16c8a7935a1d89b333a0c28ce6f47a812cbc4dcf2d4aadf38331f0f8c3cf636c

Analysis

max time kernel
145s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Size

29KB
MD5

73be789cb571f3dd9914921b226864fa
SHA1

5ac49b649a70d55b5580ebf7121b858301643f1c
SHA256

16c8a7935a1d89b333a0c28ce6f47a812cbc4dcf2d4aadf38331f0f8c3cf636c
SHA512

f08879d5623820d4713179329a98681edd84e4d186d3db078df136a679bb7a5a121e1d5ee04dc47b433fc6a0d0c4ea564820f6f8dbd899fc47b79b2ca9f003fc
SSDEEP

768:B2TyH2YMISjwcsIJuQPeyj5MFndnefDNkRwpFfAIc/kEf2wAf8oIK:4Ty2YMISMcPJuin2Fdne22DfHIK

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\beep.sys	1.pif

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 60 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wuauclt.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WOPTILITIES.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Runiep.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFUpd.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Frameworkservice.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nod32kui.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mmsk.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ast.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RAS.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASARP.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoRunKiller.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPC32.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVWSC.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonxp.kxp\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GuardField.EXE	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.EXE\Debugger = "C:\\Windows\\system32\\waucl1.exe"	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	1.pif

Loads dropped DLL 2 IoCs

pid	Process
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\R:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\S:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\T:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\V:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\P:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\X:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\Y:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\E:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\M:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\O:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\Z:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\G:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\H:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\I:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\J:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\K:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\L:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\N:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\U:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened (read-only)	\??\W:	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File created	C:\AUTORUN.INF	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened for modification	F:\AUTORUN.INF	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File created	F:\AUTORUN.INF	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\iexplorer.exe	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\1.pif	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\k1ogon.dll	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\k1ogon.dll	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\waucl1.exe	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\iexplorer.exe	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\waucl1.exe	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1867280932"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "1867280999"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EFB651F1-A085-11D6-B3C3-F67F0CB12BFA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{181D17F1-A086-11D6-B3C3-F67F0CB12BFA} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeBackupPrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeBackupPrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1348	iexplore.exe
2320	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1348	iexplore.exe
1348	iexplore.exe
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2200	IEXPLORE.EXE
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE
2156	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1240	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1240	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1240	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	30
PID 2520 wrote to memory of 1240	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	30
PID 1240 wrote to memory of 2908	1240	cmd.exe	32
PID 1240 wrote to memory of 2908	1240	cmd.exe	32
PID 1240 wrote to memory of 2908	1240	cmd.exe	32
PID 1240 wrote to memory of 2908	1240	cmd.exe	32
PID 2908 wrote to memory of 2072	2908	net.exe	33
PID 2908 wrote to memory of 2072	2908	net.exe	33
PID 2908 wrote to memory of 2072	2908	net.exe	33
PID 2908 wrote to memory of 2072	2908	net.exe	33
PID 2520 wrote to memory of 1648	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	34
PID 2520 wrote to memory of 1648	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	34
PID 2520 wrote to memory of 1648	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	34
PID 2520 wrote to memory of 1648	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	34
PID 1648 wrote to memory of 1068	1648	cmd.exe	36
PID 1648 wrote to memory of 1068	1648	cmd.exe	36
PID 1648 wrote to memory of 1068	1648	cmd.exe	36
PID 1648 wrote to memory of 1068	1648	cmd.exe	36
PID 1068 wrote to memory of 2364	1068	net.exe	37
PID 1068 wrote to memory of 2364	1068	net.exe	37
PID 1068 wrote to memory of 2364	1068	net.exe	37
PID 1068 wrote to memory of 2364	1068	net.exe	37
PID 2520 wrote to memory of 1640	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	38
PID 2520 wrote to memory of 1640	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	38
PID 2520 wrote to memory of 1640	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	38
PID 2520 wrote to memory of 1640	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	38
PID 1640 wrote to memory of 2804	1640	cmd.exe	40
PID 1640 wrote to memory of 2804	1640	cmd.exe	40
PID 1640 wrote to memory of 2804	1640	cmd.exe	40
PID 1640 wrote to memory of 2804	1640	cmd.exe	40
PID 2804 wrote to memory of 2820	2804	net.exe	41
PID 2804 wrote to memory of 2820	2804	net.exe	41
PID 2804 wrote to memory of 2820	2804	net.exe	41
PID 2804 wrote to memory of 2820	2804	net.exe	41
PID 2520 wrote to memory of 2824	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	42
PID 2520 wrote to memory of 2824	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	42
PID 2520 wrote to memory of 2824	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	42
PID 2520 wrote to memory of 2824	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	42
PID 2824 wrote to memory of 2760	2824	cmd.exe	44
PID 2824 wrote to memory of 2760	2824	cmd.exe	44
PID 2824 wrote to memory of 2760	2824	cmd.exe	44
PID 2824 wrote to memory of 2760	2824	cmd.exe	44
PID 2760 wrote to memory of 2852	2760	net.exe	45
PID 2760 wrote to memory of 2852	2760	net.exe	45
PID 2760 wrote to memory of 2852	2760	net.exe	45
PID 2760 wrote to memory of 2852	2760	net.exe	45
PID 2520 wrote to memory of 2960	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	46
PID 2520 wrote to memory of 2960	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	46
PID 2520 wrote to memory of 2960	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	46
PID 2520 wrote to memory of 2960	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	46
PID 2960 wrote to memory of 2628	2960	cmd.exe	48
PID 2960 wrote to memory of 2628	2960	cmd.exe	48
PID 2960 wrote to memory of 2628	2960	cmd.exe	48
PID 2960 wrote to memory of 2628	2960	cmd.exe	48
PID 2628 wrote to memory of 1220	2628	net.exe	49
PID 2628 wrote to memory of 1220	2628	net.exe	49
PID 2628 wrote to memory of 1220	2628	net.exe	49
PID 2628 wrote to memory of 1220	2628	net.exe	49
PID 2520 wrote to memory of 2864	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	50
PID 2520 wrote to memory of 2864	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	50
PID 2520 wrote to memory of 2864	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	50
PID 2520 wrote to memory of 2864	2520	73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe	50

