e4ccbf60552add00030a27ff32e4a5cf109c4a0e6c110935c70f9111af2ec4ea

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Size

980KB
MD5

ebd4ba76bcdc37a064b0506b4c2bd750
SHA1

9225144ccc2fbfe675d921b089e186a2ea7a3c1c
SHA256

e4ccbf60552add00030a27ff32e4a5cf109c4a0e6c110935c70f9111af2ec4ea
SHA512

a87b8cb9e10684b37f4dea9cd1bd8a97bbc5fb6084b515865d90cf8eaa3e842c39e7fd044337324e3449aafb3eaed039eb2c3aec540a5ef297a72792404846e2
SSDEEP

12288:jLPe/tzZCIBMMugHRkj4ptpvkizYIbdpyy0FQzVKCXVzQyiJ/DT7U7niEg04Oy+n:jje/t9NtH2j4ptp3EFanlzrBniEB4OH

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\K:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\L:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\M:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\P:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\S:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\I:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\T:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\U:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\W:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\Z:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\B:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\O:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\V:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\A:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\E:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\H:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\J:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\N:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\Q:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\R:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\X:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened (read-only)	\??\Y:	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\winproses.dll	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\GIFviewer.ocx	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkvertise.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000006ef60642d96c96fa8aaf206647669996cbf4483047b3d13bfb6599992aba3c3a000000000e80000000020000200000004aa1d3c5a553f7f936bd8f9662ee8b402b26473e4499078019a8cee6a502e3d290000000e930e80ee035a552457274cf6dd95c4781d796f4270d04c55d64cd60963c7b69e38ebd0f123202557c864933a542e39582969c0b012c2e6e87c4a8c8d9ecd72b8b01332f110ceb7cd0272946fc2f8cd85ede1b74c3baf85a3fb9a7a8a271f5fe50dcd93cb363fbec2db4a26a9ac4ca179d6fa58519689223853fbb47ca03716f5f0f1c1fb834706f49b18fceeb2038c140000000b97f981976f4b35aefcd2335751a76c3530adf65b78da193c81314f5587a5d8f5e7a02097b4c98dffd6995b97e8fabfa93907a42a4f087d8723a109248cd65d8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8A80351-76AB-11EF-A7C8-6EB28AAB65BF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432928440"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e2198fb80adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\linkvertise.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000052b422a203e37c4ce0b89297f3a6b9ebdfb3f4679db62210cab9016ca88de42b000000000e8000000002000020000000de3adb4e98deffd3d7b136b0869a0b90a925e5b2201c8efbd607f07edd5b8d8e200000008c9bb4ebc525abc56db586c5e10c67c9705411e8ed7e470a5dcdc47e8f41835940000000dfe0b3d91ba87adb3fb0ead82d3c6224658f468add222b2b299c0285227f0b49f4fe3b146c5688fe0e288a72979c1ed92fd1baab16c152195b7cabfbe9c2e177	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C8A82A61-76AB-11EF-A7C8-6EB28AAB65BF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid\ = "{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\InprocServer32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\HELPDIR\ = "C:\\Windows\\system32"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID\ = "WelchGIFviewer.ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\ = "WelchGIFviewer"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS\ = "2"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION\ = "1.0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\GIFviewer.ocx, 30000"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\ = "WelchGIFviewer.ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\GIFviewer.ocx"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ = "WelchGIFviewer.ucAniGIF"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\ = "0"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2740	iexplore.exe
2816	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
2740	iexplore.exe
2740	iexplore.exe
2816	iexplore.exe
2816	iexplore.exe
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2708	IEXPLORE.EXE
2708	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2740	1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2740	1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2740	1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2740	1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	30
PID 1452 wrote to memory of 2816	1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	31
PID 1452 wrote to memory of 2816	1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	31
PID 1452 wrote to memory of 2816	1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	31
PID 1452 wrote to memory of 2816	1452	ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe	31
PID 2740 wrote to memory of 2708	2740	iexplore.exe	32
PID 2740 wrote to memory of 2708	2740	iexplore.exe	32
PID 2740 wrote to memory of 2708	2740	iexplore.exe	32
PID 2740 wrote to memory of 2708	2740	iexplore.exe	32
PID 2816 wrote to memory of 2344	2816	iexplore.exe	33
PID 2816 wrote to memory of 2344	2816	iexplore.exe	33
PID 2816 wrote to memory of 2344	2816	iexplore.exe	33
PID 2816 wrote to memory of 2344	2816	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebd4ba76bcdc37a064b0506b4c2bd750_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://adf.ly/82712/home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2708
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.banturcity.co.cc/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2816 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
0c10fe4ff8a61a62cbcfe905b7bd541c

