f50be667a3879fe4cda7b73d15971dddaad828b6dcfe983322737b2e9f46956f

Analysis

max time kernel
138s
max time network
140s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Size

19KB
MD5

228874def7c66476be40389394d5ddc6
SHA1

fdf3f6c66f47e8d1641341424baea9ec8075a2fd
SHA256

f50be667a3879fe4cda7b73d15971dddaad828b6dcfe983322737b2e9f46956f
SHA512

385457724e99aa77e6e5b1217237809e1d03918f9928e3aa4b09f9b43ab096005e5e412240456c65dd7967a60841193b6cb896989e6aedf70928c6f9027f3b72
SSDEEP

384:4U8l7m2vDBlXAyomDFuAxAagu3KkHF3Q03sxfhB4vZCWp208XCI6VDhAbkD+:4/l7m29qMDNxAagu3hQ0cJ6ZCQ2yIQDq

Score

8^/10

persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 60 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE\Debugger = "C:\\Windows\\system32\\c0n1me.exe"	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\M:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\Q:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\U:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\W:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\Z:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\G:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\K:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\O:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\S:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\T:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\V:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\Y:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\E:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\I:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\J:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\R:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\L:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\N:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\P:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened (read-only)	\??\X:	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File created	C:\AUTORUN.INF	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File created	F:\AUTORUN.INF	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\RAVMON.dll	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RAVMON.dll	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\c0n1me.exe	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c0n1me.exe	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1865303591"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{16DACF31-8E8A-11D6-B0DF-E64BF8A7A69F} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2184	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2184	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2184	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	28
PID 1932 wrote to memory of 2184	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2552	2184	cmd.exe	30
PID 2184 wrote to memory of 2552	2184	cmd.exe	30
PID 2184 wrote to memory of 2552	2184	cmd.exe	30
PID 2184 wrote to memory of 2552	2184	cmd.exe	30
PID 2552 wrote to memory of 2120	2552	net.exe	31
PID 2552 wrote to memory of 2120	2552	net.exe	31
PID 2552 wrote to memory of 2120	2552	net.exe	31
PID 2552 wrote to memory of 2120	2552	net.exe	31
PID 1932 wrote to memory of 2804	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2804	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2804	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	32
PID 1932 wrote to memory of 2804	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	32
PID 2804 wrote to memory of 2564	2804	cmd.exe	34
PID 2804 wrote to memory of 2564	2804	cmd.exe	34
PID 2804 wrote to memory of 2564	2804	cmd.exe	34
PID 2804 wrote to memory of 2564	2804	cmd.exe	34
PID 2564 wrote to memory of 3008	2564	net.exe	35
PID 2564 wrote to memory of 3008	2564	net.exe	35
PID 2564 wrote to memory of 3008	2564	net.exe	35
PID 2564 wrote to memory of 3008	2564	net.exe	35
PID 1932 wrote to memory of 1040	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	36
PID 1932 wrote to memory of 1040	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	36
PID 1932 wrote to memory of 1040	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	36
PID 1932 wrote to memory of 1040	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	36
PID 1040 wrote to memory of 2612	1040	cmd.exe	38
PID 1040 wrote to memory of 2612	1040	cmd.exe	38
PID 1040 wrote to memory of 2612	1040	cmd.exe	38
PID 1040 wrote to memory of 2612	1040	cmd.exe	38
PID 2612 wrote to memory of 2620	2612	net.exe	39
PID 2612 wrote to memory of 2620	2612	net.exe	39
PID 2612 wrote to memory of 2620	2612	net.exe	39
PID 2612 wrote to memory of 2620	2612	net.exe	39
PID 1932 wrote to memory of 2660	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	40
PID 1932 wrote to memory of 2660	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	40
PID 1932 wrote to memory of 2660	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	40
PID 1932 wrote to memory of 2660	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	40
PID 2660 wrote to memory of 2692	2660	cmd.exe	42
PID 2660 wrote to memory of 2692	2660	cmd.exe	42
PID 2660 wrote to memory of 2692	2660	cmd.exe	42
PID 2660 wrote to memory of 2692	2660	cmd.exe	42
PID 2692 wrote to memory of 2688	2692	net.exe	43
PID 2692 wrote to memory of 2688	2692	net.exe	43
PID 2692 wrote to memory of 2688	2692	net.exe	43
PID 2692 wrote to memory of 2688	2692	net.exe	43
PID 1932 wrote to memory of 2632	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	44
PID 1932 wrote to memory of 2632	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	44
PID 1932 wrote to memory of 2632	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	44
PID 1932 wrote to memory of 2632	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	44
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2632 wrote to memory of 2720	2632	cmd.exe	46
PID 2720 wrote to memory of 2496	2720	net.exe	47
PID 2720 wrote to memory of 2496	2720	net.exe	47
PID 2720 wrote to memory of 2496	2720	net.exe	47
PID 2720 wrote to memory of 2496	2720	net.exe	47
PID 1932 wrote to memory of 2140	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	48
PID 1932 wrote to memory of 2140	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	48
PID 1932 wrote to memory of 2140	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	48
PID 1932 wrote to memory of 2140	1932	228874def7c66476be40389394d5ddc6_JaffaCakes118.exe	48

