481ee6a2f90c62160e6bc756167b19244b60c2b449032174247483b26edbfac1

Analysis

max time kernel
138s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Size

20KB
MD5

00a7dfedc55b85f394dd907a8f9ffa15
SHA1

5d85ea259ddd65c0aac0d7960044b1f386714bf7
SHA256

481ee6a2f90c62160e6bc756167b19244b60c2b449032174247483b26edbfac1
SHA512

b2282b567056be605eb7705fa4fbd02145cb58afbaa428bd7721c1ff1b80390b3ba71a13c517576b861c39f5977d1a024aca0be0c9f4b89608f9a8ee6387b83f
SSDEEP

384:4m8w7O2vD/stps+Vf1zqehd7LL8jqNCIz+G6AVJxzQSXJQzI52:4Vw7O28pDt1zHjnLj4WB6lzU2

Score

8^/10

persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 60 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDOCTOR.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDOCTOR.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE\Debugger = "C:\\Windows\\system32\\1EXPL0RE.EXE"	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\Y:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\Z:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\N:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\O:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\S:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\V:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\G:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\H:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\L:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\T:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\U:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\I:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\K:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\M:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\Q:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\W:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\E:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\J:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\P:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened (read-only)	\??\R:	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File created	C:\AUTORUN.INF	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File created	F:\AUTORUN.INF	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\1EXPL0RE.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bthc1.dll	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bthc1.dll	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\1EXPL0RE.EXE	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70fd10564656c401	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1927281436"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003b2436e1fa201941b74b96390b2eaacb00000000020000000000106600000001000020000000785ba70e7507ebe322fe892359cef06702bc63d28011ed2166e8fb82cd05843b000000000e8000000002000020000000cf0d5d0562831715731959adb602550823d7db13a6bb1569ff2cb6adcdcf145a90000000ab58d0845ee81e3354aea98bd81b85e77832f8bf22b3b77eb880ba529531d751a31f556022ecc2f5e35333594e40e40eb9b3ffaf8d1207117e13fb58ba8b8fc23ca703355a8eb5d7678880e2cc6e14d52d30508c8f7eb1239bd7d445b3ce958cfc2a4526ab54fd6199c12ca447511ce2403c9552a77062bfd497ce22d7952a4a4111fddd8b1ff10b40feff22cf16e2d1400000000c53564e980492ebc43e40518dcb8bbf02f429f204a3a47444432ef3047bfe5b1b9a18bb619bc5c6451235ea0ab6e79b5f50d6cc392ccebb43b749b03887431d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81676901-C239-11D8-820F-FE0070C7CB2B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003b2436e1fa201941b74b96390b2eaacb00000000020000000000106600000001000020000000612259a04464df72f5bb602ba6c14854497cc454c7d159cce161af5348c66815000000000e80000000020000200000000803c7ec89b5af2546482efefb59947bb0c2a4b1370a7c9b53d9f6a0f263f02620000000fc77ec9c26b4b07737bfd04e4dab0cb2c9cf8415acf162cd3092cac8be608b7440000000def7ba0e10841a7ea249ad6b562d8a34b70611e7abf05d6423fa26b0344799f5cc247bd8b71c93722982896d3dc7d933c85dc39196bb35e66c0700f79eaa3505	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
328	IEXPLORE.EXE
328	IEXPLORE.EXE
328	IEXPLORE.EXE
