Analysis
max time kernel: 96s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240729-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240729-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/07/2024, 12:20
Static task: static1
Behavioral task: behavioral1
  Sample: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe
  Resource: win10v2004-20240729-en
General
Target: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe
Size: 1.2MB
MD5: 70af1a0f5edd633a967b6b424409c016
SHA1: c0c8ddc109da87f22126b991ce9aae2a0a666aee
SHA256: 43d9e3dc473784bc870edcc9507f5626d222217d0e529a03107d45a570615b2f
SHA512: 1f64e61aee1dfe3fad44ffe56f4b82367644160547dcdebef92ebfe1d335e244650aed4326772fef1fde96cae94895b0bc82b90aa6ff4d91bc9109c9542a2609
SSDEEP: 12288:xCTPgrnZiJiAaMVkUet7EwBI+APutDrVkP+xnXOBI+AM0u53XC1t:xCTPMAzVkUetVI5ut/VkP+x6IS0u53et
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, C:\\explorer.exe" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\explorer.exe\"" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, C:\\explorer.exe" (process: mr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe \"C:\\explorer.exe\"" (process: mr.exe)
Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: mr.exe)
Disables use of System Restore points (1 TTPs)
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
Executes dropped EXE (2 IoCs)
- PID 892: inf4D2.tmp
- PID 468: mr.exe
Modifies system executable filetype association (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image" (process: mr.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zrt = "jtv.exe" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mr.exe = "C:\\Documents and Settings\\Admin\\Local Settings\\mr.exe" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Alumni_Smoensa_Pangkalpinang = "Mr_CoolFace" (process: mr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\My_Old_Class = "3IPA2.pif" (process: mr.exe)
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file (1 TTPs, 64 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory (7 IoCs)
- File created: C:\Windows\SysWOW64\jtv.exe (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\jtv.exe (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\Mr_CoolFace.scr (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\Mr_CoolFace.scr (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\msvbvm60.dll (process: mr.exe)
- File created: C:\Windows\SysWOW64\3IPA2.pif (process: mr.exe)
- File created: C:\Windows\SysWOW64\msvbvm60.dll (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
Drops file in Program Files directory (6 IoCs)
- File created: C:\Program Files\Common Files\tskmgr.exe (process: mr.exe)
- File created: C:\Program Files\Common Files\reged1t.exe (process: mr.exe)
- File created: C:\Program Files\Common Files\Mutation.bat (process: mr.exe)
- File created: C:\Program Files\Common Files\_cmd.exe (process: mr.exe)
- File created: C:\Program Files\Common Files\N0TEPAD.exe (process: mr.exe)
- File created: C:\Program Files\Common Files\kalkulator.exe (process: mr.exe)
Drops file in Windows directory (1 IoCs)
- File created: C:\Windows\Negeri Serumpun Sebalai .pif .bat .com .scr .exe (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
- PID 3040: WerFault.exe, target PID 468 (procid_target 87)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: inf4D2.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mr.exe)
Modifies Control Panel (6 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\Desktop\SCRNSAVE.EXE = "MR_COO~1.SCR" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\Desktop\SCRNSAVE.EXE = "MR_COO~1.SCR" (process: mr.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" (process: mr.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60" (process: mr.exe)
Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "C:\\Mutant.htm" (process: mr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "C:\\Mutant.htm" (process: mr.exe)
Modifies registry class (6 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "JPEG Image" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ = "Princess Document" (process: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image" (process: mr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "JPEG Image" (process: mr.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ = "Princess Document" (process: mr.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2704: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe
- PID 2704: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2704 wrote to memory of 892: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe (procid_target 84)
- PID 2704 wrote to memory of 892: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe (procid_target 84)
- PID 2704 wrote to memory of 892: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe (procid_target 84)
- PID 2704 wrote to memory of 468: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe (procid_target 87)
- PID 2704 wrote to memory of 468: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe (procid_target 87)
- PID 2704 wrote to memory of 468: 70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe (procid_target 87)
Processes
C:\Users\Admin\AppData\Local\Temp\70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe (PID 2704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\70af1a0f5edd633a967b6b424409c016_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Checks computer location settings
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp (PID 892)
    Command line: C:\Users\Admin\AppData\Local\Temp\inf4D2.tmp
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Documents and Settings\Admin\Local Settings\mr.exe (PID 468)
    Command line: "C:\Documents and Settings\Admin\Local Settings\mr.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer start page
    - Modifies registry class
    C:\Windows\SysWOW64\WerFault.exe (PID 3040)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 1344
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 1356)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 468 -ip 468
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (5)
Downloads