C:\Users\Admin\AppData\Local\Temp\228874def7c66476be40389394d5ddc6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\228874def7c66476be40389394d5ddc6_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop McShield
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\net.exe
    net stop McShield
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield
      4⤵
      PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KWhatchsvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\net.exe
    net stop KWhatchsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KWhatchsvc
      4⤵
      PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KPfwSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\net.exe
    net stop KPfwSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KPfwSvc
      4⤵
      PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop DefWatch
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\net.exe
    net stop DefWatch
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DefWatch
      4⤵
      PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus Client"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus Client"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus Client"
      4⤵
      PID:2496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus"
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus"
    3⤵
    PID:2520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus"
      4⤵
      PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus Definition Watcher"
  2⤵
  PID:2472
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus Definition Watcher"
    3⤵
    PID:2504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"
      4⤵
      PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "McAfee Framework ·þÎñ"
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\net.exe
    net stop "McAfee Framework ·þÎñ"
    3⤵
    PID:2900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
      4⤵
      PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Norton AntiVirus Server"
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\net.exe
    net stop "Norton AntiVirus Server"
    3⤵
    PID:760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Norton AntiVirus Server"
      4⤵
      PID:552
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
  2⤵
  PID:2764
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  PID:2888
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  PID:2208
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  PID:2000
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
  2⤵
  PID:1980
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  PID:2376
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  PID:2132
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  PID:612
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2984
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AUTORUN.INF

Filesize
145B

MD5
43a741a56d6407be6c4190a29c26b39b

SHA1
fd4f5a3732fa9c9426428d8100812cd33ffb4e03

SHA256
a094953255a5f2815a96bfddf420056e42abead85111df8362adb1de83d81dc3

SHA512
5b75cb17a44f14eacf6ccc10fc455a4945872a152aecb5f1ea30b0bead88501e41711103d8f64e9a455ca02fe2281fc1771efc09fb025bd3d0884975c79fd5da

Download Submit
C:\MSDOS.PIF

Filesize
19KB

MD5
228874def7c66476be40389394d5ddc6

SHA1
fdf3f6c66f47e8d1641341424baea9ec8075a2fd

SHA256
f50be667a3879fe4cda7b73d15971dddaad828b6dcfe983322737b2e9f46956f

SHA512
385457724e99aa77e6e5b1217237809e1d03918f9928e3aa4b09f9b43ab096005e5e412240456c65dd7967a60841193b6cb896989e6aedf70928c6f9027f3b72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4a27e3d2da038ad0e7168ec118e3d4f

SHA1
066a0f5c08eb0b31291b51812a053c573d2dc954

SHA256
4dcb74299b16dae172c490b0c744aacd147c091fc9e6aa781829fb53ed36ba0a

SHA512
03c031340a0c9778963f048cfcdfb1f9d1a007603c428d5e1c33851c11bb29bf28f074724991781b36beb02993281d28fa31810094e169c1ab19786a720bcf8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9928fdf4c605670b3654d845d7001168

SHA1
7ba303fda4935398197329ecf05283f9126424b3

SHA256
2a5a14b15e73990001cd7bd551d5a3cf50f8f10ca2c860d3501874fe12dc2a38

SHA512
e5246a1b3dc7c514573101bc420641c30ff0d80bcbac00951067fc7617217e07f8b967bc79a5fda89fc462f4ee2647e7ff4b2bb981af7a7e5a21a80bd0e6403b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2216f3a342e8f23ae61b186e98483c25

SHA1
e6228f2487eb8069b300794f9c641b2f9ffde3f3

SHA256
c0051607fde116690de14b23a2b8ed411c583edcd541b67604d63de6fc1d65b9

SHA512
c1de2365ee90480dfa143c637bacabadedf3edb3d2435c94a32b32da159022a1bfcaa771e9a57cd8417b32b466267e02b8a300eebf73c6f6147423731c78df1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31657d48f832c5feb2db65edbc7aa1f7

SHA1
e1de8a287d50ee6b79372b2aa0b2fb095f44375e

SHA256
55bb55fc3e472d40bdd5e1ab0c7a2d8063530dce2da4d5a21876282c4801aea3

SHA512
7c6c82248f03e65033a7fc1c8c3850435a6b29986d92e25c89282ececa6b5e5394c543db7b9430c8810ebda7eeee648041a95861da696399b0c87eae43550aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c32cf37f8af621fbe00ae6507113ced0

