blackmoon | 236598b83174bb79ca55cfa149e195fcccf0f0afd8761211a53e982812ea0cfd

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 11:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
Size

356KB
MD5

34954423ec92b2354dc7458bb1a43dfb
SHA1

fa2040e8fccdcd48291a0bbeeeed458e0925736d
SHA256

236598b83174bb79ca55cfa149e195fcccf0f0afd8761211a53e982812ea0cfd
SHA512

3fca59b46a3b13910e3a91156485cc763fbfa30f68edffd3a84666dfb7ca064645bc468bfdbdca3ecb323caf801c5759b942f724dd6c0626918bec83f35ce4eb
SSDEEP

6144:OEREeAZLa8jJpZfRtPWwcZAO5Fffgh/hYFXIlQ:OEREe6La8jJpZfHWweff8/0IW

Score

10^/10

blackmoon banker persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/1828-12-0x0000000000400000-0x0000000000428000-memory.dmp	family_blackmoon
behavioral1/memory/1828-46-0x0000000000400000-0x0000000000428000-memory.dmp	family_blackmoon
behavioral1/memory/1828-70-0x0000000000400000-0x0000000000428000-memory.dmp	family_blackmoon

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\progra~1\\bphrb\\efgyhrm.exe"	svchost.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bg_go4321_com.ico	svchost.exe
File created	C:\Windows\SysWOW64\uusic.ico	svchost.exe
File created	C:\Windows\SysWOW64\www_meinvly_com.ico	svchost.exe
File created	C:\Windows\SysWOW64\qm_go4321_com.ico	svchost.exe
File created	C:\Windows\SysWOW64\music.ico	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taobao.haodizhi.cc.ico	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2676 set thread context of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 set thread context of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TheWorld 2.0\TheWorld.ini	svchost.exe
File opened for modification	C:\Program Files (x86)\TheWorld 3\TheWorld.ini	svchost.exe
File opened for modification	C:\Program Files (x86)\GreenBrowser\User\GreenBrowser.ini	svchost.exe
File opened for modification	C:\progra~1\bphrb\	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2760	2028	WerFault.exe	31

