c91f356ae43b634f0ff7d5764829a4d20d265cc2b17e28ddfe6994e011bd40df

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Size

4.2MB
MD5

2ea18902a4fdfcf92f6508a5a86190d2
SHA1

8d1f2a0353bc9fda8bf657fea4fe929168e921c3
SHA256

c91f356ae43b634f0ff7d5764829a4d20d265cc2b17e28ddfe6994e011bd40df
SHA512

99c46e8ba72739736d29a85944af0b32eab09215ec6419e0b66cac296ecba3c35eef8b562a2a6b4f1c3dbb496529d9c24e6420150698ede5a6b26dcc366ecb40
SSDEEP

98304:DvBTsDKv9ir4m1Mjl+V224MUKkSLismWstaQCUbJ:bBTsDKv9ir4m1MR+V224MUKkSLvmWKtd

Score

7^/10

adware discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 7 IoCs

pid	Process
2532	5qsrchmn.exe
2660	5qbarsvc.exe
2396	5qbarsvc.exe
2896	5qbrmon.exe
692	5qbarsvc.exe
2868	5qHighIn.exe
332	5qbarsvc.exe

Loads dropped DLL 64 IoCs

pid	Process
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2532	5qsrchmn.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2896	5qbrmon.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2868	5qHighIn.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Zwinky Search Scope Monitor = "\"C:\\PROGRA~2\\ZWINKY~1\\bar\\1.bin\\5qsrchmn.exe\" /m=2 /w /h"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Zwinky_5q Browser Plugin Loader = "C:\\PROGRA~2\\ZWINKY~1\\bar\\1.bin\\5qbrmon.exe"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 7 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{27488090-768a-4d20-a938-f223f71c344c}\	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bd3ea7c2-3af8-4463-9a9c-6eb8e136cb02}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BD3EA7C2-3AF8-4463-9A9C-6EB8E136CB02}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{bd3ea7c2-3af8-4463-9a9c-6eb8e136cb02}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{bd3ea7c2-3af8-4463-9a9c-6eb8e136cb02}\	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{bd3ea7c2-3af8-4463-9a9c-6eb8e136cb02}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{27488090-768a-4d20-a938-f223f71c344c}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhttpct.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qimpipe.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qPlugin.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qregiet.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qskin.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qauxstb.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qmlbtn.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qskin.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\T8RES.DLL	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qsknlcr.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qSrcAs.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\CHROME.MANIFEST	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbrstub.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qdatact.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qfeedmg.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhtml.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhtml.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qidle.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qimpipe.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\INSTALL.RDF	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\NP5qStub.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qdatact.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhkstub.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qregfft.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qregiet.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbarsvc.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhtmlmu.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qsknlcr.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qtpinst.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qreghk.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qreghk.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qskplay.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qSrchMn.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\LOGO.BMP	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbrmon.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbrmon.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qmlbtn.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5quabtn.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbarsvc.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\INSTALL.RDF	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qieovr.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qradio.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qSrchMn.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbar.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qdlghk.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qieovr.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qmsg.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbrstub.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5quabtn.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\Settings\s_pid.dat	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\LOGO.BMP	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhttpct.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qidle.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qPlugin.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qscript.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qSrcAs.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qauxstb.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhighin.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhighin.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qradio.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qregfft.