1bebccb54fbcbf9760e3c69e6e0f1f536e8a1ddc1c0215a4e3b0267b59169942

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe
Size

554KB
MD5

9615abb76b9b67aafedad2065cf33125
SHA1

a4f4b0f4d851ccdfe28e2c94f5254a14cbcd6f5c
SHA256

1bebccb54fbcbf9760e3c69e6e0f1f536e8a1ddc1c0215a4e3b0267b59169942
SHA512

e853600897a2d6590f1643b40900cc2a3e08e9ad6deb488b1e55ee819fd024d003ff1abfc4bc5b5467826d2e55cf691ce010c04d8c8da18d35a483e48b0b9a68
SSDEEP

12288:sSxGGU888888888888W888888888887/cwy6aB/BX3QZCVFP7J6KDThmI0S:jxGh3IBJX3QZEpdNRmPS

Score

6^/10

bootkit persistence

Malware Config

Signatures

Checks for any installed AV software in registry 1 TTPs 35 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile\InstupUpdatePending = "1"	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe

Downloads MZ/PE file

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Executes dropped EXE 5 IoCs

pid	Process
2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
2828	p_s_t.exe
1412	avast_free_antivirus_setup_online.exe
1596	instup.exe
1360	instup.exe

Loads dropped DLL 30 IoCs

pid	Process
2040	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe
2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
2828	p_s_t.exe
2828	p_s_t.exe
1412	avast_free_antivirus_setup_online.exe
1412	avast_free_antivirus_setup_online.exe
1412	avast_free_antivirus_setup_online.exe
1412	avast_free_antivirus_setup_online.exe
1412	avast_free_antivirus_setup_online.exe
1412	avast_free_antivirus_setup_online.exe
1412	avast_free_antivirus_setup_online.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe
1596	instup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	avast_free_antivirus_setup_online.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2652	schtasks.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "46"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "98"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "62"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "14"	avast_free_antivirus_setup_online.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "73"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "91"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "49"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "25"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: sbr_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "50"	avast_free_antivirus_setup_online.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "66"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "82"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "88"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "50"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "27"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "85"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "8"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "59"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "83"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "70"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: servers.def.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "21"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "97"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: setgui_x64_ais"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "11"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "28"	avast_free_antivirus_setup_online.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "80"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "95"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "7"	avast_free_antivirus_setup_online.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "9"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "19"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "86"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "51"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "15"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "23"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "85"	avast_free_antivirus_setup_online.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "90"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "36"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: avdump_x64_ais-997.vpx"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "3"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: avdump_x86_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "DNS resolving"	instup.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	p_s_t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	p_s_t.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1412	avast_free_antivirus_setup_online.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 32	1412	avast_free_antivirus_setup_online.exe
Token: SeDebugPrivilege	1596	instup.exe
Token: 32	1596	instup.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2956	2040	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2956	2040	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2956	2040	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2956	2040	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2956	2040	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2956	2040	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe	28
PID 2040 wrote to memory of 2956	2040	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe	28
PID 2956 wrote to memory of 2652	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	29
PID 2956 wrote to memory of 2652	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	29
PID 2956 wrote to memory of 2652	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	29
PID 2956 wrote to memory of 2652	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	29
PID 2956 wrote to memory of 2828	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	32
PID 2956 wrote to memory of 2828	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	32
PID 2956 wrote to memory of 2828	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	32
PID 2956 wrote to memory of 2828	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	32
PID 2956 wrote to memory of 2828	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	32
PID 2956 wrote to memory of 2828	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	32
PID 2956 wrote to memory of 2828	2956	9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp	32
PID 2828 wrote to memory of 1412	2828	p_s_t.exe	33
PID 2828 wrote to memory of 1412	2828	p_s_t.exe	33
PID 2828 wrote to memory of 1412	2828	p_s_t.exe	33
PID 2828 wrote to memory of 1412	2828	p_s_t.exe	33
PID 2828 wrote to memory of 1412	2828	p_s_t.exe	33
PID 2828 wrote to memory of 1412	2828	p_s_t.exe	33
PID 2828 wrote to memory of 1412	2828	p_s_t.exe	33
PID 1412 wrote to memory of 1596	1412	avast_free_antivirus_setup_online.exe	34
PID 1412 wrote to memory of 1596	1412	avast_free_antivirus_setup_online.exe	34
PID 1412 wrote to memory of 1596	1412	avast_free_antivirus_setup_online.exe	34
PID 1412 wrote to memory of 1596	1412	avast_free_antivirus_setup_online.exe	34
PID 1412 wrote to memory of 1596	1412	avast_free_antivirus_setup_online.exe	34
PID 1412 wrote to memory of 1596	1412	avast_free_antivirus_setup_online.exe	34
PID 1412 wrote to memory of 1596	1412	avast_free_antivirus_setup_online.exe	34
PID 1596 wrote to memory of 1360	1596	instup.exe	35
PID 1596 wrote to memory of 1360	1596	instup.exe	35
PID 1596 wrote to memory of 1360	1596	instup.exe	35
PID 1596 wrote to memory of 1360	1596	instup.exe	35

