1ab74d601c93f145d7d9326c1ea65144497207f0e8daf21d47ea762fb718e074

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Size

401KB
MD5

c060849bfc22830185a1def4b2989fd0
SHA1

074e7ab1a64b5d93c185e988b9c8bc9d60aadc6e
SHA256

1ab74d601c93f145d7d9326c1ea65144497207f0e8daf21d47ea762fb718e074
SHA512

83b16b590ba30ada7ffa850f339449789a3eea04e1bed0770d102adba76b01f56cb7dedff4fbd1be3c9e9ee1a9041020b10b0fcfafd5d4e51523a943f61c7550
SSDEEP

12288:5WAWFipjX/PL1HZO01LlAD2YIYsVRSHsDrK:5/WUB/5XLiKjD

Score

8^/10

discovery evasion lateral_movement persistence privilege_escalation trojan

Malware Config

Signatures

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\PestTrap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PestTrap.exe"	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\PestTrap = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe"	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 5 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs

Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

lateral_movement

SMB/Windows Admin Shares

T1021.002

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LanmanServer\Parameters\NullSessionPipes	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf000000000200000000001066000000010000200000005a50faa4f2127b9b628bc4f8bc3d1d05b1f452e711fdd4ffe8463646d700fd6d000000000e80000000020000200000000d26f183a08e61f159513e41d10adbf27f497862ab4aa7e159f332788d51254d90000000b37a3502269bcc97a8fb41157831f58b051ef2970fed4a8dd7c55c1c63aa27eaf8a01d5ed45955b36c2d4d1fb91ebcd9f0287a3a37bcf6b5c11fad1ea4f6b3ae86e273250b81fe2dda744e42aa628fc58aec587982765910bd372a879a475e28725c01954487ac1325d6a18207acf2ee6f9d512f5fbef556d410c604fa12851b77302dedd3235fe47bd6408fbcd3114a40000000707e229b95334e52333188215e70240d057e4a02c5bc1b8f090e51634f8c6d4158d40583c8c1b8778bca933d7b9a36fd4f6f8a1c58c2ec4fb3778420be2f3678	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E35D6571-B1E6-11EF-B45F-4E45515FDA5B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf00000000020000000000106600000001000020000000f3ace40b4fb666e7a81600c9826e11eb260039f3b09a7c3e15808b33d22a1e58000000000e80000000020000200000003ea8550b445c90138bd1e10e28639accffce93074c8679a9efa8b6dc772617c620000000e39ea9c65ab6e0189f70960fefffa959c48f7386e53ac066821faad0c8dc55b3400000000a013e7ee055c79de16d59712dabed34b11537976cff8783591608edeaf5bd941b7b74ef90d0c6976c58c9f8e7a7271e4f978e6c4c8a6db7a8f22c6b45f5453b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e03715adf345db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3622831-B1E6-11EF-B45F-4E45515FDA5B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439440936"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
2812	iexplore.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
332	iexplore.exe
2324	iexplore.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
332	iexplore.exe
332	iexplore.exe
2812	iexplore.exe
2812	iexplore.exe
2324	iexplore.exe
2324	iexplore.exe
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
1072	IEXPLORE.EXE
1072	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
3588	IEXPLORE.EXE
3588	IEXPLORE.EXE
3600	IEXPLORE.EXE
3600	IEXPLORE.EXE
3608	IEXPLORE.EXE
3608	IEXPLORE.EXE
3608	IEXPLORE.EXE
3608	IEXPLORE.EXE
3588	IEXPLORE.EXE
3588	IEXPLORE.EXE
3600	IEXPLORE.EXE
3600	IEXPLORE.EXE
3600	IEXPLORE.EXE
3600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 332	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	32
PID 1628 wrote to memory of 332	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	32
PID 1628 wrote to memory of 332	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	32
PID 1628 wrote to memory of 332	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	32
PID 1628 wrote to memory of 2812	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	33
PID 1628 wrote to memory of 2812	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	33
PID 1628 wrote to memory of 2812	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	33
PID 1628 wrote to memory of 2812	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	33
PID 1628 wrote to memory of 2324	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	34
PID 1628 wrote to memory of 2324	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	34
PID 1628 wrote to memory of 2324	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	34
PID 1628 wrote to memory of 2324	1628	c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe	34
