ab37ebbfa9e5dcd0bb71a7d54d9c1b888b67e04e76ab8e16f08d73d23ffd5d1b

Analysis

max time kernel
154s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c997117b302c55542c864095d5808726_JaffaCakes118.exe
Size

176KB
MD5

c997117b302c55542c864095d5808726
SHA1

d80e2d0877237794c7253a89601fcc7836fa86a8
SHA256

ab37ebbfa9e5dcd0bb71a7d54d9c1b888b67e04e76ab8e16f08d73d23ffd5d1b
SHA512

0672c955d0eb2baea4fbd591519355e561d8f8bbaf880e5f8c31bd0b14aeb01eacb03b81fa3d473e104f13998c5ff3dcf06083d2029c663bfb22c890f631750d
SSDEEP

3072:v15R5R6y8uNXu2mmf2jqy0L6b1VFOGbayNe44/ieL+sLxZSa7nMuJy85:t5R5ky8uNXZXy0gKGbXZeo8zJR

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	c997117b302c55542c864095d5808726_JaffaCakes118.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2488-3-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000100000000e664-8.dat	upx
behavioral1/memory/2488-20-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2488-107-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2488-123-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\polstore.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\tbs.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_1145.NLS	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDRO.DLL	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0020.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\oledlg.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\spwizres.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\tapiui.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ucmhc.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\auditpolmsg.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\EncDec.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDBGPH1.DLL	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDRU.DLL	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iscsicli.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0416.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wdi.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\AuthFWSnapin.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msnetobj.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\whealogr.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\WsmRes.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-core-file-l2-1-0.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_720.NLS	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\find.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\MediaMetadataHandler.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\colorcpl.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mtxex.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\printui.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mciwave.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\oleprn.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\sppwmi.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iasacct.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDDIV2.DLL	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\MSMPEG2ENC.DLL	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\MuiUnattend.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\storage.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wmdrmdev.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_1142.NLS	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\hdwwiz.cpl	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iccvid.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfcm140.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\rasdiag.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\sxstrace.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\tlscsp.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\vcomp100.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ACCTRES.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_20424.NLS	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_950.NLS	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDIC.DLL	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wmdmps.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\cmutil.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_1254.NLS	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dssec.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\oddbse32.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDLT2.DLL	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msrd2x40.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\sxshared.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\basecsp.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\btpanui.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\cryptdlg.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\vpnikeapi.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\license.rtf	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc100ita.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\perfproc.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\win.ini	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\winhlp32.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\mib.bin	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\twain.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setupact.log	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\twain_32.dll	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\write.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\fveupdate.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\PFRO.log	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\bfsvc.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\hh.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setuperr.log	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\splwow64.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\WMSysPr9.prx	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\twunk_16.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\HelpPane.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\explorer.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system.ini	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\twunk_32.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File created	C:\WINDOWS\notepad.exe	c997117b302c55542c864095d5808726_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Starter.xml	c997117b302c55542c864095d5808726_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418449803"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f700000000020000000000106600000001000020000000e27b15fec24646cb4ba57847120adb54d5c524523b77a0446796d70876fb55b2000000000e8000000002000020000000f722f71f4e689ef0ef7e937c425545833e40785a8931ba488406eafe29b4c3aa9000000093445ff425ca2cd5146b424a396af4d6067a65d63f9e1400ceff11a3aa14640801a13cbc81951184566b60937db50fefd45a7a6dea9635618fee587033481af91d359fce1f69bc7338f4ffccf1420cf9c3aead90f0935b0cbea020dd95bbc816567119dd60e2949caee3510b4d6d01e43eb9bb6cd4f13ac81fa9ee0ac09e0ef49813183e099ef136ff5e501ff4e7252a40000000ce1c5b0f1b654a3f14bc7049b36d26e0d1632c068f246735ba6b5aff30f0367da34ca05f9c27d83a190dfc417d839d2bd3bfac815bff3e2fa9290fdc562a8cd9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "122"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 300b6ff20987da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17E57F21-F2FD-11EE-B142-FA5112F1BCBF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f700000000020000000000106600000001000020000000d5cd3fc4f528cd52abb815d3e005c248a2a0d337b0cf1ca7e9f4b30beb4ac3b3000000000e8000000002000020000000d45ca9d6308884200273cf4b0e61b854ad065c9cc20cc2cb88b768ad54b2dc07200000004ed35af6c0d22531547299df4e8f5ca76266d63f388539a1a5e98991b14e1b12400000002392fb9f132795a424de4ce6144d90063ce4aa75da08e5cd261c7932236eea7aeca7cd3fccd685aec0cf0ffc6ff9be9e8e0decd644821bf115ea2a8d2b0709c4	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2780	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2376	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	2376	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2780	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2780	iexplore.exe
2780	iexplore.exe
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
2376	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE
924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2780	2488	c997117b302c55542c864095d5808726_JaffaCakes118.exe	30
PID 2488 wrote to memory of 2780	2488	c997117b302c55542c864095d5808726_JaffaCakes118.exe	30
PID 2488 wrote to memory of 2780	2488	c997117b302c55542c864095d5808726_JaffaCakes118.exe	30
PID 2488 wrote to memory of 2780	2488	c997117b302c55542c864095d5808726_JaffaCakes118.exe	30
PID 2780 wrote to memory of 2376	2780	iexplore.exe	32
PID 2780 wrote to memory of 2376	2780	iexplore.exe	32
PID 2780 wrote to memory of 2376	2780	iexplore.exe	32
PID 2780 wrote to memory of 2376	2780	iexplore.exe	32
PID 2780 wrote to memory of 924	2780	iexplore.exe	34
PID 2780 wrote to memory of 924	2780	iexplore.exe	34
PID 2780 wrote to memory of 924	2780	iexplore.exe	34
PID 2780 wrote to memory of 924	2780	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\c997117b302c55542c864095d5808726_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c997117b302c55542c864095d5808726_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2376
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:1455117 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
40307a5748fe7f4ae24384fac0e9debe

