41d68c6c9c47fb2148a3c8c4fb6c631eb81fc740e5198ccd8b8a88f50db0dfd7

Analysis

max time kernel
144s
max time network
133s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 13:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
Size

374KB
MD5

34fa89251681e20c983317fef6d0690b
SHA1

fa1d1ba50253f02415b380b9ffa672ae20e9ac68
SHA256

41d68c6c9c47fb2148a3c8c4fb6c631eb81fc740e5198ccd8b8a88f50db0dfd7
SHA512

eb13dee4f5098b5300311cfe7cc49043d6711d861576f47dccd09937fc185d9e56dcaa694a955896f271c45d0d039d4dd9dfcbb68b0122d680c0599639a2efab
SSDEEP

3072:v15GEu815GEu815GEu815N15GEu815GEuWQqy:t5GXu5GXu5GXu5n5GXu5GXD

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	exc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1580-1-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000700000001211a-6.dat	upx
behavioral1/memory/1580-4-0x0000000002AA0000-0x0000000002AAB000-memory.dmp	upx
behavioral1/files/0x000100000000e664-15.dat	upx
behavioral1/memory/1580-128-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/1580-129-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\ktmutil.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\icardie.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc120u.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msmpeg2vdec.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ir41_qcx.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfcm100u.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons0027.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ntdsapi.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\diskperf.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDNE.DLL	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\WcnApi.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wmvdspa.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\fdBth.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\hid.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsData000a.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\vbscript.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\getmac.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDHEB.DLL	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDROST.DLL	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msdmo.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\scansetting.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\efsui.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDA1.DLL	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc120enu.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dsdmo.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDBGPH.DLL	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\kbdlk41a.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDSORST.DLL	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\shdocvw.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\vcamp120.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\winbrand.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wlanext.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\CHxReadingStringIME.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\SecEdit.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\shutdown.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\DShowRdpFilter.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\HelpPaneProxy.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\QSVRMGMT.DLL	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_20001.NLS	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\gpscript.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ir50_qcx.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsData0416.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wmpeffects.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dhcpcsvc6.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\format.com	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\inetcpl.cpl	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msacm32.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mssph.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\SubRange.uce	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\d3dramp.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NAPCLCFG.MSC	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\pcaui.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msdtcuiu.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\C_855.NLS	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\licmgr10.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msdt.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons001b.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wscapi.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\appwiz.cpl	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\L2SecHC.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\lodctr.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wscinterop.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\gptext.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ipconfig.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\WINDOWS\explorer.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\PFRO.log	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\WMSysPr9.prx	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\splwow64.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\twunk_16.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setupact.log	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\win.ini	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\mib.bin	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system.ini	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\winhlp32.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\fveupdate.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\twain_32.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\twunk_32.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\HelpPane.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setuperr.log	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\twain.dll	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\notepad.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Starter.xml	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\write.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\bfsvc.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File created	C:\WINDOWS\hh.exe	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f03551000000000200000000001066000000010000200000002dbb81dd88d6e70dddfe7c2aea24520719b50d51684a0df7cd042315715b553c000000000e8000000002000020000000e3aa4dcd45de92935da9ae66b1d6ee2853fe301dd330d425deb7cae1039d71362000000058bba46545614ea2089f28e5a2885343f3e20058f4445904c2af265ded0d3dac40000000009aa7057c6867d261aacfb49b9198f46b617eb03f23b4747c68e942154b8255fdd3f05714b1a8828c06afcbc19c4eb79d22ef39659b23202f523927b23501e5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ECDD4661-3EC3-11EF-9CED-F296DB73ED53} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f035510000000002000000000010660000000100002000000022420ef8b364bf0d112c760579a7c5fcb10560ee29a7db0e72a32d677cfcd305000000000e8000000002000020000000f259886bf0435da959b5f3089e011e1f23bc2900304d00b8ece91ea511889c1e90000000bb757a8ad5e0a3b42ab7a07196f4e25fa1bf0360f8d6527601b3bee6afc93b6fcac8e470c299adf4e0d080703004b92d909b6ee29453fcfaa5e4b41c6baccee7ca9b097028064fe6b36225a359b5d0779e149d5758f08f7383c78ec6d1177fa3af0ab88af74211005008c5fe9f248c78b4d36ab2760d286932f14748529ae6fe11893304bb3714b1ffd8da8ef981e07a40000000b000f638469feca8056cbb73279f441a9621223e169a0fda3bfc17a2afd982bb8b33ddbd5af2baef86848b462d6e7059f753676595990087624d41796820ee38	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426781536"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a09906c7d0d2da01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2076	iexplore.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	1856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1856	AUDIODG.EXE
Token: 33	1856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1856	AUDIODG.EXE
Token: 33	1596	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	1596	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2076	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2076	iexplore.exe
2076	iexplore.exe
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2968	1580	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2968	1580	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2968	1580	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2968	1580	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe	30
PID 1580 wrote to memory of 2076	1580	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe	32
PID 1580 wrote to memory of 2076	1580	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe	32
PID 1580 wrote to memory of 2076	1580	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe	32
PID 1580 wrote to memory of 2076	1580	34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe	32
PID 2076 wrote to memory of 1596	2076	iexplore.exe	33
PID 2076 wrote to memory of 1596	2076	iexplore.exe	33
PID 2076 wrote to memory of 1596	2076	iexplore.exe	33
PID 2076 wrote to memory of 1596	2076	iexplore.exe	33
PID 2076 wrote to memory of 2920	2076	iexplore.exe	36
PID 2076 wrote to memory of 2920	2076	iexplore.exe	36
PID 2076 wrote to memory of 2920	2076	iexplore.exe	36
PID 2076 wrote to memory of 2920	2076	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1580
- C:\exc.exe
  "C:\exc.exe"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1596
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:865295 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae9844ed2ea386d8184d86ce681d7e88