C:\Users\Admin\AppData\Local\Temp\9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\is-P6LRV.tmp\9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-P6LRV.tmp\9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp" /SL5="$40128,169923,119296,C:\Users\Admin\AppData\Local\Temp\9615abb76b9b67aafedad2065cf33125_JaffaCakes118.exe"
  2⤵
  - Checks for any installed AV software in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /tn oprtra /tr "C:\Users\Admin\AppData\Roaming\chte.bat" /sc onlogon /RL Highest /F
    3⤵
    - Creates scheduled task(s)
    PID:2652
- - C:\Users\Admin\AppData\Roaming\tpst\p_s_t.exe
    "C:\Users\Admin\AppData\Roaming\tpst\p_s_t.exe" /silent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\Temp\asw.85012e40b44377c6\avast_free_antivirus_setup_online.exe
      "C:\Windows\Temp\asw.85012e40b44377c6\avast_free_antivirus_setup_online.exe" /cookie:mmm_pcv_ppi_003_605_m /ga_clientid:b394feb1-7c92-4122-8e69-f1f800385d80 /silent
      4⤵
      Checks for any installed AV software in registry
      Writes to the Master Boot Record (MBR)
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\Temp\asw.7dbe43f8f50c9eb4\instup.exe
        
        "C:\Windows\Temp\asw.7dbe43f8f50c9eb4\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.7dbe43f8f50c9eb4 /edition:1 /prod:ais /stub_context:12bf6382-5951-439b-a652-beeae4ac5270:8824032 /guid:7439ef20-08f8-439b-8d11-8ffe8a3192ea /ga_clientid:b394feb1-7c92-4122-8e69-f1f800385d80 /cookie:mmm_pcv_ppi_003_605_m /ga_clientid:b394feb1-7c92-4122-8e69-f1f800385d80 /silent
        5⤵
        Checks for any installed AV software in registry
        Writes to the Master Boot Record (MBR)
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\Temp\asw.7dbe43f8f50c9eb4\New_15020997\instup.exe
        
        "C:\Windows\Temp\asw.7dbe43f8f50c9eb4\New_15020997\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.7dbe43f8f50c9eb4 /edition:1 /prod:ais /stub_context:12bf6382-5951-439b-a652-beeae4ac5270:8824032 /guid:7439ef20-08f8-439b-8d11-8ffe8a3192ea /ga_clientid:b394feb1-7c92-4122-8e69-f1f800385d80 /cookie:mmm_pcv_ppi_003_605_m /silent /online_installer
        6⤵
        Executes dropped EXE
        
        PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Setup.log

Filesize
1KB

MD5
cd5f69d658d9ae18c95d6b9d1992e933

SHA1
4ac7f8e8e81fe0f62cd2cc490f1c49906a52b4c5

SHA256
fde5be8b2742ff0530034db532f58924bb1d0a115f16169493faaae165f923e3

SHA512
f8f41bf7833fb20df41e1e9392d0f66f05c0d91603a8394aad8ef908f4529baac3fa7e79375fbbab217f96333c97c1c308e001e5f6c14cfddcc345dc7824aa48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
551babac533110af521611a9abf48ef6