SHA1
d0dfb6d6cc12880f58b0a4c03814e7ae4ab9806c

SHA256
014d1436dea03edcbc32bc5172c1ed256f44d78bd616c45080ffd18138885f5b

SHA512
e82036805212eeafb4efb82b2f236d3808ac31a191f8bfc1949af024ee95b1c82659487aa5e9ff28bca358e89132d6d6c2045b3940dacd0ffbd00a53eb085cb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c9a0003798fec6002dd0ebb0d0ed580

SHA1
251d565dbcda51e93a0b48dbc4ff8a9091e9a8ba

SHA256
879491a930febc3373e8bbb14aafaf2c7bb57f881918795d68e3891aca2c8e3d

SHA512
78b751a9b25efbc06bfbcf63c070baedad5580e6cae1c694ae8a3ab6aa57ab459e3c45e249678cf0c516dd093af65e0224a70ca6bd2bf6c648aab31b7ad684ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9c277f120ee3445fdb2999ac2571222

SHA1
2b182f8ad48bcdf621690b054c8061339a4551aa

SHA256
3c3d8a1af32ae9ce870476f354f3845780cc2cb709549d5278e5b786a9dc70b3

SHA512
5c566b115ff86e30791cfb835824d51777463c668fb84bee0ca73ce50b3ec399c635889d6885b794cd5665e3ac8df8917c88fa661672461061802f6fa5eea2d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35e8a61c532b09ce30d9bb0b6cb6fd53

SHA1
ea1721645774e1cc1128b6bf5c75c91ca7a5fa31

SHA256
c6717228c386e2db111dc48738caa4bb7dbd7200c3ea5339b4e96765bcb9ac30

SHA512
f59bad3424064eb368d72a84c8da28bc59aea31ee124b3f9369970e36459a01a934e1a4ea395c6bb19fabfde2c1650ed5417f98c6e4930fde626251238c34d86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7284bfe77b24cd5bd11d02cbdb63943e

SHA1
2a6b9b6cb5fc5e6b1cc9d632768e451ca6d83270

SHA256
ae94ef55d8eed98bf12de9a761eea7b2b80abf948bf7c49d955b9c2eecc0d997

SHA512
a436de814c82a9ee7e25a88cdeaf567105e87b696ff1e849dddce7c7231fdf0862ca93d13eead41ebe7563d7fc865476af9b7e5db462e0e929605eef0d63cd30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f5428207bc610df04ea73fd681fbca8