SHA1
02f8e52629f30b456bb3ad65bd8551d12ba26d99

SHA256
39cc5f82dd2771df6e2a372f8ab944eb47f377d300ff5b1dc2e7c814c1d036a8

SHA512
63f85c07764be4aab6464ae2d129da079e83d9ad72342937d8273794343aedbb57b63ff773e572cfb3c1ffe259c9d019cb1dff04990d3139c37c0102be67f7b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e4e44c8b8b5693b2692e32dcfda0bfc

SHA1
7ab710c75c1afb2b9b7f5be65434f204ec3a5280

SHA256
1711440a5986587f7ad7e2f8c66544d0ca4c6e7fd38ec84a11b1403988f0f57c

SHA512
7047533f536fac4543598fa604c9708faef8064bde2f292657258188bdc762c28a367fcdc921ac0586e641ec2e37233ce6e5ba540b3d8f5c32533c6685c4edfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bac9028f4c7c7c801c35494535e5002

SHA1
ba9cbc2f7af57a1ff17bd550a7e2c6d42bbbecfb

SHA256
41380d36efed56bc7f5e1467cb4454e09bda12eb474eae70d3bb2845b6803c19

SHA512
ef64df099d9b032dc043719b7f3d3d74feb7784d7dd5686a040bd97db73027f9559e00bbc9823509cc2e841d1ff8228b4508f1287e6a2c45a3acea34add10255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e9e42d7c34d12c21621e5047992a489

SHA1
769eb196dab183f2dc4d44d993b819db3bdcaf2d

SHA256
4f340c9e1b04be69b1944d59684e6fce29ad03123df7ec4d9ff667a314ea3614

SHA512
822c1e7e2ab7be12209975943bfa9dbc811bc863d204ab9656d20a56d4b0ad4a13ad66763c1501cb34c224cfa30d999c046e5af6a0337a32e78e3fc73aaa32c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df5eee110fcac7d1607797925203c4b5

SHA1
e6a139673be1b627d6dd6771196c95e2e2156015

SHA256
91b4a1bf9efa2a6cf15fc961617ad507f9af1d71ab8576f072cf4bfefdbd242e

SHA512
0fbe25163ebbb706517947836ffe02cfadb187fa29efa08fbb35a5cd94915653bc335e9ff925ad2a35d0bd4797639fec3a448d5f4edfd6c0a5d34189dc557aa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2aa7d87286f6075cba7bb9545c7fffb

SHA1
f27138afe2d8a310edca99b6be45ddec6e0cbe45

SHA256
789429725e21f7181c0e5bb472228f4d633cb44274d905e40998b680337065e8

SHA512
1e79d56cb426d55bb3ce29bde2fb7bc2069cd56fbbe9c1e3f247355aa6d9dec79d803b31ea05691de1c247a49caf4c5499209638422e2f06f9bcee0e4fc860c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fceaab0df4c09fd439d8edc6670c5505

SHA1
51054c84540555fdf151458113904416bfd70623

SHA256
c66612d1a2d032d22551cf3f8ea3fe1a1b4851dcbf1356718ff20f68b3ea6a51

SHA512
4fcf76317b70d01980b675b3f3592c607de0ddd9823f42ba9e3b6d36269c397eedee4aab49fc2a5331281f1c6f9f6cd1f59d6f507dc77351b8b93afc425e521c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5da00fed63384971dd57bbd827fe303

SHA1
fddbd5ba55ce092aab190b33cad7be4fb6acfb12

SHA256
0443b9ddb1b07007c7ff2a9518b40b63af84aeca881bd007b47097c0e11c4e01

SHA512
5400c8be24b751585ef859be86ff37c0376f5e76d5346e790da8911fb5e39275d800c3175a17e3d5fea29d7f2f038f5e0bc5c8a58cef7b83851d626b439c7226

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
047d3ace036bd8a1fa72877421e38c32

SHA1
869af16b06266cc5d76ac6407a8dd3bc71bdf7d7

SHA256
dd7e67f9981034b6489145b83a9451bcdcf0839d3d6273025e31211bc2e0d232

SHA512
a2bcd148c807a560f38bcf4690849297fd5a81335c7ec7546bb16c0a26fbbd230de306a3a4bea56e8870356ab5069def332a260234cc7015381d56c8d5824557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4aa07885ec53985910f0784d367ecbf0