C:\Users\Admin\AppData\Local\Temp\73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73be789cb571f3dd9914921b226864fa_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop McShield
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\net.exe
    net stop McShield
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop McShield
      4⤵
      System Location Discovery: System Language Discovery
      PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KWhatchsvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\net.exe
    net stop KWhatchsvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KWhatchsvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop KPfwSvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\net.exe
    net stop KPfwSvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop KPfwSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Symantec AntiVirus Definition Watcher"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\net.exe
    net stop "Symantec AntiVirus Definition Watcher"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Symantec AntiVirus Definition Watcher"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1220
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "McAfee Framework ·þÎñ"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- - C:\Windows\SysWOW64\net.exe
    net stop "McAfee Framework ·þÎñ"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "McAfee Framework ·þÎñ"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c net stop "Norton AntiVirus Server"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- - C:\Windows\SysWOW64\net.exe
    net stop "Norton AntiVirus Server"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Norton AntiVirus Server"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2672
- C:\Windows\SysWOW64\1.pif
  C:\Windows\system32\1.pif
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1348
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1348 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2200
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\packet.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1272
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\pthreadVC.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wpcap.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1464
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\npf.sys /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2916
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\npptools.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\drivers\acpidisk.sys /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Windows\system32\wanpacket.dll /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1584
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe" C:\Documents and Settings\All Users\¡¸¿ªÊ¼¡¹²Ëµ¥\³ÌÐò\Æô¶¯ /e /p everyone:f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:320
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2320
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AUTORUN.INF

Filesize
143B

MD5
33b7da2b6a260b7ddbfa9307930d6cd8

SHA1
91859a5fac5043489c0bda9d6537393679e78789

SHA256
6e7372539697726220bdfa0c2cd02c490ea07f1076abd8e06282db7be95229df

SHA512
3a2eb8462dc03f192e9022245dc642856f5456b958af526201b77eedee427c4eadfb05966919fb1020b1143d5e9a7a35445e1fc352f97950084f4bb5d518c60f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f91cc81f6dcaeed53e231224fd476062