SHA1
98116d2cae1d3e60b26c73fb8ec1e4cffe3e4a18

SHA256
4494f20c197a66cbf571395a8612b7924a2cd75b9afa24f28359cd4299507281

SHA512
7b5b0b16177bc8bcf091455e564648ae30da2a91a7ca2ea723bc6fa170be56cad8cf3b6d02ca7cb354ea077161cf17cee061a3ffb38418dd838f9d89cfefae4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f2a8b9da6b6fd3f25dfa439ae4eb1bc

SHA1
b6efcb134ad5550e1bbf59ea3d12ce907dcc05e1

SHA256
d9a110910475b58de71b5ed82ed69b852b1ec57ba4f41b13ebfb50340d548658

SHA512
6370e3ed1c039783222e3f523cf0d46ae0b5702ddab99b549ce81371d550073555b6953bf25b22133b808134fe85ef4c765d42d301ab65d647a719e70bbe741a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2434622f5998bf4b1b8666ac69d109a9

SHA1
a52caa3bca2ad73c9072c898f6ed5cf3ff089e8e

SHA256
d7ae90c8a7d8d2bd6d977c1ae85e10cb11a0104108ffb321ab015c3bf42ba6d8

SHA512
3c55730be0f331cb8791593cf01f205b4ab88f41f4d82044b8e079fe0be00c5d56f7205e2b689ac9d825eaf0c6e1c6794ab11c0682e8a9efc632449cf9ae18d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
252f10ecd2b2e1e3bb3e4c44cba5720b

SHA1
04306c30e56023cbebc2d730fea871d65d926bb5

SHA256
25c83a0e63de228487a87acd1203a3fffe6a4253ba77f56529c181cd8ecc5c43

SHA512
87c2eed36d6379e1c18dd078d525a971e00ed617713f8c4d90b2b025c8c69f530a786bbc5981f8c2764541b3c4af97608bafc8b47ab1d512a2fa155fe0a81d76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d42c8c31ea7c58a87b0e3cd93dd214f

SHA1
d4f52ebc74a33c4a17e1d20541d2354f08be17d6

SHA256
2625219ebd9e8b30ea8b796944cbdb5b6101b318d7b4d8a55b77b47817108c2b

SHA512
fe62a5fe4f9d6fa628967936028449602d007ef16d1e702a821cd084026258af238dbecd1bd10ade00899102dde3cf009f1d1b99da64a6227a047e544350f9c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f76d788436b0434e3db9b8afb2e93992