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426773882"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5015d2f0bed2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A370951-3EB2-11EF-BF59-526249468C57} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A34A7F1-3EB2-11EF-BF59-526249468C57} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000005391585569ecccbf63f3f8ae4a9be452f033551a2ca181c5dbce7df28bc3f681000000000e8000000002000020000000d7780c94b99977d51246967afe591259d06a206895609f56b2f5598dd5ddd8cf20000000ce1097c39f9344d5ac2cbe52a5d580ce5ac2f458b4cb723a58f7bd1e20fc225d400000009eb9bfb65c2a941fa0a299a61557aaa7dc6f66d193e5cb84368a8ed790e818b03fe7c33a1f0140f4364d2c0812bab1c592cbcf1fa8077074ec441887d9be4c87	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000e7f524e19afe37349a7bfefd762616f8706dac865c9d53634a6642e4fd869dc4000000000e80000000020000200000008311ca9fc8f95aacc8a6766cb8478a5a0f91168c474188327f2c8464503884b09000000051af3ddbd07f0c942398c836b11b17e3f9e29e8ed84cd72d96cc67c4e612ec517308b15726021c1b3e712903d3acc9dd8507d7b0584d392723577c1d1e557c902a9e08cd668ebc20f193dc491bdba51693c6b6b3b3c1c6a6269246d76e3e2ba84a2f149c587c8327d0367d97d29af5e0d044421e330b5c8c890945bb6ff2781fdc7f52e3647809227ec043eb95e5d2e84000000079e67bc4cfe7294bcea92e61010c4bac3795dad38b7685dd4151597b2baa35687f7ddedd95d08a4c3a5316c19fd5deac2a418737f2d2190bdb554a68666fa519	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\InfoTip = "Internet Explorer"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\ShellFolder\Attributes = "0"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\Open\ = "´ò¿ª(&O)"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\InProcServer32	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParseDisplayName	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ÌÔ±¦Íø(&T)\Command\ = "explorer.exe http://taobao.78ys.com"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\shell\Open\ = "´ò¿ª(&O)"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\InProcServer32	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\LocalizedString = "Internet Explorer"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\ÌÔ±¦Íø(&T)\Command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\ÊôÐÔ(&R)\Command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\taobao.haodizhi.cc.ico"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\shell\Open\Command	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\shell\ÊôÐÔ(&R)	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\Open	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{daf95313-e44d-46af-be1b-cbacea2c3065}\ShellFolder	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e345f35f-9397-435c-8f95-4e922c26259e}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shdoclc.dll,-190"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)\Command\ = "explorer.exe http://u.v22.cc/"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\shell\Open\ = "´ò¿ª(&O)"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell\viewhomegrouppassword	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell\viewhomegrouppassword\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{daf95313-e44d-46af-be1b-cbacea2c3065}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shdoclc.dll,-190"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ÌÔ±¦Íø(&T)\Command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ÊôÐÔ(&R)	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "ÌÔ±¦Íø"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\shell\ÊôÐÔ(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\ÊôÐÔ(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\shell\Open	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\ShellFolder\Attributes = "0"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\taobao.haodizhi.cc.ico"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\shell\ÊôÐÔ(&R)	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\ÊôÐÔ(&R)	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\ShellFolder\HideFolderVerbs	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{daf95313-e44d-46af-be1b-cbacea2c3065}\DefaultIcon	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\DefaultIcon	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\ShellFolder	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\taobao.haodizhi.cc.ico"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\DefaultIcon	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\InProcServer32	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\InfoTip = "Internet Explorer"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\WantsParseDisplayName	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)\Command	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell\sharewithdevices	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\InfoTip = "Internet Explorer"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell\changehomegroupsettings\command	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ÌÔ±¦Íø(&T)	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\Open	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\shell\ = "Open"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)\Command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\Open\MUIVerb = "@shdoclc.dll,-10241"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\Open\Command\ = "explorer.exe http://www.779dh.com/?%6h"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\ShellFolder	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\InProcServer32	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2776	iexplore.exe
2616	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2616	iexplore.exe
2616	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
2212	IEXPLORE.EXE
2212	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE
2968	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 1828	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2676 wrote to memory of 2028	2676	34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe	31
PID 2028 wrote to memory of 2616	2028	svchost.exe	32
PID 2028 wrote to memory of 2616	2028	svchost.exe	32
PID 2028 wrote to memory of 2616	2028	svchost.exe	32
PID 2028 wrote to memory of 2616	2028	svchost.exe	32
PID 2028 wrote to memory of 2776	2028	svchost.exe	33
PID 2028 wrote to memory of 2776	2028	svchost.exe	33
PID 2028 wrote to memory of 2776	2028	svchost.exe	33
PID 2028 wrote to memory of 2776	2028	svchost.exe	33
PID 2028 wrote to memory of 2760	2028	svchost.exe	34
PID 2028 wrote to memory of 2760	2028	svchost.exe	34
PID 2028 wrote to memory of 2760	2028	svchost.exe	34
PID 2028 wrote to memory of 2760	2028	svchost.exe	34
PID 2616 wrote to memory of 2968	2616	iexplore.exe	36
PID 2616 wrote to memory of 2968	2616	iexplore.exe	36
PID 2616 wrote to memory of 2968	2616	iexplore.exe	36
PID 2616 wrote to memory of 2968	2616	iexplore.exe	36
PID 2776 wrote to memory of 2212	2776	iexplore.exe	37
PID 2776 wrote to memory of 2212	2776	iexplore.exe	37
PID 2776 wrote to memory of 2212	2776	iexplore.exe	37
PID 2776 wrote to memory of 2212	2776	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\34954423ec92b2354dc7458bb1a43dfb_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Program Files directory
  PID:1828
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.v22.cc/?g
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2968
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?g
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1508
    3⤵
    - Program crash
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