SHA1
fff884b833e1dfaf5c2ca399e0debc7f1a931112

SHA256
87f182a62b8883fbfea4094e6ad56d4ba926a8339d4951ed90bc8d79bef3c82c

SHA512
d9bb29408cc0c86762fc71655960b925db038882b9cf5a9a51e372f932f0e0506c8f8fe55351a0467db182d21cb7259efdb81f72ad30b3b5604778b7b98c0ef8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbaa0fcbfac35e6c3111945dae089824

SHA1
419e5ac02ec67d0743368ea2f992c93003b03173

SHA256
6a6279b25e97fab34d5acf47c7be7649a0df7d6c72429d769b82c8e7a76817b8

SHA512
527bfa16ac258870fa0cfdd893907a036cc8380f03d6d1c1559fea55caceec0dab0063a2dcb8dd92737fde2cb47ac68be796360de9f3861ee7bfad37cd3c5815

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e07b6093eac034cb4a9f4452ca9c16f7

SHA1
36de20eb8fb9435126a3a2304b2dbd0052b20c9c

SHA256
5ee528bbd8e9561c01d1c13b5d5348edfc5a82c8595c4cc4656334c11e9be4c3

SHA512
5af936e540b04e4413ff88fbf4260ff609e98638197bde0171ce52c699d1d35e570a092231aafe967fae411e9c6b44c092fb3d8e49cde2843cc41a35ce6db0bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4cce651a1a32276a8cb3228aa396aab

SHA1
e38947e347ae0f284b7742e5cbd1e535e7edb7f3

SHA256
e5046cb00fa8b47e9fc27969f077605a9cdd183fa7153a9018c2962049bb4f5c

SHA512
4f36278932f3d6970c0a97977fe3d2b2ef8ebfabe83ed41d0d814b1f89626b798a05a43ff917ec16360300dc1dd3e93ba3270359dd2d34be50cfdbbbf41302d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79e79796627eeb458a32ecafe9d17a22

SHA1
305200969a97d1266d355b4f2900a0fd4b883607

SHA256
5146b9da02f6d7e4902c1c39b2d1f943dce2da8094ccbd78450163bcffa02d4e

SHA512
37c114a3a72bd5f84e9cc077b393f60752711cdb7c6ff60a0ccc4f616741eddd562bb750b5034de155f22308290511b737ae47dcfe1344eec92cd5a83d30769b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b1fc40d3d18afe71bd8094af014d84d

SHA1
0ab19e8206c0acbf4fa223040f86c08bd77ae365

SHA256
363a0c35f104b129b42daff83ff5106cce0d33e1135ae21796b108ebda299eea

SHA512
48603028e42ee36465e6cc75ae40de734ade9f48f7d440e351af99275c81cc3c14a51664446dc7740878417b53eb8bc0f3d3bf60475744da942f9fd193c7a07c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1cdda68b52f12677e34c3973ee80217

SHA1
f990a303065a351bbc54cc889fd9deb14e2d64a9

SHA256
1257aca646a8ec1463af3f0b3a3929f2971ae901477e1f73de0fe28a04a9d3f9

SHA512
2123e7de697646c1968e5546a968f8f90e066d930061bc3f05cfadfb38b9eade3aaacf55a3ad385380b806709e15b81d6df25902bab154fdfa0f31b388657ece

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e417e28e707c7640e063ec35fbee61d6

SHA1
e7ae14a8dc8c5fb47ed44b4e56becdccb315076c

SHA256
3d957ee790d0f4ff2a898a48ecdc1f55fea0eced0ff5b277f234417520a1c722

SHA512
ebc0ca1bc4cffb0018852b5a06258f6cab9293e7b55684a88ece5bff3961bfedc68bedf2773af7be5a4a63c871088f6dcc192aa4f5237eb349fcf79bd3d51bd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfbc9a36b2b0d73cb57e7188bd59832e

