ardamax | ec0b5bca6ea894134fdd3a32802926545c553f4efd8ba3da6bcc478f46b98cb3

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
Size

5.1MB
MD5

25d67f75b4d084e42dd73d5c390d0823
SHA1

06766c171ccd2f112c940d3da68e7f4e8f813521
SHA256

ec0b5bca6ea894134fdd3a32802926545c553f4efd8ba3da6bcc478f46b98cb3
SHA512

5078296fb933006a36f8aa27b2310aac3704d4f944bc7fd07f932a2a7636eb74610fa55e8b4f0322ed153ad826486594903c1ef3e16578391a753bf9bf7eb195
SSDEEP

98304:01DlSeoF3npu2egcYM8HNAkNrWdIZ3DpSeoF3npu2SKEhUXiNCdpNTjaGzQX:yg5pucM8HG2rgSs5puwESXTNTbQ

Score

10^/10

ardamax discovery evasion keylogger persistence stealer themida

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001939f-34.dat	family_ardamax

Executes dropped EXE 4 IoCs

pid	Process
2524	Install.exe
2772	JDCB.exe
2056	Install.exe
2372	JDCB.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe

Loads dropped DLL 26 IoCs

pid	Process
2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
2524	Install.exe
2524	Install.exe
2524	Install.exe
2524	Install.exe
2524	Install.exe
2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
2772	JDCB.exe
2772	JDCB.exe
2056	Install.exe
2056	Install.exe
2056	Install.exe
2056	Install.exe
2056	Install.exe
2372	JDCB.exe
2372	JDCB.exe
2372	JDCB.exe
2372	JDCB.exe
2772	JDCB.exe
2772	JDCB.exe
2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2416-0-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-2-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2936-11-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-10-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-77-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-88-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-90-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-94-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-99-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-106-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-108-0x0000000019140000-0x00000000196CB000-memory.dmp	themida
behavioral1/memory/2416-115-0x0000000019140000-0x00000000196CB000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JDCB Agent = "C:\\Windows\\28463\\JDCB.exe"	JDCB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\STemp_01.exe	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2936	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	30
PID 2416 set thread context of 1256	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	35