Filesize
651B

MD5
dc7ad4ad897b44c7b6059dc83953d980

SHA1
933beb39742e7bd68451b39a64e410eb1f6467fc

SHA256
0b6e6dc2013c781caa266500e2434bcb27b7602c1c22f8ce5a3fe31376741996

SHA512
17336b206f0e1f134266a86a7692cd08a7fbfe5dd2e290cac85608f182ed81908181914f9f9b9c80074cabb70d7490da901b8920cb5073dfb5555b79bb284e45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ca955aadd1b9bd3a4a3290d0853cfc1

SHA1
7fb291d4ec954c9db53c7ff0bce83c2b47bb4425

SHA256
030d4190cbf75af6427429762ad71c10047f7a8c789a24f7cbe1ccf3c20b5c3a

SHA512
8ee4bd851f604f84cc679ccc5115e909711e50f17367ea924f1aa68f6832300d969b03ac693755debd0525305bba0df6cdb11d978a119fdedfa378ee1ee78bcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88decde98c1ec95813ce6c57cd39d011

SHA1
141f8ddee61d4bcb7297ed8854be5efbddd0bf07

SHA256
6798056368610637e13daf90f40e99857247fd1151fa4bc99eb9d856e36e9d1e

SHA512
564249110aa3aae44eb818b7b0bb1a9870b8b15efd86d1724b4a64ac273f16ec4f7c53fde0bb9428f18051a15a1808e528161394c73b5e4b79d5ba3dd798a1ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fd5e3399df02ce58ee74245336e0083

SHA1
29ab8b02b45ec4f2a487296b8e2d2a81e6fb78d8

SHA256
f72346d6b39aeca2e95b18e97b00d8d6d8d38260085475ec78e5844698be2058

SHA512
a5def34d804f0de80785ba0ee78b5a5b8572c2390ad2194aaad1abdecea8077597aae5f2269fd61b49ef9d8fc054b79773635a6f17caf1b9c74fd303096eb6b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fed255fbdacb306500e24996d03012a

SHA1
090425b4cdc706864ed1ecf3fed70a8f87487a41

SHA256
c364ba011fd2e3823a00024f3466e9bb1473ec3f7cd6b344511493da81677225

SHA512
9576f2a03829796c22bb5fbab8fd40d6a97a77c25945b7eb6b83b0865f6cd39059c7e26c78f73e42b6550d7bfa80a0142f7e3e8e97dfd025f18d666a88ca1d42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91d8903d532e2ce15b4e6a8768052fff

SHA1
68e566646b12cb3c2e6f80beb4cb74a8cff40dcf

SHA256
fa06435f61848e1803bed1e1cc0bb5c7ccdde9a833c9fc9074b525385f49de9d

SHA512
14f76cda98dd768dff70dbe44cffef14f3fca876ddf82b49db35b3b5233d3c527bf1e1652d5ebbfebbf60d41dfc438418f3afd460624382d211603db9f3a417a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
715283c64abac8af61c94df307e240a5

SHA1
ada32fe28e255840e4cbea7f875310606b5ae28c

SHA256
00f19666b249adb82c4934b09eeb758af9cc0f0f8348a7d957a0fd6c478b17a0

SHA512
56028e9c95dbd98a9aa48728037c977f6ddedeb6456219bb1656f851bf48b97e0dd483116a647260828dbd27aa7471b270d056f48017f930a2ced9bb0ddadc6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84a407d838046af6acbf686a2ba173c3

SHA1
81149cb23d20be98fefae61c6e5063a3560f94eb

SHA256
0a635b3589da0aeb042febeff807605dbe0fa3ded5eaf58d1cbd68f9990303c7

SHA512
f6b68545d2b49a42c29f5f0d880485efd727ce1d2338afac264dfbacafe3f182b82a411c864465bb57aba4e59c28c884f9ed36b19fbc0056da7e7f61d62d0a69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33a6fdcf5c838535dc3ff0a71759dd62

SHA1
bbd173c0b852fcff022614d51cb0f71e64535bf6

SHA256
b21233a051742515a48ee2c5d93391900d7744bf828512fa04995ec7ef4a4e58

SHA512
3adfb51b4350a4182344acf0b846a27d58f01a98eda3612b597988152cc9d3d1c282bfa548834ea8ba79acb4bd3bec488722febd5809f6f46a78c61217219985