SHA1
7301231db037aa24bb16721421eb3e0f07c2f68e

SHA256
fd2acd739165a15e77097ec374a31d310a958f5c9432b9b7bb7d20161dafe38d

SHA512
03aa24b4e34a3b4bb5af174d4cdf26a35dd1e97f6634e22af29b6fe47ad3efcf4d73886c2644a792ba2720511bc6ba7d24067090da20c723834b11e984352dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar16D2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\1ac.txt

Filesize
65B

MD5
37510eabcb004ff7aeed490016fc281a

SHA1
d2eb8ed35945fddf99b23100dc8a9f9bf6f676f0

SHA256
5b701ba454793ddaf364965c5865b661e6d2ede32b97224d7e892a2a71037247

SHA512
dc0ccbad24ee5c356c18eb27ea1c92964491758d5b2b1066ba0c9508f390d77c255c4c4628162f4d2cff75aeb5a849bc62a8fa8a1ba52660fa9258eef22ab1e5

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\Instup.dll

Filesize
16.2MB

MD5
373dd1429610fd75ffacfaf2c46116a1

SHA1
d1ab825e35b15bce57641470ff6dd683a27c1970

SHA256
66089fe5aaf43fe987bc606a9097d802006ced13fa63803854489bbc6cbb7d79

SHA512
583320bfcb7df9344cb7645e182b2fbb1946aa134e6c03f5d3af07a5df50d8e266b76ff30355aa73f17e8e78a8ca4753c3bb9eb4950deea599e1ce84ae0c4380

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\New_15020997\asw0db6028d9c538b49.tmp

Filesize
4.5MB

MD5
ef035189604e7f5d68a62827b985ccbb

SHA1
c094c6eef2640a71aee9f4b27123c2080d38136f

SHA256
64fd38d5697a9119cebc8fd5710a452645a09d076a4b2863a4383f94d3496740

SHA512
32f2af9929598b5eaee6de3a95f755da27622c3a791e43dfde41c470dfb278b843e67327e0d0d2f7b49b61b94dc8e4a1e9eadd3a91664ff339d03448d0c881c9

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\New_15020997\asw7d48cf4327df33d6.tmp

Filesize
19.1MB

MD5
9ee6528abdad768fbfa28bd1bb80ebe9

SHA1
f5582697e068ba1d56825fc32bd5ab1a71bd4d38

SHA256
61a7bff3d789aa29add514052a0ff1703079ce427705ead5ce7dd98a0df9ecd4

SHA512
de22b846a13390eda5940c7f7de7ed63af22b16b4add149363d3f3d1c4cad4c2bb99b6ecb9fcab08dc018d36fe4d8b457a5e7edba7a34e62e915ff6f2ecabfc9

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\New_15020997\asw9005d8bbc6d53596.tmp

Filesize
831KB

MD5
c5665f1f93d9aabbcb1dde533e2c46e6

SHA1
732389de20c600d0222d61b4ee74b0be6412a45b

SHA256
adf4276ef7f276d2178b85790a178c4e903d9776c0eb18dfe4c89a481694dc8a

SHA512
51a148db86a97fc13aa8db21540f8200dc2e9e325c7d2014cf55074d3ad6ce25d25a798551e3f0bb1e546a9f9536db512cbc9b14b51680d87848747a1fc465a0

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\New_15020997\aswcecc92e9740161f9.tmp

Filesize
907KB

MD5
700b6740e6bfa7729f146572d8455348

SHA1
19d80fb0251f417283ed36fc20c43079b3f6fbb8

SHA256
d3c0ba08fda4ed42c1389f6e34061b030b2b1017395308aac1d5b25eb3ad1f0e

SHA512
7786b63b8fc9c10030b5bca591378b13d05aeeac36072f52ddf24ce46cb12cfab88d9358000b15afdef0c59dbbe5fa22411b354fd0e24f3b1a3098eab3d79b65