SHA1
078446c5a77ea47bd1287ae4d669b67e135d479d

SHA256
9a5c3eaea406aa3ab59cab0da0ef899fe1795abf08da554b78b2bb5792224a61

SHA512
bda601ff1cf02b60bf4266079dc421c72b5ce3b1e6f6e076f43532038654d33f0d7725f8e1f8bd1c0aa83a4b9c988bde45ca013bbbd5dba65f0bcbf13c3a3828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88578d3c6260697361ccf21f804f5a5d

SHA1
6eb6fa4c36fb9cb153f4cbe329b516892f376d72

SHA256
a33fbbe9d95f2a2cd7282ee3dc9fa36503ba26030966a05d32b76319875ab2b2

SHA512
7e687534f88a7f1131390465e0a71ba41fdad218af30187cab65d41861480908f4c95bc13f5231ba241025056e561c3f415c0e1143e65d7aa28ba29e10015ac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5224b8b3325034dc4579c94c81bbfa97

SHA1
620bf141876f551624262b285e783063ffc1b05b

SHA256
a1cc23b0140c99c82252aa8c30ec348e7b368bd675c3a98aa525e693975e5401

SHA512
154d877aa4dca392d7aa00c9ac8dcb5a073c482572729311c984440bdfe39793f3b0079ec2f707bd713e0de83c6258dbd508e5e72315f8a1a8db5e6c63198ca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb1c918065a1d52b682899e37f62c568

SHA1
f39330e2c2853c922cb5daadd8a5fb7741a5abef

SHA256
63d4b6a7b28843d8c17fa2afeb50a71b4274923c5ddf30acdf8263b6e96ba711

SHA512
c7d64f8fb733e45af4bd2a9ae308072a4b495025770dd25874769384f56553b593e6f2edd49fd7e10b68aac8fe960fa5c37b2126b7ce121e9db2d5453a23b92f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0908f35f4680fd1326755ae6c74bbe1

SHA1
625c422abdbe96d9707777e9d31e7190ff7e0d4c

SHA256
39cc2f56e391fa1c03a55af768b18191aaf800cb40a97d93881e0b734062bb93

SHA512
24042a14d254d6395c7b9af866043e58879c40ab2cb9af7204736216fc76d0bd9e35536062f548e53aa830c7b0b3e97dc557f640146fd5bdea3fa11fc5bd8efb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9de7ea7a4e630e04465febae0cf1211

SHA1
0dffcdbf05c05cb4894ca8b71bcf5e2a063de20a

SHA256
89affa14bc3a9d0034daf3d8a21d994a772289f1cd5f6219872532c0e39aaeba

SHA512
0db9be11f81b8504c6ad76bc7559e5e6e895fd073383fdf162a9052097bc41655425454c336662de7d08493d7468584787a73dfaa66367292f18f410a3153a2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a29137e4acac51fb60e174e78000bede

SHA1
dfe7f100e8860e7c5c72940b569f5cd9b9eb71cc

SHA256
bb0a2d2eb3d258843a003de290b60175622db459b691646cb0a3b26f409b545f

SHA512
68e714cd2374c4f3543866706ddda2550c6892d4b203490278cf4b399ec303de69b1e0d55770f8a06292bbebbfe2f3520841e781cf17a8c65b1dee70e2404c1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdf40d488bff67e5acdf10a6c4e1a598

SHA1
3baebd40dc5b911bb7752bb137c2e5591cc6bfff

SHA256
d30a4eacde94c13163d0b37b9e4356ab5051b9ba0fc3a46a1ff3f0983c42b43c

SHA512
54a4a29642b7b9d3cdedf4177f520b244d2aa2cba3896a5eef6537aadca487bb1139ae31f4871165c1357446d372c806431ae13e853c7ecda44038f98d8698d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4322b905d932457aa778058910d673d

SHA1
5f1957455d31632f1ab1ad3d6f57c769abe0d809

SHA256
026a2386cc339d08cd5517b9fe9f1df58c0fcfc7157fe60604abd36c3e33ffbe

SHA512
352482061688132d6b2873d24eb003ca1721f939aceacc369507ac9acb6a623c2d76377fe59a89dd5efaf323813a1f3af656555ea0ea6cb2334a45abdab7a145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a646609f57f950c4508802d23d16353f

