df112e32296232cbbee9e0da6b4d40659604b654de9f65500c97a7576c0a0060

Analysis

max time kernel
140s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
Size

232KB
MD5

d5671add722cdca65ce15f29600eec47
SHA1

bc417c926569205a12204446b966d72ca199e73c
SHA256

df112e32296232cbbee9e0da6b4d40659604b654de9f65500c97a7576c0a0060
SHA512

78be8ed94fd2e18280a9f8fa43b85569f98548901b7f924f9b49e72576b9cfbf4a34b8c74124381615549f940e2ac9f36f969cb142c8c9475dd665e42aecff65
SSDEEP

3072:h7//9yazxLySP4/LN/PCeSuwz2b4g3+40cLxucVyQU7g7a7/gt9+JzCTL8BbRSCc:hM3SPsZ/Pe2b/3EcLxuHF0mU9vA

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1300-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1300-3-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000100000000e664-8.dat	upx
behavioral1/memory/1300-106-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1300-122-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1300-123-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1300-2194-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\msiexec.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\SystemPropertiesComputerName.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\comres.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iassvcs.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\softpub.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\winrm.vbs	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDJPN.DLL	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDTURME.DLL	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ksuser.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msafd.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\WMVSDECD.DLL	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_936.NLS	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDTUF.DLL	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDGR1.DLL	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\sxproxy.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\d3d10core.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ieframe.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NAPHLPR.DLL	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\qdv.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\vccorlib140.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\winrs.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dot3dlg.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDPASH.DLL	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\autoconv.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\shgina.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\tasklist.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\gdi32.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\odbc32.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msaatext.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\SyncCenter.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\PlaySndSrv.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\TsWpfWrp.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\WerFaultSecure.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\MRINFO.EXE	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsData0c1a.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ShiftJIS.uce	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wlancfg.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\imapi2fs.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NETSTAT.EXE	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsData0013.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\shdocvw.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\icmp.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msorc32r.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\docprop.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc100ita.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\pmcsnap.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\polstore.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_869.NLS	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Display.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\packager.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\psisrndr.ax	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iscsiwmi.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mmcico.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons001b.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\rasmxs.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Ribbons.scr	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\spopk.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\d3dim700.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\esentutl.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mspbde40.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mtxoci.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_863.NLS	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iasrecst.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wshrm.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\WINDOWS\twunk_16.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\mib.bin	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\write.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\fveupdate.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\splwow64.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Starter.xml	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\twunk_32.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system.ini	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\bfsvc.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\explorer.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setuperr.log	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\winhlp32.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\HelpPane.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\hh.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\PFRO.log	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\twain.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\WMSysPr9.prx	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\notepad.exe	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setupact.log	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File created	C:\WINDOWS\twain_32.dll	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\win.ini	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000009b942c2c512172396410c4d4702e7f0e035fba0447384baeaa54dcd82bb9cd50000000000e8000000002000020000000f75945eb96ec8b7f6d6445804ced1c53138871f0104a214382923b91ccae741490000000bd549d4605aaf68a5b2eb05983851705321cd667125346458976b449dbac620ad8793914ede4832943882cad98b420acb1f0ecce5b7f3ed43c7d74931d4c7c688681ed69507c4b493e3b9a520bc06acaca7219d4bb6962345aaa6c2c5326c24842b64a96c9a4a40ec54a0b1fe25500798c21b8f698b8e833e1a7678743e9fd196ff7096959b64005aeb8d5fdb95cea5240000000c08b5e74d4ea57e93c39bf32409eb6d574eaa359266922ba10a0183dea314b241f37883de10742344dd9480db6f318aae6ad21107b3ea1585148eff186f9814b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{370B13A1-F353-11EE-8C47-FA8378BF1C4A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418486791"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b0000000002000000000010660000000100002000000087ccb5f65865ac4e69bbe4d9db3987bea1b5cf14411d05c2649818018255a091000000000e8000000002000020000000f2009dc51a00a3a0a2818db4d27bcc1c5d4fa0e8aa4a7dc9741f4c2c4238e5ba20000000d27ae8e9f7470cd03961b34336b97e0f27ec00e70e53573678b4ed506455775940000000001240872c3ae3bca0bfcbaa5e982ee5d768024ae22be24dd1bb84096366ec057ffa3c9ac383aa4d392582f3b64f35df03253cf260bab7608f9abfff14eaec58	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9061c1106087da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2928	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	880	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	880	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2928	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2928	iexplore.exe
2928	iexplore.exe
880	IEXPLORE.EXE
880	IEXPLORE.EXE
880	IEXPLORE.EXE
880	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE
952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2928	1300	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe	30
PID 1300 wrote to memory of 2928	1300	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe	30
PID 1300 wrote to memory of 2928	1300	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe	30
PID 1300 wrote to memory of 2928	1300	d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe	30
PID 2928 wrote to memory of 880	2928	iexplore.exe	32
PID 2928 wrote to memory of 880	2928	iexplore.exe	32
PID 2928 wrote to memory of 880	2928	iexplore.exe	32
PID 2928 wrote to memory of 880	2928	iexplore.exe	32
PID 2928 wrote to memory of 952	2928	iexplore.exe	34
PID 2928 wrote to memory of 952	2928	iexplore.exe	34
PID 2928 wrote to memory of 952	2928	iexplore.exe	34
PID 2928 wrote to memory of 952	2928	iexplore.exe	34