SHA1
a55ecae46bce111f9ff7e99c5c3a2afd4e07410b

SHA256
cd39802f3d3b62d29a93a474922410a9a0a48b8259cd25c30722ff4abe626dd4

SHA512
81bfea0d5198d261a82126cb7c2fcb73ddb89f17ce992a172b29a47f5e39d0d2c8c46f1ed0a9530104ca0091e88103d2c1409b9bf43776c90f7104d066cb3329

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85f39bb7ab214bb5a04d6e25f182ecb9

SHA1
040e99a807d067703e637666c1b599c4b89eb3c7

SHA256
06b3ab6f2d3b2c4d0c83184cb59eac6420b16bb7a12f5fbbecfe611a3ce7a382

SHA512
9db26729c7a16b8291ad40f595d212dfed39b9ece20ee9057aed5a279513806d282335829f2f3fc669e877743f3354d697acb3f14168a1d7cdfd7fb421d1b00e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89c4fd41e97b4dc55a9fa8600fc50632

SHA1
a4cb073ce6c8849b5ab5a9a38647d37414577966

SHA256
a821583cb87c7c728389bcc5c94f1bdac075dcf159a2c50d3aea0eb4512e1f64

SHA512
4c7ff580b3961212340ec915802fc874d9ccb5f306b79e7f39bec56142139405dfeec7b1a29d54c996d252b49be743b72ba9b7ddd688c99d613c50db18c5e3f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5016215c514891975ae1399bd4c599e4

SHA1
904e0cec9de919e65848a3de13bf98fdd7d43f8c

SHA256
7e17715d445a843e8fa9ef4ec7577af5ff1c251af3896fb969bea30ea38bff28

SHA512
3c2287269f6f567df7f7084bb9518b57581f80b2de2195c8055990dde9338af4d8b038988c8e4fcf16fd14eebf07eea2e833dd5c58a6cf974bafa2bd26b458cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d9f467218c3334b52d9499adc061edc

SHA1
cb326420e6dd54c614f4394130ec889e4d89e831

SHA256
f34238bfd31486717c69b1a6468a9d8db69cbaa819baf1e139f25bc665e30e2e

SHA512
49829be582f2e4982da735f2970a01f0966e0ca94a4ada3f99a9ea1c2fb12efbedd4a9f64e1ab2a0b6c7a22735a4a011c3e25524a1ee208ab6f910a7770abb0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f60209ad598d5d51d49f99d4e2bed16

SHA1
2783863e10ff937cd8eb38d16fc0de2b91316026

SHA256
71a5e26bbf281be977e6b660236bb502cebe98c0d043a4f1017eb2402a5c54a6

SHA512
7a7ce381763d3282f31f4e4cc4c1249fefdec22f81d4eca87f8801f8b553b52042614437d4eb5c9ce433baacde360340322baa64149c16588eb7b153af9f60d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c439d0260982960de21903c30baab14b

SHA1
ea92613eaeaac0ec5d5f04f722e0bdc5ac097c3b

SHA256
5e57b24183b730e2d9e78a53f7cae3e0c8d77bd1cb2217fd0a054b529d58dbeb

SHA512
7604cad499fc4acc38259aab6f6a76fa1b9bd5bb44a17e725ffef62585671e44191fb085d0a6a22c5317860dbaa73e5e58195b1ee00b5887bd431d483ecfa21a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d51f9cfac2f0c5bf7e5c76f500a225f4

SHA1
8e0ecba205a94c69010223dc0a6e6d8e94c14f36

SHA256
c597a54e3d0f7b09831140378792f63340c19ddda78907d642f9cf7ff57f4188

SHA512
98bc00e6288e98d91984a83333f6983720ecddf4f172b56aa4746a002b227963385b91d2cca83c7d28008e5a218c289c0b576057646b2c8e98de09ac643b0816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
170440c06894382ae4a5fc4e2306cd89

SHA1
11a13b164fed58dd5d5f400262950996498b91f1

SHA256
df3ce9423f05568283d36e4152500303f01534b63f1a7be242c462afbb3c585f

SHA512
fdbfd92473eb7eb9ee0b0ab08770ab10a52c714371e0194644a1cb8a1e36a90010e27bffa544b112660d81d93577a4c1f950e8233072f8e28818f4a1cf5a7811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5923b204458a8b40884ccfc7dc3d88bf