PID 332 wrote to memory of 2768	332	iexplore.exe	35
PID 332 wrote to memory of 2768	332	iexplore.exe	35
PID 332 wrote to memory of 2768	332	iexplore.exe	35
PID 332 wrote to memory of 2768	332	iexplore.exe	35
PID 2812 wrote to memory of 1932	2812	iexplore.exe	36
PID 2812 wrote to memory of 1932	2812	iexplore.exe	36
PID 2812 wrote to memory of 1932	2812	iexplore.exe	36
PID 2812 wrote to memory of 1932	2812	iexplore.exe	36
PID 2324 wrote to memory of 1588	2324	iexplore.exe	37
PID 2324 wrote to memory of 1588	2324	iexplore.exe	37
PID 2324 wrote to memory of 1588	2324	iexplore.exe	37
PID 2324 wrote to memory of 1588	2324	iexplore.exe	37
PID 2324 wrote to memory of 1480	2324	iexplore.exe	39
PID 2324 wrote to memory of 1480	2324	iexplore.exe	39
PID 2324 wrote to memory of 1480	2324	iexplore.exe	39
PID 2324 wrote to memory of 1480	2324	iexplore.exe	39
PID 2324 wrote to memory of 2344	2324	iexplore.exe	40
PID 2324 wrote to memory of 2344	2324	iexplore.exe	40
PID 2324 wrote to memory of 2344	2324	iexplore.exe	40
PID 2324 wrote to memory of 2344	2324	iexplore.exe	40
PID 2324 wrote to memory of 2956	2324	iexplore.exe	41
PID 2324 wrote to memory of 2956	2324	iexplore.exe	41
PID 2324 wrote to memory of 2956	2324	iexplore.exe	41
PID 2324 wrote to memory of 2956	2324	iexplore.exe	41
PID 2324 wrote to memory of 1072	2324	iexplore.exe	44
PID 2324 wrote to memory of 1072	2324	iexplore.exe	44
PID 2324 wrote to memory of 1072	2324	iexplore.exe	44
PID 2324 wrote to memory of 1072	2324	iexplore.exe	44
PID 2324 wrote to memory of 2240	2324	iexplore.exe	45
PID 2324 wrote to memory of 2240	2324	iexplore.exe	45
PID 2324 wrote to memory of 2240	2324	iexplore.exe	45
PID 2324 wrote to memory of 2240	2324	iexplore.exe	45
PID 2324 wrote to memory of 2700	2324	iexplore.exe	46
PID 2324 wrote to memory of 2700	2324	iexplore.exe	46
PID 2324 wrote to memory of 2700	2324	iexplore.exe	46
PID 2324 wrote to memory of 2700	2324	iexplore.exe	46
PID 2324 wrote to memory of 3588	2324	iexplore.exe	51
PID 2324 wrote to memory of 3588	2324	iexplore.exe	51
PID 2324 wrote to memory of 3588	2324	iexplore.exe	51
PID 2324 wrote to memory of 3588	2324	iexplore.exe	51
PID 2324 wrote to memory of 3600	2324	iexplore.exe	52
PID 2324 wrote to memory of 3600	2324	iexplore.exe	52
PID 2324 wrote to memory of 3600	2324	iexplore.exe	52
PID 2324 wrote to memory of 3600	2324	iexplore.exe	52
PID 2324 wrote to memory of 3608	2324	iexplore.exe	53
PID 2324 wrote to memory of 3608	2324	iexplore.exe	53
PID 2324 wrote to memory of 3608	2324	iexplore.exe	53
PID 2324 wrote to memory of 3608	2324	iexplore.exe	53

C:\Users\Admin\AppData\Local\Temp\c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c060849bfc22830185a1def4b2989fd0_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Remote Services: SMB/Windows Admin Shares
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xpesttrap.com/license.php?s=2858717936&a=0&sa=0&ln=0&vrt=3
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:332 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2768
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xpesttrap.com/license.php?s=2858717936&a=0&sa=0&ln=0&vrt=3
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1932
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xpesttrap.com/license.php?s=2858717936&a=0&sa=0&ln=0&vrt=3
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1588
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:209935 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1480
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:406534 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2344
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:537605 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2956
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:2110487 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1072
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:2176016 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2240
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:1061905 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2700
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:3879969 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3588
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:3683358 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3600
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:1717281 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