SHA1
641be9137c003d835cf4c8ff2f8806c45e955f8c

SHA256
7263e5562ee55936d5617dd369d3af357f22b2df8b6a489ba54c86106afce8ae

SHA512
733bd1e6d1d3ad90f9366893ba0ed08ff327a5e6c29929112bdc7549a21a4207d8bc8519a65b09d726159bc9be1a203c51b852b89f2db0b247afc85ebf16b55a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9dbba699afaa514198b1bfcd863bad1

SHA1
3313b8fe831f020aa1b4b3de0d3a264418b388a1

SHA256
748fd449d8b624cdc7b722dde3e3436089f12406e5b6e913300b9371afc55b5d

SHA512
0a5132551832ab9063d7a9bd477e143284199a1f1f09b242ec6e9a2821ccfbfe3a0f338a0cc4d54d437a5b8972d54a5e2a6d98203211c01b74b45df7bc8210c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f58b81f49de966808c2ea9710e8b8044

SHA1
99426b092310d8ed9f3031920acbb623cb261082

SHA256
f30f15023ab7f79b5622e8eee1d52a2ca5589d72cc50560c163e920c8954094f

SHA512
3730949ad9d1d8eec47b1a27383e0e61586eebb41e00ba60445fbd28fb6a8c9835dfe4a2cfbe0f18d55275dd5db7937b148966260da1c3cd70bc8e171635c333

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72236574c999a2c4174d01a1f99cc486

SHA1
e1abac023aded6edd83320513344b1c79b09c92f

SHA256
8adf7f7a43719c5f6d87ccb9a7aeff6d7f48c513a94d2ed9d28557a42f9ab6b6

SHA512
9f7d460768ec1b60f7a72ce9b299082f749b13e2f7ab8e42fbd36a0dbc73fa35a66162c36a2b3d8cd3d7eab320335b8e58257aa0acf3d8b4ec6258e0ec09b0cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39f8c74b4438d6887d045c48cd72afa3

SHA1
01d066e956e387a4c539b05ae0af7026c77efe60

SHA256
d93c26500bccdf77274495fef777abe6708f1fdc76d1619df2a1005e32f523ca

SHA512
7a0ca7789453ef2de5ef38ca30a6c3130d31172e7a52df1f3d66fffc62952adcef5f14be6b68c90ab409569e052dd2289f33991a642e704592a3688647be1478

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44e3cdff1e74a9b810b0c35352890fea

SHA1
87f164fb6993f2ab76a2c44d02bba30a31f4c47f

SHA256
6ca9c93d5c5566a851e6e150b1967863dc3077a66a720bfa8cd56d9e1e8cd345

SHA512
c42c2b950ea80e481d453481620faa433d4dd520c5cb8f02830c81da9ed314f2055da69e866f4e7aa75dec050b4150bd412f7a5d0affb6d47d79e6439a3be9c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
976bebdbefe4c2c99ea56d3199a2ca69

SHA1
62dd3494c499e27d740d7b449855c85b5df3ee76

SHA256
790a7df42a4e315369e57a2b5494f28fa18fb78b7c7bb17ec626e393e0a87f29

SHA512
a9fc43c6bb69db47ec02d4cc21fa493682029faf684a2a9325f37786e7436b8d4243e78f57da50cd928f532fc8daaef4b6d110c044af1687c2e7936a98c8db5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80fb77c63f99913f1c2904f9bf5b2d3c

SHA1
082b23dfebd6ee01f023d3d29c2ee88df9b854d9

SHA256
a76dbf6398b9dff252ea593689292e50d8b7cce2e55f48887fecf454949de406

SHA512
8c880e5a7364b6afeab283078fe91e882faabb2bd6d95b5a7f2c0d913a6f05acfe24a195433c6d503d2e5edda4b82bbafdd683a128a9291b391937f7d1358980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
335559f96f8628b0890ad88fb50e155d

SHA1
e72629203f8ea0a48eeb96d83c74351f6976dd93

SHA256
69f289fb62d025526b2881bea661f07247fdc89c32cc17c39917d2331aa4d5d5

SHA512
eee170c3fdc85cd9cbf7a11fce4f6334b3e80bcc76815500525d5b56460baa7d2791f734d3e6f551c7f6aa140038fc9bb0a7cc711f88809c9c539216736ade33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3fd16eb001dcace928336f7d6ab512c