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31f096b4222ca044f13c9373ea78b85c

SHA1
8ee1f1b85b95cf12dc4913005f40ace189c464eb

SHA256
4ea64396fd957e7def445516ce1251ddd7196dffa645e825a451e5e12e62e77a

SHA512
01066c6480f57e10ec8bf9653c6de0661a4d856cd1a5c88852b7d9bcaa3258e14c6484a7f5de5f211f9d73e67a1322b92e66b1a6ac0ebc5a408ba4ead081f3f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b3d1d6762f94dfa861737644f871805

SHA1
8c733bdf88b34e659ff7d1be64559d27d3cbbdd8

SHA256
6da4b4f2ca257e82c03d776163a861551654b2cdb6628655d72d32b7d1f4f5f5

SHA512
f62f2b878b7e2c75ad196ec8110970c68c8d603782494bf10b94da5dcd8fb84d824dc1271827509f25d048100f5242959f78aef804f9a94159e8675a7ed85ea9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dffabcd7e7a48e85a3e794f2af90b1c

SHA1
618bd3eb16622bee1c0c8ae4bf9172988f48c154

SHA256
5295616ace2af78394668cd67c77c68cdaf5026d7a6919937be1af155934f153

SHA512
f190a692c5879eb4d4b661adf8e0326b4c831a38adcf95e11d460be069de8cf1e09eb53ffdabf4fe3eee119ba24a70d1266815cff8447f4f0cd18c1ef144b17f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
152908b46322c562376c811eb4cc2e8f

SHA1
8bd6ce3c19988659d520e2a08d981ceb15af156c

SHA256
3ee8db184d5de5da43a14b7a31569bda3fb47e452b471c20bdab050beef8f8f9

SHA512
9dcbe333d5b4dcbf8e8f1c17e5b7bb24af1a0b7d91729652dd324b2176970bb350c6ac9c896c4c01fa64e594d245ab73a464029b733507cc864df48260ec7249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73fa012583d7f1cd3fd3d7c35f91dba0

SHA1
f90bed2a0b285e5562ef8657942e02d1659b0f0c

SHA256
1a2c205699c4a6a52a12048c314e1565433336b08b390a981a1b32c8f28bc148

SHA512
1cba9927590c5e3cefa268b3cba8018411bf359bdb96d289ba7cda24bb130cb7f1365e82d310b3ebea1345e101d8672cbcfb0205f73ac84ac191f426ec76592e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
014b02ccbddb7c834bfc677bfc4728cd

SHA1
8ea265439639d734770b5e7ee108ed24d628edbd

SHA256
e3ad084fb740963ea76bd211d178a08830071d27ef78e123988a9245809e8e80

SHA512
227ccbc7e22addedb69dd02a1a61573ccddbfad66d2f0992059d343e7954d2d3f87baeed3cefcdce65006172dbdbd534d7e2a61dc1a40c004af0cebcdaa42437

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d286748f160d1f78abc49533954a0eb4

SHA1
a60378970e7f266dce8305ed3620a9994a2920fa

SHA256
1dbfe081e1fdc740e7970eec8c1a2c9cf2a1cf68e82df9869936cb722c2b8759

SHA512
e3e4033934541e57b52a965914dcfa6cb3e0395825a3daaabb310dddd4f1fc097fc9e35d3ac1d73b4b4524662fb306c3f50052317aa23a4cbd76c69dcf7da6f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bb58730767721f02c4bebea5566f6fb

SHA1
14fee66b3bce76cba712793a0663fd41e5bb96a3

SHA256
f07d26d223e567ead0dccf4eef35c9f7840b76e47f57c7079de061e547994d33

SHA512
1c6f988b8d38d6d3688f584a869e1879e565c31400cfe240ea9369f11f8370ecda56e8b977d1c238008a05bd937bfff9030f55f0d1891ef25e60686a74a0a39a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4790a08e1523ce1b161b8ad1232b1e59