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\WTemp_01.exe	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
File created	C:\Windows\28463\JDCB.007	Install.exe
File opened for modification	C:\Windows\28463\JDCB.006	Install.exe
File opened for modification	C:\Windows\28463	JDCB.exe
File created	C:\Windows\28463\JDCB.exe	Install.exe
File opened for modification	C:\Windows\28463\JDCB.001	Install.exe
File opened for modification	C:\Windows\28463\JDCB.007	Install.exe
File created	C:\Windows\28463\JDCB.exe	Install.exe
File opened for modification	C:\Windows\28463\AKV.exe	Install.exe
File created	C:\Windows\28463\JDCB.006	Install.exe
File created	C:\Windows\28463\JDCB.001	Install.exe
File created	C:\Windows\28463\key.bin	Install.exe
File created	C:\Windows\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\28463\key.bin	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JDCB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JDCB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37C817B1-85F3-11EF-8CD4-527E38F5B48B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434608380"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\Implemented Categories\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\FLAGS\ = "4"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\0\win32\ = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Microsoft.Vsa.tlb"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\ = "Akefizit.Parihence.Bizaz class"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\FLAGS\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\TypeLib\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\VersionIndependentProgID\ = "MsRdpWebAccess.MsRdpClientShell"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\ProgID\ = "MSVidCtl.MSVidVideoRenderer.1"	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\Version	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\Version\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\InprocServer32\ = "%SystemRoot%\\SysWow64\\MsRdpWebAccess.dll"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\ProgID\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\Programmable	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\InprocServer32	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\ProgID\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\0	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\0\win32	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\HELPDIR	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\InprocServer32	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\0\win64\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\TypeLib\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\VersionIndependentProgID	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\ = "Microsoft_Vsa"	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\0	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\InprocServer32\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\0\win32\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\0\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\TypeLib\ = "{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}"	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\TypeLib\ = "{689B21B8-2B5A-8DD0-306E-D23BD5F78442}"	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\TypeLib	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\ProgID	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\0\win64	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\0\win64\ = "C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Microsoft.Vsa.tlb"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\FLAGS\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\Programmable	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\0\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\HELPDIR\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\0\win32	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\FLAGS\ = "0"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\Version\ = "1.0"	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\FLAGS	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\VersionIndependentProgID\ = "MSVidCtl.MSVidVideoRenderer"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\ = "GrooveCommonComponentsAlpha"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\133"	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\InprocServer32\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\ = "Ajejidhow object"	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\FLAGS	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{689B21B8-2B5A-8DD0-306E-D23BD5F78442}\1.0	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\TypeLib	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\VersionIndependentProgID\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\Implemented Categories	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1536FE-A96B-0C88-A5C4-A6D5365BD581}\8.0\0\win32\	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7086C964-03B7-4EEF-4897-6A047A4F81D3}\VersionIndependentProgID\	JDCB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\ProgID	JDCB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{955645F0-F204-49C9-918E-090EEE18BC70}\Programmable\	JDCB.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2372	JDCB.exe
Token: SeIncBasePriorityPrivilege	2372	JDCB.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1256	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2372	JDCB.exe
2372	JDCB.exe
2372	JDCB.exe
2372	JDCB.exe
2372	JDCB.exe
1256	iexplore.exe
1256	iexplore.exe
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2936	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2936	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2936	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2936	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2936	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2936	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2524	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2524	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2524	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2524	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2524	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2524	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2524	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2772	2524	Install.exe	32
PID 2524 wrote to memory of 2772	2524	Install.exe	32
PID 2524 wrote to memory of 2772	2524	Install.exe	32
PID 2524 wrote to memory of 2772	2524	Install.exe	32
PID 2524 wrote to memory of 2772	2524	Install.exe	32
PID 2524 wrote to memory of 2772	2524	Install.exe	32
PID 2524 wrote to memory of 2772	2524	Install.exe	32
PID 2936 wrote to memory of 2056	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2056	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2056	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2056	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2056	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2056	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2056	2936	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	33
PID 2056 wrote to memory of 2372	2056	Install.exe	34
PID 2056 wrote to memory of 2372	2056	Install.exe	34
PID 2056 wrote to memory of 2372	2056	Install.exe	34
PID 2056 wrote to memory of 2372	2056	Install.exe	34
PID 2056 wrote to memory of 2372	2056	Install.exe	34
PID 2056 wrote to memory of 2372	2056	Install.exe	34
PID 2056 wrote to memory of 2372	2056	Install.exe	34
PID 2416 wrote to memory of 1256	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	35
PID 2416 wrote to memory of 1256	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	35
PID 2416 wrote to memory of 1256	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	35
PID 2416 wrote to memory of 1256	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	35
PID 2416 wrote to memory of 1256	2416	25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe	35
PID 1256 wrote to memory of 2428	1256	iexplore.exe	36
PID 1256 wrote to memory of 2428	1256	iexplore.exe	36
PID 1256 wrote to memory of 2428	1256	iexplore.exe	36
PID 1256 wrote to memory of 2428	1256	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\25d67f75b4d084e42dd73d5c390d0823_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\28463\JDCB.exe
      "C:\Windows\28463\JDCB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2772
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\28463\JDCB.exe
      "C:\Windows\28463\JDCB.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2372
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9de0c5faf70c99ec2037c911645fcce7

SHA1
9cf7d2f0ce9273790f6e4fc7c5187b259f320a82

SHA256
e349ddf9faeea4ad2122cd0bc4f288707a01bde90c20950f930dad8dc219c643

SHA512
9ccef4787adee5246d020ed25ba9d1df9f0b81bd00d1a57e4ccd1a337d930e901ed8118947fdcfd468286d816ac131c6dae24804c403293e5f1e299b2bdc16b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd46096f40f021e2afabdcde5f6411c6

SHA1
6b209248fb094fcc8eb927c7e2f32ddb10d3b915

SHA256
71fd6c5905e2c7cd97461d0f21aeea6f875b2bb2dcbb549e8caecaae41afba18

SHA512
a5a570d7d6835b6525d016bc267acb006041d0a4495d554dffbda39fa66387bdc085eaa1724a0252cc5292abca8fd514a6d316ce6ea5a1bad038957f2a1fe9ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d4fc8b56a8844546ae5fc3d9be8982c

SHA1
9bae86fbecb3380db0760bf573f9bce54c38198e

SHA256
2e0788f60efc98d1a70780a775f226af0dd4d97fa534ffe541e0b6e2120854d2

SHA512
2ece8a3886107f6b02982eb58a9f24493d8ea82fc3af4c9eaa5f38aafae04eee83db52628c6e1044dd8fb903fe5a55406d99b276e78f9fd130bde478a889ac51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c746db27d4a1d718ae181b0b8715564

