64197e0039e3c21e521444b713047c1f91692fed9e265350bf97cc141dc622b3

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe
Size

1.1MB
MD5

154318b9f7bb8b29a565a7a897cb7745
SHA1

7cb9ae7669a3ccdb76c2c24eedecf07cd6af8cf4
SHA256

64197e0039e3c21e521444b713047c1f91692fed9e265350bf97cc141dc622b3
SHA512

da52eeaef7f08025c5c65a8c3f175940acfdf1878c0d66437d3ef834f1c154d89e57c430825066939e23cbf05a45ec3147793cc1b1780f48972e30efe0840116
SSDEEP

24576:jbfU+yAGbQLIDXB20iTqF43bkrbE9Nu5n0Q5f25:8qG0abiTqFykHqNupO5

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
2668	YontooSetup-Silent.exe
2532	YontooSetup-Silent-0A6C.exe

Loads dropped DLL 14 IoCs

pid	Process
2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe
2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe
2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe
2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe
2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
2668	YontooSetup-Silent.exe
2668	YontooSetup-Silent.exe
2668	YontooSetup-Silent.exe
2668	YontooSetup-Silent.exe
2532	YontooSetup-Silent-0A6C.exe
2532	YontooSetup-Silent-0A6C.exe
2532	YontooSetup-Silent-0A6C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\P:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\Q:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\R:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\S:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\J:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\O:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\E:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\N:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\M:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\T:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\X:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\R:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\H:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\L:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\H:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\W:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\I:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\Y:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\O:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\U:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\V:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\E:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\K:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\M:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\G:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\K:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\N:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\Z:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\L:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\S:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\T:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\Y:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\J:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\P:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\G:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\V:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\Q:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\W:	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
File opened (read-only)	\??\Z:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\I:	YontooSetup-Silent-0A6C.exe
File opened (read-only)	\??\X:	YontooSetup-Silent-0A6C.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ = "Yontoo Layers"	YontooSetup-Silent-0A6C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\NoExplorer = "1"	YontooSetup-Silent-0A6C.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll	YontooSetup-Silent-0A6C.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YontooSetup-Silent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YontooSetup-Silent-0A6C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\Active	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434245408"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1BA78C51-82A6-11EF-A1FD-CAD9DE6C860B} = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1\CLSID	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1\CLSID\ = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}\ = "6c490123-7e11-4b95-ba9c-dfb7580de39f"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32\ = "C:\\Program Files (x86)\\Yontoo Layers Runtime\\YontooIEClient.dll"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1\CLSID	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib\Version = "1.0"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\NumMethods\ = "17"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}\ = "YontooIEClient"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CLSID	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\Programmable	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib\Version = "1.0"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ = "IApi"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID\ = "YontooIEClient.Api"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32\ThreadingModel = "Apartment"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ProgID\ = "YontooIEClient.Layers.1"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32\ = "C:\\Program Files (x86)\\Yontoo Layers Runtime\\YontooIEClient.dll"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1\ = "Yontoo Layers Api"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\Programmable	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}\defaultEnableAppsList\ = "DropDownDeals,DropDownDeals,"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ProgID	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\VersionIndependentProgID\ = "YontooIEClient.Layers"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32\ThreadingModel = "Both"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\ = "Yontoo Layers Api"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32\ThreadingModel = "Apartment"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\NumMethods	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ = "Yontoo Layers Api"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32\ = "{10DE7085-6A1E-4D41-A7BF-9AF93E351401}"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ = "ILayers"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ = "PSFactoryBuffer"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CLSID\ = "{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\ = "YontooIEClient 1.0 Type Library"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\0	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ = "ILayers"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CurVer\ = "YontooIEClient.Api.1"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CLSID	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Yontoo Layers Runtime"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1\CLSID\ = "{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"	YontooSetup-Silent-0A6C.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CLSID\ = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CurVer\ = "YontooIEClient.Layers.1"	YontooSetup-Silent-0A6C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\Version = "1.0"	YontooSetup-Silent-0A6C.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
444	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
444	iexplore.exe
444	iexplore.exe
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2480	2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2480	2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2480	2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2480	2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2480	2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2480	2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe	31
PID 2096 wrote to memory of 2480	2096	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe	31
PID 2480 wrote to memory of 2668	2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe	32
PID 2480 wrote to memory of 2668	2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe	32
PID 2480 wrote to memory of 2668	2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe	32
PID 2480 wrote to memory of 2668	2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe	32
PID 2480 wrote to memory of 2668	2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe	32
PID 2480 wrote to memory of 2668	2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe	32
PID 2480 wrote to memory of 2668	2480	154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe	32
PID 2668 wrote to memory of 2532	2668	YontooSetup-Silent.exe	33
PID 2668 wrote to memory of 2532	2668	YontooSetup-Silent.exe	33
PID 2668 wrote to memory of 2532	2668	YontooSetup-Silent.exe	33
PID 2668 wrote to memory of 2532	2668	YontooSetup-Silent.exe	33
PID 2668 wrote to memory of 2532	2668	YontooSetup-Silent.exe	33
PID 2668 wrote to memory of 2532	2668	YontooSetup-Silent.exe	33
PID 2668 wrote to memory of 2532	2668	YontooSetup-Silent.exe	33
PID 2180 wrote to memory of 444	2180	taskeng.exe	36
PID 2180 wrote to memory of 444	2180	taskeng.exe	36
PID 2180 wrote to memory of 444	2180	taskeng.exe	36
PID 2180 wrote to memory of 1288	2180	taskeng.exe	37
PID 2180 wrote to memory of 1288	2180	taskeng.exe	37
PID 2180 wrote to memory of 1288	2180	taskeng.exe	37
PID 444 wrote to memory of 1700	444	iexplore.exe	39
PID 444 wrote to memory of 1700	444	iexplore.exe	39
PID 444 wrote to memory of 1700	444	iexplore.exe	39
PID 444 wrote to memory of 1700	444	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe
  "C:\Users\Admin\AppData\Local\Temp\154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe" "C:\Users\Admin\AppData\Local\Temp\154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent.exe
    "C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent.exe" "YontooApp=DDD" "InstallSource=DDD-L" "EnableMoreAppsList=DropDownDeals," "OptimizeForIE9=1"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent-0A6C.exe
      "C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent-0A6C.exe" /q2 "YontooApp=DDD" "InstallSource=DDD-L" "EnableMoreAppsList=DropDownDeals," "OptimizeForIE9=1" "C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Installs/modifies Browser Helper Object
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2532