SHA1
269b4b9675d41b76eaf60b8280abd72f280bfe02

SHA256
4804d23faca76bf87dd8239281fbe3149e26a73cb0d5e197c2b1cb65044ce11f

SHA512
712aed637202960d26a34be7ebd2d239fb8b33af28d66185f7fb5cea0b6bbfbebb344ed658593bb4cda05018e907a8a1df0fac28e23d5187673e0d4942ee9771

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c34455ed621bce15dfe4a3114099788

SHA1
dac3ab7098b4af2387e9fb88bb6404fde0485bdc

SHA256
2c49be714a2273bfb797c45087d09cdeefe3e110b31e5b2fd909eb81a1d0d43c

SHA512
274c8a4632512401f3795b0b85c53f92eab2d7d8e6003fae12c8a4814c5c25a07291482044f2222518a82944fd658ef20ce1a1ab9033f8330c2cf4d565adb8fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fc3bb4c601f40a4885def450dda5f00

SHA1
3ae72a063a14deba1922d8bd5c644300d5ceea0b

SHA256
bba2d71642749c5c17565ad0ebd1fa08605fce83a1dd01b6225cc06ddfa3601e

SHA512
ad9e22bb7f568aa0a4845aaf490e6b51e98b760e166962bdc81ea76cda11d55f5df69605290cda643e1f5f7a9bfbf747548093d28d8d707204cd2d3715ab4cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0415a6d5bda02fb9457692a939e55e7

SHA1
34ac468c2928b86c0fa3659bafd6fb3230de278e

SHA256
6f06369c26c0b814a74cac83ffd4f06ffd2da360ecde51a9ba10ef6cd6a457cc

SHA512
e4d5a7e6a38f2c59595421c8fe5b398931a2bfcc6d25d405a34fe95935d49bf97084f6ad62a6de8c296f9014cd964146d1ebe5640278fc473a04ed94c43280db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4045ebb199647d5b3e06136fd18a3354

SHA1
e716711afda222a35181ea97f99eba7809a081ae

SHA256
55c49eba07d3de45e9fa4cee9ab41ebf9baa554cbd97c5fc203457399015e767

SHA512
56ada688d30ec8d231f8ab3f27a5c3dae27529b149b698e28fc653f6876eadf5bb7d0c6b9e6813fb382a07a60f114cb923cf1c95d77e11eef8e129d1a6842d07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
352f5354d595032e73e4fc98a2430a3a

SHA1
ac2d1e7990eee722bf6c3037a0303e728f339101

SHA256
3d9a8411a9a3b4107b7188ca7a40c70e1696441e8bb3fa9a1cc231dd94efcf92

SHA512
7033eab17f7b0ec90bf14c6950c8c7fe941cd5256cf1a2f3df6c4b5ee0942d2a2f43ef4700b830da07cf5a4df159ce889b6db64b1ff495f215d262fa4503ffcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05f6b312f72b674427f849106bbb594b

SHA1
cea8d8d71c7e975bee4553144eda5386e790adc8

SHA256
16f82028628947df1eb24a4321a4af9f59f42a65f44c778744ae656481fd75e6

SHA512
4442234fcb605bff4cff5634285d47ed0a7ac321b3127a84a557de650d8e616f28d41b64bb4dfe397ba86b3023809c5561e3a98e2e3ec2d6044b992c2979a2ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c333686d683e8b00cd76157b1f87e1b5

SHA1
591986c85277d0c79e846af2894f8b6b567f9907

SHA256
0a7a744b09b3107e56fe4a0e1f9351c42d1ca011eb94f2d4d3e32c5da78d9e95

SHA512
9b6df1fd47e799357eb5546040808d80ddcacf41d9e8b5e37096e17dbf83dca995d23069ad0f298a57ce6f4961a29b426983f6ea3ebe99fded50941f61be3b64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92068702fdc49dc93d68f0de4997ce40