SHA1
91dca94574e6fe0846d4c746490b620277542892

SHA256
7230f13e352aceff0734293ece703f325d974a44629b2ef9af8ab93a4e711147

SHA512
004ce00afe830c766f1083774d4aca52dc3bc52d9253d5261d517f216d10d5ef28e7d66a29ec1ae48634d41aea89d34211dd245da1cfbb8a5e9c4fa965c72812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
422c3a8cbbc07b61bcc581dae198c8b4

SHA1
84563761eefd86d5426edafda4bc6a478bcff379

SHA256
4ddbd360b248bb925f8ee07c3fe7552679479d6cf124cc7614ff3affd4cc55d2

SHA512
c543823b84be75fedfdeea911b746021a87229442e52f195518284187675275a81a0b015291903501530884fe093cdce4e56965ff633c5907da94e52158a8aa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa70ca50b20941e6b3c486b62e144539

SHA1
6d824b7f9999012416997065447df043c3cca043

SHA256
a9d7fce24e3c08175a9c29810980c1e4665cdb40659ed3a7342523ddd15ab914

SHA512
e54788e9bd32b9dd98384d49f34e59c63f94920411c88a1e2cf3df102c1e2ff7909e04de6d350282b7d90811b4e92a528545c691cd2831fd1956d85eb60a9fdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf219d999d05da715a3dec1e8b3983aa

SHA1
4f7185e7de13aedffb5beca36c534eb59ae46b43

SHA256
99389d3b11001419ac299065e6df66884d040f221e1fc6a0d7b227df1a0fe790

SHA512
028e38170dc9b5c934a655845a64eaf5657bdcff31cc9ad3c5d47e63199fd8b7e4fd4bf036649507d905ef75b7793b2e8c18b17282557d9cce53ec5c064039fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d37039f64da87babca927e1e20f63f83

SHA1
c77562565259aadffac31a576f325d52f24d00b2

SHA256
484dd6fd2f470cc14c304a1214d61df0443cfdf3d97c636707b63f86ab7b26e0

SHA512
42246c9e5980b54575f585ac60b8ce6cb581bea074c9627d6fe5360fa59f9b8a52bacbd04e296684d1f22130856d85a7a4aae2133648b18859fc92291dad7d27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7cc0dbb1be6560998627c15d56deacf3

SHA1
3d2ed292b63e57b228f182be99f5b67f35fb978d

SHA256
35b07abdf075840cb7431c91765572f88738e01caf8d4ed16a941b2aab5713b9

SHA512
dff1b31ba66a0cd1fca1c3bdbb1d74f2ec83cf34f40de80d555689e4d32cda8ca99c6249a90c2fec67bfb769adc41899a76aaf1aa93b6fbe64a895122a577d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b23d5fe69050be246d7ada43b33eb87

SHA1
1760141819a23d1f95d3044b04957c5fd15e45bc

SHA256
82fe4ad539ac5827cd97825030bba27383f5e622f126a9559778bfcb18ba513a

SHA512
fd2e499822e825572ca1f78224a7de216f7bfedfa7c2f34e9832544d87f0e89ede0904ce956cc55938d0e83a6aba0df409591dea9e667b6d8100c997371aa0ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ac0740de0b883f2ca08a2af1443e37e

SHA1
0013bdaca92d228b435b4dff0c702ad8a6c0633a

SHA256
14f642d1d2c44d7621721be3a6740f977eea3ed24d62d8eec1a2e9698e3be743

SHA512
f016c252059bc3f118cfa19d73d7217052fc414d73c188e965c823091280319633344b8ee72786d4a40a77c0e986a802ed07ad69cc88cc08b747a303b1d6369c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffc987e8fdabd85f70dd08f7255615c1

SHA1
c146d57e4dbef087ca690cd0d3c1fb073313f385

SHA256
97b4f0739c6fd28f905b2b3020c09a424cec5b17f299adeddd16fd079569ac2e

SHA512
e3f8ccd1922de2e0424dfedbda138dec80d96f0bf733f22769666d399d0346426b7984482f68d77d35b9de8ff66a8468b331d526cb3923b2dc99abba19c192c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfd24aef5c667529eb59284a2a002f9d