SHA1
5e244a35e239faaa26c796861852eeb634ff3c1a

SHA256
c14fe3ccae550973f056d9e246bfa74092d6607443e2b826d74d3e27ee464014

SHA512
feedfa95738ab0a7e5c24ad45f81d89cc0a26dc5181490afda4f14e2cf0bdc449a3fcef77d3b571112729fd9700293292af4acffdfae6638da516ca1668b8bea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1facf49b2f20bbc49d083d0a05ba7951

SHA1
3437e1234ea729665671feaa5b88be72d1130625

SHA256
fec60115038810db4031b7cbe72fe5b00766eaca90ae80688acf56e9b55ddb26

SHA512
f8e026ae8af2879ec5cc3a4f05c196586b28feb2661f7de18b8a5456735f0ab616ec502435340ad85693212b0b35e539630404c076a34adaf27a5d2281be9746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78ed5f7dff711a30e5a870fd2b368f0b

SHA1
76ead7cdfb216f094b5f5b1722a1e133af383fbb

SHA256
da87705a7f1425be3700eea569ddd56779aebd54f95a32cbab0d4b395c9e24b7

SHA512
e7441e586f6eb5504a49adffaf9abf2dfe8efe522c5b314679e551b5d27a536868657b6ff2f688c38e1b548c3c77b8ea8bc0f503aef8ef575a07473e6feb9965

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62fb96794edef6a62742e996628d52ed

SHA1
2cfd178d7d27ab2b7141f39371a6052bee7683f7

SHA256
6288bad54285be5bbd56e61c7db3b815cd0faa5c1baa1ababb1807ce65424492

SHA512
cf9367924f9b638d0455311887961afcdce7cb19ae435313d51d464e5e7b10f21a0cbac99a6b0ea129e0ab878877ec73be3482fc36726b61278865f86cda7323

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fb51422bedcbfa283d5ec47bedf4935

SHA1
f7f92e3566aa1c65dd59642b3180f20248ae3e52

SHA256
fdbed306ac1dd7a988613bb4f0e7f8e5335c516812d19624a5d7d7e3e63b9704

SHA512
56b7ce06441d32595a85481e3144096d9a7107daa1d0d4b5a4c6aa9eb54c7bb3b2b9656506f4caf6516e4aa50b75e93e49310822ca81ba923f76339911f94d0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c06074906677d8008ce0b012dd24e3e

SHA1
9d2e9011cd00f8aa8b18e2a065035307708b13be

SHA256
ded202169cc122f349c6be26987151f0a850a8e89c7b2c0a3aabcd0360c2293f

SHA512
706aea59d9a6123a612558f49e124f7dd11d283d94b3a7e0d26e36cc02a8547bbda1cec8f4eb0bd6db61539bffdbb89fade1201af1fd8719a1c61be49cd59b36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f7b6ae3afafcea9a198d70b71e16afd

SHA1
eca71c10327224b1a05884169b5819e48191133c

SHA256
d52502e6deafb3e5b1288d7554d65c675a135aa7b4d2cd328313e35f754f8b97

SHA512
1d62b04618f90e4f49051ff0a7525471024e86d7886d7398671df70461f6f8643086a6a412742c2ed6948561f10fcb7157faee5d396aa89b0cb4bf86788d17bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c03eae28f6fd6e5eb872096e7b708bbb

SHA1
5f5332d84f2899e185ad8b4e9bbb49acdc0c51e9

SHA256
c7247374a3a894d13dc098ee793678bb4f1bec314c30ccaa664957de0c718303

SHA512
5928731e7e354640f586a25fd4b63f2c1db0a680c0e6e3a413902301b9024b6814ded6d411328c92c0b1192760120f8197773b30a288abae7caf3e0b51a8af63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aba7d743a54cd5c1a5f3f42241ab49ba

SHA1
65a07030bee904fd9797fec9cbaf5a48adfd73d3

SHA256
8e9c9e03ed45ca48f43b0faba8fe2372564749a69b802ccb512a232d371e0a47

SHA512
028a326e109460b7e4d6323b6cc1df95381957293230f1a38230385af487d42f5d16da36391ca31529b28571ce2d4a9a1dc150cec74681dfd667bf640bacbea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b04253d6b7dc13b2339cbd8db7bbba5f

