Analysis
-
max time kernel
120s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
05/10/2024, 06:17
Static task
static1
Behavioral task
behavioral1
Sample
167dd2e0f3e7ea8398eeb6e13e999d5f_JaffaCakes118.html
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
167dd2e0f3e7ea8398eeb6e13e999d5f_JaffaCakes118.html
Resource
win10v2004-20240802-en
General
-
Target
167dd2e0f3e7ea8398eeb6e13e999d5f_JaffaCakes118.html
-
Size
2.3MB
-
MD5
167dd2e0f3e7ea8398eeb6e13e999d5f
-
SHA1
8d6e297ec712ea313c7a22ad4fc408bafb02e410
-
SHA256
bf454cf93f3c1017607e32bd4608b4c3732e300392133396c91b14e79a54bc6c
-
SHA512
6669c3c371518a76e47dfa898c479e9fadce98c46e9406e6d81d1f806c8680c647b0a30d6f902ad21d2c20d019d94532c214dc120d5b4c9f51b140c2d38b31cd
-
SSDEEP
24576:l+Wt9BJ+Wt9Bq+Wt9Bw+Wt9Bj+Wt9Bt+Wt9B1+Wt9B5+Wt9Bi+Wt9BX+Wt9Bz+W2:j
Malware Config
Signatures
-
Executes dropped EXE 25 IoCs
-
Loads dropped DLL 17 IoCs
-
resource yara_rule
behavioral1/files/0x0008000000016689-2.dat upx
behavioral1/memory/2756-7-0x0000000000400000-0x0000000000435000-memory.dmp upx
behavioral1/memory/2860-15-0x0000000000400000-0x0000000000435000-memory.dmp upx
behavioral1/memory/2860-20-0x0000000000400000-0x0000000000435000-memory.dmp upx
behavioral1/memory/2860-18-0x0000000000400000-0x0000000000435000-memory.dmp upx
behavioral1/memory/2860-16-0x0000000000400000-0x0000000000435000-memory.dmp upx
behavioral1/memory/2860-22-0x0000000000400000-0x0000000000435000-memory.dmp upx
behavioral1/memory/1272-172-0x0000000000400000-0x0000000000435000-memory.dmp upx
behavioral1/memory/2752-249-0x0000000000400000-0x0000000000435000-memory.dmp upx
behavioral1/memory/2688-717-0x0000000000400000-0x0000000000435000-memory.dmp upx
-
Drops file in Program Files directory 29 IoCs
-
Drops file in Windows directory 6 IoCs
description ioc Process
File opened for modification C:\Windows\Downloaded Program Files\SETB684.tmp IEXPLORE.EXE
File created C:\Windows\Downloaded Program Files\SETB684.tmp IEXPLORE.EXE
File opened for modification C:\Windows\INF\setupapi.app.log IEXPLORE.EXE
File opened for modification C:\Windows\Downloaded Program Files\SETAF62.tmp IEXPLORE.EXE
File created C:\Windows\Downloaded Program Files\SETAF62.tmp IEXPLORE.EXE
File opened for modification C:\Windows\Downloaded Program Files\swflash64.inf IEXPLORE.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 35 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process
Token: SeRestorePrivilege 2348 IEXPLORE.EXE
Token: SeRestorePrivilege 2348 IEXPLORE.EXE
Token: SeRestorePrivilege 2348 IEXPLORE.EXE
Token: SeRestorePrivilege 2348 IEXPLORE.EXE
Token: SeRestorePrivilege 2348 IEXPLORE.EXE
Token: SeRestorePrivilege 2348 IEXPLORE.EXE
Token: SeRestorePrivilege 2348 IEXPLORE.EXE
-
Suspicious use of FindShellTrayWindow 17 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\167dd2e0f3e7ea8398eeb6e13e999d5f_JaffaCakes118.html 1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:275457 /prefetch:2 2⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 5⤵ PID:2740
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex 4⤵ PID:2056
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 5⤵ PID:1784
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 4⤵ PID:1312
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1944 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 5⤵ PID:1604
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2592 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 5⤵ PID:1488
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2020 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 4⤵ PID:2820
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2804 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 4⤵ PID:3068
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1976 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 5⤵ PID:2936
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:852 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1384 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 5⤵ PID:920
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1296 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" 4⤵ PID:2644
-
-
-
C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe 3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2036 -
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex 4⤵ PID:2428
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe" 3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe "C:\Program Files (x86)\Microsoft\DesktopLayer.exe" 4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:660 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵PID:1952
-
-
-
-
"C:\Users\Admin\AppData\Local\Temp\svchost.exe" (depth 3, PID 2184)
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
"C:\Program Files\Internet Explorer\iexplore.exe" (depth 4, PID 908)

"C:\Users\Admin\AppData\Local\Temp\svchost.exe" (depth 3, PID 1276)
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe" (depth 4, PID 2688)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
"C:\Program Files\Internet Explorer\iexplore.exe" (depth 5, PID 1780)

"C:\Users\Admin\AppData\Local\Temp\svchost.exe" (depth 3, PID 2788)
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe" (depth 4, PID 2148)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
"C:\Program Files\Internet Explorer\iexplore.exe" (depth 5, PID 1812)

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:406533 /prefetch:2 (depth 2, PID 2768)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:209936 /prefetch:2 (depth 2, PID 2412)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:209941 /prefetch:2 (depth 2, PID 2116)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:734219 /prefetch:2 (depth 2, PID 2864)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:2634762 /prefetch:2 (depth 2, PID 1944)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:996368 /prefetch:2 (depth 2, PID 2548)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:2765837 /prefetch:2 (depth 2, PID 2352)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:14431235 /prefetch:2 (depth 2, PID 1496)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:3027982 /prefetch:2 (depth 2, PID 768)
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize 252B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\swflash[1].cab
Filesize 225KB