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\T8RES.DLL	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qskplay.exe	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qdyn.dll	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98623c86-e768-4c5a-b23b-ee8ce3727cd3}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b803084b-b069-485e-b5d0-f9a6d318af02}\AppName = "5qSrchMn.exe"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61789f17-b8ed-4867-ba4a-dc19dac8ef5b}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{328d6f78-0dbb-4f17-acd5-26a2ea4ef251}\AppPath = "C:\\Program Files (x86)\\Zwinky_5q\\bar\\1.bin"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98623c86-e768-4c5a-b23b-ee8ce3727cd3}\AppPath = "C:\\Program Files (x86)\\Zwinky_5q\\bar\\1.bin"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61789f17-b8ed-4867-ba4a-dc19dac8ef5b}\AppName = "5qSkPlay.exe"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61789f17-b8ed-4867-ba4a-dc19dac8ef5b}\Policy = "3"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7695996f-9846-4a09-a037-632e45737712}\Policy = "3"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61789f17-b8ed-4867-ba4a-dc19dac8ef5b}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{cc2e2b99-14d3-4516-883c-9ea147f594ef}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b803084b-b069-485e-b5d0-f9a6d318af02}\AppPath = "C:\\Program Files (x86)\\Zwinky_5q\\bar\\1.bin"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98623c86-e768-4c5a-b23b-ee8ce3727cd3}\AppName = "5qSlSrch.exe"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b803084b-b069-485e-b5d0-f9a6d318af02}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{b803084b-b069-485e-b5d0-f9a6d318af02}\Policy = "3"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{61789f17-b8ed-4867-ba4a-dc19dac8ef5b}\AppPath = "C:\\Program Files (x86)\\Zwinky_5q\\bar\\1.bin"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{328d6f78-0dbb-4f17-acd5-26a2ea4ef251}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{3033124f-06bf-4829-873a-310a125b4d4c}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7695996f-9846-4a09-a037-632e45737712}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7695996f-9846-4a09-a037-632e45737712}\AppPath = "C:\\Program Files (x86)\\Zwinky_5q\\bar\\1.bin"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98623c86-e768-4c5a-b23b-ee8ce3727cd3}\Policy = "3"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{328d6f78-0dbb-4f17-acd5-26a2ea4ef251}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{328d6f78-0dbb-4f17-acd5-26a2ea4ef251}\AppName = "5qimpipe.exe"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7695996f-9846-4a09-a037-632e45737712}\AppName = "5qmedint.exe"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{328d6f78-0dbb-4f17-acd5-26a2ea4ef251}\Policy = "3"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{644413C0-4090-4A84-BC29-DC69E91A7D73}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Zwinky_5q\\bar\\1.bin"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}\1.0	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.ThirdPartyInstaller	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.ThirdPartyInstaller\ = "Zwinky Third Party Installer"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4a75066c-e359-4ce6-830c-e09830a3cd2d}\InprocServer32\ = "C:\\Program Files (x86)\\Zwinky_5q\\bar\\1.bin\\5qdyn.dll"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35dab87a-026f-4503-b5f1-6774e16eaffa}\Version	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.UrlAlertButton.1\	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8DC06AF-7BC3-460D-9C7E-A4594FA453DF}\TypeLib	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCA39EF6-65F5-4FB1-9210-1F3C4ABBD39B}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B3CA1AE-28B7-4D93-82C0-0B424E22B4F0}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.ScriptButton.1\CLSID	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.XMLSessionPlugin\CurVer\ = "Zwinky_5q.XMLSessionPlugin.1"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{315c7727-2b4d-4ef9-95fa-ea6cda9aeb9d}\ProgID\ = "Zwinky_5q.XMLSessionPlugin.1"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70658616-d7ae-4f31-bd19-4f1775792e9b}\InprocServer32	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.PseudoTransparentPlugin\CLSID\ = "{8c775dbe-2382-4eab-a48a-6859c3b9ef29}"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15D6A7F5-0A22-4CE0-BA41-54BB5F62C02F}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{148dcaec-c91d-441d-a0e7-519a0673e7f5}\Control	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{644413C0-4090-4A84-BC29-DC69E91A7D73}\1.0\FLAGS\ = "0"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.MultipleButton\CLSID	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{315c7727-2b4d-4ef9-95fa-ea6cda9aeb9d}\VersionIndependentProgID\ = "Zwinky_5q.XMLSessionPlugin"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.MultipleButton.1\CLSID	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70658616-d7ae-4f31-bd19-4f1775792e9b}\MiscStatus	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B82BA62-32FD-4623-BB38-464D186E7453}\1.0\ = "TEMPLATEBARFEEDTYPELib"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23119123-0854-469D-807A-171568457991}\TypeLib	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69470931-F756-4CF7-A02C-A701C2B1F453}\TypeLib	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{76745572-7E46-4795-9BFF-38EEDB8ADE5A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F2EAA98F-F182-4F5C-B38E-A371BB0BDCF1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF48FD80-B19A-4589-A8B5-0F3C9922BC8C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA01DD23-7B56-483E-9655-0613D0FC7479}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8098DA46-D5D4-4FE5-82E8-9915FD5F4870}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3B82BA62-32FD-4623-BB38-464D186E7453}\1.0\0\win32	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AA25D2F-B798-4050-BD09-640EEDC774A8}\ProxyStubClsid32	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{148dcaec-c91d-441d-a0e7-519a0673e7f5}\MiscStatus	