SHA1
da0e41eb24ea2d5493c9f586abf2dd63834210e7

SHA256
5a84a71363e5981105584ef9b55c2ef6e202b96d9ecfab7d37a3fff705d45d88

SHA512
3f8b5bdb64068facbc205579e5dd08ef1abef0a67335287290de2b365794212eccde76a096e66c14b407e5fd4441a3ab107a098150bad009ccebe75377565057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
224c5805d01a56a7e6affbfa144b678f

SHA1
a8e0fc3562c98a9b58d4ecf5e2296c6a31e09742

SHA256
f285627e524c3d6e4814eb3bcf0747cf82e5776d0bb2e3605f82d69b3c21e9d7

SHA512
b5c7a5c68a91d4d4543420e2b86023aa35801f327be6a2f621e6cb309071260efb8ed862cfe52550d06993d4b2e4c32628c7967727247154c9a1a29e9f6b0829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b38161b73da6967098826e7ca5f5ac6

SHA1
bf01f3cbaade198cf283c2dd9bf8901903d66e21

SHA256
3ac3317e508c497778ada2b4aaf966a9fe19ef8b0069e03f09cc76c16dc93aa0

SHA512
3b0ef5a0770659ea4a4a5ee1983c45589d71a4c3742869a4f6b194f1aa7e25f9d4a9e5f622edcacb31c6a21039db478cb35c0298d7ff8393066fc84bc33ed84d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b61edaff7f67e9025b642901c7d9ed8a

SHA1
62ae37cb6e9b728fa4f28097d5b5bf5373478613

SHA256
223d14f388989afd51899c2e05731c76466814337112d5e1695727c3eeb97f8b

SHA512
b92dc529f0dd433d6e12716b0100c5d61f98ee96e972dd1d0776d1bcad8fc461719694285710e0f7050ffcc46babb8c156bd6344e1b35993f56bf2a3da3f6bca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a130b7487b90171fcc7f60c23f86a2e3

SHA1
844bbf580deec06bf46606b8c52c08e32f364c3e

SHA256
fee35d40f7d7fc845526eebda2b5b01c6befbdc88a790c82193fed1b6886254d

SHA512
7e19c6536a6dba08fb67073e6d5df29e479f9ed9ff89142f0ec44b59a7ac32a24009a70fde9fddde739a59c66f91907559667f054561cc1647de238fe102fb37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b78db7772bf42f3bec817f00be282c4

SHA1
c0c7613c5ce2302ea4d44fd2cdc4135a200665ee

SHA256
e71b6023fc50105780e03cd4793d9d217d24d80e812c8b8a8ed0c5a91b2b2548

SHA512
1d5124b99eab7ec9c79fd04c3434d45d735ba25dccedbc5d8a711a9f4918c629cc24ae63930cd987b22f1811583483c5d7ed0c1df38ba689dc4135248cdd84e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f805387a5b20ed6f14f4249dba8717c3

SHA1
77e3529a9dd28e973fe4dd5c0806fb72baff2d47

SHA256
07c0da8de3586206926e9689b04e5bdddf95665bfe65475330371c28de9b6086

SHA512
c94955eb8437808112e0ff752f99823b9c04f172f622442adedd7c609daab4a54707313c720bfb357b9c7bd5415332e1b940378d57a4f8247838cba5efd7de47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f64bdf091331ba92b2eafc2d35e275f

SHA1
26b77c4dff639daa39d69f28b38f2a791ffd9afb

SHA256
8ee51399e497d030b367be182eb4e09c510d90042cc7e4081cef6618506dcadc

SHA512
7b17d737a42ffd00254258dc06056c1c0c0e8ecdcd0ccd8ab9c34459b3f7feb7e66ee113509320c47b450607e3abb11f80944f19bdca933e8f5c3367078b1fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4db65cbffc0a935a555519c8cecae470

SHA1
57766cdf26580f8fc431e5a550706db571ce0357

SHA256
086390902f2406ab0dbea06c7baa52b33703ca8ab52c76be607e4b81be09c31f

SHA512
f9213802cc61513182f0b81536d68b3c57945ef6bf8e27fa5efd7efaeadfe70075e8cc038f93854f017b8c9496e53ff1feea80bf3aa29ea4761aaa4f5d849743

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF115.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF176.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\28463\AKV.exe