SHA1
fdd58616bab0e2cd02ded5b85e22ab90728890fd

SHA256
ed5f5e0df606519a978e4ecf7ecd4c9c26c75ef7212e7f374783abad7aa7c66e

SHA512
2cac11d2106e403cd27e0713234712fd05ec6800764d8c388b2b145adc550ae6056293b9a1bca10fe072fbb26998116837b540a29ad5b6c7340da885e194363a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9db23a7ff998ed72fc1f48210989149

SHA1
c53511302552191f634b00c225603100cddc1cf6

SHA256
c38fa0ecec4972a37861d720a02962d637fa2bcfa1f310a0037c1456ed2bf5e0

SHA512
d5773559c829a3016f9c0a938f24ab8269da91a53109d2cc715339cc85bed870625985ea4af86681e359feaa950ca54550426aef5dbc3c59fdbf3615bb447acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3c576aa783dea9047e352df81d6845b

SHA1
142c5143ebe133b3597358127b827944bbf20f0b

SHA256
91adc6b86df35117c20b1a4c346e0667baf5481612c8d94338b9d1321d445bcc

SHA512
6f853b28f51ccae64664df9080db65b94d9e4d2619241201ad3d8f275308c9d0bfbab4c6cb6a0de38a81e0a2fb60cc2e32a2a6ebe331437c7f076b427312c47a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9688d050eef0f443bd8230187a6b2229

SHA1
43c7b61945e83b748cdeffda51a8f5341a8d5cfc

SHA256
d39861e0b9bc10e321eb0005ddfdc5f5481d886a42b4d7e99f40d47baff4c898

SHA512
00cce6bf1ee6e9b16159e285f56ce53a903f773dcd6d23ea13869ffa0761ed6e64961a7226c63804447f82f617188c042d833dd5285c25863ac77ead5214c54f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e42a1e1c9df381b3bc920bb5368a7a18

SHA1
a7895f3b521e8e7b4665ae65998a2b3433323776

SHA256
40b12e174becd2cb9139d6780c964a8b4c113e65f37acddb73cfe6bf17747821

SHA512
0041a98582c1d437fd4bb323cd8e668310f5c886ba86e572228805d8da231ec2679f2ff14020c9c62677a8b3c6c0c6e06d5f94941402b563ec192fcf6424410e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9657cf1d546f99831233e7dced98a733

SHA1
0f741c35481de3da5ddb16075ef71c6b43127e7c

SHA256
e188d5d521094b410af3beabd97ae11397a0e8426731e7f7c7ffcffe79562747

SHA512
854f8870116812f767e04b20b8f328b01ae08fbbf38907911a33b2e639233afcda911154e257fef3ec6f59851970f5f6457f6f3de62fed1de3124aa65a79e258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3ce5f5fbff63f06e3c5d7cbef16ef5d

SHA1
a7cd97cc16e4190f81c5192de8d0e347dc186772

SHA256
92600adac1323e39f5b286cd42a0fa62be2acb3535b22926bdf1d9fc81069d87

SHA512
1a343377677c65b2c403c1fb21ce6befbef4e523067a9c51a8915c26f5070bbbc1f5e5b9369820c5a4ad02d08b41a3cc22c24300818ebb1c720f1b39948dbc90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92c8f9e21dd613cc077c5e684db37a1b

SHA1
a3e117b3731a5a3262a0146443bf958641dd5873

SHA256
feeeaa1da6296e7d87338f2d38038173a182253e2ba9540720954e8382d2eda7

SHA512
a3c042634f9d54c1355b4676fa3484712ad27a17a78b0c8565d9e89bd91a3094a0bf418375ba5d9c381a53f689148bb2db7c327172b840d8e4798e691b2fba37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f23e4779031a620d3adc85a06929937

SHA1
ea2fb0e92f9211333af1f0e69049ab8cb039eb89

SHA256
d6585e348319afe3dac60e2024b5e46a9bff5d8395cd9ca4ae78367fdbd53340

SHA512
514be7efd2464085f9e5f43d158cd232789e6a293d2acf572a57e2bc097d1e32cf7ba0881dd2871178d27f468fcc044bc9a4c0110a55b8b50078e6208b6f1462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bd50a782be21845b6ef63747928fbef

SHA1
ae6640f5b85bc221f21077de94176320271155c5

SHA256
ac40c912562d78da47c05cd4ad92104b597fbec94ca4b313c6a3feed105f52fb

SHA512
fe789b51bfe6062b834cf3a18665e2fc4a47ebff863700e6e8e6ab56950e2423d9a787c6b3d674df740c4cddb9828a0c0d0c2179773d7b9663bf15497327e567