328	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1884	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	28
PID 2068 wrote to memory of 1884	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	28
PID 2068 wrote to memory of 1884	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	28
PID 2068 wrote to memory of 1884	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	28
PID 1884 wrote to memory of 1448	1884	cmd.exe	30
PID 1884 wrote to memory of 1448	1884	cmd.exe	30
PID 1884 wrote to memory of 1448	1884	cmd.exe	30
PID 1884 wrote to memory of 1448	1884	cmd.exe	30
PID 1448 wrote to memory of 2104	1448	net.exe	31
PID 1448 wrote to memory of 2104	1448	net.exe	31
PID 1448 wrote to memory of 2104	1448	net.exe	31
PID 1448 wrote to memory of 2104	1448	net.exe	31
PID 2068 wrote to memory of 2708	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2708	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2708	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	32
PID 2068 wrote to memory of 2708	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2836	2708	cmd.exe	34
PID 2708 wrote to memory of 2836	2708	cmd.exe	34
PID 2708 wrote to memory of 2836	2708	cmd.exe	34
PID 2708 wrote to memory of 2836	2708	cmd.exe	34
PID 2836 wrote to memory of 3012	2836	net.exe	35
PID 2836 wrote to memory of 3012	2836	net.exe	35
PID 2836 wrote to memory of 3012	2836	net.exe	35
PID 2836 wrote to memory of 3012	2836	net.exe	35
PID 2068 wrote to memory of 2328	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	36
PID 2068 wrote to memory of 2328	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	36
PID 2068 wrote to memory of 2328	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	36
PID 2068 wrote to memory of 2328	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	36
PID 2328 wrote to memory of 2656	2328	cmd.exe	38
PID 2328 wrote to memory of 2656	2328	cmd.exe	38
PID 2328 wrote to memory of 2656	2328	cmd.exe	38
PID 2328 wrote to memory of 2656	2328	cmd.exe	38
PID 2656 wrote to memory of 2720	2656	net.exe	39
PID 2656 wrote to memory of 2720	2656	net.exe	39
PID 2656 wrote to memory of 2720	2656	net.exe	39
PID 2656 wrote to memory of 2720	2656	net.exe	39
PID 2068 wrote to memory of 2736	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	40
PID 2068 wrote to memory of 2736	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	40
PID 2068 wrote to memory of 2736	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	40
PID 2068 wrote to memory of 2736	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	40
PID 2736 wrote to memory of 2752	2736	cmd.exe	42
PID 2736 wrote to memory of 2752	2736	cmd.exe	42
PID 2736 wrote to memory of 2752	2736	cmd.exe	42
PID 2736 wrote to memory of 2752	2736	cmd.exe	42
PID 2752 wrote to memory of 2724	2752	net.exe	43
PID 2752 wrote to memory of 2724	2752	net.exe	43
PID 2752 wrote to memory of 2724	2752	net.exe	43
PID 2752 wrote to memory of 2724	2752	net.exe	43
PID 2068 wrote to memory of 2684	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	44
PID 2068 wrote to memory of 2684	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	44
PID 2068 wrote to memory of 2684	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	44
PID 2068 wrote to memory of 2684	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	44
PID 2684 wrote to memory of 2240	2684	cmd.exe	46
PID 2684 wrote to memory of 2240	2684	cmd.exe	46
PID 2684 wrote to memory of 2240	2684	cmd.exe	46
PID 2684 wrote to memory of 2240	2684	cmd.exe	46
PID 2240 wrote to memory of 2804	2240	net.exe	47
PID 2240 wrote to memory of 2804	2240	net.exe	47
PID 2240 wrote to memory of 2804	2240	net.exe	47
PID 2240 wrote to memory of 2804	2240	net.exe	47
PID 2068 wrote to memory of 2644	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	48
PID 2068 wrote to memory of 2644	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	48
PID 2068 wrote to memory of 2644	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	48
PID 2068 wrote to memory of 2644	2068	00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe	48