SHA1
23c216e9f007ad3b446ef150e14785f929ba7747

SHA256
04521f338c1dd4e48a77026492557ff8e5bf6af41a5b750d779178c34235f50c

SHA512
66e5adbddfd3be08b79e9a0224434b5ed3173ba44553af3b5b3dbdc5a3c0af7de3f38940bc5d4f210c5996c1a3a588ad5b16d144739a19272252a9830544703e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2074eed3950a0e78a7c9ed547af8a115

SHA1
69b5f8620f11f178a148800bbc90ed35c0a3a29d

SHA256
dce9a721daac1466fe8ce4686b9ee5e8e5fa5aa7448e6addb7f8263a0f5abb46

SHA512
28291bdff246062a56b11dbe151ae6fc3c2d35d17d0599da3cf7f8b1b54231c8834de4afe015de7fa4efe4c657dde629b22e171a401e5be351736a21095419ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
913550a97b2dd0cf1c952e84ef317a42

SHA1
077192323e06395ede6e3445f75ca281e817c688

SHA256
b8cb7b1519789bfa28935044f87b7ec8e968191356c34b31351fb53014627c00

SHA512
dcf3ae52652bf22155c1c7c6ec3a95d64968d711bc0609cb0d1b2760b2a9495906d32949f82d85e3ee0a1f6cb74561e44df7afbedd9a26d19670643bd6d89717

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b62ca316c58547630560651fcbc5acf

SHA1
c9bc747889f189c5be5a55a7131d0e0d5cc8cac6

SHA256
ede77521e2705e659122deed3137e37dd8e527f41c4e186fbe4679c3c02374f1

SHA512
444dc1ab514c35bf2d7bea79e05f2eb2fbf184db70d6062c4130a1fac116a6867377d147e0a095ba61c534e43c34ac3539858fed138e6b9c339880e7019b6942

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b72c6b3908b03d89f4cc1c3eb7f840b7

SHA1
54e86dd8099a27f25a228f4a460ee58e5d4199fb

SHA256
9dd3b7ba6d41cc3ab7144b05711807182b4fcc700728e535ce6e2b8cdaad7b49

SHA512
61e35b12f1eb9ebd8e3a81725e0642a2d4ec93230066aee24b59eb0f3e9235da3cba1e1e73841b3a23c32785b77e97d391374f0be7e68da167f4451adc958cc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a47784af9517229d773657f7edec9101

SHA1
2b9606b7b34ee21d91934ba8abe0bdfea84d24d8

SHA256
23c319fa7dbb98712a973bfc80f90e40a94595a23cd5fec92b9a0e4693a37d7b

SHA512
7f51d6d21e886b21c75bd3fcb637bd533821a06f09bf8a09dbf01ed2e9d1d197b29e0dba8386295923c32a11d6ab1e8ce239741fe8d02d208224ab1a4bb5922f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df3531a8261f820ec1053ec63a5e4979

SHA1
3a44991f7725bf842d3de2cca874b0b8e10e2f60

SHA256
c27c7e0ebe8e65afff3d316960a5cb1b4d1fc919e03ea240a304a3a539fe9689

SHA512
3c5dae46b94a359e67cf6fcf755d9567d07b04ab989c7ae9e968e46281686aea48625f03b5761e587c420fc2b1520246f07564100a51103936cbf254559b8f0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
136e2be0e7d929c6b9be328363331fc3

SHA1
4e3a981d8787132a6f7de49ff777ef559f61882b

SHA256
163c301db10197715d3480276d159e1900653b1f9ae9a31f0f83ba2dd4978b31

SHA512
ac50a41b422a218660ab1a8c77551f55a58e4e506bb5a4ee34124b65786a94f49286d5c85364bf1fb4c873ac4217d38f1b86b941f1bebf29051139d390a73914

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9019c32cade5700d6bd3d6c36905a95e

