1a7f568d562c3f85c4f79b34a41eef8c4aab28c9d7677ef7b6ead11328f2b58a

Analysis

max time kernel
151s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
Size

20.4MB
MD5

04fe616619eb2b1a612fd1dd130f89bd
SHA1

99938d2adfcea7ce4a5d52061409a2462cebe835
SHA256

1a7f568d562c3f85c4f79b34a41eef8c4aab28c9d7677ef7b6ead11328f2b58a
SHA512

b39aec9d50fe175e43f1d9562c2fdfea734be0f921b4b5f29a2502a937142ea1c04fb89a3fc145f937e20a81cd16aaede6774259c1938defaa52869d9ff748d0
SSDEEP

49152:XYgph7GBfWgBYcMbHP/4MnYYJ2ZhqSGLHkJEMwDkYOMwwnMb4PmyVOz/4MnYYJ2G:XX77GBfWgB5rIDQdYOXwnS4rVOsIDQ2

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Defender\MSASCui.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\wab.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ExtExport.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\sidebar.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpenc.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Defender\MSASCui.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\WinMail.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\java-rmi.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zFM.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\ehome\ehshell.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\explorer.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\hh.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\ehome\MediaCenterWebLauncher.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\9a69a26417a09c2d9d7f67bf7592bd74\ComSvcConfig.ni.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\5ada68cfa2258a2d4e3c3779106faf9b\Microsoft.Workflow.Compiler.ni.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\f4a88265ac4ad47978daef8c5482fd30\MSBuild.ni.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Boot\PCAT\memtest.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\ehome\CreateDisc\SBEServer.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\bfsvc.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\bb4a1994db088e84b9d383271b082250\dfsvc.ni.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\hh.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\ehome\ehrecvr.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\oisicon.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe_	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe-	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420462310"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30c0b7a85799da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D0256871-054A-11EF-8698-5E73522EB9B5} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000e1f1a85427ed3432dc7a128c70ebc1398b466930032549f1af9eb65f7416021c000000000e80000000020000200000001d683bdb99dcfa9e4d8120a65f259b06d910018686ee91a03c353a1c297bdd7090000000c1d2336739f6cefda8056d095e3eff3cee6c8c604bca85f6058318628e7c505c3d785443dcfd0c97b835ff5d9725fc07f3e6a35f4abbec9ef3059d39345f28fca6349a07128e905631def535058a7d4ce47af2fb6fcb39029a0e79a337b64dbed5e4f50ca8eed06d62b903730f303734c3f70c3818ae769309b1b3180fbe2fdf5b9644fedd8b8856bc1d30c880165f2f40000000513b940d9e11bdbc72dbfdd29f854effc780ca7d223dfed0b58163ee670f70dca3cf4ff7c61157cc76bb895b48746f8991c2490cd94e4c329b44f13e9ffd158e	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000003f6bf85881bad3c6961ca4094cd70ed8279a1f34153a0e7e59de2015bfaee025000000000e80000000020000200000009350cd5b8d3c9e2d167a823c08fd8fee56a2f49385d1d682567ab846c3cefe1020000000330f9406a3ee25554b89e780e001cc55edc73686dfc1d9a8c6d5d9d3af924e15400000005707e1a2be331535c9ef42ed6ef38d39df14cfc233e0f7172b68173fb9644e33ab82cbfb4df401d225ba8b1981bd8c72eda258a06dd8aaca4c56e33f0fbfd25c	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

1056 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

1056 IEXPLORE.exe
1056 IEXPLORE.exe
2204 IEXPLORE.EXE
2204 IEXPLORE.EXE
2204 IEXPLORE.EXE
2204 IEXPLORE.EXE

pid	process
1056	IEXPLORE.exe

pid	process
1056	IEXPLORE.exe
1056	IEXPLORE.exe
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 2808 wrote to memory of 1056	2808	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe	IEXPLORE.exe
PID 2808 wrote to memory of 1056	2808	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe	IEXPLORE.exe
PID 2808 wrote to memory of 1056	2808	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe	IEXPLORE.exe
PID 2808 wrote to memory of 1056	2808	04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe	IEXPLORE.exe
PID 1056 wrote to memory of 2204	1056	IEXPLORE.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 2204	1056	IEXPLORE.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 2204	1056	IEXPLORE.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 2204	1056	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04fe616619eb2b1a612fd1dd130f89bd_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2808

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
20.5MB

MD5
eda0c7e0b8ca9a402ac8fd935c886d95

SHA1
c67a309a5a73e585b695ad52573181196302d2ec

SHA256
b18f12cb36543c25e91730608a952cb7243075bed885ad121f2e275ee6774ff3

SHA512
4170abfe2c901d3106ea5e098630f315f6176472c276d7f6ecaa50023b4e91dcdb2bbf51559b94d5b13b7ed0de4d38c419dba725861c99a143918c6abde3f22b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6fa2c02c65cb8808415411091ffedc68