SHA1
d7a4447f92c8f99a0f609639efa11c09c29059cd

SHA256
6db33e2bf5e0447e549a33f1622ce3f08125c96a25ffa76b440e658b45506e63

SHA512
56535f27e63d7cfc0f4dd41cdf04da161f7e9d4a5a93e6a6a134574bcda454b9fd28d5e71193b83535641ff2aded31e631dbba09cb1512ff9b5208aba02e1cd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f76ab0978de367107b732ca4a73a954

SHA1
27d66dd09907b39e607c3c2c126f4f03eaaf0298

SHA256
07ffec2a92ce2a16ff219980685f972df1b281f51bae20fefdfeb583f9db67bf

SHA512
3ddea9f845897d83247577f8104af1208aab25d8523c2415ee4ec23f0bbabd3bd99f7be871443bc85d31a302a0bf5822d6ec58414c0496397ae8e558175d9a36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e19e31d86dc6f63185320fa98a51ac4a

SHA1
4388d44587c7ee0ccc0374f3b1d12beac8de98ef

SHA256
f0859a181bd41df26a4cb4f8c4f99e9e57a6b064096f9ddc9b63b904e95afec9

SHA512
010f035af04f0ffd9aa1537376c839bc70a3ea4a26089374f3abdccbc463eb2e04d3e31ffcf3ee64ff72dc8f7f7aa61ac291f5e59bc36ab0895c7718a52147ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36dd4d4c9996d5baae9fd12278adc6bf

SHA1
1a76e45f5c504bdf44833888f155f4a09dce03ae

SHA256
9b2971485803024f6b74111c5c9a585fa4dd891d724e8e9a14f5c60748c737dd

SHA512
a2761fec018698cbe38fb31f0607c8b1370ec43b4637df9a50b958524ab8961bf962284830f55e5a15106e11534adee523fd3125e9662f56aba777f6a8916d34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9721903f6fc1cf8c7972cf9cd732d43

SHA1
7301754938f1f98f8450151f261a722fd7a0aa5e

SHA256
8afb2ae2cbbfa9f4b3cdaf3ef6b9237f588728940686a8267bd6a4752a35ef2a

SHA512
4f404f5c669ad5eb0226a46f4cfd84ea02e953e51fc073040665bda29705e05db078df708e5062529e3589f6389dcdc70fe5f2bf75b71ff7c3f5559a2a0d0994

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ff9e5aef3e97051b1968fb6dedb4662

SHA1
c0920b9978855d8e3a16c2edf0bb7094e8fbba92

SHA256
f02e4724276d4df67de9544387088f815c25350880ae7a43a22780361cecb514

SHA512
c89b1044cbf9e7030cb92ac93c2105b2f68cae05d3840e00c16e1e79ae401e8c485e8f15e27d195f26f17dcc61820f27041d2fe959037c70b7cb2bfa37628c69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d666232fb3b2846fe3fed26ec1125e98

SHA1
b1a1ff3bed99f182e4e4d7e9254cf06aa9625ab4

SHA256
7244914f8950608097cf992f7592c4a56a82e6867a0ca637a2879bc06d01f238

SHA512
cb639c4c013fdf944a47e6ced650ac97511ac69291b4d70b13ba06a5d6e0c3de242182f953a9c575a5857ddc760e15d758d54fdb529bc67b023e055b23327852

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30e87bd5249a904fcca124ca23bffa3c

SHA1
d693923f29936bad42f1aa50cd832acdb249f137

SHA256
18ee0e5b5821a7ace81369fbd78c5e3759e4899fd95696c92a96115c675f9d47

SHA512
60a43e320cbebe6a4a8232639fa9120262f53e324fa61a45d70f50ef39e7dc584c140f2e407c2056faae5b66ef02f55bcd0b73891bd35b1a832401dc7bd1a399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a5f6bf674b3fb840465dc77c93dadcc

SHA1
87fe4ca11594c115651fd3d7469d2353389127f6

SHA256
1288458072b32cfe8f2c1a9fa71fd65f9995797f34c757447870caa121f4fe12

SHA512
d43a4a0dbd53af0d2cc9ede9ca05988f2082e29bfb296d40901c4af4a5c32447eea3d7e649e9f52911e634b42f7eb767641082824e43d1fff6527ddbf3824abd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
684432cc0bdebcaf824c2a35a783d37a