SHA1
e05e5c3a3d05859e213e5142d3b8a12e302ded28

SHA256
d9d5b87a949b4b0d3ae320e414c1dbd5c7f883eff9ec7d317c6c691576f12f0e

SHA512
a30dff35b2c6fda98498dfbef8bf7e3ea0c03ae5652771e19738425bcccdb6394cf8c617fc67e594c4bfa2e19979c3283f966664e56373f55bdb0fe30a82420c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e7cba2607eaa346afbc5f937d5c8781

SHA1
2276f6070e9ba2903c33a17f549a95a01785ff56

SHA256
3a621ced9787deee5fd2d3f777d5526ff4a0ca4f6893043511393866bff6abac

SHA512
acdc7b6b8b1666d88986accf55c92217ce68e8ba9d4c6c10a2b2eeeed8f3bf91a46c463d04780d150406be512220e2ddff4e895da7582f3fdb0045724e368d98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
355fb1e8c8a4d7305df2482463075912

SHA1
10decf08b997499411e53ac7efa43fec07b0df06

SHA256
fccae8d94dd5ba49057caf945a16753cc9f9b480bdeaacf62985308036213d1b

SHA512
0357e4585bdc4a145814cbd8ab4b5892b93083f4db7f35b395f91f6c3c957c6858934a9d6357c28b8ed31ce9c60f107b047634c281b780788927522e2d29e84c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18be59a8c3cc266bffbe4ed966102c77

SHA1
0665d5762c1080e3372fd25e35c039dbafb5ad9f

SHA256
8546c9b9fe1925e3ee61fd78c40dfe394aea3f761bbb914124002d1bb5837b82

SHA512
c3b083f0c8aaab0f927db801e8eb70bb78245338402ced5a9839600a8aacc9b4653a2ffe446a3370c5d4a32fb7523557dd84f1b70c4700d88ad0c44083eb8e96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c375b248a517baa7a6f23c201066907

SHA1
25b29947c89a65aecd680677d8be7596d91f7e5b

SHA256
cc987cab71ce9dd25d54fb745e6463c664ab705433ed58d40ba165ff657a3cad

SHA512
5f78b9cf812ad56cde516ed4a3eed9d6d9c90531a45578fe861892fc2236faf349787586a87c1ff739925d462a5b648d735fdef428f9ce09d1ed7cff64e46735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e082c6065f95d08393c72283a9422640

SHA1
ed97f6cee104a887b77b43c39c46adc5c31520fd

SHA256
4525e3387ab75d60d045b8fc5efbfaba4e1bb26f7d0d87c2ffa079b99ddf8ff9

SHA512
0d2b7a64423a1e6e6d23c328a496e64ec9bad01f4f75dabd766920d061eb4685029f49da68956e907df11d67fc75945287b87b67255f9c9823a47e6cec52db20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87d58b1f3d9a5690e57dcfa1162b24c3

SHA1
37068ee97990c00f0a39b739e82e4c856073f9a3

SHA256
64076be7cf0b4f826d22bd6ba57d426dbab5c88cd3ba3ccdbd4db89eced4ef1c

SHA512
d7def2d03baede52d4ef0330968e7301d209801cb67167adf37b0ee290f2b25fa8b4c6140b80d31b99a931f8bbdb411626adb284b7b9cf6968b03a2c15dfbba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
622aac55da79810c76c60f12b24639a6

SHA1
a8d9e351627f77caf9d2bf33776a4974a656401d

SHA256
864e77a6a60eb750d25991c9c268158caf0e0361505abff30470b3c23d5758b0

SHA512
635e9fe0b514cdaf55c69cc46613b056c942923cdfb954ccfde1cf64d25e06ae3100d885e1207258f816b84b139ecee6a3235c7b663d6f4c338ff4dcb66cf377

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
933a960c4cc38eab7e8a5719242b645d

SHA1
c19cc5e271d01f5b0994979536c0d6d64df7981e

SHA256
0bb6ed0c5cfe41590c727db4353d973c37a1f40104bd10ada59916f560eb2391

SHA512
5cef6c66b00e356eff918153566f55cc8ae2d45e8a2011910fbf81cf9291772cd8d1d9d85182d8a20b99ab3fd80b75054ff9348db4ff8cd8756acc59acf612c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5073e4057d5742ba2b98a7afa7bbb24