C:\Users\Admin\AppData\Local\Temp\00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00a7dfedc55b85f394dd907a8f9ffa15_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop McShield
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\net.exe
    net stop McShield
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield
      4⤵
      PID:2104
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KWhatchsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\net.exe
    net stop KWhatchsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KWhatchsvc
      4⤵
      PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KPfwSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\net.exe
    net stop KPfwSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KPfwSvc
      4⤵
      PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "McAfee Framework ·þÎñ"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\net.exe
    net stop "McAfee Framework ·þÎñ"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
      4⤵
      PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Norton AntiVirus Server"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\net.exe
    net stop "Norton AntiVirus Server"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Norton AntiVirus Server"
      4⤵
      PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop DefWatch
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\net.exe
    net stop DefWatch
    3⤵
    PID:2820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DefWatch
      4⤵
      PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus Client"
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus Client"
    3⤵
    PID:2868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus Client"
      4⤵
      PID:2664
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
  2⤵
  PID:1288
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  PID:2596
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  PID:2824
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  PID:2884
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
  2⤵
  PID:1948
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  PID:1344
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  PID:944
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  PID:2208
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.baiduoo.com/tj.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2200
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1072
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2200 CREDAT:406547 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:328
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AUTORUN.INF

Filesize
143B

MD5
06681241a4edbc760641b7a5654f7237

SHA1
ed06b57ab502a01ad3db9847d385ff4bb25c47e6

SHA256
cd40a37b11be27b97b1d41bc09d0946db59c2e699eec7b61d112b09b301a739b

SHA512
b7c67aeb77e28001ebec71865ba56fbfa4b279d45678f1e527528ffa0b8cfb8cedbac233ce89ab4e382495eb7c97925abcfc32ed70c82e341a0e0a993caa0a5d

Download Submit
C:\MSDN.pif

Filesize
20KB

MD5
00a7dfedc55b85f394dd907a8f9ffa15

SHA1
5d85ea259ddd65c0aac0d7960044b1f386714bf7

SHA256
481ee6a2f90c62160e6bc756167b19244b60c2b449032174247483b26edbfac1

SHA512
b2282b567056be605eb7705fa4fbd02145cb58afbaa428bd7721c1ff1b80390b3ba71a13c517576b861c39f5977d1a024aca0be0c9f4b89608f9a8ee6387b83f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecf77a5d13e65fe1eff0d513fcea2af0

SHA1
52110f0b298bc9b488d2985bb81edfed2a03180b

SHA256
1bd8fbb6dced57fd0fae737443ce962207c28441734dbc8a20ce1048ed0b5577

SHA512
c3de9ea69f4aebb3a660ff13f814501ea6e833600778127cd9f50192f0b6a9ded9902d44f0463d582ea7de57ecf4ee7eb068f4569e63b8abe9755aba1e75e567

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaf6d50fe8556c027885ce486b643193

SHA1
2bd63062aa118348fa0c36321e47fcd8d05cef74

SHA256
c7728c91c3a51ab5a33e76d52f1238a5d8a4c98aa20aefc82cc13a04c4fe86a5

SHA512
9f55ca2504533e960a59cc9ad130e9a8d8ec8ce3d236c7ea788b0dc5750fe325e2c908daab6894cf0e681ff5ca72d981cf9a2df2850ee1c9d61ebe77ba9e9169

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce456fbaad4a4c6c2966c0ffe6c1f35e

SHA1
c669b36506f9960fcf82e357774d4225becd250d

SHA256
0bc283b1a4f4cb9b2196344fb6a69dee38ed324b039eb0e75facae9bcb17e437

SHA512
10034f31d28289eb98c9fcd668299a5ba0f7f099d7151012c61f6dfdd8b0b0dfce3f55ac09e5339e33e1e7eeab74741a6559087b56101edc6590bf85e3aa901c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad4f237aeab6c8d877e17f00f052fd5b

SHA1
57f018f0f181deba74fbf53c04cf69b13eb672e9

SHA256
0ed8cfa760a8044e3dd4a00306296dc72a4dc64d40c31c20d01fa6c2e39ea6f4

SHA512
e2d72fad3245b962fcb670fc52e321c8dba7211e6c56a2c7e989f4881fbb4a039788e629f71349c206d53f69d921059af1d93d8665fafaab26ba7427f8af11ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff5976c0ef4bb452cde4993ceb88baff

SHA1
01ccbe6bbc9e8d564f8a17b416c4ace4dedcb7aa

SHA256
ec2cfaf275a3b4e0ae5ac27010c2746d151bddf640b6c48f07eb292d9d0ac042

SHA512
0cb2be2a23f4653bd50d7473097deeb647ba671d0edf11d4d50af4deabc44bf27d4a98253d2c8acf47460ebeb4cd2dd1d2fb2b0b80c3159ed1d640472553c38c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d5f71ec5168af8024b810b90cf41f0c

SHA1
8b1c6fc84265659fe523f973efcd5cb758beade5

SHA256
7a8b32a9bd1276d82471d259ab25478df0a94f76a769be47af5e424ba47e425e

SHA512
99e7968a0a16cef47b34dc9fdc4ce790fe2d7c0a95f63c1af6b0057962fbd77692ef10847badfdbee22a535f79489e11d4981c9c5aa74b82d1a03f7141d4687e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a1b03d212218e30b23998112980da8f

SHA1
bf51eab51c1e7e0de070511e9438ed63c1488f01

SHA256
72a8217c120cdde7234deddcdff5ec1e6522429b54d5b38ad359885fa8d7e961

SHA512
bdc81689f395787579444e8d7c3e27a20f15e4c28dcc940857a1ab0046d4817615222ca2952934893b1231d1ffbda758e51bf38a19093312b9bb29f124639c5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bbef346e87170ef7807da38a51ede43

SHA1
114cca8adfc2698f1932b3aa63be998b0dc2a125

SHA256
1142b6615e344f4676c22b41b2633539bd810b40b3080807d0993ad710c9c7e6

SHA512
16900423043b292d1ca151c2821ab5c491a2918843940d36755c0d0b72f0af403efb5a96ff114ef55f5750584b802b5172103c27fcad29dfcbc4af8b3f352d09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1d629ef8865ca65df9ac78cfbaf0e2b

SHA1
1f61fa85db324278222c77fbc65d298a64d3f043

SHA256
e957a8968820f0d1c1bc229c4f1045ae735095b42f1522dc0818f52ab9e5ebeb

SHA512
44db6ded8011c76a5907aef5a3a355eab371621631dd4a64f919bb71c4309517bd0b41fc7e3d3f3bff7e61729ddc576748b40827bb7e58860f2159edff26929f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36af1fa3847d40c9bca1c9b44643f151

SHA1
95054415a1cd7df9867d81c2167d69c07f7c51b2

SHA256
ada3a23db04bc06c5fafd8340ae34a20a76685fbc2bf7590bd58478e4a4aa287

SHA512
d9fd93aeb9c310db06cfd05005601b78bfc9ccd53ccf19182e472d0c53f129de13013a86c08cdeef23f595484eb6e08728a6a6acb3dc9bd1117df307e453cf07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfb32df90cd0d4495a41eb8cbb4e3cfa

SHA1
88b42cc02d55962c2a520f9a8bd1cd21921272ba

SHA256
7b3a181c79d66475428c06cb27b533516d9c2ce625cb2f863b21f02ff796679d

SHA512
05df6d3a7c702d1ea0f52e44ba9fcbcb8aee45d68dac2ac46db1be9ec7766309bbdba10609d1f5f8cdfd5dcf3e071a25f9ba485928b078f26f84764a0cf03042

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83155219f4da16ad586bebe9d3603ea3

SHA1
88085f63f1d6c04c9bbacd81f2741764acaab134

SHA256
44b9c071bcfe0c62805f1745a2254296901eb7dccd8d6c314b9d84d279c32eda

SHA512
934fde736d869cd68c7abd385f25c25b3d2b145b238a21fc47cd8bb4c75426985d6e2d2509da6530e5c3151fd477600040ea53f75242a2dabce2ef8b4d2c406e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e40285b4cff39c0409ed966a46f37863

SHA1
237b6513a3f2455d414422fa73fe4aa133b19248

SHA256
ac0defba8f3c1e2053846320a8075c8c0860979f370f22ecc50ac44658cef7a7

SHA512
7ec750e8aacde2babec07e4d26fc33acb6ef5f888fd1c28607ce593024da84bd4289784084166c16a9931ae107e4a371114eb0230bca39eecae7884b7d93ad54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
947b2c60326d12fc9cc58a792f06eac5

SHA1
6ca615c41703cc4558574b82357a7990ea2de15c

SHA256
5fecae23a44951761366c1df59208fad34886f1243f190ce46babbb1fdcd4e6a

SHA512
60d110ff6d16a5be4399e8afa5889796828d765d99054c141ddb8c138155e0a9b72ed9580b63574241d478b8af006ce418132a6b9af7a0c0c4717ff3784d91e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6994e9fbe174034a5c362b680c1e8ff9

SHA1
d40948288738dc11b50715ccd02f8fe7247e66a3

SHA256
3a8041b7b835a749ad0b03951313e07ca8683135cdb55e6f9b16368d98979c54

SHA512
16e0fe3bb50a6ba1de3c06b04a3fbdc14fe0ac0e3e977470af82db10b836831442414ebacf5f985190dd50ff094929b7fbfcf40eb0d4c8535b4b7155a491b14f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c5c804f4220a6f83cdb757411e245e3

