a023b4335471a19fe8a03ee731919ca0f6f33886519cc85f70786b0f6b218fea

Analysis

max time kernel
145s
max time network
128s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
Size

100KB
MD5

21888ffc59ac8fca15b8168412f78524
SHA1

867b3d38f5edcaaf0986318e76e31d0fd659e3be
SHA256

a023b4335471a19fe8a03ee731919ca0f6f33886519cc85f70786b0f6b218fea
SHA512

7ec454a313463837dbc9e8ae6333623780c770e868a06c1e1f0d1cea176574554dc6a5d42d9449b9a901d13e75060831bd2a99e546f88a3d0304d228e258b1e4
SSDEEP

1536:/ez+KShbWG1oMQzkPEGF329Cfpe6AYJ0AYUPhO+K+tGY48WQ:lYG1oMQzkPEGF329/YJNdPfWQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2000	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
2572	29.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe

Unexpected DNS network traffic destination 12 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	122.227.164.149
Destination IP	210.83.80.78
Destination IP	122.227.164.149
Destination IP	122.227.164.149
Destination IP	210.83.80.78
Destination IP	122.227.164.149
Destination IP	210.83.80.78
Destination IP	210.83.80.78
Destination IP	210.83.80.78
Destination IP	122.227.164.149
Destination IP	122.227.164.149
Destination IP	210.83.80.78

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\29.exe	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
File opened for modification	C:\Program Files\gb.ico	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2572	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E1756521-390D-11EF-AD12-DE87C8C490F0} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f6e33b3a9623774aa9769eee88571cbf0000000002000000000010660000000100002000000087a06ba3c1ae46784fcddfcd578b3eee4022b124b711185a2c3a2108614ca74c000000000e800000000200002000000079e8627af39a748131bd51193bf761026e03789688510a86a61fa15d1646891690000000116a799431da1a7f3e7dbb5feef359444330d5908416110f94610fd4488e4807ce93b58ea61cc37237a936801d86c4b07389255a338aa213cc4cf305ef8ed14569ea76bde6b4832f5704f07db45cad08b31787069e4aae021054257739e6375e2741026da1297bccaa12f40a365ce7a902ad2742fa2ee17730fc34727e35d79bfc2e7b7cd96ac8fd86a1b33e7d72c0a540000000933f3c2eb5d5016667c0e79968651c4dd4deb4f8593201c681c8bc99388770895dc3819b05ce3b335a4c85287f8ee3806e550f6bfd3428040e527c08a7b1c675	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E18AD181-390D-11EF-AD12-DE87C8C490F0} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f6e33b3a9623774aa9769eee88571cbf0000000002000000000010660000000100002000000054335c76b8fa2a77fd77efc2887b013c8c6f35fedcf550b14491ed57e56c271f000000000e8000000002000020000000a491fae96938fcc568b73d0f13986b9ebf823c5b94d0ac7fd7cc6af240fe43eb20000000ab823679761fd1b45428f67135a0ebdb1e5293fd80af96eeda0845553113da6640000000e1505beed00cf107ea4521b1b29232dab6588fe3a9af643d0cec23d28b32052d57fb76cb327df741869a7157a272c0259289bcf75a6432822d7ac70887ffa9ab	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426153592"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40f23aba1acdda01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
2524	IEXPLORE.exe
2544	IEXPLORE.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
2572	29.exe
2524	IEXPLORE.exe
2524	IEXPLORE.exe
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2544	IEXPLORE.exe
2544	IEXPLORE.exe
1792	IEXPLORE.EXE
1792	IEXPLORE.EXE
1792	IEXPLORE.EXE
1792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2188	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2188	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2188	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	29
PID 1728 wrote to memory of 2188	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	29
PID 2188 wrote to memory of 2572	2188	cmd.exe	31
PID 2188 wrote to memory of 2572	2188	cmd.exe	31
PID 2188 wrote to memory of 2572	2188	cmd.exe	31
PID 2188 wrote to memory of 2572	2188	cmd.exe	31
PID 1728 wrote to memory of 2588	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2588	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2588	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2588	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2592	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2592	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2592	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2592	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	33
PID 1728 wrote to memory of 2652	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2652	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2652	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2652	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	35
PID 1728 wrote to memory of 2544	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	37
PID 1728 wrote to memory of 2544	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	37
PID 1728 wrote to memory of 2544	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	37
PID 1728 wrote to memory of 2544	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	37
PID 1728 wrote to memory of 2392	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	39
PID 1728 wrote to memory of 2392	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	39
PID 1728 wrote to memory of 2392	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	39
PID 1728 wrote to memory of 2392	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	39
PID 1728 wrote to memory of 2664	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	41
PID 1728 wrote to memory of 2664	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	41
PID 1728 wrote to memory of 2664	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	41
PID 1728 wrote to memory of 2664	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	41
PID 1728 wrote to memory of 2548	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	43
PID 1728 wrote to memory of 2548	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	43
PID 1728 wrote to memory of 2548	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	43
PID 1728 wrote to memory of 2548	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	43
PID 1728 wrote to memory of 2412	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	45
PID 1728 wrote to memory of 2412	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	45
PID 1728 wrote to memory of 2412	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	45
PID 1728 wrote to memory of 2412	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	45
PID 1728 wrote to memory of 2408	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	47
PID 1728 wrote to memory of 2408	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	47
PID 1728 wrote to memory of 2408	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	47
PID 1728 wrote to memory of 2408	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	47
PID 1728 wrote to memory of 2668	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	49
PID 1728 wrote to memory of 2668	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	49
PID 1728 wrote to memory of 2668	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	49
PID 1728 wrote to memory of 2668	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	49
PID 1728 wrote to memory of 2148	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	51
PID 1728 wrote to memory of 2148	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	51
PID 1728 wrote to memory of 2148	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	51
PID 1728 wrote to memory of 2148	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	51
PID 1728 wrote to memory of 2560	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	53
PID 1728 wrote to memory of 2560	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	53
PID 1728 wrote to memory of 2560	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	53
PID 1728 wrote to memory of 2560	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	53
PID 1728 wrote to memory of 2404	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	54
PID 1728 wrote to memory of 2404	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	54
PID 1728 wrote to memory of 2404	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	54
PID 1728 wrote to memory of 2404	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	54
PID 1728 wrote to memory of 2508	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	57
PID 1728 wrote to memory of 2508	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	57
PID 1728 wrote to memory of 2508	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	57
PID 1728 wrote to memory of 2508	1728	21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe	57