SHA1
53d45462d90c51b47ad2a00381f9f5ccd37bacb7

SHA256
b5039cb9f411bac9c8bf29654496569454ec5fc49e3679ce0acf995253a29bf0

SHA512
8c4e126bf74077bf7048484c41471f39afce5345561fba1bea6876253b5f8b45c311f04df05cf9ba4d02d3d57a6897f65693a927f2c6e7ad1eeca01450ac6939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec1466e36d1e0f1656118eaee6d5ca71

SHA1
c4a6dc26109b314c59506f52e7ed8ad665b1f939

SHA256
781dd558ff041df1656a50f743569184a84cf8a24ea24a5d9c8f864352fe37e3

SHA512
0fe54a8a8e748df1d41c7abef52be253d08ec46b9c06131015ab19d733f26ca932fa6485952b84c895d4b5cf45d68ab08b5b1f6447730ca5c3be234015e13334

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c35f6b737c842794a31c3a8a4264053a

SHA1
0c72796c3dc84ca7294ef3d8769c60ff6485e56d

SHA256
44826cb0b99c182be763bc68db47a378822e490031b63c5cc7d1d49c47755a5d

SHA512
c9b17baef5b989b63dadd4bd4a51b938fc24a3861266ad48a64d0e254df4aa4c1d1dd5bc8062d50ae854b3a6ce8bac47f14ed2e081b96628fc64a30f165882eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5084b2bd267325fa65db0f7cedc552a1

SHA1
0ca9e3932724a377b20f3355fbdbaf8c42d4547b

SHA256
ece75b5e962ef1580742762538830777975d7527d2b808e002eff8cf1fe9084c

SHA512
7ba73c89a9d09678372df88e38f142855c2effe9e4c417e9e46a9c56784b62d21536617009d5a3b9f243d205d17c8229f080ea89b30d9af1c3cb5a8ba1c44ade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f896415cf95e88fb2a160d25fec945c

SHA1
ef58ec6b4c55e70b7fee28955dd2a838f7e1e97b

SHA256
e8508058e7b289bccd82740e5de35a186c4cde642ee2c9793216e7f438f15b73

SHA512
38e0691d6d6f56da6456f1a39797ed4154edbf3fc9470121266b80fff4d47dcbc6f986bbae431f54712afbb55ecad0122809ba2667ffae6f47445fba83fa733b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c9966b98b44da0ec33a4747416c5ad4

SHA1
5d335adc3f68ef8ae2d6c3f9487095254d625a7e

SHA256
971b68962dc332b8a9ac5991588ceeb4704add98cf943aee28d94637dd7ce86e

SHA512
1f3cb4758e019893740b9874a555d86d9e8269a86e9c4b2af6150e2f436ab2610a9323679d3ea7e1baf9967dcb7a7e57c1b944082e7ec22df984b616e3b74493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1A34A7F1-3EB2-11EF-BF59-526249468C57}.dat

Filesize
3KB

MD5
83e901d127fbb827a9d26dfd91424b40

SHA1
38545dbfd80ee71c317570b25bc451505b46177b

SHA256
c2dfc7cc9f44a4205e191f186b5ca4afee03f70caa1b8bf1d1a1a6746be74894

SHA512
d6c906043f5f9d68915352d79b98cb7ee6152615184bf95a69fc82c2087cbca26fc3c71931f8cff5faad07023c8ff28a63c7e9b66261457b7774c2860c28e3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1A370951-3EB2-11EF-BF59-526249468C57}.dat

Filesize
3KB

MD5
c1e81cc19ce1181ecfe5c35b178c81fa

SHA1
d66c3692575c7e88c256313d215f682c0b1f94b6

SHA256
4dda17da4ff688198e06aeb33d7bcd63b258601c27f808e53918ff7225a1bf26

SHA512
c45865f2cddc97764fe1d6b24df0e1b8bcb3c114b6e13a755fe5755e062476780b36dce55de508493dda80f3d5127630f558a2f771d302f0a627e1c1ec8b5d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC3CF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC43F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1828-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1828-70-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1828-9-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1828-46-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1828-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1828-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1828-4-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1828-6-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2028-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-21-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-32-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2028-38-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download