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2EAA98F-F182-4F5C-B38E-A371BB0BDCF1}\TypeLib	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D71C4580-C7B1-47CD-8A9C-4C575BE02790}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70658616-d7ae-4f31-bd19-4f1775792e9b}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{70658616-d7ae-4f31-bd19-4f1775792e9b}\MiscStatus\ = "0"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD48A3C7-5201-4093-AB66-04BD35BAC3D8}\1.0\0\win32	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}\1.0\FLAGS\ = "0"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E8CEC7BE-04BA-4C1A-9422-E0865796F13B}\ProxyStubClsid32	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4A8AE59A-2F19-4777-B0B4-177188AB839B}\1.0\HELPDIR	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15496D19-91EA-4930-9150-B24A27FE3DE1}\1.0	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.HTMLMenu.1\ = "Zwinky_5q HTML Menu"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f346cf98-fa03-4e7a-81b6-eb19b718f9c1}\ProgID	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{98623C86-E768-4C5A-B23B-EE8CE3727CD3}\ProxyStubClsid32	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.FeedManager\CurVer	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{644413C0-4090-4A84-BC29-DC69E91A7D73}\1.0\HELPDIR	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.XMLSessionPlugin\CurVer	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{fbc663ed-1560-421b-bd71-f5b94dcea09c}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35dab87a-026f-4503-b5f1-6774e16eaffa}\Control	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{782D4CC0-74AE-41B6-B445-3D4C23AE6B9A}\1.0\HELPDIR	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.MultipleButton\CurVer	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{315c7727-2b4d-4ef9-95fa-ea6cda9aeb9d}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00fb52b5-0779-46dd-afc6-c6eb55f21a26}\InprocServer32	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3B3CA1AE-28B7-4D93-82C0-0B424E22B4F0}\TypeLib\ = "{3B82BA62-32FD-4623-BB38-464D186E7453}"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.MultipleButton.1\CLSID\ = "{f346cf98-fa03-4e7a-81b6-eb19b718f9c1}"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{648CEC5D-18E0-4445-9A17-C1589D0C9169}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Zwinky_5q\\bar\\1.bin"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.Radio\CurVer\ = "Zwinky_5q.Radio.1"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B721505E-F0C2-45E9-A0EB-D4EA951B4263}\TypeLib	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00fb52b5-0779-46dd-afc6-c6eb55f21a26}	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f346cf98-fa03-4e7a-81b6-eb19b718f9c1}\InprocServer32\ = "C:\\Program Files (x86)\\Zwinky_5q\\bar\\1.bin\\5qmlbtn.dll"	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Zwinky_5q.SkinLauncher.1\CLSID	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A283A85F-ED85-43CE-9199-952A2D106802}\1.0\HELPDIR	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{644413C0-4090-4A84-BC29-DC69E91A7D73}\1.0\FLAGS	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2532	5qsrchmn.exe
2896	5qbrmon.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2532	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2532	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2532	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2532	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2660	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2660	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2660	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2660	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2396	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2396	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2396	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2396	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2896	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2896	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2896	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2896	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	33
PID 2668 wrote to memory of 2868	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2868	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2868	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	35
PID 2668 wrote to memory of 2868	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	35
PID 2668 wrote to memory of 332	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	36
PID 2668 wrote to memory of 332	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	36
PID 2668 wrote to memory of 332	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	36
PID 2668 wrote to memory of 332	2668	2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ea18902a4fdfcf92f6508a5a86190d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qsrchmn.exe
  "C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qsrchmn.exe" /m=2 /w /h /r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2532
- C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbarsvc.exe
  "C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbarsvc.exe" -remove
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbarsvc.exe
  "C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbarsvc.exe" -install
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbrmon.exe
  "C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbrmon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2896
- C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qHighIn.exe
  "C:\Program Files (x86)\Zwinky_5q\bar\1.bin\5qHighIn.exe" 5qtpinst.dll,#5
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2868
- C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbarsvc.exe
  "C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbarsvc.exe" -remove
  2⤵
  - Executes dropped EXE
  PID:332