C:\Windows\system32\taskeng.exe
taskeng.exe {56804526-E9AE-48FF-A5A1-1B5591B07AFC} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- \??\c:\program files\internet explorer\iexplore.exe
  "c:\program files\internet explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:444 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1700
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\launchie.vbs //B
  2⤵
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3a316defd2e19d85ec0700966e79d1b

SHA1
9fcbd36257ed60ce2826cc37d6a8f191702415a1

SHA256
049ad44a96f1d93ed7dd4f1388b61cb2682af5622f36ee330963db89460eda7f

SHA512
f4e14fa7442bd341f97b2a873e69048d06fac33c1e784e9cf0470ede9eea74ee076bd8f201fad15e05fa4d4cef0b303c5ad688b24423114dd437ffc32f928712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7968b20f613bd580766576392e623211

SHA1
6d376849d1136ae88a10bdebb3648b1e532cd9b1

SHA256
e55b5601d27360039fff342317862bb78ea93edf6561fe0f947df722504905d3

SHA512
638c5a4253c9c52745053eb27a2e52dae33351ba18ba950bb7cbfb7132d467be3ec4d233d169df99d2e04508a6bd81f75cd73125d7e7a1306f31f855fad18498

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87f438805003028bd06a9e99627cfe21

SHA1
bfd034384cfd6c515e9cfa6b37e48f9b27e35fba

SHA256
aeacf8998278f2f81851622e1bdaaad98942c37b667b7a5051556f759e0971a4

SHA512
24d1c94e11280bdfc67babeebd77a3c1fa5db3a6b0a92b33ddda135eebd4e92d7d2593a112e4a384778e616b2a19cc86aec5785046d778130fe41b01f4cda1ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bad61fce0baf7f6c381bd31e7d78e2e

SHA1
f9071c65f21b6a72bdff784e8f8cb51df4b069f6

SHA256
f0cd5b7ac1ca947a504b831d7cd0c88ddda7015fceebcf0bbdf2929b210912e1

SHA512
734d4a71b53b840fdf0caf744d5b50d34191af8b8640dce3ad38cfaa5ac6c7d678c9653e9617a445ca64e74492f0f2a6be920383c61485db440513354d8b01f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bed22180747943ac0f867647836f8e2