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86051a9542ea38c2a4b895e1162d1cc4

SHA1
69610aa5fa4927dab73c3fc8892e7f608f262d5c

SHA256
50610866ef2e6f850e5bdb9cd76ccaa946419e4c6a4c3338bb7f759f101ee615

SHA512
16f51e88018265f658a46d47f49846076d49262dc056b6ca4f9fecb0e34a1d1202d3af15e99421289d9407acd89f017464279353df5ae1a6feb70fe901d3905c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8995ed2b3bec69abdbcbffb396d71cdb

SHA1
ba767e6654001ca0c6445decef3eb8f2bbd9f6c5

SHA256
df9a8111af083902e1c4341d07f352d49390036e36555b5e7bd5474df0ec03a2

SHA512
891fedc4a22abcd3f29d971a77f6f7f0ade5e8064ad86aa948f8329e5ffd95fc602540ebd174def6a9be8daafc2c6bd2e07a2ae64797915bfa52e72f07a25ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
190f6d5b14cc2b5aab293e626da2dd9c

SHA1
36b9158e4a474e1a00da00e283593bd208559340

SHA256
220898af697780786bc11d8b484200ff28f0260df98f4065fccad362b76484c3

SHA512
cd78498116f979f326f3e8d39aa39cf41db6449532573b7679feb34357e8044fe6a96fe84865925b0ffceec42f4804d96627cbaa5f3ca0d25fa1b000b4755d83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b60c4917804d92e281a0f9f6f3ec7c0b

SHA1
83a17b244296e41efa2349abc21971b3359d5755

SHA256
fcd7db4b48fba82a5f016c99783d0b867ad4772ada01b0c155a207096cadd627

SHA512
af08924fd17a7a70e547a210896b5629565fcf287c10567a3065feb83c391b8117dcef8bf6ea58d41b868f7e7ec2a093ab9e7e05c3cda88bcafb3817e822453f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afa7ffa93c7e88e9766aa52a8f6ea0b0

SHA1
3b74f0f9de00bdd31270216c61a755e83a0ca441

SHA256
78d977655fdb9e32415326f96a49d00a3bb58e6fb0940f4952a23dba7f7b8779

SHA512
7a5aa5181945a9da0290c323308caf0be0a5f3e0df2c39f0d02b6d8efac87d821d79ab9a59a8b97b00b1c2421749bdc2d0008c96d9229c0f7baf17af10a56af5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4be3b76ea12f88a1135426cfd68471cf

SHA1
87757d0a186ccd768be371fbe9b8df8424046f35

SHA256
e53f9c228cb6ae688685a204182c964872bc13f6a6fda2270c6731d87d6484bf

SHA512
9709e11cc2d007015a5eb70034f54f42e3641f0c2cb994208b061ef6aa368bb7f691cabcd11643b1d3f372afda4fc2793bc1af2811e8818ec921ae0e6e53747d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90e3bdf9b919d4a700669aa46c939deb

SHA1
963f0aa37d042226c2a6698875b2ef8839aa13aa

SHA256
9e1da4cf01c5eb7289aa0f11690976620f27f24024e6085328311e5cef64c94d

SHA512
e3a9fe621b1d2b746bab3f7cc9e4983ca94e6dd39e53d5045eb779adfbb67db865307f2b824b583883bb227a65222bf88adb83377d6642bb30afadee8aefbc42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
582e4a53db204f7f0e4b3f8fc4154e6f

SHA1
9bf2b71d3d8b843a1b76a998d342b421d29601e5

SHA256
e58d5c8fb37c6835fc3811943931be4952032c2c1ed171c856d1f99cac8d4827

SHA512
7d98d3256fa99a024702f7a551235575e7c0da9795872c7d5afcbb96548a0c01387ac663beb2186f069014054a1298811c595b01b08117f9bf4b9f280d9320e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8b47718f04e8aff834f1bb9b635b1dd

SHA1
8fa1cd2dd54987ebc657d9a25ea23b9ca6722570

SHA256
06c1b41b9953897c03240a1b71a1fce5e54c6327f2a333f2b714ad412427c5e9

SHA512
7975962287e016e85b314c8249e4eaf69cfedd0c91659602a2185c791ed6702839a9efdeaac3115ba556feaeb53a7c2f8ca2b12193bdfcf43700b8dc8af64fd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96b991222fe87f71bcaa06153e189f45