SMB/Windows Admin Shares

T1021.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf502059031d3d2dbdd2cb7721750fe0

SHA1
29e8745d32eca24bcece527ace88e341d5412c88

SHA256
6c5832517e8db37ea939eb90144ea387c96dd8ffb0c2fcf57c4a8dc82c52f968

SHA512
2f0ccd7494ec43ac2c131623099048b9463875307ea55d5d87885902f43b3af65878e08d4ec385e1f6d41e7ff90f44a18bdd836d83fb64072b0482456181f4bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d7c7bbd146242047b93acecbcd1aba7

SHA1
2ebfef51df02ebc88eb258fd8477104498972bbe

SHA256
1e8a1c6805eafa8c2e49ceb3cda0763720b9cf4a795d5dd5e85e7c172c3b6a46

SHA512
b43057fbc7db953070070be8adbe3254cf17cf496cc8006169e842de3c547f23b8b5d1d5981ae1cb5d4476a8f9f5068d6d7d248badaa1b55ed470badea7a0963

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7a033b6ed3ea70e9fd7ba0dcf266037

SHA1
16ef4c96037f1cdf24b599219d4c555e0bf10938

SHA256
7834dd20030586c00db96ccd8e43391aa445a1ef0bacea3d244e8f16eb2f8991

SHA512
6333e36580ae3dc625b55520755dd563ec422a17b3802dbf92d97e41df4c3a9f6b1142e8475bd379c4e29126c0fd6c1662a5ca13da374aff1f0813f8a4b5f4f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca576585a469856e923189f55c15d724

SHA1
d7c4009e79b46cbe78697e9e0640b92184cf7acc

SHA256
760534425fd4559f03f9437a89ea70c024875ae91b0d795490bc84c97afbea1b

SHA512
cd51a660efde0f27db21bf80d0051dada260d82d1d1ad456b6b979bcd041e7ac4301bd8f1c79165590840599edf16119f86b371c347622156c905a3e8ef0ed6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cee1ad32054c8ba535fec4fc431a100f

SHA1
596bf212bc55b705a977742a681c3256180e4e71

SHA256
92c8bcbe7dd7d505b8100a7e601835639a87e4753a4f24bc206c11fd34a10f88

SHA512
79ea7dd696ab238ea9402cc603378ab2269dc049bfb715cd4877c0c48cbf7d85ed5296a9fbe14b2d7647cfd5676445f8973c44a262ca4515f4df61980c92b9d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02bdb2924584822c2c434406b1d06aac

SHA1
8efdc4c08542a814eb0ef7291ccad7513dc006e6

SHA256
e42a4e8c61981f69f8851f0d928ffe983a947a62abf7fd1e8d9ab32de9063ee0

SHA512
bcf6034603ffba685de663b0331569872165e100787c9b4a428dc109317f52a436c3e6db892dfdc825ea1b93328bc2ca74ea941ea7e5b299f7d82681df002335

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e02e4b29c3db474553f4b49874a56ed

SHA1
320c493f76870d7b1ead6421a00ff65668e220c4

SHA256
9b24888659224abac8f60ffd791243abbe0b9402ed87de0f938fe55c4e71b0fb

SHA512
cd709149fa5f6c5593aefa0c401c310f3b27daead1137c69af54b850462d224918e4ee9fa7f2ea653680f74be2891ba7616dd73776e571647cecb842f8714627

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60dffaef9e46811b300b912457f14ab7

SHA1
326e2fc7fbd35e72b5fe02867fc9c35d8ce900ac

SHA256
4db67877d8d42dba59114aa78ca7c165da12fc4f90ba40ca410cb58de27c1d07

SHA512
8b648bf803265658daa55fe7f62501b51810a085eb59a35a4bd7f6837eff21cd84b34865f855faefde9a61ebeeb6d466b2f79a90e67cd884be76d817625c532e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24093af0e4f13cdf2c03fc86b553c027