SHA1
0d44a681d7c021df1a6dc466bbf755a63689684c

SHA256
9ba18d27a11e45232aa0ee0257468c8c6b598ec9e653624a6a288e06ec5799d1

SHA512
3b94c6f496e275c3da5be13dc84dfaf6bebbf534c5aeca749d6f4c83ef1eaff10600153c61d9e2eaf570870107fee646722f870b588092572c3a096388d0637c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5c9aaf1320c98b959a11fa3f6da5d23

SHA1
580b24df0ae191454a8fadb01f1ba84fd8d2278c

SHA256
0b0729bedd73a01b644dfbd2cfac79670c6a3a5fe4c4f59e18d258d385b8d65c

SHA512
ea6dc36247a3dcbb5860da747e61af0c66410a7b879dc3db45dec9ee018db057fc493aa5fb9a0ea6717b57ba012951580e48f584d0ee8161d159e11115c47ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81c3b77caa25178d8a7d63d14d69139a

SHA1
524008499d2b4ca54099ca73e4393fea9d86da0a

SHA256
0c15b47bb40daa0345ea08a4436760558641ceeb8ea3ec402a41e583e1302117

SHA512
f674bb52807d39976b85d8ac69d87a3f313241e264c00df6ab82482696201a13d2a492482224d2c09f366ca062a11d38cc2a665de4154c302b94681b863cf768

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67a51f66e75fc21362415fc412aae523

SHA1
67154edd3514f9750789b00a943abecfc5dd2251

SHA256
a5ea5d92e872047a95ab8f338b79a920da946930b0517d4347d9fb31850e8687

SHA512
110f8ac0b88e4e4cd71777e4ac8177a874065f10284f044b76dda1fe1cf17302e96817818cfe9a37f13a7830f907649ff80407d334c13a5ae846eb383e9327d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4678215cb6609c93b3b54cb362284054

SHA1
a0428905bfbc180941d4c689371724e737252344

SHA256
dd6a60ea201df3af43cb88ba0e551fd53fc68d8088a04a579fcfa9b5dae90f34

SHA512
d2ee8d5a4a69372db83318da19bf90354f6e1358a4ce6808c5847bf8fa10194a3671b7b28cedeaf12e76cf1758d8ea90b1df3c89655e2ab36359dcd52d013977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
981732fc9b003100632ac94c4b64e315

SHA1
166c1db9bf00814a632eab8988cd176f9473e184

SHA256
a0bff36be417e3a2ef71c0587de0023756b37fcf5293a9e765d962d4da4c0810

SHA512
2b2c9412662ccf1e671fff3242ac0198314c35229ab1fc22f921ff8dd7bf2b60dae20fd50cdcfaa1ccced4646fb93a1f5b9b92a367f953fa537bc4ca9c0cf27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCB6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFDC5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\waucl1.exe

Filesize
29KB

MD5
73be789cb571f3dd9914921b226864fa

SHA1
5ac49b649a70d55b5580ebf7121b858301643f1c

SHA256
16c8a7935a1d89b333a0c28ce6f47a812cbc4dcf2d4aadf38331f0f8c3cf636c

SHA512
f08879d5623820d4713179329a98681edd84e4d186d3db078df136a679bb7a5a121e1d5ee04dc47b433fc6a0d0c4ea564820f6f8dbd899fc47b79b2ca9f003fc

Download Submit
\Windows\SysWOW64\1.pif

Filesize
7KB

MD5
ed39b3accc3428934a21772438640be5

SHA1
796bf164ff32f1e7453d31988fcf7b2c5e072ed4

SHA256
a6a2a4c186b787bc13242f0ab1b5c0b422aa978847da0841539db848faff1fd3

SHA512
d87af3b1597973497808c215df184640487d9a5e32961b74345bde2fb3d2dedce98bcac5384f096ae533e14961ecf138ecf27b2e731ef3e2659d55bd021e2ff1

Download Submit
memory/2520-13-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/2520-4-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2520-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2520-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2520-25-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2520-0-0x0000000013140000-0x000000001315C000-memory.dmp

Filesize
112KB

Download
memory/3064-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3064-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download