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\asw4e99fd2751b28702.ini

Filesize
751B

MD5
510fd4252692f5ff623d6b77069882bd

SHA1
3923fea43796d4a06b9125fa7b19ba6c63241d3c

SHA256
78720aa8aa3bac0afe30d5e097caa6e642ca75a96221fc238fa2281523bf980e

SHA512
08813087b1d13d359e543b182d7d24f3382228d6e8bb46228de72a7f427f10f1edc90d1276bd52cad4fd141d5abf9262128395730aade874be07e2c1360ce211

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\avdump_x86_ais-997.vpx

Filesize
767KB

MD5
4f2f4b4cae5bc3e568a2eb165ac6b74f

SHA1
f18b957799c48f18f0be8007ed4c6d3e721577c0

SHA256
52a57aca1d96aee6456d484a2e8459681f6a7a159dc31f62b38942884464f57b

SHA512
8536eb2e4ada2920d93806cb70cc35b7879119dfffe1ddc0a4710dddea7c0234257d25fe14fff45a58c820a4389e5ffc968f81c5bbeb9b77870962e608b5d45a

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\config.def

Filesize
29KB

MD5
41ece8c191dee76d4fc1a378794fd19d

SHA1
6278cf09c95e522003427843ab36a87a0e891725

SHA256
5a5c2bbb2bde8e4555c9d779ee922838b0119d0b19314fc4e75d53d0ba949e99

SHA512
4f23dc91754ff9b7aaff518088b11f79f1bcdd09d9d26db5746f4db1c581979cd5940eb7d5a9180dae2f467302bdaaf2d49e9879746b7ad40d1d71deef4927c0

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\config.def

Filesize
28KB

MD5
da59c9092a31f572c882d563c600a34f

SHA1
0ec1cb7f7c16252d637d71e08e9363bfe96a5842

SHA256
563c4f5827c6f7a2a52d4dfe22f03e296751b1667566fe9a5ec4a7981c0f1766

SHA512
ee9ad7259df259dd6d444b6b8b933f2c6d928a3ed1f0de42598d09fdcdb0af2ae3f64dab888d3d5f4443a8b918e596f0ee28ee874fc9dfeeac422c3a9e107924

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\config.ini

Filesize
848B

MD5
d349b93bff65fbdefc1fd04bfab6601b

SHA1
7adf3ddc6c0927847cc17ab80edc9748a7769974

SHA256
6df745a292800d71b76fbaa6a9fb8ced96b3c96d4e12e26acfae3d3e3be3514d

SHA512
c488a8394a49aff4b2a02f20ce615bd5a0dc4add259e9ed02f42079a3123f1b4f1174edcd46d5db6bf9d7e56e3a95451343cdcbd6135f6d9ebda52958c014a1d

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\part-setup_ais-15020997.vpx

Filesize
5KB

MD5
365b6ee6fbde00af486fc012251db2da

SHA1
8050ba5a9b6321f067fc694527011ba00767d4a2

SHA256
01fbb98a20ed29cd83e42351aa1fc361d4513b9ade8d71f62383bc76d5f86830

SHA512
949b877dc558a9215369fddce4bbeb3c0fbec09c1b92717a8d027001337743e300a1089ff46f3b49a33f4d6b4e7bb5a2d4cb6ea96c9114e308833c7e15d8b261

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\prod-pgm.vpx

Filesize
572B

MD5
d4f72d1329501105ec7111178ac7c98f

SHA1
17bfc1e8299b43c46b18442b7e74f84953dc6193

SHA256
e2919168247b931b6f7c3274c10e4b68ea9b3a67eeab74347b2ac49bea9b0aa7

SHA512
570ee9fb319cb6a291e57abe5cde166d74b82090f818d145d763ec05810184f4548275f2cc294c4bcf395da1cbe1d138b190292b71ea1ae836004eb391353329