SHA1
658f95e7bab72f6253fad0d756a13459e7c73c43

SHA256
cb3cc44abc30b3fe7a7b6434666c5b9501ddf5af1462f96f2322e09febda1cad

SHA512
6adbac563783f7da9582c35e4652d70e801288e16b11c6d2eb69bd9b0836b8d2f9aa9ce9659e39cb093e3042ba97c4f95bf34c3c1a2821bae563ec8e2557a24a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbab6b7833ddeca08b566b817475b556

SHA1
c7c19d54b2ddd6fc0d1c8cd0f6d85f2caff5b449

SHA256
1676a4c119431c2cc84e2e1365acebb177094f4da3b91f58ecfd0407e5438e42

SHA512
de4df0192934de8a24c9f1ffb58902104f840ebc730b0dae309ac0fb3c05adfd0b2a9b6d547b15a595e898af2def493bc37c39a478db3579f07036ebd2138876

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
705d64c26a538c8347f336a14332b18b

SHA1
d497c67bb0d70679705d03f8606b82e0bf868d7c

SHA256
06c5e87465e6227c240f0a41c7354e8279c3b23d1067316976379c576e8cdadc

SHA512
59710fa8251e648da9b06302cd854b047635bca99754c9468081173aac06512b65e8a3d8e77996f4f366d48e57a867776aaa7e9e6e30a395b18fd35230c8893b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7fe8cba8e1840e6a66d8a1073a4c6aa

SHA1
6af754cabf8ec04cb561e0540089da38af67364f

SHA256
2b20344628a9a8d568be6a8f4294cb04df4d95385b2f71c2454aea0ab08df47f

SHA512
750ace500cee6d6cb64f7ce9606a421956e74ec80e6cb845f438f0646637c517b6fc1e1aa4dcf4e5509114ca27f7d19efc4eca9d8d940f1a43dd51ae295d87fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad03cdf074f4b1eaebce0dc633b6dbce

SHA1
a35e59b9da44671546c2d88fd9da9ded2b6fbe64

SHA256
ac2350aff217b31272444edd4ba8261b5d6a4cdaf10ff5576f7924fb1bfcf31c

SHA512
e9a434d45b47582ac90829c23fa027bae02346719b624bd5bfb38334c6632e0c0895f72f9d6f873dc13aedf621493903284f10e60294f7975827e0d84ef9a01a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7448560910d72df7b8b2cb6de4952ca

SHA1
f5e9d1e609a54375e9b39d4c369bfa99c2be39b9

SHA256
c1889ffa87b2d6288afedd78aedc3a1ef75d56cd1ddb863fe2568e717fa97620

SHA512
e17390a2c8dac884555f0ff33edfa7fd4e55c2148e50beab2aa34700d16ae1c72058954a0845e28acf2ba0447eb9a1736732ca097fa3444ca17638f92373f775

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6a203274a9544b5861a5e69fa884127

SHA1
5455938f632a9df570ef06f292f3d9d11fd3d9f4

SHA256
f0539205a42763cbefd95409ac950d51fc0a19ac5acb44df9537a696e0a795d8

SHA512
b8069c3dd4c6309fc60c9ca39488f41a070187502809495515513ced2929c43fabbbcfa934cbfa992541150d8f0f2ddfa8af3afd411f5fca5fa6a1f6ea75426b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
931446bfd30b5aa56a2de408f740a885

SHA1
4956343ab90e505e03e7690eefbef1b8914bef08

SHA256
8375e5a8ff29aa589f8edc2b459760fa624d4dfd1d5e85c5ec25917280c68392

SHA512
53da71bb3c2c8d504e96772fde9ea7276a03932f39fdcece11358c249bc5fa5a7b656eee9d4435d041221b286894332bb872b51fa78d8fd5736875157cc02c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f4268bee8b3437aed867dee8e0403e77