SHA1
d17ea92abe4e3477dcb6e3025e0a01ac85f33cb0

SHA256
b45279e11dbe9bc2512c3bb32942ed942cc5b61a42723df5081ff046ee0068a0

SHA512
59f4b6844a5040f3718aef75559dddd19839e8a97d7d7b765c09e6f2f1377ad647c1270d63dd51ed3d7c762cc39f975bfcaf156efd9cda5bf480ae960dc6ffa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1e51d5e8bf19ab37ce09d559dd6390c

SHA1
04f0d2c88e7abc7078e0b3e38d17fd95afa5c3f2

SHA256
a823c59dcbd03d2b613cd669ae01be2e2857e1506fa2f09ae2543d18a03b0049

SHA512
357ef78c5a872f6a995a2a10efc7989200c6928409b122d362e64f7c7b3a66a28273b2802e15da13c94e394c045aac83576d646900ccfb898248142899b8f4f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8df45fde78fcd1d64b10e5dcb6fab4d2

SHA1
946dce2f9ba45fcf4e9e6e829f82885cdab5a3a4

SHA256
68a754b8af8b7aa2eee3f19f8ff17db2d454c90130d32e572f8bf05d25206204

SHA512
4d9c773e9b7e6aefb20f00dfaf50d56e14ff8aeeb41da0d62cac98e0031d2d45e1503f6abbe1da3285b0cd29dbcb6794edcb9b7bad9297413568fdfd304a9ad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2227918c2d6f7ffa2564a12b481fc179

SHA1
8f6c212d82bccc50de265cd542cbd439bf612782

SHA256
f12dc6773a552efb065a379ca1ab32050ad0b300d81d0764e1aa177a274d2512

SHA512
9b3704f3802e68eb2e6152cb8a0c2ca12aff7b8f0c4d5612d30a60910c23e7b9833440c70765b0cd8fbd445ac5edf68971fbf609681199ed22a991cfb0f0e8f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8525f2b717af2abc5a77ec3b406b925b

SHA1
a6bdc9472269813b2de38c7211ffbee7289be34a

SHA256
da6c56402bb498dbf3dd70900256210f063b3fc036a0d4ada4225c1ab0a6e795

SHA512
f173629d9623a8d213fa16a83fbf3f9ba6040763f3fe37381c973e15e842b96188b839c90182ce10e8bbd4478be897cd791452382575509c0617d862f13268ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec942a4332381d5ce111860688af325d

SHA1
ddde929493d7f761e150356074ec772ab320ed44

SHA256
f76656165f841236e6788affead95a358b131ff498efe1d3a0d66a079075b7ea

SHA512
a66b114c8808dbfe3a867d3894ee83c331d57f9b5f94d01234e30370eea014443daf4955ac6fdd2b41d2f746a31649891bf21c2b1789432cf982eda972920727

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02d8e0424c0c24d2c6c3f03e3c37e064

SHA1
6825b1466e25a815c696d978c2657f7a242afbb2

SHA256
d5dd20396f47ebf03dd88307938054484eb150ec2c57af4cc229c5a4636d4ae4

SHA512
d9227b1e7b042c37dceebb625695e1844c8dffdf4ceffba2b94cf5ef8d71eb735590f8db55b602da1f7c80bc41a56fc9f76eaa3fe0d3d90f1e437e3d25a62082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b17fd7ffd13d2a2e775306d592498aa

SHA1
bb04939c7c4cae9a4218b9a8f7749033b9d8b008

SHA256
01df0fc1d2822bb3284d3120d7b8d87beac0c2c33fb71f0295c103eec6575796

SHA512
48e4cad42af72562b7517cde99400dd845e852e60d9f530c5a674275acd750fd3b2515faece3877348a5b6394d4818e1cead49d53964e14b3feee9fa92a70c8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
083b7ac9bce83da29f20343d5d9cba55

SHA1
1eaf0287b8114f917cd14bb2063fec557b231893

SHA256
4c6a1d784840fef353eb4f43867abe9b231c19527fbe8f788850c69af7255a2d

SHA512
99dafbc25727b1f99254da617aae3431727cf966b381aba7acb33bec1c68363069d59b59046883f96155a34fe9df8dbc7f4877c868269fa65b1b302340cc065c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42c086a2a677134c0bb7ec4d88fbd48b

