a0650937acab2627e5ece8dac3ea80046b46695e884b4f3a012a8d3ec640bdc3

Analysis

max time kernel
146s
max time network
125s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
Size

325KB
MD5

3943a2b440453ca9f57ba6e7a095b4de
SHA1

65c9fe297ffd280d01c877c66e40a7d209c4e348
SHA256

a0650937acab2627e5ece8dac3ea80046b46695e884b4f3a012a8d3ec640bdc3
SHA512

717779f5fd3e4003f59fbf4318b28c05057ed3d32133be484ca44ceb6662a9aa637bf41ea888fd2ef7b200b37f6a7d046f8ac7740ecbbbaa3d73070800dec67a
SSDEEP

6144:BXI1OzcRifAdmb0Zan4l+jMhSxpJoXI1OzcRifAdmb0Zan4l+jMhSxpJ7tZCFCw1:BXI1OzcRifAdmb0Zan4l+jMhSxgXI1O8

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 29 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2204	netsh.exe
1136	netsh.exe
2512	netsh.exe
952	netsh.exe
736	netsh.exe
1960	netsh.exe
1740	netsh.exe
2548	netsh.exe
2872	netsh.exe
548	netsh.exe
2488	netsh.exe
3044	netsh.exe
348	netsh.exe
1464	netsh.exe
1980	netsh.exe
2384	netsh.exe
1692	netsh.exe
1744	netsh.exe
1104	netsh.exe
1772	netsh.exe
2260	netsh.exe
2452	netsh.exe
2884	netsh.exe
1712	netsh.exe
844	netsh.exe
1680	netsh.exe
608	netsh.exe
2104	netsh.exe
2268	netsh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HijackThis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe"	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared = "1"	RunDll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	RunDll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RunDll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\TypedURLs	RunDll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Cleared_TIMESTAMP = 0014576e94d3da01	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395168194"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	RunDll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395168194"	RunDll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RunDll32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2280	RunDll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1104	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1104	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	31
PID 2284 wrote to memory of 1104	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	31
PID 2284 wrote to memory of 844	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	33
PID 2284 wrote to memory of 844	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	33
PID 2284 wrote to memory of 844	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	33
PID 2284 wrote to memory of 2384	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	35
PID 2284 wrote to memory of 2384	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	35
PID 2284 wrote to memory of 2384	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	35
PID 2284 wrote to memory of 548	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	37
PID 2284 wrote to memory of 548	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	37
PID 2284 wrote to memory of 548	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	37
PID 2284 wrote to memory of 1772	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	39
PID 2284 wrote to memory of 1772	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	39
PID 2284 wrote to memory of 1772	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	39
PID 2284 wrote to memory of 1136	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	41
PID 2284 wrote to memory of 1136	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	41
PID 2284 wrote to memory of 1136	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	41
PID 2284 wrote to memory of 2204	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	43
PID 2284 wrote to memory of 2204	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	43
PID 2284 wrote to memory of 2204	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	43
PID 2284 wrote to memory of 2260	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	45
PID 2284 wrote to memory of 2260	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	45
PID 2284 wrote to memory of 2260	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	45
PID 2284 wrote to memory of 952	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	47
PID 2284 wrote to memory of 952	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	47
PID 2284 wrote to memory of 952	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	47
PID 2284 wrote to memory of 2452	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	49
PID 2284 wrote to memory of 2452	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	49
PID 2284 wrote to memory of 2452	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	49
PID 2284 wrote to memory of 2884	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	51
PID 2284 wrote to memory of 2884	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	51
PID 2284 wrote to memory of 2884	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	51
PID 2284 wrote to memory of 2488	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	53
PID 2284 wrote to memory of 2488	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	53
PID 2284 wrote to memory of 2488	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	53
PID 2284 wrote to memory of 736	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	55
PID 2284 wrote to memory of 736	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	55
PID 2284 wrote to memory of 736	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	55
PID 2284 wrote to memory of 1680	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	57
PID 2284 wrote to memory of 1680	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	57
PID 2284 wrote to memory of 1680	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	57
PID 2284 wrote to memory of 608	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	59
PID 2284 wrote to memory of 608	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	59
PID 2284 wrote to memory of 608	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	59
PID 2284 wrote to memory of 2512	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	61
PID 2284 wrote to memory of 2512	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	61
PID 2284 wrote to memory of 2512	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	61
PID 2284 wrote to memory of 2104	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	63
PID 2284 wrote to memory of 2104	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	63
PID 2284 wrote to memory of 2104	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	63
PID 2284 wrote to memory of 2268	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	65
PID 2284 wrote to memory of 2268	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	65
PID 2284 wrote to memory of 2268	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	65
PID 2284 wrote to memory of 1960	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	67
PID 2284 wrote to memory of 1960	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	67
PID 2284 wrote to memory of 1960	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	67
PID 2284 wrote to memory of 1712	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	69
PID 2284 wrote to memory of 1712	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	69
PID 2284 wrote to memory of 1712	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	69
PID 2284 wrote to memory of 1692	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	71
PID 2284 wrote to memory of 1692	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	71
PID 2284 wrote to memory of 1692	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	71
PID 2284 wrote to memory of 1740	2284	3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3943a2b440453ca9f57ba6e7a095b4de_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1104
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:844
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2384
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:548
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1772
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1136
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2204
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2260
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:952
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2452
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2884
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2488
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:736
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1680
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:608
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2512
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2104
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2268
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1960
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1712
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1692
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1740
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2548
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1744
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3044
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:348
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1464
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1980
- C:\Windows\system32\netsh.exe
  "netsh.exe" firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2872
- C:\Windows\system32\RunDll32.exe
  RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  PID:2280
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -ResetDestinationList
    3⤵
    PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14aaf098fa54796a439bdfb68bcec552

SHA1
058493ba1e8aaa592b1ba43f752891de24631989

SHA256
a1f53a5dff96d84400a4a79c76c7c187753e4906763cf2ef5b8841596e7f2007

SHA512
59caeff940126420f0075072fd0677f131b57f798ddb6257717a20dbe5820d6f9dac838427935d1adf44711d3ef78d982bd9af8fc8e949c397d2958b1d8a2181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UD7VL1X\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UD7VL1X\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KJ834MBR\dnserrordiagoff[1]

Filesize
1KB

MD5
47f581b112d58eda23ea8b2e08cf0ff0

SHA1
6ec1df5eaec1439573aef0fb96dabfc953305e5b

SHA256
b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

SHA512
187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KJ834MBR\httpErrorPagesScripts[2]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C7D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DD7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2284-7-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2284-6-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2284-83-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2284-84-0x000007FEF54EE000-0x000007FEF54EF000-memory.dmp

Filesize
4KB

Download
memory/2284-90-0x0000000021B50000-0x00000000222F6000-memory.dmp

Filesize
7.6MB

Download
memory/2284-0-0x000007FEF54EE000-0x000007FEF54EF000-memory.dmp

Filesize
4KB

Download
memory/2284-3-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2284-205-0x000007FFFFEC0000-0x000007FFFFED0000-memory.dmp

Filesize
64KB

Download
memory/2284-2-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download
memory/2284-1-0x000007FEF5230000-0x000007FEF5BCD000-memory.dmp

Filesize
9.6MB

Download