0x0000000004882000-memory.dmp

Filesize
904KB

Download
memory/1608-711-0x00000000010F0000-0x0000000001114000-memory.dmp

Filesize
144KB

Download
memory/2244-328-0x0000000000810000-0x0000000000840000-memory.dmp

Filesize
192KB

Download
memory/2244-332-0x0000000000B30000-0x0000000000B92000-memory.dmp

Filesize
392KB

Download
memory/2580-360-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/2580-589-0x0000000000A80000-0x0000000000A96000-memory.dmp

Filesize
88KB

Download
memory/2580-365-0x0000000003240000-0x0000000003260000-memory.dmp

Filesize
128KB

Download
memory/2580-363-0x0000000000A00000-0x0000000000A1A000-memory.dmp

Filesize
104KB

Download
memory/2580-362-0x0000000003E80000-0x0000000003F42000-memory.dmp

Filesize
776KB

Download
memory/2580-359-0x0000000000990000-0x00000000009EA000-memory.dmp

Filesize
360KB

Download
memory/2580-358-0x00000000008F0000-0x0000000000928000-memory.dmp

Filesize
224KB

Download
memory/2580-357-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/2580-715-0x0000000004320000-0x0000000004340000-memory.dmp

Filesize
128KB

Download
memory/2580-364-0x00000000041A0000-0x00000000042BF000-memory.dmp

Filesize
1.1MB

Download
memory/2580-623-0x0000000000A50000-0x0000000000A66000-memory.dmp

Filesize
88KB

Download
memory/2580-686-0x00000000042D0000-0x00000000042F4000-memory.dmp

Filesize
144KB

Download
memory/2580-676-0x0000000003E60000-0x0000000003E70000-memory.dmp

Filesize
64KB

Download
memory/2580-675-0x0000000003D40000-0x0000000003D4E000-memory.dmp

Filesize
56KB

Download
memory/2644-342-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2680-356-0x0000000000A00000-0x0000000000A5A000-memory.dmp

Filesize
360KB

Download
memory/2720-157-0x00000000009E0000-0x0000000000A10000-memory.dmp

Filesize
192KB

Download
memory/2720-161-0x0000000000AE0000-0x0000000000B42000-memory.dmp

Filesize
392KB

Download
memory/2940-353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download