C:\Users\Admin\AppData\Local\Temp\21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ipconfig /all > c:\WINDOWS\Temp\ityw88_9.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:2572
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Intrenet Expolrer.lnk" /e /c /G Everyone:r
  2⤵
  PID:2588
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Intrenet Expolrer.lnk" /e /c /r Administrators
  2⤵
  PID:2592
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Intrenet Expolrer.lnk" /e /c /r System
  2⤵
  PID:2652
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Intrenet Expolrer.lnk" /e /c /r Users
  2⤵
  PID:2544
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Intrenet Expolrer.lnk" /e /c /r "Admin
  2⤵
  PID:2392
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Intrenet Expolrer.lnk" /e /c /r "Authenticated Users"
  2⤵
  PID:2664
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Intrenet Expolrer.lnk" /e /c /r "Power Users"
  2⤵
  PID:2548
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\上网指南.lnk" /e /c /G Everyone:r
  2⤵
  PID:2412
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\上网指南.lnk" /e /c /r Administrators
  2⤵
  PID:2408
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\上网指南.lnk" /e /c /r System
  2⤵
  PID:2668
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\上网指南.lnk" /e /c /r Users
  2⤵
  PID:2148
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\上网指南.lnk" /e /c /r "Admin
  2⤵
  PID:2560
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\上网指南.lnk" /e /c /r "Authenticated Users"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\上网指南.lnk" /e /c /r "Power Users"
  2⤵
  PID:2508
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\精彩小游戏.lnk" /e /c /G Everyone:r
  2⤵
  PID:2936
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\精彩小游戏.lnk" /e /c /r Administrators
  2⤵
  PID:2964
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\精彩小游戏.lnk" /e /c /r System
  2⤵
  PID:2064
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\精彩小游戏.lnk" /e /c /r Users
  2⤵
  PID:2308
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\精彩小游戏.lnk" /e /c /r "Admin
  2⤵
  PID:320
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\精彩小游戏.lnk" /e /c /r "Authenticated Users"
  2⤵
  PID:2044
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\精彩小游戏.lnk" /e /c /r "Power Users"
  2⤵
  PID:2452
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\购物淘宝.lnk" /e /c /G Everyone:r
  2⤵
  PID:2628
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\购物淘宝.lnk" /e /c /r Administrators
  2⤵
  PID:2488
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\购物淘宝.lnk" /e /c /r System
  2⤵
  PID:2820
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\购物淘宝.lnk" /e /c /r Users
  2⤵
  PID:2272
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\购物淘宝.lnk" /e /c /r "Admin
  2⤵
  PID:292
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\购物淘宝.lnk" /e /c /r "Authenticated Users"
  2⤵
  PID:2116
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\购物淘宝.lnk" /e /c /r "Power Users"
  2⤵
  PID:1368
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Program Files\gb.ico" /e /c /G Everyone:r
  2⤵
  PID:2300
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Program Files\gb.ico" /e /c /r Administrators
  2⤵
  PID:1316
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Program Files\gb.ico" /e /c /r System
  2⤵
  PID:1276
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Program Files\gb.ico" /e /c /r Users
  2⤵
  PID:2360
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Program Files\gb.ico" /e /c /r "Admin
  2⤵
  PID:340
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Program Files\gb.ico" /e /c /r "Authenticated Users"
  2⤵
  PID:2028
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Program Files\gb.ico" /e /c /r "Power Users"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\AppData\Local\Temp\21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe" /e /c /G Everyone:r
  2⤵
  PID:2904