SHA1
3e62205bb9b1b3ae76f1977278daacf8014892ef

SHA256
e98e33274f6a7cd8207ea8827edecc60d10fc7347e51dbe2aa049594f6e19d51

SHA512
e850988a4b537b0368890a9890dceeb2adf9663d29e97601de30a3128e32c85a2e5361d58ff5144a24db4eaeb8e31b312bcd50e3918669cb857fdc686c71f195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b8622df51a23eb364fae84ee0d4e06d

SHA1
8986705489ed65fac42ae7867d5f4e66b3ab2c24

SHA256
35f72869990333ad70efeaf56b4e9e54b482afd8e114a48f351fca9d9fc82ea6

SHA512
51a78ecd0ac93c38402f6d1d1ea2e9e73980141f7ef1a59e9000e6a50472e6f45346207a9aa5d2eaefb92c003e554ecc4b01805b7e0755154f53324ddb39d1b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E35FC6D1-B1E6-11EF-B45F-4E45515FDA5B}.dat

Filesize
5KB

MD5
bf01ec7dfd15a2fa85ab3932a5714b77

SHA1
1d6070621127f535e1fd433ae7827fa8f9a60e0a

SHA256
6b3041bd2bcaa812962f23f39a254d4d16ab4ee950aecbda07743029df6cdbbf

SHA512
d2112419cbfd4566acaf1eab77404950fa53817d0229a0377d62580b0edc262421183908aee51c84b4f9f120c2425fcd5b5aa851899b6da4c0de53915a7eeb7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3622831-B1E6-11EF-B45F-4E45515FDA5B}.dat

Filesize
4KB

MD5
14e86848e250f575ed6e42f7c996a25f

SHA1
dd7b0f59ab70334dfaf2a8cc890a21c033cd7730

SHA256
32f8682ca26cd0e757d14e7b190b11241ca784c87ac05409a09316399fc334fe

SHA512
c3bac637f1d9eb53613fc84e025c0e72612df7f00a758264dfdc44f895edef3f646104e5d4e32ac16b2bf41b14e0765c7e87bc9a7bccc01418b18acc7a901fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E3622831-B1E6-11EF-B45F-4E45515FDA5B}.dat

Filesize
3KB

MD5
28b7cf3f314d33d0ce266ca09f1574ac

SHA1
fb2e06f9b3e240b1d1b5a963161b3a571392db0b

SHA256
1e44089569520a3df0a3472e8ce168a3176cde9f5049b3657dcaa766b414e51b

SHA512
b0c2088d20d0816f6f89dd015b185ac251a8d9f658ecebfcceb0ad62a8d380d836f9dfe01dde312748e367cca37aba5ed5da99dffd01dcc723d6da2d0e939c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2761.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2820.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PestTrap\PestTrap.lnk

Filesize
1KB

MD5
4f3b1d0acff03bf77f32f8e81cac41e5

SHA1
9970df9016ebb75f33ed37a8949dd58f0e2d1f09

SHA256
47e87fc47c36d40537187288ac5146e988ba16828f29a96ee3cebf9a29208892

SHA512
6829d9817e181fb0d34066252d582498b2395c601a284a7f7a5d55f0dca2b16bc878b96545634cfba93aab3937d8f85fef71eb6c5928d612e8828e65572aeea5

Download Submit
memory/1628-14-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1628-530-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-28-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-27-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1628-26-0x00000000002C0000-0x00000000002EC000-memory.dmp

Filesize
176KB

Download
memory/1628-10-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1628-11-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1628-13-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/1628-12-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1628-0-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-15-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/1628-16-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/1628-17-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1628-18-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1628-19-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-486-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-500-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-513-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-528-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-45-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-20-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1628-5-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1628-8-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1628-9-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1628-6-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1628-7-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1628-4-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1628-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1628-2-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1628-1-0x00000000002C0000-0x00000000002EC000-memory.dmp

Filesize
176KB

Download
memory/1628-975-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-989-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-998-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-1001-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-1004-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-1005-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1628-1008-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download