C:\Users\Admin\AppData\Local\Temp\d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5671add722cdca65ce15f29600eec47_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:880
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:734231 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b23a602681f15e654622ddca27c90b04

SHA1
b3a69ce87b261154b33cb7e88e0f2d976c1eb74f

SHA256
860d3b6f4cd7ea93c920a2ba50053362353c55fea17670964df360fc69e3d6b1

SHA512
5e3c2a560208894677b323e720b31bba53bf5eae110b6de62fad6c6e4ec1a1a5a97ca7b9b07cb1801e826f23d7724aa9ac48e0f1c1ad1409e67eb0be3c06c44a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46a379a05b006210b97864ae365620a4

SHA1
d910121e6262d946be9b90f49d4660579f31ca87

SHA256
70a811cbdacc4a5550f7508d68b6484be54ccdc0fff3a4a6d9876e4939eb09ec

SHA512
9ec4403ce89d9dbf99b98d5ef67e74232d5fcda9d74cedb4bf1af3f6dbfbb2bf68ccbee3f15bb8f8fb52e6c9fc89370b25434e63508af344c686f5e86345365f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6aff497131bc2de3e9ff54dc1d01d2d7

SHA1
a3afee63a48411c689d930fc0c131536a0355c03

SHA256
683f5d49f0d487e6e4084c0abf9ab0465537eb2b07fc761498e207517542fde8

SHA512
e530956ad306a3f27d898e86352a8b7c3675cd26f5acb4e6dda87aeedc2d4f188276f5718453351b86dc8671ff0f665e6c27224e51d83c294a1c647cc65060fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a20f99cf98fe0045ba1a9cc7590bab5c

SHA1
3dda1015e5ecec5d868817d1607f87bde76ffa62

SHA256
66de9f15def69ff666d4d2111cf9fbba4a9f81820868cdcb8fcde10b4088d4ee

SHA512
7fd4d9d11bb6b16670048ba322790ab032077c0e7bd4eac81b2a2642f3f3ea0f8e62df65cafb4efadf2192fa0120d48ee86751947df15d7703cd46a8c210797a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
99a0e7aed05cbe6c5961e682450bf633

SHA1
857a91c04edfa2207ee3cc1e1d0dbdbca2fd7439

SHA256
6add1e771e59bff77333d0e391e275df4e0fea4e9230c87bc659e18c7041bfdb

SHA512
dc6f70d374579064e60a5b3518f6451f835d1c7dcdfe4f26b54c3124b20d33a47230253aa20ea636a0d3bb199bdfd78f7a3d5f459b7de98b71025d0a490b1650

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
608f4748e9361b19f0a8e98ec5de8099

SHA1
8ead50cd776e2f6500c2ffa0b06b58c1d93d2296

SHA256
52e873e1a43fb8ffb4bd5a61bff6d756142804c6d2a5a5976688cb244a8e5890

SHA512
582e81df7cb036c1d9cca816b6e1235fd1a4f39dcf055dcb67a57d631abd07bda320384642b2cec88d579db42dfe24c5680a1ecc238ba3b0361865c4a6af14e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b97da4d71469cbaa1ec3819755262e6