SHA1
c22bca87d886d299d2136202b941d2ff449026c3

SHA256
e61163d7a04fa9672a72af62a84c01dc9b3488ce2fb09decedb023e64c5c045c

SHA512
50aa504d8cff3db162d1f67d441d8cb22f8025691c112f8116ee0f0cb33f25f268436dcaca257878032231bb1fcd28d3b9a98464e95b184ef4d15f727da62cf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab9267bd8c20bcd39172420b9bb8d1b4

SHA1
08f8875a398e60c86735cc074e19fcb1785dbbdd

SHA256
d527c610a45d67d3c195c799f619d0ff12bc685ff1e156b4eca53471763afade

SHA512
add63f4d4a3c37f2fc565f69e96b60d499c3790b0cefa9b2b3c4c84483ed9ba86f132bfa361e8e89964ee62e0bc9a22ea26413e2d4ffbcc5437c377dc124d02e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc4f67a3f66bdd1a837b2544a363e84c

SHA1
f26b7dc6cb1a69a18b446d8f849ec02985671039

SHA256
5e35fc8c550892472ec781c5d31f6bfbb2152f16db41cb7667d0bf1d4a528510

SHA512
cfc05cb39d5092f24bf566409328586f3efb94c88e3241eccd9d015a92035b78b5cf699aac0563221a5bcb6722d4d9a7246be7bc7ed356f41ed7479298934460

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
617ad6367fb68f5855663699d1315749

SHA1
fecf4d3e185431a5a5e2aec6bba66a5ca6b7a044

SHA256
2d9044230d6ab07e6a6b21f2a1806eff83d206735e9429e2db1e1466d1773be6

SHA512
620e19878037b0f09c7900dd1a5fedc21345fcfb21515c9a3d8b3176b8afabcf0103843bd1f7ee9636bd5526436f1b45ba6b8bf1497ee6bc192b59b69245b024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef84bfe4fb9fc495f162cfe667ba7008

SHA1
267f63a316983ed1bfa82f792e42a8dfd7d4a736

SHA256
2fa5024c89d29298c702092f7ce16ea06fbd09bc177a745dc89dc7df57a951f4

SHA512
8bbb4c4a4ea32ccbacae48053364dfdd7bac2ac196bc96062a6a6bfd0a88ef99d8a5630c819c1c5acd1cc54407d9094bbab32bc12336340f163791a509eec1ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bea6d5f5c71d5af32649f72e8cf30e9e

SHA1
16f73749c464bd47fdc34068a4edfdb02593ef2d

SHA256
67f8fb1f46259a04db554f583c7baf69518c4fb8e866e85be534ea9ab4d9163c

SHA512
fdbe8739a9d9719a5e52ac5e86528056d4b808c3d450e8402ca9e97b0c0e15975ecf572f27724dd6410f92cc374cf1ba67ffd78dd5a58c762c6335c10c18f3d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba42afe6ed9649fad8e447f119b91a2a

SHA1
f94ecb56c3c0e96d3f560cd633ab5ac2a3018420

SHA256
d44f55eb4e65e932f904570e670ff8bfee1d75447b8c19e1569d0f68bcb0aee1

SHA512
d4b585822a6f5652c58531f4079581a1e69121772921b925f469341c6f7db448be2a6513d1c1c7ee2ef9d1776ccf91a6e957bd0f0cdb87827f98027be7549c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d478b62203547a52036f9584bb16a800

SHA1
c8364ef0885cea39728c60b364cb7535d3cbbe8e

SHA256
161a11a5e4581107b6d719fe02ced11d5a611d606cb004b79e43f5831d7265c6

SHA512
8dd442094debf3d0a038aac6da76c44844b142ceb27f1754cb31af0c002b5b43c168301460990ee3f0efdba3a33ccdbfff96e99f3970a384e82bb3aa5b10b7a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1be5db7f1afc7c8e40c782aa2f046a1e

SHA1
3e09c528b98d8879f2d71c80b1313865dcc5eb6d

SHA256
9c600b4ff345ead8633b6f33f002033014a57c0f623b9849750797e13c5b448c

SHA512
cd2c28b87631a82758efe7f40dd90e298a16ebb151df8388169ce93c43a7ee45198b413af91374f0b2c3bce2d8312a9f217a96de3c8338a3964c21cecd5e50d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
106877cec301996b08c0c7ea4ee87008