SHA1
dc8be93b3a6cdaf8062a1736696185d9c5669283

SHA256
fd6dbe222ff03798e83460f22b0c327be48eb421ac11ff3af0f5a93c3dcf38fc

SHA512
7da9e9eb688e53d86d93a834423adebd52bf770908e40f35a8cc6623f7e3b8d4b06c7500a2d09402d0dfc06007d44ca8bed390e3c4fe503c69695ce5cf9c7f6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b55d5cb6f3a56fad852ace36aad1caa3

SHA1
569c18186b41585747a48db7e6097e6e22e030b7

SHA256
9c506d3b9cf9c2cbfee63210893c963950f11fd8cd1c105a1a42512488ab5496

SHA512
d88e7e95daa078747703a71d74f756dc188deed2c551aa75fd071e17a903158338dc44f6e38abf6756cfa9d9ecd8868660d008dd47417e6e628494d5aa4c0d2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d125058faab554db4821500f25925bb

SHA1
14486fdcf831e678bb46c534923268353cf1f681

SHA256
fd7614b97cacecb1916e7297d569f5c2096e534e69070b9a1c16daeda2e7cbe9

SHA512
bd334873f32054020ca3ce94bc1d4946bf63fbe81e66545eba4918f33f503715ce107b4810bece43a8182bf023b39458313677ed71662e4dffb9d847e42feed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ca72466ea175203d75bb2f21a32cc93

SHA1
c26a773ca2780be2c3aea25ea1eb31e4a05d696f

SHA256
e8a6cd7352d992f149eaeb942dee8d05ab959adbc9e81594417a9da48ec497c8

SHA512
d89b0e03b9f1f8293cc75b0d3f3e841ef12b72a202f125933931faaead46595f8132d39d392a08dcf0519fe6c7f50d284612efab3f7ea5c21a64d17a81cd39d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05269103f7e59e2198a6fc96b896f0a6

SHA1
0a516b57b0240eea1b5972e75958935bc81e5061

SHA256
5fd4c1029fc43b108ac90095eb1374385d2a0e550b4fa3f45d341c0fee838273

SHA512
92ce440f091cd03c5f22994164c6fb9005175dc624277c3f284ecf9a4bff61e95caefb50a1dc64f1a53dcfb12d35a1a564b13973cb9d3bc7e5b5a5d40bda108a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8d73f24f92ab8cae825ab639d408657

SHA1
e64215bdee221823b4ea4d5852e054a9f8cd5275

SHA256
2ffda06fa00a69b8dea40400605c526191623af3a62b9a391cb54bae9a2e35f4

SHA512
1460d453fd0ccb97fba8c38630a8833d6997b592dd1fd87d17f051eabc0dd01e1967ea1cf8d659a9b687159a98c4f2a162db5dbcdacb57b117406668a1961a9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a96b937718d9df57373ac9b9e626c906

SHA1
b4dde0c5f8024e80d9514f2a7b3692dccbce9302

SHA256
27746b4c4e6bae582a9015b5a0195a62bc77a4004a331a89174185a1d6efd846

SHA512
60ebc707734e1a5c2dfca2a95f31a9b73c362fafef70c28d3c43b221fce32b9ffe764bf7dde4e240732c46018f1e66305feb3ce0cfa79fc1351f22e00880b983

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5088db4656dde467163b8e4357029569

SHA1
6efccf26e16c1f1ed4015d6e466d90d4a1528418

SHA256
97cba7542ae5dfc93e1c0ccb81267221a6bc7f3243d9fe5e9991899295e4b7db

SHA512
6617104507cf6829df01bd0692bb99be0fc896a72f834a5345939f80943553fe80e68dedee87459d3110d9e0dd347936d82fb7c70202e3145970fd53f8d82241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f984512e39da458e3aa650d9c35b2f3f

SHA1
c81da503993a1d6451c7ffb902741382ad7d5eed

SHA256
1ca05c80266b5e297ea6386b92a03062476c8bc483819103abc859ab819d0eb1

SHA512
1bf5f560ed651bad46c84e24120ae2d41f987b37e07c09aed8149171d2694832deb9c164bd36ea969719d4b87fdae02523e15f261a8e7d5b7b75531c3adf27c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71781025fb4de134b05acfa6849177ea

SHA1
f2db69bb2262a993852d68b84bb375ff9daaf604

SHA256
f415d72d5b95007ef8eddf5e640346eb0e093ce1a04b29c966627c838ee1d647

SHA512
ac2718025a9e9169f6047f331dcf08336555fdefaf5494d498ba84eec7404b992d153e45dcfee6bca205b4fbfbd1a542fbc5870918ee7c55613557dc3e10f2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab44D0.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4573.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1932-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1932-10-0x0000000013140000-0x0000000013158000-memory.dmp

Filesize
96KB

Download
memory/1932-0-0x0000000013140000-0x0000000013158000-memory.dmp

Filesize
96KB

Download