SHA1
5365dfa46946903f7dc21a7cc99faf91213e523d

SHA256
09ec27dedae4022f515b25324c3c9cbb055a88c280408f60ae4395fb1f762956

SHA512
fb71ad7fd2e763357ae0204bcf5179363f4682052fdbde01c2202fe16eeaca134cf41593adeafd05c9077b8a344331798c34617a94f4e74a25d6bd851adc1b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff564e2312666893cf09a79a14c6d68d

SHA1
e56d45347f45a04b5031937d6300df3a22ce139d

SHA256
ca461415c23172d51cc7c32ee2fddc86c7d9ce8f879eb47026858b7729d4936c

SHA512
5609662df2506b16982dd9323a774d6fa4301573b5254cfba9eb74362939512beefec53cf241d00596aaba61d21f793e4f80910646b8e15901086c50c2228645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
057821db908788d7701fa7e95993893a

SHA1
8089c8d7443f8e784ec09c7a34652b87ca44756b

SHA256
56dcd86c13933661ae09ddeb911187c1ff6b415fea25088119c0b5f75ba25295

SHA512
ae85bb45f7643332026eaf1b7067e816f5e043632084a9ed31920b67220ed8429ad961b27400ebe9359656db30fb39498ac0069eb4d1564cdc640b7700e59d62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
15b9c9641e6ed6e4b1149fd9875afa93

SHA1
9ca9798e6a65115fe39332e1680c5b8e75441750

SHA256
5a644ad53e95e52b0c8da42bcd081f2881f03f23fc3efb1ba2a16cac7727eed3

SHA512
dfbf560e004f03bf63c99de7d06d279f2a6d8e7ea09c18118efc09bfcead16a148cd44d4c91eee2e62f4fd4c1cdc90569593afac26dbda72f3220871dd023ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C8A80351-76AB-11EF-A7C8-6EB28AAB65BF}.dat

Filesize
5KB

MD5
c10bb128be1c32ebfe0f2a637a175e62

SHA1
f6728d30eb73941c6161936cdcea6a02e050f8ce

SHA256
766bf30eef1f6f00becae244e2c5cb73fe2c84d9a6250981d78fad8a443fea2b

SHA512
9b34380181687e40a6b75e5a89b726a6dc8a933771baa7b919af20cd3a6ddea97758e7b4e815b5b5771451d9d2038e6c7741c7ec8761184b69a3619a186dc17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C8A82A61-76AB-11EF-A7C8-6EB28AAB65BF}.dat

Filesize
4KB

MD5
123b8510084454474caacde8bbabb507

SHA1
eda44b12888d80aef7a1879ab52c1b654cc03186

SHA256
69c610905a3eb3c34688c12f9bff56b5631b2de3693b37522a6a8d80b3092e2c

SHA512
eeab7ba18d1fcbf2cd6324974ed7c110cf7ef67c3fc85e32eaf09269597d2d984b0243c0718833ff5998d8d786409e7c9b0d6867ca2d59a8515e59dffbeaa87f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
1KB

MD5
0974f15c918834a7a5481e601a942c84

SHA1
11f883e2a4de80a7ccf83ba0fa087b2383b91d47

SHA256
efc130fcfb6f7c636e8489f887e7acfc274b3013c6d8dc2c83a0ba7ba838851e

SHA512
2549bcba49a5f8b486ec8d849f2b2cc07bb2e1a031f756331a629c8168a57590e9213af0fe2e933167f6e12c552a367998a2399b8f8bba55bbc5a403e580caed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\favicon[2].ico

Filesize
1KB

MD5
f4efbd07afdcea3035529958c1eca83f

SHA1
01955db113300c0a1219c7ce0cd37a34717ac7ca

SHA256
6c5186f7e301e4dae0afb67610bff86074208cee7adf28463d30834d20f0bbed

SHA512
cc684e6608b05c8dd710a0aaa43c3357f07d47273b97ac83420b848a66e484deea93f3db581f9d16890479d85c3f63822a17a6fe77f6b5ccbaf187efcbcbac81

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAEB6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAFD2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\GIFviewer.ocx

Filesize
100KB

MD5
73404435b36b8cb9ea68be6d4249488e

SHA1
ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02

SHA256
2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c

SHA512
e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7

Download Submit
memory/1452-1310-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1452-17-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1452-16-0x00000000042B0000-0x00000000045C2000-memory.dmp

Filesize
3.1MB

Download
memory/1452-14-0x00000000042B0000-0x00000000045C2000-memory.dmp

Filesize
3.1MB

Download