C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbarsvc.exe
C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qbarsvc.exe
1⤵
- Executes dropped EXE
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\ZWINKY~1\bar\1.bin\5qhkstub.DLL

Filesize
33KB

MD5
9f9a40b54044c57fbff3cba20a4804e9

SHA1
042eb029ff62a60699ea460f315ed511807cade7

SHA256
bb723d9ff88876c2fa2a01e3c6736727f6fa704f6ae2dc0090e89fd4b47f8144

SHA512
c9f8fa5db00518fe800b5e469e0298e0f7a2fb741073c3a40ace513ed792bb43d7783211be0075f8057b37f0635b2e8b60d15573abe48aaa51001f0943b961de

Download Submit
\PROGRA~2\ZWINKY~1\bar\1.bin\5qSrchMn.exe

Filesize
41KB

MD5
41b14d42ebd62c07fb42c9c32908610a

SHA1
3cc773c2ef5d221dc74a1832e7b575bff5b18a5c

SHA256
b5a0cf58d8613b4e7b7c2ec95bff5420a1fd05da83e96a05170933e2a836328f

SHA512
181207406aaa1fe4979349ad0f5a3e7ce8e560498be7a90d67ef88fe944bbf94694037c38d945a74940ef165710cec72d6be7bb18b9a4d172e235146b685bc30

Download Submit
\PROGRA~2\ZWINKY~1\bar\1.bin\5qbarsvc.exe

Filesize
41KB

MD5
72f8c1568a56c7059cb1074a7e529dc6

SHA1
a2c21b1f2718a7d022910af00a741ed01221464d

SHA256
c9df31171fa410895972d19ea51f6350fc3b51cb02a51e42e17ae341563b4d4b

SHA512
c54ff392b538c731617acdc6adc386cb4ff2a411f27ac04cb5804c3f4578dd39793722ba42722f9ff15e34c842f68447201cf47b9281d59396ccd128d73c6ef1

Download Submit
\PROGRA~2\ZWINKY~1\bar\1.bin\5qbrmon.exe

Filesize
29KB

MD5
0bbf9b5e16508f6e4451c90f53ffa8d0

SHA1
4ea9923fdac403fd41e0cdad86e3d54e3846d674

SHA256
c9a9aeee317c96af1f30d8679df96b17ae9211601ea44f3b15bb8b3c15c908a7

SHA512
2e03790947ec4d4bb03c13880bf12c0a96bed123c12abdf2f98898ed85ce400837909a41cad534f598f65509ea9e5f108f973dea7b5c5c469de5ae2204fcd63e

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qPlugin.dll

Filesize
61KB

MD5
9e30fd15ac59b0f1a00495b482e1ef97

SHA1
3cba6fb91a1908e65766dbbdf0879b2d9a03249a

SHA256
073c0f402d1dc50c27a716cbb747df7c23694aa8f3fd9e8aead187a272b11d56

SHA512
36b2cf2987b2e93beb5f9be0924afbad7d4d491d3ef117286d0749534d3bb627ed0fa4e45a13e6df5a4a817a299ced8a0236292aac1ca47514c6a388af32e356

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qSrcAs.dll

Filesize
65KB

MD5
ddcb76b02fee7015b5f396f43f3ea9e3

SHA1
5610c4df81e42584dde27f7febc4993791b029c5

SHA256
82de86e07bd27c6218664554dff29a31a91e9a06a3f81c90acd5e6d193f866ce

SHA512
3a15ac7fc89061dae1d7d012bad9e245504e6e05c0c353733a632ad11594feb9b7dd1cf4320c6f6a165f42d90a0ea4d46d049f7c4d042905064f1d822f16bbee

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qauxstb.dll

Filesize
29KB

MD5
b3a95e526c71a5594e43bb4b1292683b

SHA1
2f5d3a9f4588f63a8ef06bce82a1c1664ab5f898

SHA256
190751b0c222d0c62fe240518b7b0501cf38482213d1de5ac8b9478e537b581a

SHA512
79876e436f11903f58d4b60b04558a0e9d0cceb11a066990dc5e0937f58c5c7d9f6313adc35d9427643c1f28e66c597c4853a38c9b8e69f4c6f274458755344b

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbar.dll

Filesize
677KB

MD5
d8ccabab9424caf74341905d273a8361

SHA1
1a3ad1993fcf8c08c3e3112eaa1e6227470ebfc5

SHA256
1cb735d4662c2c2dc71c3c8587e6f9e98c55e42cdf4836b4dc70915699685139

SHA512
892e6af42ed4e7a21ec1acd858d87f3c20859b4c5c643f421156c5db4b0dbd471b55934dc448aa9971930d58de8bbd503addbee17b11bcd8ad53b5c51356ec35