SHA1
7ce91f0bb5896c9e22328f1274a236ea29a2d541

SHA256
94e3c67f3473bb4adfa3e21fadbe1ab513e4175805de17d07a67b1bbae1bc5c4

SHA512
920496cbd145d3f5ce6df078f2981c0da41871afc57a617174770ceeca1aaf6f1206b97a8c0a8726f4f3c6fba0c4aa2dc62bd69b31c4543e26b8b1e276801f49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
723931a6a4b55d6dfdeaaeb6b6b8d7a0

SHA1
4640bbe187cf24cf058fa200cd3746adfb12da8f

SHA256
545f1fad172d4ba4a709099a9f1e58890a2bea013c055e81cdcd39919dbc849f

SHA512
3893c6a89dff7c2dff9ecb7e3e59869cc5e9a903f11203fb607ada32a296594d44ef857c93cde8ab51d938a0030b65e56d69d23e4f60e1730f53dc352b995222

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfa051da3c9d3dc9a7a8f1c9af3b87ca

SHA1
5b2118ea7af36f0e8b91f2d8d89aa8cc0139e10e

SHA256
bbf3448a54220c06898e8bc20f20ef84660bf67bbd9f8cf24a95dba92229723d

SHA512
4a5bfd7f5c819055199d2ead4102a8c6c453cf783efd1a2bdaf355ba68e52cb3e8683cc462b2e598ba9f4a2016057f435678e235af82cbf0fe41cbf15a5b4e91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1adaadbbb2dd8abe7af5e10449ccd38

SHA1
f8c9e67acf0b1b1d6e69e543666324c1122902ac

SHA256
0e593e46433017d1329e4f818b466dfb4c922a75831f10563981237dc4ae4199

SHA512
282ff019710430d4fa2212e43f85cf12dd675dc1e302b981fb848148d5cd0bd62e3e931910332e7cf523390c9825533d10813497a04d1d68014b51e6f16685b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc9facbd98b883a8b1dbda0f25fd4f28

SHA1
9a8541d12c90e9a51b855d29dab31f1965edbcfe

SHA256
fd3968036a94a25f7966ac86792c51ebc46f251730a56bc119ef760ee976c9dc

SHA512
be67bbd8128cc51c0dfd0c411eba3eef509a5cd4f667028d7ad625a56c035fd4e54e5e34842b42845cb6b6094ef4f27a73c287e33ba15d6ed88a76c48d87c42c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b62d714cfb40c99f848ac00617eedec5

SHA1
84b5dd0e5b85731a12ac933f9ec6e5525d7e2880

SHA256
f83917b3458fa2a2f79f95e43ccf719858dc8a9d9f703b4d2b7d84d1079ea3c6

SHA512
f44f4901262d59d570a83518c00ebf3958dd5025f6b2050470ed0e4ad5c0ca3f2acf1f369013344d55a2e26f3f3c871c6b6ca8f042aa15277732d8e8c4c7eeda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a2bc0116245582a421b24aed80a204c

SHA1
db66d6b2a6df2548b7e1d8e7474bf7f1f7bf850e

SHA256
faf90de3e89fd53c98412d1d8c706f6cc509ddeb392763ed6bede0e1f7d7c848

SHA512
066e72285a3a7b982ccd9dedbe94ca7d82d2351999f75e8632d4440f9410128b8e621c9dab99028ef8226ff156ac40db502c1f6abb941391cf0717c67b57e292

Download Submit
C:\Users\Admin\AppData\Local\Temp\98512A8D\Setup.ico

Filesize
4KB

MD5
60e3ef9326e8c3f574a2c7b5a31fd895

SHA1
d3aa40f8de5c549e6abb189421d6cdcd75ac64f6

SHA256
5e8c38cabd089ecd573d953cf2ade243459d7c06aab7b9698975e10dd7f34689

SHA512
9a9be32fb1b4355f37766c5296139012d2fd931fb0db871307059cd0afc063a334165f34069a27ed8850889175e2f5f00be65ac2e8b9d22903754a043ae04906

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDBDF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC51.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooIEClient.dll

Filesize
190KB

MD5
2a9f7520aa15394ae479957fd38d8a70

SHA1
f180defa96a16da39c7989a35bf5631b59c3dbbb

SHA256
24710c591c225e7857b49ae98a06f41c367f14608c14bd6885db6dc370a7ee45

SHA512
e498d7e49b5e472d7cb7714b046653c64b98ab0d9399125e5528cfef862d83d69302afa2cc8382926c7879f463cf1f6087ebd95673abf7201b6ac11d4029e8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent.exe