SHA1
35cfc00beb74f0e06aa4a6a77d121d284f7d0e26

SHA256
03addd8b4253963742c4c6896ee8b7b78e1f6d17049eaae27eabd9e2be1b8dae

SHA512
b010697cfb0f86c4428e05e7a696ffa8d1c9bb8219460ec0367a2c0ca11a58c22d2a9f9da40e2362a9f53bc8a39a5a9171a51890a9b12c4c75d43b1c584d6b72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53b65598e99f682fe23ec3de8a90c500

SHA1
9a32b46c8e32a9ca28295e388a78498bd16926ab

SHA256
8d9e4342074433a8aeeb2ba876b8cbefebc7d425f7ea18c5e6e9c5a9655f6da8

SHA512
1ff260fd3ede3cbfe8f8b47f036c232426e6c2b33f480c71a52407a26bbb6a40f1df9a9eaf0a9ef28b158c66e659ceeb461e68c0b6baba0e3f249de1173221b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52e6219a0271dd286001e41b8803c6a8

SHA1
20f5a8653159ea1c40cfa9fbfc1875245de19ca6

SHA256
fe27795e7a94f070b914235da4b3fe55dafb8d9aadb89aec87f139aaf919eeec

SHA512
c646d33e88abf392543840cfbfce2b1f20283d5ffff4da49098ce830a236de56d377d768b66a4067f308783d5cc0cba1866e85c6c4085ad7d8d0328b7e8961b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d64c0eef693e536043ab51e0a2748c42

SHA1
ac2173870430910349f5f6702aeb5dbcf67c1e53

SHA256
d19b1d7c004a4ab6ffe4944eb21f7c47f09fb55724910b443eb3c2c7e93b85f6

SHA512
adaa0888b36b9a849d935d137d1adefccc4cfe2f603d8e82f65b8c3d4e49bec6d65e557d0acb394b8a2f011f4899b70228c94b10aa72ae9b1092b826f59d5247

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66b9e813b8573a038f4a336aca984dfc

SHA1
1a49e2784529930e7c497b0fa0d5fe0b063a5b9f

SHA256
af05932fdbbd33a24ec47bb307cae00ff2ebf1b78f4f8304d0da182d93cf6a12

SHA512
ab4b90d2cb0ded61299ffa3a92f404916b12f1172877602e025d2cf847b1e515a5524e12a60994c6b479d0ae1eaa2700389cc5d3d1372a512aa1cceb6c7f743e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bef16bc37c4cec55969346be6ce31d71

SHA1
bbc21fc6d100532b795245ad8ee7302f84a4fc8c

SHA256
af3c99bc30f65979153fa51cf86be764f10a9366e15a3d7adee28527ca03795c

SHA512
d9363aef833ca996237c324226aa08aa1ed24ecd82de9399dca4da4c274d8ad6d12f1fe641ddd69447005a5a03ffc543619562e8d0efbca44075b6e76188ee1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d38dbb3fddffae4ea756d2faa9b30e36

SHA1
2712e3358773b8e165acfcbcf8ba2fe496d02837

SHA256
ced3fd0961b1d9c66e82181cb1d0c58057dab628f77da70164eeb615bc890b73

SHA512
4ff017253f8a54e47070fd138bbaaf82b8be722aa8b7b893d42bbac67ad8ed797149377f950db5ef72d828a667312847c999fef681466fe0f326fd9f614bd5fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3df6148741788136f8837ca1d9a4df11

SHA1
4f26b9ba53ff7bb63354c4d48e5e856c29758ee8

SHA256
19bb262a05414c2caa6b0a17121f56364a156ea8756c93270c3f438a3f8e34e0

SHA512
a3fd7fac945f8c6c2510cd7053c82fab579bb04c9bbd659c1f5b1b13d792428ee35fe1ef4cb81aa6f1e540cc5ff204f594c753b221ceb18a731c74bdae726292

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22597b430331dda78971f0f26987d297

SHA1
c70116c44ddb11fa2f46f21c6eefb99599c9543b

SHA256
d19e4334227e0b0e3b6f1a3ac19d19e72d3a158079b8dd2be800149e82639943

SHA512
823de2b4b15842928f1c109d22c793e0085ca1bd8046f4ac9b95bfe0879279a0d501bafd1b27b4b6dd1f059688572ac81efdc0f3dd4d10f04e1e74aac9e45674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d861eab4dc531427538401df87d00f3b