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\prod-vps.vpx

Filesize
343B

MD5
0066d9b938e4d92eed90d515c0da993f

SHA1
60f4f31c64671349b100505428a618c9a9033820

SHA256
bc659320e0681b00d3b5700251822db8e60e17daeeaae4b6cad83421aaf14209

SHA512
d28022752f3fe222d24eb30beb89dbecd25db7100dc362f79463afc45ace1166074ebca1a4c0931b457e1f5643a9644e268c1f0a65109a291ba3eb003f464e62

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\servers.def

Filesize
29KB

MD5
e76e81467cf59e07920fa8350f262269

SHA1
e0ab1867d50c7d6cf2f35ca00aa94564cde1ef94

SHA256
cd4ca129df4cda34752225d61dc5b810e768bdeb60b0b8fb3fba3826820761c8

SHA512
5b29f1f97e6ef1acc567beb1340d13a07c52d94cc6ae6284650c3e717f137af3db43b84a2904f26e772e524dc8e69cdb86eb8e98e9ec65323769171e0ee35070

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\servers.def.vpx

Filesize
2KB

MD5
dc5709c442df025a33cb2ca0d22133af

SHA1
5007da1e31f4705932c1f272dd4975b14bef268d

SHA256
6530f71b39a09fec9fdf8f258a488640a2094dba5e4a32cf4aa4670fce805744

SHA512
c6938f9569e943bbc04fe39acdf8e7302b77124b7f1e2ccbb20ec01242238e81b6ab83730393fe61ce716cb1c4e7df064c65bc5ce84540371fcf6a50a615cb6b

Download Submit
C:\Windows\Temp\asw.7dbe43f8f50c9eb4\uat.vpx

Filesize
15KB

MD5
af34ed98cdec9afa5a734e99bb3b3e0e

SHA1
6cc712a631aac6be0512d1673c53e83fdd82ff1d

SHA256
4c6e1e7a1946156a0ad2026428d72e4f8ecf3d37442cb6178cfb96c70c36b388

SHA512
9428e886c1048b286ecd67c49d7d0f31006bdb410856759d722a15dc8fc5ccf55f0f942bcc5eb8b383d39eb5234d6cb016b989b1da445492cacbd98e7c9978bc

Download Submit
\Users\Admin\AppData\Local\Temp\is-HV2N2.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HV2N2.tmp\isxdl.dll

Filesize
132KB

MD5
0bcf8753715513385cbbe69fef638ef1

SHA1
35accad7a0edcd703239a8a2b2069c0e77042ebe

SHA256
74a4f2f8aae6a0970e887d9eae3f200172508a0d217392dfb387256dd853d350

SHA512
ab44a1e245a595d53f028e5c6f2778b8322ee487e73263300685e3f766ac8dcc5cc989d5a788dc5d9934aeab0ee96c08e1297670f2a0c3f0cec454632e727884

Download Submit
\Users\Admin\AppData\Local\Temp\is-P6LRV.tmp\9615abb76b9b67aafedad2065cf33125_JaffaCakes118.tmp

Filesize
1.1MB

MD5
6a96bef4679e16a54b4090e74664dcca

SHA1
c8631c1624b98f6709b1ac37ce3956faed29bc30

SHA256
cb095356ddcfcbace96c6252fb73a267ed011c15ff206a7a9302007baa68a783

SHA512
924ab1e5c6ea72342eab6e78899a56c415e90020c46d3d8a81ae4da9276db7ea1df9684965a81fb95a6f2f9cf103b31413d67770eb15725ad04198c5d00037d0

Download Submit
\Users\Admin\AppData\Roaming\tpst\p_s_t.exe

Filesize
64KB

MD5
24526f6631df9d64444f4ff21f3997b2

SHA1
79e31adaf18ba4b7365b7f95bf5f955093de0c41

SHA256
d4c7adc2f35c5d95ea8a3d6a99ae43f0a9c696456737da51729608ee424fe47b

SHA512
8ba3a258eeae09f37d166b243eb2db3ab6b3f713dc68a65fce84a2e396c2f482ee66683224b366ec4b515c6de956deb5ad67dc97198aa95dc4bba59c1b3cb9e2