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\AppData\Local\Temp\21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe" /e /c /r Administrators
  2⤵
  PID:1540
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\AppData\Local\Temp\21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe" /e /c /r System
  2⤵
  PID:3060
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\AppData\Local\Temp\21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe" /e /c /r Users
  2⤵
  PID:2888
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\AppData\Local\Temp\21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe" /e /c /r "Admin
  2⤵
  PID:3000
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\AppData\Local\Temp\21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe" /e /c /r "Authenticated Users"
  2⤵
  PID:1964
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\AppData\Local\Temp\21888ffc59ac8fca15b8168412f78524_JaffaCakes118.exe" /e /c /r "Power Users"
  2⤵
  PID:1956
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\Desktop\Intrenet Expolrer.lnk" /e /c /G Everyone:r
  2⤵
  PID:1632
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\Desktop\Intrenet Expolrer.lnk" /e /c /r Administrators
  2⤵
  PID:2480
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\Desktop\Intrenet Expolrer.lnk" /e /c /r System
  2⤵
  PID:576
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\Desktop\Intrenet Expolrer.lnk" /e /c /r Users
  2⤵
  PID:792
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\Desktop\Intrenet Expolrer.lnk" /e /c /r "Admin
  2⤵
  PID:1088
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\Desktop\Intrenet Expolrer.lnk" /e /c /r "Authenticated Users"
  2⤵
  PID:1564
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Admin\Desktop\Intrenet Expolrer.lnk" /e /c /r "Power Users"
  2⤵
  PID:2712
- \??\c:\Program Files\29.exe
  "c:\Program Files\29.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2572
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/Loader_jieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2524
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2524 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2856
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/haozip_tiny.200629.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2544
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1792
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Firefox.lnk" /e /c /G Everyone:r
  2⤵
  PID:2216
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Firefox.lnk" /e /c /r Administrators
  2⤵
  PID:2372
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Firefox.lnk" /e /c /r System
  2⤵
  PID:1212
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Firefox.lnk" /e /c /r Users
  2⤵
  PID:2664
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Firefox.lnk" /e /c /r "Admin
  2⤵
  PID:2472
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Firefox.lnk" /e /c /r "Authenticated Users"
  2⤵
  PID:2260
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Firefox.lnk" /e /c /r "Power Users"
  2⤵
  PID:1464
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Google Chrome.lnk" /e /c /G Everyone:r
  2⤵
  PID:1968
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Google Chrome.lnk" /e /c /r Administrators
  2⤵
  PID:1676
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Google Chrome.lnk" /e /c /r System
  2⤵
  PID:2552
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Google Chrome.lnk" /e /c /r Users
  2⤵
  PID:2384
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Google Chrome.lnk" /e /c /r "Admin
  2⤵
  PID:1256
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Google Chrome.lnk" /e /c /r "Authenticated Users"
  2⤵
  PID:572
- C:\Windows\SysWOW64\Cacls.exe
  Cacls "C:\Users\Public\Desktop\Google Chrome.lnk" /e /c /r "Power Users"
  2⤵
  PID:2900
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe del.tmp.vbs
  2⤵
  - Deletes itself
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\gb.ico