SHA1
0d2b9f1870cf9a50aa6fed1a803d00d8bb444977

SHA256
7dd0d962ebe848bfd7f427ea21d410e98d10bfe3e88a0d407b77c62057e48cc5

SHA512
ff9fda0bf2ff0dfeac9f3c22dd18959a88bcbf22ce81dff75cf774dd0ff76ebd9b84c4a18ac2f18a0c71d1766de8a0f71d6e31d6fb489bfc461e5003c876a0ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\O0ORLLSQ\www.avira[1].xml

Filesize
224B

MD5
ccb43c2bf23ea554526141b1f7ede6a6

SHA1
a60f2ec32eae279fe47f937928761722f4acf97b

SHA256
776c70aaaf52c899514b64f625770bd7aa9e8650e75bd4cda55d54236534a0e5

SHA512
f06c9f1cfcd60e05a050205beed34464c36bd3faae25b4cf2d228c659ef8d22c68f5617ed566c2b784c15c24bce865e2279183944e9853d8d7c9b31f6b3531ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\O0ORLLSQ\www.avira[1].xml

Filesize
437B

MD5
f9b20d578a6e38c0093a25d56cb2ce9f

SHA1
db0f21dcf7799f64d5e491978c27164d3ef74b1e

SHA256
9242edf337aa18dd21f63cdf088a5896c515eb62f5f91cd3f612f32a075a8d2d

SHA512
35a881ff9676891172a5a0df880d6ee4b969cc3d3d3872076fa0e948538736f98a17b2bfa1dd4ef1049fba9e50ec3f1d8db80d9eda3f2f63532b1b207db23dfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jqfjk0y\imagestore.dat

Filesize
1KB

MD5
68771020918c6ac93f39b04dc6173d2b

SHA1
69c7a53beb6a91f0d4f7d8a400794206a43e0269

SHA256
ec22994885df3cf5b90b1e89ef5a1249342587110a51e3ab2ed35052493659ed

SHA512
4fe29ac24f62fc45c5665992c583fda0c372b002cd30c0e15e5f93c8850f8933db8b5e4edc0670323c65db676325b9cf29cd052b6e098c3722b6089123c499b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BD3NDTTD\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8CC9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8DEE.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8CCA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8E21.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QGSSTENN.txt

Filesize
896B

MD5
6a53b63b88310e47b0d48fa806b7b957

SHA1
42a14590a97c1d47558324b765ac02a7a3fe641f

SHA256
3441ea5da6b64a6667f3690366a2fd496033810f955aa50d08ac0aa39b9dbb8b

SHA512
78979563b624fe4da4cabab9452835fe66cfb7073c05edd71fc4f536dd5294317830fc68c75f8629e537ba20768244e0446631111c6ef0e085852e22a8eb585d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TDXLZAU3.txt

Filesize
390B

MD5
07e40bd4254caaeaf0243b32a957b63d

SHA1
1d6fe3e619a88f730b2709e142a2a611d31bb744

SHA256
a72a5e265608ecf7e497560601d7c06e276e3c2d5b921805ac8ec04e8037daa0

SHA512
e431f4c7656de923409b84aab9c21d91b8e04b130594209ab44b16f64abe5e585d32b4481bb007bedb9aa8ba74adfcedcfc006193c1ebb14131a7f09dd26125d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UMHCFE3V.txt

Filesize
578B

MD5
4edf0b41738243fafd49b2f9b97c45ff

SHA1
93009f37a508573eb503f3a99b6763e4a74a888a

SHA256
ec95897ddda6f26a07c4d8c957664ab38e4f1b5c0689ce4a8e6d11f604a3925f

SHA512
97909af8e185d59486b689f82a3f8f4832c7dcf0fac2ee679562543857aa13175584d2b668220a2b7f8e26ce33d86e0edeed3e9a712dbaa9b8e36e24a1936631

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
a4b3d1f92f8ff2862aaa6700bb349ad2

SHA1
60fda8f9cb35766d13d4a2c7545c9a03f73bba9b

SHA256
88b0679b35806e551183ff114503cc61a8c0f2b5327438a5ddd3149d06024c0e

SHA512
cf0b7914fc9e4af370d158f441e5f887cc004132a4a1f1cf5711cc61a28be8b82fba919c574e53b46daed8a64442748bf82350a242fbe86cd23fec4b3363b6b6

Download Submit
memory/2488-107-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2488-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2488-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2488-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2488-123-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download