Filesize
747KB

MD5
c3185aa7e41d258fcbd855ad1da117fc

SHA1
48cb2ebff1265b8a0ff062b028687819e7e293fb

SHA256
fe338e659801a2822f028ebecc10c315dddc826d3d9dee6ca967bd449d32fb21

SHA512
e2a268c8b73a14b782a0715a33cfa893940cf2f41e2a34ec6dc94ee360a1cf7fe96f27ab3884109a77f48b411d2f59c1ecd195c1d70ba1b9e66235b3837d0ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\launchie.vbs

Filesize
530B

MD5
a4d1c82ab54598de2894071ddeb3be1a

SHA1
50558c23d41487c90f3ac18d6e4d6c9fd719a1db

SHA256
bc7798b3504b378cc78f4eb524d34e1811e2e21b60171e1770d78e886d430e24

SHA512
eda0a5e14bc91426c54c1ae5671e64ce1c32819d1da9f7d70aed47ed72fc79a9a0f7eb136e2a23a1cf83bb2249b967c5b80e236d5209ad5e45d99501e07c5343

Download Submit
\Users\Admin\AppData\Local\Temp\154318b9f7bb8b29a565a7a897cb7745_JaffaCakes118-0830.exe

Filesize
222KB

MD5
5a8222c703b4a34f2227a652a49a2827

SHA1
ba8b1c8f341219d608a0a5a2a2c8d63c19697d05

SHA256
17936188efac05a0ef9fd87a79b268445ce307dd37a6f9206d116f195ab049c9

SHA512
7b1c200cf96ebb5b660fb11a85e3daf908a6e4d984c90207b5afa2444703fc784897160cf05a4bc592ecd908bf09f8dbd9195a4c0c07f1caef04bbd7c6624d9d

Download Submit
\Users\Admin\AppData\Local\Temp\7B69FF66\_Setup.dll

Filesize
957KB

MD5
e2c2b479150ddf4a231685c7b72336f4

SHA1
4a20de62af01a762659cbc39b9601ae10f5521be

SHA256
deaabaead32008cca991e23a71fea01af59a3a8d87ed48f327be86264280bc21

SHA512
ca87c344bbf265e9588aaa73828dc60b78c04c09b8f7a48be32ab0a50844f02464af3d2a30e193487c3d010b09c75d226f52537853899fc21aa54a32fb449f27

Download Submit
\Users\Admin\AppData\Local\Temp\7B69FF66\_Setupx.dll

Filesize
465KB

MD5
cf61335caf33d13ba378cfb1fccb1274

SHA1
48ef8b4e06e0f1d3c06c4d6e1ea2b6ce48aa5231

SHA256
be3a36c9758fa8c45988aebd7f96e42381cad303c72e79158cfd86d83414ee87

SHA512
e28b73e46c7cc6ea0b61eab80c4f8ef0cb657772f52710ba80746c40656d8f29c1b5008219a35a080d28ff869cb3b7f22ac53fe597e0c4fac876a2eb8b36b37a

Download Submit
\Users\Admin\AppData\Local\Temp\98512A8D\_Setup.dll

Filesize
1.0MB

MD5
ad0da51af6c889b03eaa889c2ed36cea

SHA1
e0f9b85b61b20955f2850c76a64154e08737971a

SHA256
be9633710001be885050a444670eebaaaf74d0105e4bfc01f02f5ab02623f841

SHA512
5a6011534392f760b60b3b90892e99fb1b93422ce03655830cc9a19d3bb1f9f351307e932ab70ee940484eb6614657b344f19616f3f2c2dc969bd1110a434ff3

Download Submit
\Users\Admin\AppData\Local\Temp\98512A8D\_Setupx.dll

Filesize
346KB

MD5
87be92bc89bd5fe4987561bf4be68fff

SHA1
4e87476dc084c0fd24240ed0540a5a2b77551ff3

SHA256
ef1953261684df463d96e25e3ef33911f61a72bb72120fb21e2c97eb1bcdd9d3

SHA512
9160c39cbe45fc48997c79eeec8f3febdef3b98eceb1b53378c2d36740f2197a6b362ec95113137efe54850142c8289b56e9cad548ab59e1b660773d93d2fc27

Download Submit
memory/444-143-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download