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qbrstub.dll

Filesize
33KB

MD5
933286a7bc611337271bfe6f69383feb

SHA1
546e5804e61368f4af9e26cd52a469230aed05cd

SHA256
feb077866ef7ab32bd37d5c2bda7816602b86cd607833eb5a7f6365a05403b1d

SHA512
e19db7bd9fbc8c05d196bb5e5038be7d97f77525e91fb3d41110b7307290a5d9681644a2f6a7515c6af5025b13e4e0e6893a3c390b0a8dd6932a39da7a5a1764

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qdatact.dll

Filesize
97KB

MD5
3f9f9fc69b3cce50c72ca3484362ff6d

SHA1
792e85ee362552160ad7632d71f2d4eb6206912c

SHA256
eb610df34a493c9caa5bff9d2fa8f30711ba3e74318e8ca5b43283c9432c8d51

SHA512
d6c9a75f2b4898e2d0223c43da65950e1dce7c70706acd223b8273dbd711b4a0b597705f48e91090a909d29ed98c049226f5f8f4a2f4b945cd97447953fd767b

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qdlghk.dll

Filesize
49KB

MD5
d53d26fd4b3ecc3b206165f769b64e71

SHA1
a4f2ce2ba65faf8154a65fb4266cdd429f95dd8c

SHA256
e5dd1b2d123618c7d5e3f9ca9f3bf8ff8a94041e891e907193637139e1f10c3d

SHA512
846d6960549d94e3a6240d555d2433247fb3cb8a7a9c8e614ce1e505fa2387a05033d0aa01d39f22d836b82b2e4bc15a424d160038bd648e1974def84016de03

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qdyn.dll

Filesize
53KB

MD5
75f254c9310846ab32655b47edd795f6

SHA1
c791e62f68e51e6a942b106809a3478f2d9bb8a3

SHA256
9900a751df3b55ac80152e007eafe26aa26fae63850eb3152c581cc80f98ddae

SHA512
02eb1885e4cad44696b5b26da2566d4294678ce3345e32e79b051a57b6d964390b08ac04917c6f8a759d9a8c4a5c4e9331040f1fb9c088f02843306d866de1a3

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qfeedmg.dll

Filesize
89KB

MD5
2e5fcdda2506bbbed68a3eb6a09888ca

SHA1
5ba51a58dd8aef51376db0b4253dfa17165f2bb9

SHA256
bd504146472b35c0c2fa622523d9a4e03488dbfd2455f0c3364cbfe6177cc095

SHA512
fcbfda17666c7b870a6643d697038d2a72eb9bf9665f8629cd7e5f7ad60a1cb40ee0c5b60f3db7ec15e3ddf2b89c31970b9b9bf356a9ac8e270255212c29004f

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhighin.exe

Filesize
21KB

MD5
3de6281a5e06e9fea20282b0ceec2993

SHA1
b714afe68f2a7cacc274493f8b4ade00300cfd50

SHA256
db90558b56e6f8b5a3123604762cb372f5e8f32fdb1a97bd76e461cea49d87dd

SHA512
69b47c14b44bc218231d2eee051ce5dd1ea7c74041998dd476dbc6dadd0734f2e79223b11be4f2498698013fe7e91fbe9bcd59b427986c66a0f8227aec966369

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhtml.dll

Filesize
93KB

MD5
36680283735d6843b93830847a03fc71

SHA1
e988f8e3b364ab299743127ee01c4f80681d43d2

SHA256
6421324eab392decbf769acb531b7f16ce297066f4b45e053d0e987564e2d0bf

SHA512
a7817a711ea42fae5c1c166d390baff4ba6c07eda7a28b82cb20be1f44dcd45ed71e032e56d3be1f31f54c540bac5838e849378bc5b9e85667c856636ec6733c

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhtmlmu.dll

Filesize
157KB

MD5
3146b92cd6e8e2382ee8b573ece87e8f

SHA1
d3a3aad17eaeaf2adaa20b3deb5262d9f7706b9b

SHA256
6c9741a34f71ad6043e35fe6c63076606a23b9fa2098a45c69a7db7809fa2705

SHA512
6ad4618b982577b3cbf3aa76d07096649c654519e3a74a055b7bac258ed995777d7c3dada83a46ca22dc24dfecacce58de99a18c88173653ae008ae038dd4794