Filesize
2KB

MD5
5d05eeea90032887917b66063474548c

SHA1
3fc18f64e81fd0debae603348e4648bc008a4ccc

SHA256
4274b111fcbac6a7cacb7cda063a0b50dcee17c54d0671a23efc03295da28b0a

SHA512
45e3f0fe97c2b4806a02c600c529823cb968e2e5ae56c5c2eb7ea6b267035570c25cb1f680055471e405c7f9a919fec1d054193b36f2c5bad85733b67242d503

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c35b84efb80240ec65c5f43c251edde

SHA1
8ec9efb41b2107de72959c9f75aaf91276634edb

SHA256
a36c8a9280e605fcc5ea9f75e252ec2a5591071b7c40a42d596791b3d56a5cda

SHA512
3cbd12e9f00798d04b271c5745e2e7734019a75c8e0579ac650046a9e863a6c6fe22d68ea25e4bb0e1aba92f47cf70f3e6ee2a4e26e7271c24df13393739e1e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34e145ccca616a8efc729f310c8d806d

SHA1
2c8326039c62c1b9d99979b9d9d75f7ce25f18d3

SHA256
bc6f2a19a459b866a3a6d34e116a63c33899472a542150f82b5f65e404e6e82d

SHA512
1228d7e316bceb71d2c2ce4c1e5c583eb0eb9b436bfac8ab939977c4bf7feda8bd75da0a8651845592a207fa6ce9d0b5dae29148d62945af2e2ee74db6c524f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abe5f28d49223f93fc7693b0e131df46

SHA1
fe23147af69af400a1b4143061e10adcb9c2af09

SHA256
a8b16b3d9a9d711dd84febfeab1167019bd5f6e62752456a5bca0fab3df61c20

SHA512
417e4c7e66f245a35981e51cf895f36006e25f492a4160c4d91960a2608e85b97b5f13f02beb0b95109df486e008ef4384097860ae4f4b70efa0b51b549eaeb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e95077a756d9b8b3ef17d45dcb36f95

SHA1
1c59a48ee2890341bf137dba2edf96b63a7d1897

SHA256
1efc9dac124d42be272ffda3014688dd5193f001fddd7b8261ffd6935cf18e30

SHA512
f6817eb6afe64a6f3bf6cae3568dfb8700c1ef28396f51bbac61426f73d2b7c68265ee7e4f8b30d2e740a50f8d508d5c84066f2599e45ae7cd3eda4b33f9a8b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41d0b1549f713e8380b30e7a24fe8dc7

SHA1
ce1def507fd03e172d043af638f036c59969cd5c

SHA256
dbba536c6f5d1dc07675b3283367a0dfae5352f0797b2cd1c3b80dc0e83a440e

SHA512
bcd9a61cdb4776f6a18af821d28cbf992caf207840fe996412e23bd0496ddfa1c7af8d8a2f9428302631fe3ac18aeafd7ec041ad3dd99b0012e45ae727ee2b55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fa811e54a8057a3b6b9b2db0f3b477b

SHA1
9fcfd875a6b77e745c7bdeaff9d5ba5990c0d716

SHA256
25b50cfd3c95eb811c79e4ae723bf3cb7c0050bdea1c0dc8dbadb7586fdb3f0e

SHA512
1a51e95f3c3fecda18034c45c6acd7a64e3b752ee7a0b03853895bf3a389392ed37bb4706f09466929948dbac7e1b5873bc5c88015afa5a4b8b7c49a261b5c00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1741f3935eef0f3f77ac9bc7a2138c9c

SHA1
b259d8d4708550e0743e0296feda23a7dcdfa5ba

SHA256
d0d55d37a486508e03029d9781669d2805798e6292c48a1e9a655518235f2e0b

SHA512
ca8c2113a857edba0f0c7e840ff716680faecbcb0035a1ba142516bfd491d71f32e8b8cc36cc9e03ae28214789fdba687186b8466b3c5c0661feb97f9b4657f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0c1cc6a61762b803d8054126d339aa4

SHA1
d541421402b728cdaf2589fbf28d1c79f418628c

SHA256
fc2ed25aa7d506540f6c01041e8cfd73d6e1c04e7d779d9be5f166b72296197c

SHA512
4c65de5bb78b230bb8ac27c8eb600ef543885e6f9629742b6e0bafdc7317eec0b8be8c0cf97164f414dc53c600c3709ac49ae287679cb6af513f447bfaeecda9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef7b3133c97fa3fb8d7399bdb44a8e66