SHA1
83259c9203f5ea0a4fb21bd47352a2d14e488793

SHA256
5e367c635932ab468751974cebe8babf07d3f2434ab0313f0213bebebed05d4d

SHA512
f219e7037b17ec282f32e74e8b26477267f27aaf04e2078b1671f299b5dbeb3d41620dcaa889b1387b0008ec69ae4c92a7b0ab2e0ab16713568a2691d1e22d59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2793bee1c031c9e9ab5de011a76952ca

SHA1
0c0afe42d7aa5f11fdf4226d4a1de6ae7a7ea5ae

SHA256
f9ee74d3de511013f6c65b263fb4f0ba4ae028d734d00ab3dbf6f11cc3b27525

SHA512
318dde77effd35c27ae96564360c14e06c9fd28ecc9f08be7ce4a6ad5016295b6e7f33cd883098de09fcc32873abc95e14dd5b5ffc1325066bb6eeb4a0a0605a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ed60771c0929daf6be48cd839f9099fc

SHA1
59aafac9bcaf0020da2ca3c65ee04c85071fed0f

SHA256
471c355f96dfd1a02e8d00472f13237a12c4353fb7a8af9b8ba3c0b89d88d5c9

SHA512
f8c2c236affcee288c18a4d1877501d114b66aa4eef20e14b4b48ffa93118a6fa87eb5bb6b7cad391d41b289403e030c1aefd83d032cd61f96e32eee5f981dfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2331a6335ccd54521b95ac2bd3812426

SHA1
204dc852c29706d993d880eccc9f8fdf22d68b8e

SHA256
df186c593b6fac5ed399b159ce328f89d5ceea9f79726da3becc79b212345bb6

SHA512
7eb99b8452d51feeb42f638d28213e6ceb425557ce7b2e4f69b7036ce4137ef458253858a81cf346cd67fa449586f70fa9759f8355f3a03dc2c8a9c16f8a3dff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ad72352e4bc8677f1ab57df4b6356a4

SHA1
2dbee5f6ad927e331996b91083a9e9af81391faf

SHA256
cd79670276ff9cb9116f261de23f7282f7055f180bf84500d0511d1543e83f17

SHA512
212a3b8d641b508a584168b22119a4914cad5b99e293a4e3af9e47e5e55b4241e90a628a5cc014534cea6f4395ab720c97dc2126d9c7130ad60918dc60d59d68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4845e67ee30c450d9b1fb1f54afb70b

SHA1
424a4db41937c9a805d230eb6ed3505dad956fb5

SHA256
c9fafad82f9c0f70d007b22e1029327d6fa6c870cfc33e7d8e7bf3cd0f638261

SHA512
c01c1912721b454f63535847f112a18de8ca57a93a75c75cb567caf4d574be502dfa8c582f7c4ebfa9e218510d813b6c15fcede9ef277fb50ba08bbbb69ba59a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b836922e680faab6b843bc775623093

SHA1
12fdc2feaf3ef4e03f9db839c377ea27fa6a85ad

SHA256
e5618ecb0288dd69585845ff59afe76aef4e2c9b2147cc2f18b755f5d4a1d5d4

SHA512
58e6c6c4175955dc084d308b208cabb3cc31f7231343fc812fb686df51970e55c18b32c499c8ea543da43733dba2bf4ef0d83ac83ee366222d6985b6f8b91f67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81c6381173138fc8bff5e895ee02fbcf

SHA1
18bac320e07cea70c763e9c391cde177637fec4e

SHA256
8e744e24d80d6a58a8a9e10302d8e635708330795b11b41ff9ca58e715a53bed

SHA512
6e3994347f9378fef9e772c5dcc32a808a0b374a0c2ebe9d64d228dd821dab11d3fd0bc04c4460596d4f89b089e912ee43ae2e8ccdae390ddb49270b7b1cfeeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73eb2a7b91ed568da59981d1c8c70cc2

SHA1
5a9763e4455a72bd554be49193c69e3c86ee8174

SHA256
979d7da23a59db37b12b1ccecaafcd4a66cf559c84ecaa072376eeabbbb39cf8

SHA512
ff13ba31921b60d6b84c3784ebfb3629d4ce4c55a0bc98e8fb50a1f3cbd74bd621b418313fc2dcf2e8282d5b2c2cacf97ac823f2a51ccd8f9bc2669a0da20323

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e76b316ec74849bc32a86cb523c9442

SHA1
09859188815688dba0fd1434c7aa1db7d6ff3081

SHA256
48a18485deb5420ec69917f28afdc905547642138840bebca0eb054ee41b0d92

SHA512
5f3eab8f69dd58367c9bfe20de449c29057072269c838e320b8e255ad01cf4184b0002cbb2c45820137c3f3cdfb68c35d08af3df0cf6f4d02ee821eca69eb4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA815.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAA39.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAACA.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit