449d3ed1d53bec5b44743a7bc10722475fe903543f9245959f46b7b99f4a86fe

Analysis

max time kernel
141s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 16:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Size

114KB
MD5

1bc6160b62466d21d205ce7ef0ae2e19
SHA1

5b645dda7aea829b6fa2d4fcf192b1c70901181a
SHA256

449d3ed1d53bec5b44743a7bc10722475fe903543f9245959f46b7b99f4a86fe
SHA512

24c313f4dec91227fca015967bc86d680b2339fe2c2908ef541d05ec1a7f093fd4cf1bdc8db0f77d325e5a05d8013a8df5bbcc7519b7afcc4ece77602e82a3e9
SSDEEP

3072:74eYZ4+1JXJJufLirX336MdsD/+7j3ElxlrBRiQ1smsNzQc:05O8+Lirnqqk+7rE/zRHSmsNV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1440	Au_.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	uninst.exe
1440	Au_.exe

Loads dropped DLL 15 IoCs

pid	Process
1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
2312	uninst.exe
2312	uninst.exe
2312	uninst.exe
2312	uninst.exe
2312	uninst.exe
1440	Au_.exe
1440	Au_.exe
1440	Au_.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\am_IE.ico	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\am_dy.ico	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000015d28-37.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AFD77061-37CA-11EF-87C3-6E6327E9C5D7} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e017ae84d7cbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000605bbc4d544dd4f9ac65ff15f5d1f1400000000020000000000106600000001000020000000208fdb9a59fc32205f1d086015028e74fc3b064c40bc6f4732b27568136b8890000000000e8000000002000020000000fa48d15a1b71b3332ff4c3ddadabce3c71fd30f9b06278b6c9e846a8d00a8f6d900000007b9feca75e8b72e88edd07ff5f4eba63284bccf43564ab45785dcd8e1560463763a6d759a944129c41297a739be51715cda6927ccf787a64d059c72fb8dacc30ac57757f1167c5e24fddc0b9ea6449e4ee01ac416e8b23f834a4ca46d5a9cae54e56b74664a090f39c732dfae74a41a9aa32669e1911465839e653c48dd2d7382a530266e0c9d639175f2ba3ab7ba4ff40000000846b5249f881c031077b45e8800e16140f07b7fc50940c370b2d710f9435c20a162da8d35a41de0c21117618557441c290e3269e0fd5e931e1a11decdbdf6e50	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000605bbc4d544dd4f9ac65ff15f5d1f1400000000020000000000106600000001000020000000c79582e5530ceba9af7e1c131cb82a32a430cc9a82f8d91f8d816e944dd5920a000000000e8000000002000020000000a67bc2df7baf6be93f0ccf2ef4e75c30cfabeac933f542370620a458dc158197200000001e041d99a8b5e5bed8117314fa52ab77a7df9a6f7a4d3168aef7485f809524914000000052c097cefd70ad7d37bf856aeb71fb3df78b462ec4e78fa8602a4650206897fbc028cf6b056b274fc8ecde432c49552e47fa76c240281ea9c3a160c2d595a86a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426014783"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 62 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32\ThreadingModel = "Apartment"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\ = "ÔÚÏßÓ°Ôº"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\shell\´ò¿ª(&H)	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\shell\ÊôÐÔ(&R)\Command	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\ShellFolder	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\InfoTip = "Ãâ·ÑÂÌÉ«µÄµçÓ°ÍøÕ¾"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\ShellFolder\HideFolderVerbs	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InfoTip = "²éÕÒ²¢ÏÔÊ¾ Internet ÉÏµÄÐÅÏ¢ºÍÍøÕ¾"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\shell	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\DefaultIcon	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\ShellFolder\HideFolderVerbs	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\shell	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\shell\ = "´ò¿ª(&H)"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\ShellFolder\HideOnDesktopPerUser	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\shell\´ò¿ª(&H)\Command	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\DefaultIcon	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\shell\´ò¿ª(&H)	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\ShellFolder\WantsParseDisplayName	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\ShellFolder\HideOnDesktopPerUser	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\shell	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\ = "Internet Explorer"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\shell\ÊôÐÔ(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\ShellFolder\Attributes = "0"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\InProcServer32\ = "C:\\Windows\\SysWow64\\ieframe.dll"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\shell\´ò¿ª(&H)\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe h%1t%2t%3p%4:%5/%6/%7w%8w%9w%0.%1q%2i%3n%4g%5c%6h%7e%8n%9g%05%1.%2c%3o%4m"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\shell\ÊôÐÔ(&R)	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\LocalizedString = "Internet Explorer"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\InProcServer32	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\shell\ = "´ò¿ª(&H)"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\LocalizedString = "Çã³Ç»ðÓ°"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\ShellFolder	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\shell\´ò¿ª(&H)\Command	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\shell\´ò¿ª(&H)\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe h%1t%2t%3p%4:%5/%6/%7w%8w%9w%0.%1o%2k%3d%4i%5a%6n%7y%8i%9n%0g%1.%2c%3o%4m"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\InfoTip = "Ãâ·ÑÂÌÉ«µÄµçÓ°ÍøÕ¾"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\am_dy.ico"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\ShellFolder\HideOnDesktopPerUser	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32\ = "C:\\Windows\\SysWow64\\ieframe.dll"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\shell\´ò¿ª(&H)\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe h%1t%2t%3p%4:%5/%6/%7w%8w%9w%0.%12%20%30%49%51%60%72%88%9.%0c%1n%2/%3?bd"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\ShellFolder\HideFolderVerbs	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\ShellFolder\WantsParseDisplayName	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\InProcServer32\ThreadingModel = "Apartment"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\shell\´ò¿ª(&H)\Command	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\DefaultIcon	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\InProcServer32	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\shell\ = "´ò¿ª(&H)"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\ShellFolder\Attributes = "0"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\LocalizedString = "ÔÚÏßÓ°Ôº"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\shell\´ò¿ª(&H)	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\ShellFolder	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\ = "Çã³Ç»ðÓ°"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\ShellFolder\WantsParseDisplayName	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\ShellFolder\Attributes = "0"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\am_IE.ico"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\am_dy.ico"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000002}\InProcServer32\ = "C:\\Windows\\SysWow64\\ieframe.dll"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-0000-0000-0000-000000000003}\InProcServer32\ThreadingModel = "Apartment"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2936	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2936	iexplore.exe
2936	iexplore.exe
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE
1036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2324	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2324	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2324	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2324	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2324	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2324	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	28
PID 1972 wrote to memory of 2324	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	28
PID 2324 wrote to memory of 2392	2324	cmd.exe	30
PID 2324 wrote to memory of 2392	2324	cmd.exe	30
PID 2324 wrote to memory of 2392	2324	cmd.exe	30
PID 2324 wrote to memory of 2392	2324	cmd.exe	30
PID 2324 wrote to memory of 2392	2324	cmd.exe	30
PID 2324 wrote to memory of 2392	2324	cmd.exe	30
PID 2324 wrote to memory of 2392	2324	cmd.exe	30
PID 1972 wrote to memory of 2236	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2236	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2236	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2236	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2236	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2236	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	31
PID 1972 wrote to memory of 2236	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	31
PID 2236 wrote to memory of 1692	2236	cmd.exe	33
PID 2236 wrote to memory of 1692	2236	cmd.exe	33
PID 2236 wrote to memory of 1692	2236	cmd.exe	33
PID 2236 wrote to memory of 1692	2236	cmd.exe	33
PID 2236 wrote to memory of 1692	2236	cmd.exe	33
PID 2236 wrote to memory of 1692	2236	cmd.exe	33
PID 2236 wrote to memory of 1692	2236	cmd.exe	33
PID 1972 wrote to memory of 2288	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2288	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2288	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2288	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2288	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2288	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	34
PID 1972 wrote to memory of 2288	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	34
PID 2288 wrote to memory of 2544	2288	cmd.exe	36
PID 2288 wrote to memory of 2544	2288	cmd.exe	36
PID 2288 wrote to memory of 2544	2288	cmd.exe	36
PID 2288 wrote to memory of 2544	2288	cmd.exe	36
PID 2288 wrote to memory of 2544	2288	cmd.exe	36
PID 2288 wrote to memory of 2544	2288	cmd.exe	36
PID 2288 wrote to memory of 2544	2288	cmd.exe	36
PID 1972 wrote to memory of 2636	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	37
PID 1972 wrote to memory of 2636	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	37
PID 1972 wrote to memory of 2636	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	37
PID 1972 wrote to memory of 2636	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	37
PID 1972 wrote to memory of 2636	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	37
PID 1972 wrote to memory of 2636	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	37
PID 1972 wrote to memory of 2636	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	37
PID 2636 wrote to memory of 2716	2636	cmd.exe	39
PID 2636 wrote to memory of 2716	2636	cmd.exe	39
PID 2636 wrote to memory of 2716	2636	cmd.exe	39
PID 2636 wrote to memory of 2716	2636	cmd.exe	39
PID 2636 wrote to memory of 2716	2636	cmd.exe	39
PID 2636 wrote to memory of 2716	2636	cmd.exe	39
PID 2636 wrote to memory of 2716	2636	cmd.exe	39
PID 1972 wrote to memory of 2936	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2936	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2936	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2936	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	41
PID 1972 wrote to memory of 2312	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	42
PID 1972 wrote to memory of 2312	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	42
PID 1972 wrote to memory of 2312	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	42
PID 1972 wrote to memory of 2312	1972	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe	42