SHA1
11952b6bdf9356c57c879392437505cb7289f018

SHA256
7b7a8d922a51edb43dadc724a012bae4d71a619a36b67cade74b5c5f586b9bf5

SHA512
8c2cc12b885c1f29203991d9dfef0907e6ea5cf1e81b4daaf52c8a7aa592b236793c1c6e0b2d84c64c7821bbfbda84bee4dd1cff38ab9ac59b6463d5211bc2a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c288d70df30265337cf573cd2acec658

SHA1
4f5ef0635b663759d89f13a9e2423bc729189f36

SHA256
e0d5e2ac005b9789d0e7266060106ce2ef595bab9f0266b1ade9dc567f1c5f0d

SHA512
fa02be6e1a28651eef3c9c6e04a60c0a8b2d732348596a4f484b21365f3afb29bb87261fdcb7d95a0845b55f8e0953a1db84a10e938373da70c6790f4d83e86a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48f7cad62978e1b1cbae8f47f398975a

SHA1
cc58ce98d5bff255cfce988945ae6dd03b6eb68d

SHA256
6490a6a1bc5811f350d8c651e29480e62d97f84ad3711223b90b9f6e84004faa

SHA512
38f3de494a8b63b01516bd17cc1e4b953729f96dfac0047b3304e45292a1718446e017823b518c9ca89973326d9c2f685f66fddc697a516f70b9b1dc27c3554b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dc512747448a5fd255f77aa3bb23f73

SHA1
f89c19decd38d464a3570fe42b72a90dc4bd75fd

SHA256
a6a614c626293f010d13e444b6469d52998b6ba3dc93542800f258d23eb46bab

SHA512
84aee5d90874b430b7c0060ae5cca6cd3b398fcb1056735097930aacbc9e03fff81df5efbbfa5286aaf8e5315c099d9d39481966b01120d9e19fbc5ead3a19f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b9f78ef3776ba6ec4ffa68831edfa22

SHA1
af26257e039ea3552f6b8ce942bd9489fc4964c3

SHA256
fe5a7ea0b162050de8fb353381569bd6d3e0fbe1750bec63b85156ac2e338bb9

SHA512
0a449af97acc8c33aee5ceb6c8d6ae2a7f4683e62f74a0a8d899d13b482311ba87f1f06cb8ff29b4e7235379d63c39c2afa388cf2a1e06577b90ba6c5c3451af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d875544d1fbe1c9f38a8dfd587fe5241

SHA1
d9aa96e9de053bdee2350aa622385ce762266e34

SHA256
655bd2c44597c0a005845d726bebef923ef4439b9d28c0e934fba1a7ceb347f1

SHA512
4b797216f9b2fb36671c5fe867717c860b24f685c6182d8e4762f46224c500d83cc925f65236f28dc81e092fe380e34ac8b0fc35a877de72cd33df94f94b35ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f3bcae7d70813933899db92b7ad342c

SHA1
755ba3fddbd424e4017190ded8baecb7679a3c03

SHA256
d8aea6454cca21e76ab9701913ed3c7fdb5109f5514c6b67ab25a5cd9b81a6e0

SHA512
01182bad708490a084a14541b3e3c0a1938ec0e0b237847b54651601f60a22bb734cb08f44cffcb235c3c22d03b3e37a8ed3f3cf5bcf4539f21614ea30814ff9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b2e7f6602162a932145d2580c70e612

SHA1
2dccee0bf3337368dc3f5900a3a663bd48c6fca0

SHA256
c0d57e9f8600db6c95697bd199e6b243c3b11010c9d32f51d2a12782a8ffd3c0

SHA512
e98af68ea2373e5ef6ab22fdc1e5dfd4a7784bfee46db138946ce2efae3be76c12f850280df84dd926177354ccc06752c45d5a3552d25a5c4b39e76bbb73364c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a1c2a82e8196e264d162294a1773e04

SHA1
0b66752205af77652d7918ab7c69b438dbbeb14c

SHA256
ed91f541eec476661f1a8a655284002cf96a2d4cd979ba12ef8fef4b5dfd28ee

SHA512
af87533f4b0a1c6fbfd23110a6b8a434e9c7ab68512a15a51f782c5bb7ce8ee664c75c4784d8d2feba8b15e67e830077c441d7c6f5a8a514a1f301ecb08b65f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85a4412b175d312f1404ad33d784326f

SHA1
66dc8d005642d782b7903994388e6a39976a7d44

SHA256
9e2a025ebe481cbcd3089543bff3416e33cd2896197e318f4867ce3a1d12c302

SHA512
f12d961112575e46b96b8e8d6304051abe84d770a626dfc2cec69714142504987317cc5f1343b114ee97252b142f0503d4b86e55a3dc44ec30945ab91850a022