SHA1
14878419c6ec8d3465136506d92b35d4d357a4a0

SHA256
87e3e0fb634ee203255dab54f0fe23acdb9261df9edafc684cc70afcbae8ef45

SHA512
a01b62628ec70e60fc93c63b468cd1b01d7344790a33b80af3f65d9c579863483ace562943864a3e47d46d55ce3efcd9e43e3c783957dd23fcb4a0acaef7ccc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b15e39ef8f3b78d38ce3b1ac468dfdb2

SHA1
54c42b566deca66c12c1117949a7ffb76a081896

SHA256
d9da091ae48be6090e447e727c66e7e2b18ccad2ae3aa243c57c83181d979c60

SHA512
7bf8bdfac00d8de314110bce3969cc92f06864e2a0cfaf44092c94f6d5a8f9f87cb63d95b3c9c120a7373499bd946b0e9e6d2949ad554727bddaa12d696b3efc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
654d08e276a5f48fb7c67ea29c9b1e51

SHA1
daf94d46c8e97d35c3d7aebf77bc1a5996af0343

SHA256
41456131f4dff3e5f9293ba4a28fff7cfa66addb6542b3958a0c56aaf1fcde9b

SHA512
449565fa348e33f80688c996040a269c2b575f9257982f891c8c30aa95d0901f2b0b933d5b7d74f46a09c780a697071c98d6b9600f34ee5ca295fc8191eec9a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d22f843e49b4a84ed9e13c23c97bcb17

SHA1
4a3cb1e478d62c300869a7b5c57bff0a60349377

SHA256
fb06786ff5b81b780edff5b984ad3ec93629956c7cf53aa2b5b1824a251af7e9

SHA512
0c1ada18598e115a4185a520817bb496d55279c719f4266eeedf0e898ada1995746bb40beb5d4fad7360a946c14d4b9135d2673c3fef7a77ff33283029d7f349

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
084c54cf3a77e0839b3223f2c3a070ad

SHA1
65d28fde0dfdd710120dec28baf32c63a4d78a1e

SHA256
0eae3c5f2bbb33772cb6b32668462d214348a5f255a9d6715d90d831e4156a97

SHA512
881e5967e2890b019f908b8be683d49cc70e3aa47e0dbcad5a55e1a15cc777904cede4195cd7e0ecb69ad569b55ea295fd1105706201fd08d0830b4c2fa4b1ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
903c25b65435be4e777b98dc60df2525

SHA1
eccec99314edefdfcd01944143b045e9156d13aa

SHA256
eb1ed842c4c1fc461788ed5b7318365e72e49691242f67fd02fb911808362f51

SHA512
f512cb2656f016e89316f0bf653778abdd46866d2157f970de6515788a3026e67c8aeac8f28b6a7ee581049f151d8c3df4d548aef47550f491db1c95fcaa79d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb4c2e77c16199b8627cf05758a5fdee

SHA1
3498a14640107a69e0a997432b72eb8b34701492

SHA256
0099d62bf8ddc6b78632317460550b82ddd54c47cfcde96e3261243e59c6c5a5

SHA512
aedc46e0ac34b028e64b43ff2e46d3380de524c1ef3ba48aef8e8d3db9d301efdbcf35f4ef581388eacca3f53e478f355282363552acb47f2489062a8508aa4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7f2c8d9218774b949cf80a40ba65823

SHA1
bebdfb410599b88af634e7a071d1820d1b6e8ccc

SHA256
0e3d8e9aa21619a4299f24e59a373600153a93064c54dbf809dc463dfa5b44cb

SHA512
e5f90767a4722346e1f2c71cc121060be42df4ad4f56d38a29bd5bb4fb658e61a5493b3bb0e105a4163338cf44a49ea15b8d6c878e347c085362f81a68e789f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1856f6fb6464c35bcbba7f1466920de

SHA1
bf4fc22c51efdf40cbacbd3319564bd3063c13d9

SHA256
bc773e16a34e737433ef47c7714fc611a80fabe428630bd4f5ee04cb1da5f44b

SHA512
966f5f4c024fa7a74ee15f942a625a9c83213f3f731705a9826dd4e275ab600af4cbe0144831dceb93dafc9da7719fa6274e40bc5d5aebb45e1621d4d21d0661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70f3c34e723b62ddc3bfed44241d05a4