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon = "1"	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2392	attrib.exe
1692	attrib.exe
2544	attrib.exe
2716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bc6160b62466d21d205ce7ef0ae2e19_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib "C:\Users\Public\Desktop\Internet Explorer.lnk" -r
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Public\Desktop\Internet Explorer.lnk" -r
    3⤵
    - Views/modifies file attributes
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib "C:\Users\Public\Desktop\Æô¶¯ Internet Explorer ä¯ÀÀÆ÷.lnk" -r
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Public\Desktop\Æô¶¯ Internet Explorer ä¯ÀÀÆ÷.lnk" -r
    3⤵
    - Views/modifies file attributes
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk" -r
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk" -r
    3⤵
    - Views/modifies file attributes
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Æô¶¯ Internet Explorer ä¯ÀÀÆ÷.lnk" -r
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Æô¶¯ Internet Explorer ä¯ÀÀÆ÷.lnk" -r
    3⤵
    - Views/modifies file attributes
    PID:2716
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://myspdown.3322.org:1888/ie/?id=9339
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2936
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1036
- C:\Users\Admin\AppData\Local\Temp\uninst.exe
  "C:\Users\Admin\AppData\Local\Temp\uninst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a4372fc98ec9f7bcbb6cb33fb9f304e4

SHA1
6c9b3ddef07281f5bb292e991e1b6ed40c5a8de0

SHA256
f48885cba36598c2c344fcc0d1b5b6af6f6d6e94de388069c69fa848429ee7f5

SHA512
70d005d2c6041a103d887525cfaa5c2a5d3b2ad7038acc1301c67621d8b4d999f498bafc004c35f859bd4799616f5bc3a48c754c7b4430a2d41692925291a23f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
901667cd9d75b74b0385c999ceb3e6b3

SHA1
5b625f23955ec6f7b14b34dd779d0524f433e7f2

SHA256
325c1a09aa0efc8a4c59179d7f0ceb08e81ca84aaa1eaed39b6ac0dbd529d636

SHA512
d8a0944c9baae2d322c2a84ec3b70a2df70c201acb395d2f8b11982e933b8b798d60575fcd536d0c95c74cdd65aebff9ee7d65b2188d03c6878e75940fd96467

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
48ef4db4aabfa3592efb8f5deedebee1

SHA1
ad3a4f1c4ba4093f530851ec69b70cbd37f3e563

SHA256
10345d4dd8e5d3cfcee6faf28db926dfc039f3377757fe17099cb64661c91794

SHA512
91ca2f572e8936ef7019150528db75d4bd066d53b7f3b14cf63de8b27f74388cfe260d56d50f0742d9d91545c19518d928695d079986e9de129ab08cbc283ca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
589b2427cb53d181a2acf9a5d465e36a

SHA1
b38ab878551cb792c0f019d0b2da08a574ff27cd

SHA256
d994eccf8c49a4a9639c37cee595788eeb17a4644f8567a0ff80577e5c14260e

SHA512
b089dadfc778fb909f4227698a850135cfeae3e6a30b52a319e262efc8bf13587502a8c403f265b5cf9fa16910bb40a656e55d7a284e925f721e13f3896d8f84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2ef25a4f62d14cb15d409e46a557d454

SHA1
82fcfba2701bf1d37f14e45daccbd746d6d720dd

SHA256
e22b68d75787fd6eca9693f2c0213c21ea2b4d1ca638f59512f6275a152fa92f

SHA512
fd2b20c548024b0750cd34918214f3e05965e1ec3ec4160b4c80555455d02b49868b05ef480ec20927c95d37f5c1e909b09ca7a39126e2877a4d3ea8f6dc59ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
446cdb5d06deac9685234433f62220b6

SHA1
322109c6e9cf7845a8266ab57561e08f56184b05

SHA256
77aff676dbb51ce19d6d73698e97abbea87431ba5df0f3399f9843ed4201113f

SHA512
2847bc05c81e372b267fe04361616c7f08b7f8f37e0dadd0d3b8d59a4a0354e7c5fa7731969e734189459e71de8d62b81bf68747e894246b08f997abe3aff76c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
cc7dbc8e8cffc5222604de24c6e92998

SHA1
a5357496d545bc935b2860a66c66578814340732

SHA256
2c4eeeed6fcf74058e3b5bd50d3f612a4c770244b54da54d91f126af33e1af13

SHA512
b4ee6329c66394a5016f361712e611aa342177a509009e16595dd0a3daf88b873401687c2d448d667758baad759382f3515005f7cfa6ff1ea714af67f7998f38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fdcd18f140fcb96cd7ac734ced888eb4

SHA1
b20db43de0bb12121a0c46b054cc976c91a79b2e

SHA256
af14e199e818e56984e51de92f46c6f941a865bf5cf0dc757e2f9c22156db01d

SHA512
8789683df5b203a8807d534f11333e0e91ad633575fd298f9e1e5460ad1c3ccbb1ec2172a6d2e1698f77e059c4b28a88b56df9b9c6671eaa296842b15f788b4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e44701a9922bfecc28b04925e0bd6d76

SHA1
dbb6b6f1a0e88609b213b4f4cd6a61375b46f8cb

SHA256
496d09a81d55f1ac2d4a364d1b6357fceb681036e81f9ef70a51ed164a6a38ee

SHA512
40238dc2912efc5e25bfc22e826356a905e58b13c0da2b7dbb5e350e08342270bede5c2c07a3225a973b4f10a56a2519108d2d9d16ab2cce250784e22cb4da1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d3c1e02a2ebd6a1f73829a765c62c0e4

SHA1
46bf2e31a970ee2cf6b37e908a3ca2647b6d550e

SHA256
83b2af775488860c5429fb6e0d6a31edf3ad6372cbf4eaae02d9b1d2e8186c79

SHA512
f57472030de889f9ee7755140445dea55b7c47a680b3507dffc750ad1eea7fec3b9af46ba3c5ac18715d53ed0e6465d352f03c02d3190f056f039fb3bec489e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d47c9e41e2b7a69f1d8795aac631e2b4

SHA1
70811ce551365d051ffe61adc7f3c51f0fccedde

SHA256
d1249a3577412951ff16b24b1c0a545410219554cedf846648a41592e03b9fa1

SHA512
eb530956eb392ebb63a856d957d63a8d51718df474cf66a26f3a986e45db0ce3b239c54049eccd54ba419a52ca7088cd2adee641868a7fcba898b30b89740cff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fc3be1cf9ca3499f93d9a932ca2924ff

SHA1
b1cff9ceea0aa22143dc8bf24f890d4339b4da82

SHA256
38d0adb44a53ba8a2cf44dd81ccf8b7bf5787e6088e3a7a223dcdc72b536f840

SHA512
b4c975f7cd9ca2a0bd96014d12b7d58ceea1a853937d9c7459f57c9b329ccbb7161d064dc869984f9a4096d2c2755e12f03abd8bd663ba23b03b09a88b68339b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
06f5445327eb5b239b84842294eb275f

SHA1
b8bade9b207fcc15849c65e6d4653efb3c3f8cec

SHA256
bff664a8ba8c33d8ae450fbb80b70200a10e4c7cddb97c5cd5200ac777dcb16e

SHA512
928d72bf243fd6fbd195b00283c7b8213c59e57c24a6d5af1f80cfedcf033e79586e86192ba7a1b268127f1d5350cef55203b78cb3c987f6399d2b1c4be82044

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
907ae753a3ba5a7030c31545426c80bd

SHA1
785757d39498a1d8a5ba3e56ee9adcb571b120bf

SHA256
8621a836ef03c681eae77780119bc8b990fed2096ac13a5071a4d8d7e9c59db6

SHA512
f185a4edd34d23b57bd07c7aca616b94311daa2ec39d10efdd0111c9d75661576f3b7970b5712cd7dbe1244d6ccabd4c68a6600ad0a9824949626959faae7778

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4F97.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar509A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ini

Filesize
108B

MD5
b9ee1e208cfd6516ff2f0f706c449666

SHA1
1ee1c41bd20d2ead886f10fdfddc457ac3748b03

SHA256
ec7733e0bbdac60e606edc70e1c5309e0162f40c44af40309e1b0173d572265d

SHA512
7dc27aeb8f3b7539c01d322ceb8054a6346a0c088e6d7146faeed5c264282a57888ab4216af43a428a7fdd8ab279d9ba612fc7bb70092b8d175e1d9706bf5e6e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1C48.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1C48.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1C48.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
\Users\Admin\AppData\Local\Temp\uninst.exe

Filesize
57KB

MD5
9e84fb8c1d605ad12db01017d10f2c21

SHA1
4ec212a624ae94507569ad87635a44d009c513d7

SHA256
a003a12b6a2a070de9686502202f9b04d80e9258dcf6cab5b86872c6dd239648

SHA512
a39a088c0e61fa65aed52298a9dc7a9f2dcaa7f3f490d0abe35c4be92d329781019e9d0fd7e49ad5603b0470eea8be3efa1d4ff9a0aa6b15c7d12c995ad97caf

Download Submit