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qhttpct.dll

Filesize
81KB

MD5
708f9c6a4ac71098499382c7fcf4e0fd

SHA1
3cfcc6717268eb940782c322aeb08fb82e9dd36b

SHA256
d6496a936156e037add78c9fe67040029e683f98fc5d1652e754d485030c6d1d

SHA512
894f4dc9319b59e3bc4c3bfe7c467b9bbfcf120620a31f57c82a92dc02831e289a5374187ccc96decd9a6e9b9768caabc6d22a906f5372e110272da088916f7f

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qidle.dll

Filesize
33KB

MD5
c47fe8a3791b62a31c264cc19b965008

SHA1
7bfa6cf47f6be29ed0c0d98935047dd67c2bbce7

SHA256
b27f763df8349fde7d3a5d87334d351bc0273710a76508734c4475da2788be33

SHA512
17eba8045ef88d334040764e698c6ff2d22a8caeb6be31aabfea5dd352813c687dc5299b17cd0fd4fab2bfd02dd92b0b36557afac26d25bfb5496bfe329e5ef5

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qieovr.dll

Filesize
41KB

MD5
88980535c860eb7f039ddf431e2f96da

SHA1
b10078c9d9ac493fe9ad4d4827d28896d6557764

SHA256
412e74a5e40fc3d0eacf1d273683073e8d4a881a31bc3e62627d776e68801eab

SHA512
ec28017ca245e30d8c8f98b539455d083a821bfdce431bb6962bcd7d3af80866c4200eb7f0e61df6f7daf475f495d3a5a5fdc06780c59d2e62bfe41a5d0da79e

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qmlbtn.dll

Filesize
45KB

MD5
8e3074b8a4f013cb015839ebc6c09122

SHA1
6700b74f0e93837eb24c05b703c91f3a177a81b2

SHA256
6a2d00ecf847f683f03d2c02ffc5dc00c89d5551359ada8de9c2bd1c41026ed8

SHA512
03624c1edeaa9efac02856e287db0eca64c96e85c47aa4938235ebe321f37132932ae5879db66b4470bfd3d488b5b100b6c04521538bfa7db7778eac954672bb

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qmsg.dll

Filesize
157KB

MD5
e00abfef3f2a19c2790543fc9b481046

SHA1
f39a36a27af0786853017ed30f17ba4f51ea8e06

SHA256
6c76b7c93e0f621af17b197811b2f4db69bbfbd92bbb2decb91151b2dbb894a1

SHA512
ab950fe1189a5b159ce5a60bcb4ddea07a3bc5cd5ed8b44ba3ecf5eddd9b7067424d79ebcea7ed8f55e4434ef916f5a09b6a7b92820581a1c9409fd9abdf3115

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qradio.dll

Filesize
121KB

MD5
3015ffa29d07b7a4b87664f8d76c4a28

SHA1
9a4d911c38fb8b0a4e230c6b54a5a3ed2e0743b5

SHA256
719d80d767acc149d084859c20249f3e139d2e6282dcc4d486147701b84a0487

SHA512
440e1e5aa2c605b5685ab4562733f4915bcb14f63961990a1b2d372df6c446796e3c9d5e18466e9fd9139c14f1a1d92f7e620b0715ecbe064824e5edb7a2f03e

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qregfft.dll

Filesize
41KB

MD5
ad81a01d8773f22021d2d53d0dad25c2

SHA1
375bf755af28c636f11a0b15a9a7043fc77ea41a

SHA256
0d44ef6c7fc6aa696744edd537983a0e7d98f6c667990fead43a789c86c3e0e9

SHA512
7b36baeee83057ec09c8d3842c42115122ca17e9f4486bce381dbc7c647e1800ffdbd08db2c4d12dc72397a4bcc11def3008f3a2e96930fa3852fb8618269272

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qreghk.dll

Filesize
45KB

MD5
b1df557546b5741a73053c37704caca4

SHA1
d8f238165ec12f319dc727bdbf4d13a14133e855

SHA256
bee4d1499636d508e4b81bdfe4333efd9443c301f42e6af92766662a7efea73a

SHA512
e3c2d3f232fa1d2bf0e4d0433be3e9ec44b5c8c438520b9dd8cf4fcf88b73c49409ae3edb8e1df3079fa80d0f6d620089251ee88152f1bbc88b07e24a66f67b4