SHA1
80bfb30ef41fc1e819a57aa77944a425f15d57e7

SHA256
a6ef7e0e16b36955ce36edeefafd28c7946cad525a4a6d596d4b3ee6e8dcb5ca

SHA512
5d04b491034e908ad23dac103cafc6d712f01409408bf68487bed11471e2f0357c7da026ecd0ca07ca4a4c88456243a44f356b594ad716d17ba743cd1196c5a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45b8c0554a2529bb274cf2a3e28b1572

SHA1
d6823822215f1258b3b815cbb7eb94188169c87d

SHA256
17b692acdf6c224b262ffb50d34c12b02ce199ca7b9da64bbad2cf80ff24e7e9

SHA512
425c6ad6fbd4451bd4ce36aa0aadbd4e4097e5ccaef9414c95e1a4eca0c705dfb86bddad180d73c2303dbced83dbde2445865c2f44310d4588b2bd0e7dfd6bfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1515216404597f6fb745b5f6b272b04

SHA1
9a36a6a2cb1a0644a279ae59a1e4a2f3d10008da

SHA256
58617e1f053a40790753a20139f36b6534b7937c26b05dcf87a78d1226681968

SHA512
93bb3ab02c3be65adb3df573a4985e56c7adcc71ae52ba55e38de907b6cdd3cf0bf4b27e9b3066f9fb038c53b470437dcfa540dd059ca1aa436c8755ea59f242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2933845e4d5cb4654c0f9d2cffb1261

SHA1
42341d98e7f220ed56d1fe84aa33d175d89561fe

SHA256
c0fb224ab705eea7b0ae059288a9475669eda3f13f56dcb44364c7b7c68ca041

SHA512
fa2dcf7c6021a16f9d30d671450294d154375fa44b0ed772035f10d6b6defb5ca70d5e6b25941ae3952a2d1850741507644f4bc7be0a2c64c2767b679e6cdef7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d8800b3cb33f24a70b8a76a69b59d1e

SHA1
1f929d307011aa2c1668e2aa0c4bb30b3fb44790

SHA256
d9528ff0a4eb1d4969f1da1da21f76ef1a77911411d6ac60de598305670792c9

SHA512
a0896bc1b246e302fd71ccb1605f59662839ab89a36d90e4ee53e8cd9f22b7b6f4920e2d27ebea6cf23d78d0eb9694727353226aa5f142eab6aae378174c1d36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9163de5640125b01974db3e7152387d

SHA1
8f526ad508ea596fd42da9973dda5e3604c0be88

SHA256
4828cd5e08d111298d1f0db1f1a894c72e36da903f5706aeaacd347c0c797068

SHA512
12b78540f56206e46f12f3f0cee6292e6c6bc407b43773766cc7d639cfdf7c67f571de3517988a146893dd1d208c97d6adc056a534bbb3241745ac61d98fa0a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55688f3af13483286f8f93cf2dca6863

SHA1
f0160ba66853a2c238ae5512dc888d26a1711a7b

SHA256
db8085dd3870a93812662dae2d112103d5ca9b1b858a961d520c0c40add81945

SHA512
5a1ab008899ae9ce2627e5d4ba4da2d71a39132173c28a113207a2aa4c0f98ce76d4d7ded86971207e59660e793de1a3ac7dd45e629ed1b459ad88cb6e20011b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5860a9483a5604293c846707ffc9064b

SHA1
7f7d7cd2bdf65ffbda64ab469ce0bf5340fa008d

SHA256
59398dd00635678def8007f7aa6261269d0ecfa7f2644dd3c575f2973455946b

SHA512
352def3a542f6614d8dc7d1a174a6e43eb3757fa14bfc0c54dd98d02b3ecef682bab1c747a49c1945032148c99733562c03189c0c5862bd7ce6772c18859b14b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb626e8b2b787b31e6a7d1d05ff95d88

SHA1
91b07bdab01006cc691395a546e06a842543c4fe

SHA256
a50e5d718b0baf0cfd2861cbd8710dac46fc321efd9289c32ce83fde0e78c516

SHA512
9c0ad83a4521f5a0eaf008a2a87d5e718a231ebfabaa76ec4ceab59a829ade78ef864d6d81464ca07b357aab2f5f9fbe501b4b7324f9f02abbac770ddbaa4528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66ca228357ec1abf3b431910c66bcdb5

SHA1
5b14691815b9a2e19054d1caf905b2ae64f69d2b

SHA256
b68d2c0cf44141af67f8ac79ee2908d16e63af6f1b9a97c184936dac86b9b21b

SHA512
ddc2529f349377d8021ad12bf398d24d950b590e006534ff1941ba9fd47b3f608eaf1be73b0bb2a1f080a1de554e0ab54c21e399a901539b9bfa12c946faefca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
33bb80c5245b3664bdaa403faab256a6

SHA1
c7bb1f7ba2d5048a0626d061f3be448bc8f20246

SHA256
519fff06aa2443df7bcd8dd7d8a33b74ff89c3b8dfc3d229f53c95d7339fb725

SHA512
b6bb1b5d4af389915d12fa1e66514dd6c7d735a5e0c8f4f85701e02b097e202e30cb8a505c156e301b61fa0930e587f4d01a3d0a9d1d25f8dfa33797ddeb478a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c168e9d20a91b3ea6639dfc20411f24

SHA1
3983aa41c692dc216d29baf698d7baae07244555

SHA256
e829fcd456e2880f20acf65767ec84bfdf97d7718b82549c2263ea9f4a52e014

SHA512
c4f603524afdc4419bdf547917a34f5df3ee911b73d11c44d15ebca754a64dcc65b753efdd3312c3f0e873a5079090a22132e8f9d89ae7dd1133fb6d5d20c716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
292d0232c2e5018d613e5e4082137adc

SHA1
de04cf3f9456d57a8d3ca10fa0b92342bef154cc

SHA256
8a8513bb9ab7dae5fddfd1d5187d9a3e1b4ddb1deb0bda4b391e6dc8705be650

SHA512
602b000332dcce29238f4bd615e9c21cc890a943f9acf5ecdd97c8e4e19e8d9851dfa589ee985dc23fc1311a399b8de75cb470577176de1ea1c1957105256e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
999d750ea14a3f0c483e83ff6d890fd1

SHA1
d4f63b6f3482e015092263ca8f82854ce3587414

SHA256
e743a97a355882b3790e1c9f34b2c10a64e4ee6ba606edc3016257cc4f60ce92

SHA512
71c29c9ccf673fdcd756a4c3312ecddf4bb71aa8da79df9d22fa69b15cbeacec217eab5f7679b4ba62536c33d108f8c768a4946749d8cdd737f5b670bf9fb050

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e06ba7f87e5d1b94ce6f6f29475c9b1

SHA1
44b939c35ee4499eb8113f06feb8f3c54daa055d

SHA256
648915ea44ed8e859378d68d907691712390c7a8fce7b135c42d4bb3e0da53d5

SHA512
a1b0b325f3dd96dc98b6af5d7b0a0a9528db8b1172ffbe4df74656c977dbf6d2032d38dfd14a95ee3cf2b0f26abf612a5ae472a0ade3f0b7c589e9fe00cf1742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4187eed6c10918d268d7cc9e9df1eb4

SHA1
03ab9af34f86900fff7e91c2a75c4ee9214b66ad

SHA256
ad7c4b552f54d213063a93faccbb7cb5caa46e0ce142bdf730709126da3e962e

SHA512
e67d69edd5ddec8a349b135a415ad22b5b20f353cc40fb608679d05d69ee2f929f3f84226ec79ff42fc6d4ecaa4c8421527955066ed767cd99b3277ad60bb6f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d7c25fb51e37a3fa49885a64b9e2c1c

SHA1
fe305582de91023058d60e86ab6db3dcacc9f3a0

SHA256
b17687efb557967bb17fd613bc2d421d9492bcbbfb53b1c168b6f24ab2b9e3b8

SHA512
c3101fd39dcf25895d8cfd3598be0e1783f52e7ad4153643e973294b220cf98f5b0c955f425e23230b7d238ce978460aef235f892973edb806223e47ee9d7e9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2bd39ad948c7f1efee27c7a09c71f44a

SHA1
acd1fda9b04783870b4c307b582552b5145ec855

SHA256
942f47b4c4c2ef9ddd239b1f3a7597b3d15cdfb085bf58444a2e3bdfecf6483e

SHA512
07da9ccc28e25e83fbe6db2179084c09909bcc2d83085d0c1bb498c7b536cdc57fce58b75e8b6532baa1bf3e75fbbe3a0023e74328e480e10b66c2819066b9b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5c71837bf933c2e4e9bf80e73ccf86d

SHA1
f7b4042284346ec54c5a6b90fa894ce327eb2b66

SHA256
4b60c2a5f998a0bc3a0722c855cd87b644528a5ec94dd6de7a5ec2614680bb0a

SHA512
4b362ca26b44a2c7d686de7b46415c05a67d11e58909398f768efdc8411bc9c95ed3f7dec7a55cc18659f3e199ebef253be8e588a4eab5b0c0e44a5796c5f8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0104fdb32ae33e70a6c2193575fc09d

SHA1
6b97f062520a3fdcf427ac5f32a20d89f1de8019

SHA256
81bd11c50c3e382478f204c27fa8d724ebcce6368e3e43e1ad3087deaedd5a24

SHA512
2259a12d29f7b3c25e87e786618fd96059b798750bc9b5a04ea6ff7e40bb3a0cf7af0095f8d4cf95e0eb22cca3a595fe234e7f3de0fb52134645651d0b29c912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0eda79a57a67ed0955e352018cef3832

SHA1
1d399dd0512b38521d7472a56932029d238beeba

SHA256
4019d4fb33c7347775cece3d68f6b4151f8e8c4e65cc529070fd33bf69364139

SHA512
a22f2f254c0c162ef962821b12e12ad7575bb951a0df448e13aabd7edd07ed82a83d7e9b1370f4ddac8163281b3b3cfaa601f4fc127f4568a7e9824a04b81c25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b767a54bb21db04ec1eb8ccdb522431a

SHA1
8320157d0c55e31cf5d103ef00a6cb645cbeed35

SHA256
37d95869dcdc3969dd6b2d99ae2e6b8089148d69285bc7bd6d1489d8af96d5ca

SHA512
c2f7398ff0d1e960b61d1bd3bf4627f548847f18668f361b88b94733b27d75da631688eac5d90c7d51d30f06198b4c168b2d0848f51ed40c516ea1922e35df06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d49dc977b56c026c4a60d9496480da6

SHA1
9969302e83c8d5883e3bef1b69f357b87753af59

SHA256
eb376366d341a642422d807b93ce5083c88005e805ba558a011d15549f889b0f

SHA512
1eb0ee86d3e0679406bccf65ce1cdb6c177d6a4c0f3719a0402a1ccb411031c4dd52d31388e3c3967c75592cc6861f20c058187fe53ff8dee40ce5cca0eb7006

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abd907883545f7b043702d800af4c16c

SHA1
43de2c5f2996c5f67366c79712baf5e8352f79e4

SHA256
548d4402cbaa52d6496c41ff8dc60885fd2f3ccab87b1ee87e598d2f0b0b26e0

SHA512
93a51ae46ffa8eac71542d97e8e6072636a74d1cc36f4059ab26cd3e6e31e927a61b724dcf747f737abd032f89c17d781bd736045b343a1a384c55d0370900e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
423c48693e42f43412dc29fdfa5bec34

SHA1
d09a080a305aadff3cfd0ad2171fc6b62f0f4504

SHA256
0fec1e5d31f53182399fece04753eb4ce0022df15c414c03cf1dc214aa629d69

SHA512
ea4368779787839a762b2207893192af245aed31f244987da4bd8ce27099058e523875bf5e3bbda7c91b3a841ec75402da39c66da89584ccb49b735efbc9c80c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0ed1977f54d02e1dbbcca0b94215464

SHA1
ca271a6f61f29f7b9c3894bbe330cc8e794d3eb6

SHA256
b37da20b16e051dcb9d73e569ec6bee957a9a7a9c72f383a264ce30dbfb36f51

SHA512
81d527e69807a2b2688002a204596eba28f1d90b9693d34b273f0a0f7a0daa445c6ff9a32cd2cb12aa8d8e490dd9b5173c315078e328f97088bf822f313c68c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66eeff02090ab49e3c81724b6b86d294

SHA1
9669c863944608023760ccf1c8025850f7b6932d

SHA256
e435c0a40499915b6cea61f0d83fbedd63fc521be6be3deb7e4df650c0f1f5e6

SHA512
43d6c87aa55811bdb4a6055efec417dd47f7e084b67863bc5049273cec9eb10cfa33bbcecd61b86da28c7fff6432412199361687a119224c893af482030d4810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a87db8134f94dddb609e6c757759852b

SHA1
225795c437e501ae28742b10e9dd655fa2108ba9

SHA256
6f729d5768f1920d5e3685b4fe79f462886b8350fd1acef9dc6d89cecc6d5f3f

SHA512
48f29804294d3ce84df3b26709d926a55b25611b78b5eb560a6d5ee6f398b6410e485ce0163eae9f2c3c9f70e06229e6249bdd7ac0ab48a9ec66d07d2151c391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\9JUK551W\www.avira[1].xml

Filesize
224B

MD5
333aa19c239a5e9fb9a70ec921597b2b

SHA1
5a9559b66fa9c0a1b5dbbd63ad3cfdd0f2150dfb

SHA256
62bf908b53f54b6b106b475bc02c537d9460a2b0d1c8ea0277fd9b42be958b83

SHA512
4e76e6fd32ba5a3e63397269658e78c2760126f6df115adf0697da6aa687179f0813889eb8bb7bb71c51019e9888c0c8ea2b4d4cc7390720d3ffdde0caa3df6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\9JUK551W\www.avira[1].xml

Filesize
437B

MD5
0aa87b1be009f834a02221f033bec99a

SHA1
8f29d6fb39021f84cbabcacb9802f5a1e7827662

SHA256
cd06ade59d974a559fa35ef816349f49878a1dfaa5d04698329230d3a24e17f3

SHA512
7b602d34dafe8038bd92a7207339106f4e6319bf1e396d8ffb6e613df0f4c39d59c25aeb3792afc916518704aed09a538a294c393e4450f1b38925ea49d494de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q905y6j\imagestore.dat

Filesize
1KB

MD5
24874c846854b11a73f67225ad82dc1e

SHA1
30bd180e3afffeed7789296525e9e8d6167f09ab

SHA256
72ac1d951b4cbf4e0aac398c87bc415ea1d96551622be9d554cbda26735a2fe0

SHA512
7cbde170df1adec1eaf9f9c3c66d209489efc6ae7e22243bb99bda109b9126be4202a84803a84df3351d309b5f29702994b1bf38942aaf878af3ea85800937cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab823C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8545.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar824D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8569.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3XCB7CN1.txt

Filesize
580B

MD5
1676d21c93d452150ee8944ef4a3bd41

SHA1
c5f7394e1e13864d97a8068720e335489b88dfbc

SHA256
e69db3bba2a03e70858508ecd8b2727f9c26f237add8922a3224ee5edd03ffcc

SHA512
031e949b09a82550909d81e368b942f422833da40c6b686976c5b055655055160de34cae223f88580ff73372cc7758af6d631e6fa1af5db35317338f65d45fc2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KHVTJAF2.txt

Filesize
392B

MD5
feeadb2d2558eb825b2b4cd7e9827a84

SHA1
7daa51b4547cd745c7385c19195a7a9714f7ad07

SHA256
8afb888df2c0e7ffa2f22978e15787c58a7a7069ecfada9820aa7237c706dd06

SHA512
7a714a8c35536a263884ddf4b845ce951b8504359fc356dceda4cd957f9f405428f229dc1e35fcddf5dab4aa18d031c6888608d48448eb26efc12117cd5d743b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KUZ0DX0D.txt

Filesize
897B

MD5
482b1412f9d4b009a7a25c297a1cfe8c

SHA1
13f8871e4545708865b940d94aacbb4704329306

SHA256
00a812afb3ca13de614c61e1e541016e7c7c25cff579ca7f8bbe557915dd462c

SHA512
2c4d85e9ca90939b524442064f9c8ce48fc3099f032e0d02c1bb9b7ded3283d9465f02107ac9d5737b876dc26e650eef4bcab14115bb0d364260033527abea86

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
90c4e51f52b3f022a0469a3bcb7fd3a4

SHA1
ae67d7543d2a1cb42860afef6db8f0e4b4788bb0

SHA256
554e95e3c9ddd470e6500f778af50b08de75ada1f94e8e853a2ae7455766a2a7

SHA512
12a56fa7a8bb4bccaf5da330b42274a1873f8c231e507129718c7088cb3c937a96b593989093562288b9e5423212d156e2a43d031e6d17e967a59162241ffe4e

Download Submit
memory/1300-122-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1300-3-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1300-106-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1300-2194-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1300-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1300-123-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download