Malware Analysis Report

2025-03-14 21:47

Sample ID 250205-lyd4xssqcr
Target JaffaCakes118_9e6c22af0433a806517fafc0e83e1574
SHA256 dff10f255546c9373ba738c152c10251460ccd5212020aa8fa9cdf87b4eab0cc
Tags
discovery sality backdoor google defense_evasion persistence phishing privilege_escalation trojan upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

dff10f255546c9373ba738c152c10251460ccd5212020aa8fa9cdf87b4eab0cc

Threat Level: Known bad

The file JaffaCakes118_9e6c22af0433a806517fafc0e83e1574 was found to be: Known bad.

Malicious Activity Summary

discovery sality backdoor google defense_evasion persistence phishing privilege_escalation trojan upx

Sality

Sality family

UAC bypass

Modifies Windows Firewall

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

UPX packed file

Detected potential entity reuse from brand GOOGLE.

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

System policy modification

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-05 09:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-05 09:56

Reported

2025-02-05 09:58

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 164

Network

N/A

Files

memory/2080-0-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2080-1-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-05 09:56

Reported

2025-02-05 09:58

Platform

win10v2004-20250129-en

Max time kernel

149s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Sality

backdoor sality

Sality family

sality

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe N/A

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe N/A

Detected potential entity reuse from brand GOOGLE.

phishing google
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
File opened for modification C:\Windows\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\~DFF068013D52DB8329.TMP C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\~DF5FC40AA1148B9108.TMP C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\~DF9802212F85814368.TMP C:\Program Files\Internet Explorer\iexplore.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{75A49A7F-E3A7-11EF-8189-FEC9CAF5062B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "445514360" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ec9c09ee8d9ab846acecf8db7631dd810000000002000000000010660000000100002000000078a97141ebd6042389c414ad46a2a591e31d66f272cccc61fcdb23b480398ed2000000000e80000000020000200000002c2c42c17aac25a1c664f2fc4c9126b7b8d2e436cc079f1b97240e6205ecc7212000000004591fb65ca1b5710c5c37c63dad602a40e3a99766657975acad4890014a98d740000000ea5c6d46ed5034dee8a1282478d1464f070ea7ab6b35b4f1e2154575a06b36af694bcce0939e546989ea53200615740a822209883d5e64a80b7d3ef7016d608f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f8e54cb477db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60dff14cb477db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ec9c09ee8d9ab846acecf8db7631dd810000000002000000000010660000000100002000000064c6bedd1eab519d720f22014148dd26a13f72d72e656c0268cc99de09c92280000000000e8000000002000020000000550d2f062e90867baf670c0d26e1da4c17b2dc102ed9e66347ae6afa39f92f0c20000000fdad547ff85424d00e5a59aefeeaf937195973bc1b6bcdb3a17e57a2c9861286400000007c293f1cccec118e8ca993db6bb6b2bbf6d972b8a418fdc7e46e87724ca8ba4018a933bc281962723c761fd25799659dcf54bdf7585cffe7c32311f85bc6b36d C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3360 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\fontdrvhost.exe
PID 3360 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\fontdrvhost.exe
PID 3360 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\dwm.exe
PID 3360 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\sihost.exe
PID 3360 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\svchost.exe
PID 3360 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\taskhostw.exe
PID 3360 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\Explorer.EXE
PID 3360 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\SysWOW64\netsh.exe
PID 3360 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\SysWOW64\netsh.exe
PID 3360 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\SysWOW64\netsh.exe
PID 3360 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\svchost.exe
PID 3360 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\DllHost.exe
PID 3360 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3360 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\System32\RuntimeBroker.exe
PID 3360 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3360 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\System32\RuntimeBroker.exe
PID 3360 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3360 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\System32\RuntimeBroker.exe
PID 3360 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3360 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3360 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Windows\system32\BackgroundTaskHost.exe
PID 3360 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe
PID 3360 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe
PID 3360 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe
PID 2472 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\system32\fontdrvhost.exe
PID 2472 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\system32\fontdrvhost.exe
PID 2472 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\system32\dwm.exe
PID 2472 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\SysWOW64\netsh.exe
PID 2472 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\SysWOW64\netsh.exe
PID 2472 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\SysWOW64\netsh.exe
PID 2472 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\system32\sihost.exe
PID 2472 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\system32\svchost.exe
PID 2472 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\system32\taskhostw.exe
PID 2472 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\Explorer.EXE
PID 2472 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\system32\svchost.exe
PID 2472 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\system32\DllHost.exe
PID 2472 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2472 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\System32\RuntimeBroker.exe
PID 2472 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2472 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\System32\RuntimeBroker.exe
PID 2472 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2472 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\System32\RuntimeBroker.exe
PID 2472 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2472 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\System32\RuntimeBroker.exe
PID 2472 wrote to memory of 112 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Windows\System32\RuntimeBroker.exe
PID 2472 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2472 wrote to memory of 3392 N/A C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3392 wrote to memory of 2596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3392 wrote to memory of 2596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3392 wrote to memory of 2596 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e6c22af0433a806517fafc0e83e1574.exe"

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\SysWOW64\netsh.exe

netsh firewall set opmode disable

C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe

"C:\Users\Admin\AppData\Local\Temp\A~NSISu_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SysWOW64\netsh.exe

netsh firewall set opmode disable

C:\Program Files\Internet Explorer\iexplore.exe

-nohome http://picasa.google.com/support/bin/request.py?contact_type=uninstall&hl=en

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:17410 /prefetch:2

Network


Files