SHA1
e1a4aaebece506648b3d26859a799e9b34fb54c6

SHA256
4ce8c84f63be12f594d950c908e0340695b310161bf5a72d3f30db009e0f8292

SHA512
4600b33ab0fb6f9f348525272ec287e7e20d782f90c3eb7dfd018708afd3ceb7e5e8b95b5234cdd97fbbc9ee5464fa36bf1451df56025aa13627ee6ceca03c9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
132be520950194332155d5ff61814eab

SHA1
b2d349d30494c1e070b5c02e7877e4549e4712c7

SHA256
5ac63cab1b94e560c3d279d95d9feae5f5a0e5f28df1f4275e38e200b07753bb

SHA512
651c1754e9357b4c4009ed5d43b21ddfa97951e6fbc30cbd6f1488d22a6eb01d809159f4dfd7f1669db6cfd3182b731d17d81a3471a846305c2ced68014630c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8ffde6687fe8d17fb5c4d2e37a60cd2

SHA1
990319769ade48756997d0fb31c9aaa92f01749b

SHA256
9f1114db00e40b1ae580cc9b48a435aea08d8e3a2eab6a4c2dd560edce08e0a3

SHA512
d7b29b4bfef740feaa30bc210591ed31f0bb1715c45bd5e38522fbf6482db898cffbda698b31b43c57e71f26ef04a103a19e7c15d176a2145b5a86a169a6e61e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d8110f57b4ef64ddcd2c9c809359023

SHA1
3ca634f707f70bffddbe90495e251122a050683d

SHA256
4df7b378e304208d4fab5e547cf9da9a863a8ddb6f73cd7b6a584d28b0d3ff6f

SHA512
7654465a78a19ecbc7308202de7dc29bbe43feddd2c5b5b75b37bc44817659506676062571a95d482139247b0b3f989a9006782bb7612cd31b4810f3a6cb6c5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3cf11ad63988b563e6c397b602d39af

SHA1
d83daa330992a10a7a4ef47b726889a9f882feef

SHA256
d4aeeeb98420695083bb62b73c50a47a4ca539ed473b47a1585744b08e6f59aa

SHA512
d4631a7f30aed1a054672911a89a67912a259c5ca5f2b735170b29ae5a2a45cdbaef5d6cd4ef183fa284aaa3509feb38fcb7d4dcbea14f05bba43ce5be6f6bf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
527ad8d87c2d16a4c4a6790764b12cc5

SHA1
5ebfbb94f44189f53cd798db77a35e7ac09dc4f6

SHA256
8a1306f0d36ce11a965cd4c784cb1951a3adde5b81da98fe1a02d3ec45acd779

SHA512
9eafc8e09acbe6238338abf5f6beb36e6bc06ce9468f570e1e423bcd6fee97884ef19366752f205f28e8c8ac44ae8d1af182a18cb7f1d60cae0626143149c4a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1adbd4eb4134f57fa2e8bbfbbe8164a7

SHA1
7a18a5f6ad8fe5fa357c54c07fa4cda31e3f905e

SHA256
a191267f70719c53294a08e3bb9b24ef9d589d149966507d2d290f661652e449

SHA512
7aa47af7bd69dd3b0dc8127c05f910360094a67577274495e0a38c71f679f1f84b87dabae0b42e5f9d746ea0474de990d614da089e6cbd9c4ebff11afc69e129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf2e82c58dd01321ed941961e1072ced

SHA1
56a523f1ebc47610dd5228208b9408e537255304

SHA256
a16e766dd50967c5649208d8397d455785a284bf2dcf373f630f97b2b37a1d83

SHA512
e6e1655445d0ccba4bc5ee12e1bf0c75246296862772f4ddfa65e26db6ee34caa6de2fcd22b30b1334278d592e9771bd17989a255ed54d389d1fcd781f3f6c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab62FA.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar63AD.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
memory/2068-543-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2068-0-0x0000000013140000-0x0000000013159000-memory.dmp

Filesize
100KB

Download
memory/2068-221-0x0000000013140000-0x0000000013159000-memory.dmp

Filesize
100KB

Download
memory/2068-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download