SHA1
449067d87ad5876a0453cc9b23ed44db7c4141ff

SHA256
ffb5089f72737c7c2153aecad7ab41676cc1603485caeb4ca098684b0deb8139

SHA512
c7ff0170bc98e2fd2bbb99d29a7404ec7a0f84bc5e9beec4630aaf429f55514a6a9a27aeb843bde7900e0899300e531ce660302fd7a983c1e9b23728fe779982

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
370d82ddd5f361bc70261a8d61166bf8

SHA1
54b075aff684b2e81101c1ed1c54d69b13b453d4

SHA256
9da289094b7902fd446b6e021e7908ac73915895f39f1ef56b0d781163c15354

SHA512
92608551a02f58eea5f020e7766b445ec0dfc208dfd9a975a9b5a44dd5f57ff9916e41f84c01bf00638878d6a43d3ef8441ddfba5b00dc3659ff0b42384602fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3a06ca5104f7c426235b0dda9f9768f

SHA1
f586149c1a5e4865fe30f5f8cfe3ee4627f34a42

SHA256
91c9f05eae8c7e61d79c9bcc29f83fcddde9e2a532511155029466a410e9c404

SHA512
fe3f1b4b3df44228c9b688b3bb7a20992f490a7ecfe57443dc1e8dbfab813bb6fd4bd5c92403888fac8fc9bd01e627e810e11c495dc41be6cc93867018dfe0a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44ef7f1f2132976bd0eba91ebbbe143d

SHA1
bc6464c744508a7b02480788f385c26042151eb7

SHA256
74a72e34738edd7bda8dea4bb5cce04da957670621ed5b929381c0001255203e

SHA512
f7c87cff19a590ae7cf5558709cb48c0edd6535cc2f5bff18f48d2121b2e0493abca72283ef65a39445e1616f9e039fcd1633a6ca8f1eed675a6618f4afb4617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f281e6ce509568cecda9b63e9d74f39b

SHA1
acbf29f5815a79d44197950d27d7e7a7f1f43c0f

SHA256
8172e08ad0b9421317c08e5f42505b01939abddfc527f871f2accfbffd8eeeec

SHA512
5b41f59ff867371956539cbb4e2efba2368e498eee468ace1d8fa9bb0cb4eb508527e9af16c838ac844d3c159897d1470a73fb8d3c8da12f10fa95318053628c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22c7b0e27d0e0ffd40949b1191be4937

SHA1
a3544b6c248317f869c4da265e541fac47baeba0

SHA256
839cd72fb0f2d90ee2aaf413c87fe690e9596e864be058ec7838bbd5b35c907e

SHA512
8426ff3f31613079d537e394e4372d84b11a7329ee59515d9f1bbe1740b0fd1756f57c7f1b1571d0d46729cabb49dd38c3dd7e10509e6c27320d0a50be64372a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f1ee38ce47b82d8d706f366b3ed7399

SHA1
1278f14302d2d73bc5b7bfc6daffc2fb6e9c6a35

SHA256
b8d247c06c86d2be99cf1b62d5e7840088befce48c0457f58526aed0be2449e9

SHA512
8aab584245fe93bf10a4e8c68ed4415a0a2ab6912f8db4c1ec8e65182f6831d259d37a80cb5b855710cba252a9114f74d4abdac457ed78bbb327246477d0038a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6510c4aa9abd58f3ae7a52344fc6d6ba

SHA1
73dee0aa7b93e8dd896f54b0c5189918787d4479

SHA256
f4584e58fb7c285f845d5f7d1f03b35cb00770a957c26b24f73127ec6d16ef36

SHA512
9e44f9db347c390661a0b9b02269a93d4474186e5aac1843988ed264d3dfe1bac95fc7c05e8a7870ee419412920909500548e6db55fbf2995b93877dec244a18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d67496d641e13c6fd633eed1e764d357

SHA1
631650c9524682b84acfe7738ec7ff81e74b0d6c

SHA256
8795444b53ee36cf6e42ffcdb0e6b6e48ab624e23aed650e5a3cc791123078b1

SHA512
5ae4a180c0edbc1513994fdd7d301896bee6396e5a2a65ee5658549508c5f6d59745cef9b2943dcc88c6c4ae68b15d04cab469e7bcca0f3001f9f16f3e34d40c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8564a9fb2a28f780c9b9948c63de6ca5

SHA1
2e079ab2b4e545688b253cff3ad0476be16276ea

SHA256
0238e86e10fc4290a28994df2eeabb3c583f2d2829930d2c1b53da69e5aa7a93

SHA512
539993f09b49b114d9c87b82f7261f773697a89d15cf0d2534cbedfc2f20d0a435044be35722362f9c987fd8b7c08f3495162fc145775b506fa603fd8abe7d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d569d65fed4adfabffac8598faea6e66

SHA1
b4b5fbf632a5156db49f20fe1fb98d9f2c6a4ebb

SHA256
5ee4a71ab36f4e9030c0056ae7df18fba5812ce855b14f569184aceb96302bdd

SHA512
b128664d920afa1cde3f19b29b8c2da173dd5acb853dbbd77265f84cfa9b049ee629a926ec2c15abfaf4d6059b5ee7ed2d8c900ecc1d11ad61cbc89e7c61b86b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24665e704dd869ea49d6ae64b576c56d

SHA1
bb942b8390b17ffd79e1b70f3125a9b83e6eb3f2

SHA256
babaecc3fa9abf22f7798fe4a41e42b4c7adfe00c7f44f02f6b502cb17306799

SHA512
37f1a214475c139ac8ff806c2bce3393e4ab8af098c513108d8326b943af83f0121af6a64221831419918ab196368ad836a35d087cb15e22098b794e8917922c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
226ec2568131924207e254faaa3c71d2

SHA1
b2f3fc149ecb3322fd14b31305ae83037cee3eaa

SHA256
3e6f7984d134550d14fa766fedcdf6f63ce52679fbfe3de7cf401c85ec2eced0

SHA512
c0d2fe8a53326358637fdfa2dc6a176923c0d6a8575bfccb6f5ab18ef544781e778b8483227748612434e8428adca1063ee1345bce6fdbec0b3385cd712e8ab7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4c05753587225446801c260988c4767

SHA1
2a35d296aa529024111522881de7eed471726b4b

SHA256
8e193afa106b37060b4eda23e94eb8d4e47f241e18b345ee1dc2e4f8a4c1ee5c

SHA512
fb7dd8f6c93d2da5af4f8d2e0c85b51794afe9fa62eef7d72e378206b974c5c5d92643bf721cdc1bf575a27b68e47cdc62862eda022f2cc789d0c2dcadbb3453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ec335f95b6f2059ca22de39195ea291

SHA1
87c57cd4b988c13cae179a595addceb919f329b0

SHA256
fb735a27430054a7e6a96eb5981773ac413c8030876a294f8db1d910b00b3756

SHA512
31f605d2ff2d75b12236bab4473e92241e8f6f9b2b4c1e76db25dcce9c64bd2fd6ad3540dfb877eb44833e9c9dfd238c3969557c714326e215655b56d8ee4607

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d441d3d625da24c7ad14de2e38b4410

SHA1
9fb9f2a4e643bb69422d518af1994e9bbf06df4d

SHA256
80f7610f6a04dd62fda9cc9905aceb24ffc876cb96af513cc378eb4f4b00ad82

SHA512
1aa3374cc8943c54da5f370b504b569958d49d24ee8d9d04a587c6998a3633ec1092519c603ef5ecce6c0aa694fbc695182a834341c73dbba314c260b7574b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\6SA6KUIY\www.avira[1].xml

Filesize
224B

MD5
be7fc4c124d31b41653e09f653cb12aa

SHA1
d4cbb991376b0da3b586b25d2094f41f5fdf0f53

SHA256
0d1ab5398ad97d66ac9b9748317649332a7270290c7287c6cdab0b9b34a92376

SHA512
b49c9a8bab38a8b5182350d5184dae1d75b9633325d05de7a3766a5792288c8a9697ebd8944a8f3f3081ebcf9e5f2eac1a2075237c8c4cfed86fe30df482b862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\6SA6KUIY\www.avira[1].xml