Download Submit
\Windows\Temp\asw.7dbe43f8f50c9eb4\Instup.exe

Filesize
3.3MB

MD5
8d15464d003bc697b7f447cba547a029

SHA1
83364819221edfdd1c07d50d00c45be5ecdc7a4c

SHA256
23ac78a0b16079dc2ffb04f44e56c1f063acd966eb11fb7454724f9a45d6cfca

SHA512
12525093e2efec70b826cef9eae9f73e4330c38fe3d156d5b593c2ca0f9060b722b80ac96b7e396efa794cdc58b3818b82dbdc95d2206d51e83514a8b184c4c2

Download Submit
\Windows\Temp\asw.7dbe43f8f50c9eb4\New_15020997\asw86117f131a0a43e5.tmp

Filesize
3.1MB

MD5
b216fc28400c184a5108c0228fba86bc

SHA1
5d82203153963ebede19585b0054de8221c60509

SHA256
7827bda61139b0758c125de5f31e38025ed650be86bb8997dce8c013ec89e5bd

SHA512
6af7877e46e820dcc5fe67ce94393575d0d4b39d0421679b34bc25e8a62254a3dbce29f9de69d2fa4506235748dd919a91c875c90ef950c9d3a6939bff7b3294

Download Submit
\Windows\Temp\asw.7dbe43f8f50c9eb4\New_15020997\asw9f468ae83d031d77.tmp

Filesize
15KB

MD5
13e9fbb02cb7497562b59a9ef8f1ee92

SHA1
047936e9296e77939b5b23c1a2af3056eaa2ae99

SHA256
40fdd6306bbd29d680af6e6931751b3a9a133d7786d9409a47b6f115b968565a

SHA512
0d5c6d3f2465fd9d1af19c1a02c4f4a3bedb02f0e049e97166ed100964ff1ff1be28ed02542a90c4ad3e1041bb3f3cf8b65d561c6ebc41fce1f935f277d606ba

Download Submit
\Windows\Temp\asw.7dbe43f8f50c9eb4\New_15020997\aswacde44bc3f951e18.tmp

Filesize
3.8MB

MD5
d9be57d4e1a25264b8317278f8b93396

SHA1
d3c98696582fed570f38ae45bf22b8197253b325

SHA256
a90e4ffa0fcd535733b6306d701cbb975245b8253df54b277970d8b8c1cf09c3

SHA512
2f13454c7e4360326f1dc417ad24e2d095b7178d89791f5b436d134c2fe26724bc48d6de1291208800b7c93dfe7082e8300b2d545c5db3e2590603dd3f8a5697

Download Submit
\Windows\Temp\asw.7dbe43f8f50c9eb4\uat.dll

Filesize
26KB

MD5
c8135d223627a68ae77ec6e572bed5de

SHA1
a29a18516ec4ded2a5c22e4b568f988de7e7629f

SHA256
7da845e76737ffd0da68d8b6c8fdd7cbaf19502f1fb32b0cca735d8e30f26d15

SHA512
41efdf342a6cbed204b9540a54952aeaa7993152a2c0416aa08d48b8d621c9f707671fd2cadfd495e08523be1e0e7b0bac1ba9b6d874c79ce1d43b96208b0bc4

Download Submit
\Windows\Temp\asw.85012e40b44377c6\avast_free_antivirus_setup_online.exe

Filesize
8.4MB

MD5
d4438acdb5cc9a63570faf0e4c102012

SHA1
eb5ec9065948080bf0a89738ee5bf110990ad014

SHA256
de9d2e1ca74f6c4730a3566abe2e3a632d56807421d7752e35b8a714b78f0bff

SHA512
d3a851114db330a92fd6543f012c9d80a1f6aec8c7445ef4818878ecbe5bbd02f05f04f03cc556d51ca360a5ed73eaf0710c009138ae6efc8117858c2ab88d03

Download Submit
memory/2040-294-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2040-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2040-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2040-474-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2956-295-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2956-10-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2956-177-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2956-472-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download