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f5d022e41ad7e8da2f8431803399e26

SHA1
fcebed700435a7fde2ec9c7b1c7441ec8b4439b3

SHA256
3f342aa3fb5962b30efa1916ce9a0014e9e23b54cf2d50100937825afd43c319

SHA512
dde1386a5fbe1c9b65d900f883db9197d88cdfae1531e47579438a5e10678bc1f77bbe13e178cbdadf66b7205dcc1425be2101b38e4b17bb1d0bfc8c162fe059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1756521-390D-11EF-AD12-DE87C8C490F0}.dat

Filesize
5KB

MD5
ff347119155d6ba3fe893bb5fad17d21

SHA1
f22c2820f2856987e6bbacdacdfdc7615aadb6ea

SHA256
944581c6b7406a7f9b0ee13cbe976f1ce0355afb2a0331b0f8189d4e28114f4d

SHA512
c17fae5063162b12e828a9060c51b8796c86b027a953c986cda6d95ac4d134e94309dae8b19f21e1a49605cbef27130edd28d217469ffe80be06a96b208e1c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4B45.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C27.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.tmp.vbs

Filesize
449B

MD5
a2994aed36e7ed425229497f7da24e9d

SHA1
b2a8368a33bb6aba7bc3ed80b3835ad7b31d566c

SHA256
ff5c2fb8a8f433039039bbd8502c1b477d5694206295d1f3a457201282c10175

SHA512
ab1391841b4d38c148d33b96e571957977f5933df12316c8c5376ce68625abe4de8a22d69aaf1ed04127d8dec491e69492603100116d748e3570640a389a5b06

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1KB

MD5
c8443b9de85568b35a8430c4a5eb9c1b

SHA1
1be70dd3028b45f9f074d4db478396921a84b65c

SHA256
991e63a4fa78d6b721e66b0123621f2f3e7b711c08b011ffadb56b4ecc3da1e0

SHA512
928e6e9fa2e39a0864610da7fee95e964db2ae7b6f00256ba022b73cc9ca651bbf8d8d177195b2e2d1b7177978f8e0f1575f40662ba1470b3548d7dcebe01509

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
1KB

MD5
188f966079b2564523cc53a0d6903b48

SHA1
9682f9145e33e34c1d00b7d0c9aef8adde448c38

SHA256
8e40631dd59d05f666e1f5f8366ca7f8ad823202892e9561eb3de42c36f33f87

SHA512
e1505712311cf90399a53024bf6876aff395ee9f61655ee72b183dd91413cc7b1adf5a380e18ce5b6a60767638bb4e056547a6e8965cc90437a5a617c28f031a

Download Submit
C:\Users\Public\Desktop\Intrenet Expolrer.lnk

Filesize
1KB

MD5
99329b5a0f46badd2415c5b19c04df99

SHA1
68eac09f450ca69791a096a266b2296a348792ab

SHA256
2476c02c86402a51189c6761be131fe3f44f6ff152dc58d54c499424beabdf9d

SHA512
918eb0a5cc0aeb424ea4b86bd57c9f95e7a2d9a950b464b7b82fa805a1d713059c8393d65e53976b50b36a84fe0e52dcd8d98f5e81b3f6104c7d6ca56fa7131c

Download Submit
\??\c:\WINDOWS\Temp\ityw88_9.tmp

Filesize
1KB

MD5
13632ff5c76b45e12e08af0ff1b85804

SHA1
c743e929114a00532478ca78bac1e358debb1f7d

SHA256
c838e143ef22772acbf8dfbea5a22a4048f0e06c5e004c04ab65cb9bc81b390d

SHA512
0dcf89e4395940664913172bd970f6515d24afe39b074287c014903752d8ad73c54f6fe8cea99b1e3071083603d488114f4c23a54a4fe103f28240b7d0f875da

Download Submit
\Program Files\29.exe

Filesize
28KB

MD5
b8fee731cb3390993f01b36d45841952

SHA1
dfec454bc5412367a5b532a2d059d0d934d4e609

SHA256
46583e5baef6420ee7d7efc6dd32af67785e28feece811a03547853b82265dde

SHA512
488be12cc781292f27333104c6ff3d17293c28b612c8eba242a37362e456fd2e484f80d18eede4c313faf16619cba4eeeb990775717926714b95e204e8172648

Download Submit