Filesize
437B

MD5
5bf97d3b6e814b16b142b63075f5f7c3

SHA1
21ef4c62b29640a8176029c948c1967eddffda3d

SHA256
2223da3fcd15606774c2cbea624bc4dc6322e944ef016d6e5bcac985d5759f38

SHA512
b74761cd93612160a2305b1481083b5aa8bf3214c251ffcd329e00568c782fecf4daa0e4ad54e336f30421eef69cb0558d933c41fd78f8580e1dce9d9939a11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\85y7ywt\imagestore.dat

Filesize
1KB

MD5
47ad44d38bb9266abc4b35a06245b86a

SHA1
62c0e3c8a530dd1cc7e4e07207a3f6bf9cdfa640

SHA256
1a78fe1af8e8f79fcae8c222d919eeb8ce6cd224a9ba1eb9f16008bf82967af8

SHA512
8a0ef43de38b2919e1c43cd4645b834b30cba14d356e22341318ddba572a90bea5e771e7125b3efae6c5d6ab85948a262fc1339342f12293bc08614bd90a7071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OX8Z8GR5\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC89F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8B3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\654CK1Z3.txt

Filesize
394B

MD5
324e4b3c8b558651e340b096501f49b1

SHA1
4f7b42aff5dcbdf9629c2dc5c0e8471f4dc5dbe7

SHA256
91d79a88d8471e035b23038fa829c3844817730ff7952389907374785c66b952

SHA512
e7e33f4bdbb9dcca3cd864d4e35c1b43cbc6a376db1ee95f94fd1320dbccd65ec71e720d1d1c9aa65830dfda48c34d90f08116ef7d7959a4094c93fb59d7db5a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B7DRS2NI.txt

Filesize
642B

MD5
df528f5c29d4d69bd3d82beaf947e8ee

SHA1
81cf8cd3bdcdfdc444fbe4c82fc7d726e3a66200

SHA256
b972a70894d6742ff2ab24ea300455ca428fc14758c63772dc0fcd65e69f4e95

SHA512
427fc92a3db3f0dbaa470faabfa1d3637612f452fdc404107b233b6249c972175d82366b73e46194a2810f1db0dc31a058568af32f7c5f484d43ea7878845888

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EI48I9KG.txt

Filesize
583B

MD5
0728a5cd90952422d0792e792cd92d40

SHA1
b92ea654e049e88c1aef7338e14353c76eb5654c

SHA256
f27fcde11b1cc3fc3caa088f49903fa05e58a2ba6e67cb244c7157b8f838d56e

SHA512
6a6cd236d9f8eb8020823ccdd776afdeb425ac7c728b3d608852fc5f699989198236e65a435259f446dbe45172ba23d7bc8535f3a0c00394731aa4c18cb577f2

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
76e50725ef984976a7e79f6a9bccff6c

SHA1
dd2ef6d11d1f55eee052edabb02e497ca62c88f6

SHA256
ac96b6a08c6451bff50e320f4f6192b583a2204abad545454e3dd9dcd9e306b3

SHA512
04f63ff5f3ad4c7dae77112bfda3124a40c07f533688281852bd0edbf863283100db329b32565305e8528b24852386c57561635ed2e2a424b5fdae01d93b6577

Download Submit
C:\exc.exe

Filesize
346KB

MD5
797d6443e3d91af4c4b288b761dab70e

SHA1
09a4a54b274d587532992818128fde38ba68937b

SHA256
bcd8bd5d74f626b54d008cf058ebb62c4efce1c709dfa4082d497fc1f34c937d

SHA512
f1afd246919dc2d53e30f0968950b1bf15bbe39bbcbcd4f64719e2e9254c4ac354310b12b61bc1c6530fbf191c4a22f22e4babc6ba3302f7b1a42023cc18e3bb

Download Submit
memory/1580-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1580-9-0x0000000002AA0000-0x0000000002AAB000-memory.dmp

Filesize
44KB

Download
memory/1580-4-0x0000000002AA0000-0x0000000002AAB000-memory.dmp

Filesize
44KB

Download
memory/1580-128-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1580-129-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1580-130-0x0000000002AA0000-0x0000000002AAB000-memory.dmp

Filesize
44KB

Download