Filesize
457KB

MD5
f34b87951e1a931e01df1bc9f1b98207

SHA1
f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1

SHA256
e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b

SHA512
c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

Download Submit
C:\Windows\28463\JDCB.001

Filesize
314B

MD5
55eb2a2a21d2693cb3a7d7910300ce40

SHA1
dbcc8099373de59154359795deb0c7ae550e2aac

SHA256
af7ab86ad057fc1016be982ca83ebb29e3795991fdbc6d817d8a7c696bc77d94

SHA512
e0e495cc250b198026c1ba13657cd5b3a566123594b6f5d3521c570fcd9062d26ad530c495fb00aa61de7f6d6c0ee583df9cd21e0ebc27e0c1f560446bc479c2

Download Submit
C:\Windows\28463\JDCB.006

Filesize
8KB

MD5
98d22fb2035a26a6b9b7decc0c0ff2fa

SHA1
43a75cf59fc2f8b59b1d962b4e685249eef816d5

SHA256
fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25

SHA512
3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

Download Submit
C:\Windows\28463\JDCB.007

Filesize
5KB

MD5
15eb312db4b3e208b67082653acb8a02

SHA1
b0926b1e1733baa3d7f18d3806916f92704fccff

SHA256
72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8

SHA512
7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

Download Submit
C:\Windows\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
C:\Windows\SysWOW64\STemp_01.exe

Filesize
841KB

MD5
d094d7a940642b46f2d5b9bea31e1fd4

SHA1
934245acff08261fadbc169f2a116ac8be1e77f9

SHA256
4d2d4b8360898aa33c5792ccd907a40df724fb0a53221aca335a9d0f0fd54a03

SHA512
b6e30ce06dfe8b86524e4216743a0b9fbd8cc2370f74961dfc3574962c22027dc3fbe0f6c7869bdf9df6536958c42648fd254a2400c7574b4d3cfb553a16fc51

Download Submit
\Users\Admin\AppData\Local\Temp\@3237.tmp

Filesize
4KB

MD5
36400e746829504282eb26b364826aa9

SHA1
d39ea9da98be0c331fd71002645f4f40664288a2

SHA256
c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0

SHA512
5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
817KB

MD5
6a36af86d1ebd1d677be1866316050e7

SHA1
8424a2a82c12d1ad69829b449ff3620dbd409a4c

SHA256
290333e9834217329f484a04119c706b44638d797e7615610603171d391d5100

SHA512
3cc54e7024b14c86b442f0e9fa02d6cb75fff3d28c4cb9713326fe67fdd758f376f2454cc56bc6b9a79ff5a1fa1df49f4223d1c58e5302c4e3fff12c315f9b4c

Download Submit
\Windows\28463\JDCB.exe

Filesize
651KB

MD5
b181beaba4204ac3ce7bc8e6f0b74312

SHA1
4ab13763d2ecdf0968f15a39302aab2b1f0ab462

SHA256
f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d

SHA512
d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

Download Submit
memory/2372-546-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2372-73-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2372-98-0x00000000008D0000-0x00000000009B0000-memory.dmp

Filesize
896KB

Download
memory/2372-97-0x00000000008D0000-0x00000000009B0000-memory.dmp

Filesize
896KB

Download
memory/2372-96-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2372-75-0x00000000008D0000-0x00000000009B0000-memory.dmp

Filesize
896KB

Download
memory/2372-74-0x00000000008D0000-0x00000000009B0000-memory.dmp

Filesize
896KB

Download
memory/2416-0-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-88-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-115-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-77-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-108-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-106-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-99-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-89-0x00000000047B0000-0x0000000004D3B000-memory.dmp

Filesize
5.5MB

Download
memory/2416-1-0x0000000019141000-0x0000000019143000-memory.dmp

Filesize
8KB

Download
memory/2416-2-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-94-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-9-0x00000000047B0000-0x0000000004D3B000-memory.dmp

Filesize
5.5MB

Download
memory/2416-90-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-93-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/2416-10-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2416-13-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/2772-87-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2772-62-0x00000000008D0000-0x00000000009B0000-memory.dmp

Filesize
896KB

Download
memory/2772-61-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2772-60-0x00000000008D0000-0x00000000009B0000-memory.dmp

Filesize
896KB

Download
memory/2936-12-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2936-3-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2936-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-8-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2936-16-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download
memory/2936-11-0x0000000019140000-0x00000000196CB000-memory.dmp

Filesize
5.5MB

Download
memory/2936-6-0x0000000001000000-0x00000000010DA000-memory.dmp

Filesize
872KB

Download