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qregiet.dll

Filesize
41KB

MD5
017b334952768c929bedf608b5ed303d

SHA1
4dbb23750a1d3fd941a06b61a3f1821bbdbdafb7

SHA256
10eecb75d364a8abaedb78d1dbe93e38b3fd7525cdba4b9faba07bed440141ad

SHA512
f8ba876c54cf625683da7c664e2fbbacae1a6392e173c55b480da34a4df6cf983953ccda7324e361c48f73b100dbb2fea6b79ae4872c325bab386521b9a4cd0a

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qscript.dll

Filesize
45KB

MD5
fa0d494e0654a4cb3f4abfe4176e4703

SHA1
42b1738e4fdcbab4c1c71998281ad4ca3311e1ee

SHA256
01981548f981ae520aa11c1356e4081f4320eafb57a01637c896f269126f49cc

SHA512
6847f7c4bd59c2f563cedda3cba448414949914377ebdfe90f0a83bd19c16ccc11eea19b3d4926b7a0192ad77c351391a2dfe24a3fbdac4a357ad30b169bb134

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qskin.dll

Filesize
125KB

MD5
eb64c8a15b432d1beb8ac4301d36b7a3

SHA1
b41ac465e6b19f0dc69ba54aeddeab016cc065b2

SHA256
39a166271e49d8f34e2b9ac5bc97295e083b2584a87f30d8352ab8764b2ba777

SHA512
ae79852b7dfcad996346920b6cac0f66a80cce88b7429887fb68bca14176fce190d3d3ea54ec1f59b85d0f5206d04f9bc673522203a6f0bc5e6c092a2fd45ac3

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qsknlcr.dll

Filesize
296KB

MD5
271a3d1246fd445e31bac160876d33d2

SHA1
e2107d498b5a82156d9acb4beb73517b34d6f2c7

SHA256
0a7610865f07c5973d9e0fd3451e3bc32dec8143035bbe7004313ff9f096f8c4

SHA512
e2bf0ddf21239756c745958524d7fd608dc3bd2885bdaba3d69abb209c21203a0f9661ec0ce435cf85c3f17b5f85874459762efd488f22910a33b10cb29814ac

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5qtpinst.dll

Filesize
165KB

MD5
81a7c1893e3fe1a3ebef1e0a57440cbb

SHA1
642dfc47069d0ad831efec9e9cb64d1424bc2154

SHA256
1617e44db880e3c92cbe65e53f947336d36025c628ac1465e79e960733121602

SHA512
17452f65cf0e65fb00b5122d10d39c893d558aa5513611684b98eb95f4d9b31e0803b27181aa6002c3ae98363e35e68b78e1ca8f00eacd3a1c6372fb14a251aa

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\5quabtn.dll

Filesize
45KB

MD5
ec29a38c9322692af57a54ef45b8c1dc

SHA1
eed52ab780f0934ee703e9ad20f6d3105f6a9a3d

SHA256
a729d96a33a582e65aa3a9c6ea5e26e0ce34119b82be86ffb02cd52367125edd

SHA512
eba7f8b2d54e7dfd39605f4e92d36e4f9925fbb240fa739d7088433a2696fbe29c6ec778fbc42bfba471c520a02a769a3e8e0bc7ecf5cadbd83e3e3040d3c28b

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\NP5qStub.dll

Filesize
29KB

MD5
e391a0ac3b27b83f4bca09d138273499

SHA1
710243e348e0d523b1791461f6af112556662ca5

SHA256
c3e22288a5331174e471e56dc7c1a63eea1bf23b807e650a031b7f1e1c0c172c

SHA512
ff470a4cc546d4c4dfe7db8b4d75d66966f826cf1d651dc122ea53a39d9ca3ad71b86a25223c438ab650b40651fd4ebb372b43d132bf21792af2fb701f1ee716

Download Submit
\Program Files (x86)\Zwinky_5q\bar\1.bin\T8RES.DLL

Filesize
169KB

MD5
9939ec6b113872a247d59646165e678c

SHA1
73e1f57b4ff4720098d1b6a5d0b357d00133623e

SHA256
cd1c5c0e1578f4b4b7b5c506896aac6377e9dc628acb3d21f00c05372ae5c3ce

SHA512
8a6758f9cf66eb6b8529ec1b624a5f8a7033c018c9dbbcb025537ed2b4d874ed969c0683f843385c56d15f5d3b494e4898c79b0c47218e3934aff08452fc7f09

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads