Analysis
max time kernel: 120s
max time network: 128s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 17:19

Static task: static1
Behavioral task: behavioral1
  Sample: aadff36ac46c142db0579896ded52056_JaffaCakes118.html
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: aadff36ac46c142db0579896ded52056_JaffaCakes118.html
  Resource: win10v2004-20240508-en
General
Target: aadff36ac46c142db0579896ded52056_JaffaCakes118.html
Size: 2.3MB
MD5: aadff36ac46c142db0579896ded52056
SHA1: fa06be24d090935b39450340a715ae5292d3e3f7
SHA256: 123f1b393995306b1934f9aeae8f932b3623681b06937f0d3d399874b09d5eb3
SHA512: 3e921a0204248e27082bdbf10e305b1845223e92706fd7ca63668a915e0ef59a84cea26f3e43bcf42b12a567e959bf2bcdc1af92b203ef63c1d9d79513a0c39e
SSDEEP: 24576:5+Wt9BJ+Wt9Bq+Wt9BU+Wt9B7+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+W2:H
Malware Config
Signatures
-
Executes dropped EXE 26 IoCs
Loads dropped DLL 17 IoCs
Drops file in Program Files directory 27 IoCs
Drops file in Windows directory 6 IoCs
Processes:
- IEXPLORE.EXE: File opened for modification C:\Windows\Downloaded Program Files\SET233B.tmp
- IEXPLORE.EXE: File created C:\Windows\Downloaded Program Files\SET233B.tmp
- IEXPLORE.EXE: File opened for modification C:\Windows\INF\setupapi.app.log
- IEXPLORE.EXE: File opened for modification C:\Windows\Downloaded Program Files\SET1BEA.tmp
- IEXPLORE.EXE: File created C:\Windows\Downloaded Program Files\SET1BEA.tmp
- IEXPLORE.EXE: File opened for modification C:\Windows\Downloaded Program Files\swflash64.inf
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
- IEXPLORE.EXE (pid 2764): Token: SeRestorePrivilege, recorded 7 times
Suspicious use of FindShellTrayWindow 17 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\aadff36ac46c142db0579896ded52056_JaffaCakes118.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:275457 /prefetch:22⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exeC:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex4⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exeC:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex4⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe (tree depth 5)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Internet Explorer\iexplore.exe (tree depth 5)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:209932 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:406538 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:406544 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:734217 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:1586186 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:406549 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:1455121 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:2307088 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:1127448 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (tree depth 2)
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:1324047 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
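The chain in the tree above (a browser tab process launching an executable named svchost.exe from the user's Temp directory, that process dropping DesktopLayer.exe under Program Files (x86)\Microsoft, and DesktopLayer.exe in turn launching iexplore.exe) maps onto four process-creation hunt rules. The script below is an added example, not part of the sandbox report or its tooling: the event records are constructed from the report's tree (the field names image/parent/cmdline are an assumed Sysmon-style layout, and a real System32 svchost.exe is added as a benign control), and the rule names are mine.

```python
"""Process-creation hunt rules for the dropper chain shown in the tree above.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's process tree; the image/parent/cmdline field names are an
assumed Sysmon Event ID 1 style layout. Any EDR export with those three
fields can be fed to evaluate() unchanged.
"""
import ntpath

# Constructed sample events modelled on the report's tree, plus one benign
# control (the real service host) to show the rules stay quiet on it.
EVENTS = [
    {"image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:209932 /prefetch:2'},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "parent": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'},
    {"image": r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"'},
    {"image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent": r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"image": r"C:\Windows\System32\svchost.exe",          # benign control
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# svchost.exe and the other core system binaries only ever run from here.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                "winlogon.exe", "wininit.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                         "\\users\\public\\", "\\downloads\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Parents that legitimately start a browser; anything else is worth a look.
EXPECTED_BROWSER_PARENTS = BROWSERS | {"explorer.exe", "userinit.exe",
                                       "cmd.exe", "powershell.exe"}


def _base(path):
    return ntpath.basename(path.lower())


def _dir(path):
    return ntpath.dirname(path.lower())


def in_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def in_program_files(path):
    return path.lower().startswith(PROGRAM_FILES)


def evaluate(events):
    """Return one hit dict per (rule, event) pair that fires."""
    hits = []

    def hit(rule, ev):
        hits.append({"rule": rule, "image": ev["image"], "parent": ev["parent"]})

    for ev in events:
        image, parent = ev["image"], ev["parent"]
        # Rule 1: a system-binary name (svchost.exe) outside System32/SysWOW64.
        if _base(image) in SYSTEM_NAMES and _dir(image) not in SYSTEM_DIRS:
            hit("system_binary_name_outside_system_dir", ev)
        # Rule 2: a browser spawning an executable from a user-writable path.
        if _base(parent) in BROWSERS and in_user_writable(image):
            hit("browser_spawned_exe_from_user_writable_path", ev)
        # Rule 3: a process running from Temp/AppData launching something it
        # has just placed under Program Files.
        if in_user_writable(parent) and in_program_files(image):
            hit("user_writable_parent_launched_program_files_exe", ev)
        # Rule 4: a browser started by a parent that is not a browser, the
        # shell or a command interpreter (DesktopLayer.exe -> iexplore.exe).
        if _base(image) in BROWSERS and _base(parent) not in EXPECTED_BROWSER_PARENTS:
            hit("browser_launched_by_unexpected_parent", ev)
    return hits


if __name__ == "__main__":
    for h in evaluate(EVENTS):
        print(f"{h['rule']:<48} {h['image']}  (parent: {h['parent']})")
```

Rule 1 is the cheapest and most robust of the four: the dropped binary borrows the name of a system process but cannot borrow its directory, so the directory check alone separates it from the benign control. Rules 2 to 4 follow the chain hop by hop, and the same image typically fires more than one of them, which is useful for ranking alerts.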
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7cce0dbec5e0f1a5fc19cd10d13110cc
SHA1: 1cdaf392e7827578e78483c47ee0f97c66c3afd2
SHA256: 18e55fe918df3802f5ab03071c23caeeb08b2a34e7f69b00669b4fbb8adbc72f
SHA512: 62eb7308c38ee320101222fae4362d3a595eecd5658961d0e34df8ca687ce01c734ff6603d79d3d0b88ae73c738309d04aff9d3de9cba3f57026d43ab6bfd6ba
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f92ed915daadc60d9aa4de5f416f9fb6
SHA1: 04b97bcb8b823bcc3246ddca2eb4645218e8e2f7
SHA256: e63a024d0b607dcea40d53cfd11214ba344b2ff23d1451d754b5a5af0f9d6338
SHA512: d5762084a04f0b55a2634395ce8aa67befbbb2f64b30b572a82c44f95727cc8d976112a75dc1116cc11656dc601432bba421d37e1275906dfe46f2568533045b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6883521089e776bfc3ad68b45cf40393
SHA1: 738811e869a33b9802409c38b9deff1cfd17d03e
SHA256: 88750f064fe8292c5e30fa6d672472de3ae2b086feea017c0c0b99e5db3f1047
SHA512: 1f2bf6f2c1f025c76e150fd3cc9d653ddd6bca32cbea169896c36206655005190b3f6a1ae740063bbe2c1a7a7d2b0222c8cc999d0a98029f240913c150d08322
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9f7964e186c70f8f532e868fdbc1883b
SHA1: 628a222aeb354e5e7bf1c4ba72e4a1580cf7df8a
SHA256: fd7048199ddcdd174a248882ba9660fef589bde3b35339053b2f30f3bea74804
SHA512: 81dab340ea8ea3d341020249d78b11becf8471199ef2c845e72ec4f3331f173a5c63dd3b069dead3ecdd458ba990f34faa399bc3588099133988830a6eabf45c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5c9c76b7c363104f71abb5a43e1c7fe5
SHA1: c981c3cd733a1146f3a1bbc4c2527603b1156119
SHA256: 6aca4ee9010bd2c42658f1941547175058ac74e9990c4b535d91c6bbe30af56c
SHA512: e5a8c1f297ec66c10a7a11e9efd96468a0eb9e3fee316d71989bf4a9e2bfe2ae959fcaaf1904c09dc260adad9c75deee953e705b9177937ad7c22c63535537c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9e4f3547665f55c227b26a315123ebde
SHA1: fb3dee4c9ed7acb55ece2149ce319fb7bd3c3e9b
SHA256: 25f53d44c4d52a145a55c402f587bbaa6586934ebdc7b008954a70569f32e678
SHA512: c17ec670ee052a33db4df34073f361dca52863cf749e192db6de172df19cb26458ec2719e60dd9d182d5ecee4a005d1b007bceeca2cde7741a18dbac3efed447
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a5e890b6e003d8c78dfbef21f9f88d03
SHA1: 6ac2642c8524f8e8e0b33526fc611b7a0d2a2954
SHA256: 341a6bc2e7a2a33223ee803dd8b90aa0bec2ca61c6e250d812902728447bd701
SHA512: fd10f1b4723a50c32bc272b7aec15f2b365a926ba3fde6c82a2880560f57f1158648eea9567da9c8d6397934a1c1e1fa219c5abb7116b68fd727f804700e0164
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9567e797d45c7579f0857bd338a58bf6
SHA1: 7be165c0d9ea898a160c91ae18dbd939ada22323
SHA256: cf7b7a88be085ac352b7870d8f7980300e53b6f43a207ce69e7696a4843f8db0
SHA512: b45d14f34caa7970a96c737a5e5d791930b7c936835f37bedbe719090d377a316e9c7d3748ae9b9e6b535de0f3da20ab6dd38a27ad41b29abb591a473ef8f5b4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f69cea1895390961da331a1d554bfe5e
SHA1: 6603bfc40c6c88d03338206bdc236f578d1aa90c
SHA256: 3b6b981c06d04320fd7247c61b9ecc12a7e7ddf9a15446772e5ee1b75a13e7cb
SHA512: fd15257173cde4060d09c6a746ac115c038e7078342df503b47994d42fad359f46382965eafe72fdcdf6ddc4838588ff21d531caae8263154d16612a090e65ef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d5e10f3a9925e76e863f44f1cc8701a9
SHA1: dc62c56a721c9b755343428a3a52c2805b2853da
SHA256: 73b574974adf9675727b58c762033792a2d3870e6b4b659c500acf79dc47195a
SHA512: 70224bc05571364a8ffc3c46b871836d35124c4b69e77e1e260ae5eccf0356f9df3035cdabe43639525b0f58a2693474ac85422d571d8b16f841dfb8f2d95a35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 99e190792c200d22e6b18816968968a7
SHA1: 750a39f71fc7925bbd369df7391f00f9bd2cda46
SHA256: e60a92234214c6f7c010417065bb6c42a819b236cca16532e0f371a984adaafd
SHA512: 6cf94abdadfed61823c8e564b19e207f403d697cef91dedb4a638e144e673a60e1e0bbef2ab49f4f3e0318f8144c58c35f37b4424dbc727ed257b0b69f8c14dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ca0fdc4472d808626841fb062f7f6ce0
SHA1: 52fad6412f2a27267d7072500153b3bda510fad0
SHA256: f455a25bee3558cc8e48bc00c3ab80b7c8323d667515196b3c4ef97cafcac664
SHA512: 207e33ececae533767228c347d2e05c5862bf56e0a24a1007c26c3ba11a0c291a51b61e18608ce71aa322654279707e3f3a1e41852435b550019e8892a40a7c2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2b4b99ff201c9ecd4ef225672aec6ee5
SHA1: 8bc2a7dd7d41001f06ba5a2801a66244f7e205a0
SHA256: b5f852cab9ced4ec979888b4d44188468bfe1f03003204d11e4db7dcd1ac03d6
SHA512: 4bed924d7f7a2025bb06e29a381c523fe856d56e3da3a5d6ae17955ac4e174f331bd005dc167b4ac1afca82f03742e304c8c2d7cb69b07ec14a4f4d5311f1396
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 36b77c315c5bd0523c7a744d8a7ef946
SHA1: 2cf0762e8b588eeab2c077375dac508cc199ef47
SHA256: 02908304b574154d5e51a49fa2e582350fb0d0eb0880d27fd6fb3095e7b6d0d5
SHA512: 36d2163d9e939f807c1beece8191130b75d74eacc2613bbabc14aa37fbd4a18bf27d7cd3a2f37716266298b7c2649f1ec4949e595283614d72e699666d0c2149
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8cbee740df556153a1aac6934daf045a
SHA1: a640ffc96b48ab9f07084cfec13cb74df14b57c9
SHA256: f0c93d316ab5ad910ab6581eb74ef399b94f07aca54b2e190dfa9a61cdd11561
SHA512: 966daf6fe2f949fc890fdccc89ad000fe9fa3f4e4ce8ad2ae8eb512d8ae874c5394b197c06aa02b6859b2b1f05b968fef3c6d4b65ce579118eabbe2251b1a1ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: cb1f95c63aac65dd3162b6b1ef0f12ba
SHA1: 4e17f40e8d57866ce9ac38c69f589ff308bfc49a
SHA256: f45ff434f136d8e442a28c5af68050d92ab0408bf7f2b21b4a397fc832c9bae4
SHA512: 057d397ceb5a5aa314a552d47513cb6241788ec25eabf161fab3799376d94bc6530b93abe4c34ba9a544b5473fe5042910b7e9f1da05818f029ff0f6467cf011
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4b24e29ce4aac6ceedb3381fd35af52c
SHA1: c823cd4bad5c8bc645cec4280531d5511d302be3
SHA256: eab19808d235b9262a54f95cc29286c9e873ffa6e93ab7b95122aedc45e200f9
SHA512: 6e17131d56d5de7f71e3ac97a99150e11dfb2e9c8d59934152a21ef477c9b9b2b74c3959bb7218b9fef9f8eacd721a02fefe50276de262275199290ea7086a50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 02164c88c6f55fe9dbe9dc1052923111
SHA1: 7f4bb82faaa61c446c9297d5365724ccf1824b78
SHA256: a7065f58f6f68e5984e2779680134169087e2bfda3ce26d5aafd9769f53da6bb
SHA512: 064a65102e4b0cb5a01d1addae91571a0e4c09cc858d3d18d4052100c143d8f9b97c26b332e3218a592497740deda64b0825314edf863f35015f80cbbb57b376
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1591b3ec63ebb8c86d406ce9281e02d0
SHA1: 0081c79e784f5ebcddc9808ec018f2088a2ed47a
SHA256: c03fd66120dd01b93174086cbef9a9fd13c405796f697df45f9a1da791d2bc44
SHA512: c289d10f5723d09398c1a38f78a02a49e7725780d75e26b4b4800adc834c5c3914041a19afe59ee081c521e279ad78fe2f6a71e464cfd66053d429a8e1bfe86e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0fdbe62020d830e1fad9a3a343b6effb
SHA1: 535c54118977fabc65dffc5b9659e6fafe6a1066
SHA256: d98bfda90334933429c5406e3c1007c8782e3c1df13fdeb1cb8ff8ef0da9537e
SHA512: 76ab0eecfd10c2bf2dfaae82a95e4e180ffaf5897b02e2f8d470e33a292bbbaea5fae036415865ff436faee5c697f10a183c044bd8256197e3a1a241b79bebe3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9011b7f8461cd209b205c54172e8a4cb
SHA1: 16880e55307b344c2d78f0dc9ff36a08eb4e2b98
SHA256: 6ef91a181b3f5be9e1f0325b8c983eb35e9ca556b131f35cafc614e9460897b9
SHA512: bf1f671dfd0b62f3a382c2b6d98683d4f92faaad104e8dbeeafd0b2e9977e94963b009c3322e791a93ea748543b2758be1d6df3c9a5ee24f2983f74d0a599773
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FY3LN490\swflash[1].cab
Filesize: 225KB
MD5: b3e138191eeca0adcc05cb90bb4c76ff
SHA1: 2d83b50b5992540e2150dfcaddd10f7c67633d2c
SHA256: eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b
SHA512: 82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4
-
C:\Users\Admin\AppData\Local\Temp\Cab1528.tmp
Filesize: 67KB
MD5: 2d3dcf90f6c99f47e7593ea250c9e749
SHA1: 51be82be4a272669983313565b4940d4b1385237
SHA256: 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512: 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5
-
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf
Filesize: 218B
MD5: 60c0b6143a14467a24e31e887954763f
SHA1: 77644b4640740ac85fbb201dbc14e5dccdad33ed
SHA256: 97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58
SHA512: 7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f
-
C:\Users\Admin\AppData\Local\Temp\Tar17CE.tmp
Filesize: 160KB
MD5: 7186ad693b8ad9444401bd9bcd2217c2
SHA1: 5c28ca10a650f6026b0df4737078fa4197f3bac1
SHA256: 9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed
SHA512: 135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b
-
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Filesize: 757KB
MD5: 47f240e7f969bc507334f79b42b3b718
SHA1: 8ec5c3294b3854a32636529d73a5f070d5bcf627
SHA256: c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11
SHA512: 10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161
-
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize: 83KB
MD5: c5c99988728c550282ae76270b649ea1
SHA1: 113e8ff0910f393a41d5e63d43ec3653984c63d6
SHA256: d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3
SHA512: 66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d
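Two items in the list above are the ones worth carrying as file-hash indicators: the svchost.exe dropped into Temp and the FP_AX_CAB_INSTALLER64.exe extracted under ICD1.tmp. The twenty-one CryptnetUrlCache\MetaData entries at the same path are Windows' CryptoAPI network-retrieval cache (CRL, OCSP and AIA fetches) being rewritten during the run, so hashing them as indicators only produces false positives. The script below is an added example, not part of the sandbox report or its tooling: it computes the four digests the report lists for a file on disk and matches them against a table copied from the two entries above, treating an MD5-only or SHA-1-only agreement as unconfirmed because both of those functions are collision-broken.

```python
"""Hash a file with the four algorithms the report lists and match it
against the dropped-executable entries from the Downloads section.

Added example, not part of the sandbox report. IOC_TABLE values are copied
from the report's list above; the table layout and the "confirmed" rule
(require a SHA-2 digest to agree) are mine.
"""
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Copied from the report's Downloads list (the two dropped executables only).
IOC_TABLE = {
    "svchost.exe": {
        "path": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
        "md5": "c5c99988728c550282ae76270b649ea1",
        "sha1": "113e8ff0910f393a41d5e63d43ec3653984c63d6",
        "sha256": "d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3",
        "sha512": "66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031"
                  "490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d",
    },
    "FP_AX_CAB_INSTALLER64.exe": {
        "path": r"\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe",
        "md5": "47f240e7f969bc507334f79b42b3b718",
        "sha1": "8ec5c3294b3854a32636529d73a5f070d5bcf627",
        "sha256": "c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11",
        "sha512": "10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c"
                  "4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161",
    },
}


def digest_bytes(data: bytes) -> dict:
    """All four digests of an in-memory buffer, keyed by algorithm name."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def digest_file(path, chunk_size=1 << 20) -> dict:
    """Same as digest_bytes but streamed, so large files are read once."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_iocs(digests: dict, table=IOC_TABLE) -> list:
    """Return one hit per table entry that shares at least one digest.

    Each hit carries the algorithms that agreed. A hit is only "confirmed"
    when SHA-256 or SHA-512 agrees: MD5 and SHA-1 collisions are practical,
    so a match on those alone is a lead, not an identification.
    """
    hits = []
    for name, ioc in table.items():
        agree = [a for a in ALGOS
                 if a in ioc and digests.get(a, "").lower() == ioc[a].lower()]
        if agree:
            hits.append({"name": name, "algorithms": agree,
                         "confirmed": bool({"sha256", "sha512"} & set(agree))})
    return hits


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        for hit in match_iocs(digest_file(path)):
            status = "CONFIRMED" if hit["confirmed"] else "unconfirmed"
            print(f"{path}: {hit['name']} ({status}, via {', '.join(hit['algorithms'])})")
```

Run it as `python ioc_match.py <file>...`; a file that agrees on all four digests prints as confirmed, one that agrees only on MD5 prints as unconfirmed and should be treated as something to look at rather than an identification.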
-
memory/632-173-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB
-
memory/2004-273-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB
-
memory/2140-219-0x0000000076C20000-0x0000000076D1A000-memory.dmp
Filesize: 1000KB
-
memory/2140-218-0x0000000076D20000-0x0000000076E3F000-memory.dmp
Filesize: 1.1MB
-
memory/2404-148-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB
-
memory/2404-129-0x0000000000250000-0x0000000000251000-memory.dmp
Filesize: 4KB
-
memory/2404-130-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB
-
memory/2672-17-0x0000000000240000-0x0000000000241000-memory.dmp
Filesize: 4KB
-
memory/2672-19-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB
-
memory/2672-15-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB
-
memory/2772-7-0x0000000000400000-0x0000000000435000-memory.dmp
Filesize: 212KB
-
memory/2772-8-0x00000000003B0000-0x00000000003BF000-memory.dmp
Filesize: 60KB
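The dump names above encode the PID, a sequence number and the dumped address range, so the list can be grouped by range without opening a single dump. Doing that shows the 0x400000-0x435000 region (0x35000 bytes, the report's 212KB) dumped from five different processes; 0x400000 is the default image base of a 32-bit PE, and an identical base and size across processes carrying two different executable names is the first thing to check for being the same image, by comparing the dumps' PE headers or hashes. The script below is an added example, not part of the report or its tooling: DUMPS is copied from the entries above, the name pattern is read off those entries, and the size formatting mirrors the report's (KB below 1 MiB, one decimal of MB above), which is an assumption checked only against the five sizes the report shows.

```python
"""Group sandbox memory dumps by address range to find shared regions.

Added example, not part of the sandbox report. DUMPS is copied from the
memory entries above; the name layout
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is read off those entries,
and human_size() mirrors the report's own size formatting (assumed).
"""
import re
from collections import defaultdict

# Copied from the report's memory entries above.
DUMPS = """
memory/632-173-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2004-273-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2140-219-0x0000000076C20000-0x0000000076D1A000-memory.dmp
memory/2140-218-0x0000000076D20000-0x0000000076E3F000-memory.dmp
memory/2404-148-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2404-129-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2404-130-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2672-17-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2672-19-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2672-15-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2772-7-0x0000000000400000-0x0000000000435000-memory.dmp
memory/2772-8-0x00000000003B0000-0x00000000003BF000-memory.dmp
"""

NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump_name(name: str) -> dict:
    """Split one dump name into pid, seq, start, end and size (bytes)."""
    m = NAME_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Report-style size: whole KB below 1 MiB, one decimal of MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def group_by_region(names) -> dict:
    """Map (start, end) -> sorted unique PIDs that had a dump of that range."""
    regions = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        regions[(d["start"], d["end"])].add(d["pid"])
    return {k: sorted(v) for k, v in regions.items()}


def shared_regions(names, min_pids=2) -> list:
    """Regions dumped from at least min_pids processes, most shared first."""
    grouped = group_by_region(names)
    return sorted(((k, v) for k, v in grouped.items() if len(v) >= min_pids),
                  key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    for (start, end), pids in shared_regions(DUMPS.split()):
        print(f"0x{start:08X}-0x{end:08X} ({human_size(end - start)}): PIDs {pids}")
```

Running it on the list above prints a single shared region, 0x00400000-0x00435000 (212KB) in PIDs 632, 2004, 2404, 2672 and 2772; the two regions in PID 2140 and the small 4KB and 60KB ranges are each seen in one process only.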