f3dbc037a91be139f33f7cd49d37e546cb58b7debf315fd3dee431b42daf73b4

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Size

140KB
MD5

768f867471ca6a6e234b182175edc733
SHA1

07c5b7ef3e1606d15115890b5d07803f5d81e11b
SHA256

f3dbc037a91be139f33f7cd49d37e546cb58b7debf315fd3dee431b42daf73b4
SHA512

9f00fdc7d8a93e496c05a462fd241ebbabfb46d737bd188b2ce4eafb1009c20f02a4a256f9d32e54793e4c7d95d836ead5d23afecbf42d9aa13f38f0320ae6a6
SSDEEP

1536:O/+1z/tt6HurQ1I8Nzuek6IrqbOHQ9ocjjjb64Sh0NlL6C753u4vj7cmaMQyHXTN:OG1OHutQu0P6c7L75+4vXaM98qKnIfq

Score

10^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe = "c:\\windows\\csrss.exe:*:Enabled:Windows System Devices Manager"	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe:*:Enabled:Windows System Devices Manager"	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2704	netsh.exe
2540	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2916	csrss.exe
2864	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows System Devices Manager = "c:\\windows\\csrss.exe"	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows System Devices Manager = "c:\\windows\\csrss.exe"	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2400 set thread context of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2916 set thread context of 2864	2916	csrss.exe	34

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\ntdl.dl	csrss.exe
File opened for modification	\??\c:\windows\csrss.exe	csrss.exe
File opened for modification	\??\c:\windows\csrss.exe	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
File created	\??\c:\windows\csrss.exe	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
File opened for modification	\??\c:\windows\ndl.dl	csrss.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
696	sc.exe
1692	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c70000000002000000000010660000000100002000000091b78d55189df73ac780875d8ab600b3fd03c151c7d554f4e21f52d4fd8d869e000000000e800000000200002000000062b41dfc350dd7c81e0eaafb9b2e750235f866895a6a77da13315dbc8d38ec0e900000002a557e56af20798b7497fded8dc09a69f440114a52ce5d21fb97f6b0423d9044bef3172484d48576188a3c52571e0316bcc7230baeabb499b20a6157563e8bc8647638fa6d983041d6d8144a0476b88cb63adafb5f0598a02fd785de2c62d77c062e4ddf5ff40fdb6d65579749eed4e066392ca50f42156470a66fffdaa6bd4f88adb79247b3c2490a62b03b819eb4bd40000000865bd6717a63c9f7f10e05b2190895267f97a4bfb008c51b709892425005e03b5c79df2ea4461cf07a5ca0373b17a3b5dcbeaa8b85ddb71f6d83170943f96627	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428477211"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000ea42ed2b3169e71473976d771deb4ae9c662994c9550402a79eafe0ee4d3767e000000000e800000000200002000000094c4c40b7f3b634f72acebc5e5040f532865993e6b65b3c0eea8f1484f23a31d20000000ad8ba44fbe15e4482d92741cfee1125bf785be2cdc20102394007e9ba57d534240000000144223632f0f48963d6046cf90afcebef1af5b314bcfa2bf7b34329d907ecf778c34174f49efeef746e49e5f9d1e2796b4e8aa3495218965bc116c02e66e42b5	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e050fcd13ce2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA6B1571-4E2F-11EF-90E4-FA57F1690589} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2864	csrss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
836	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
836	iexplore.exe
836	iexplore.exe
1972	IEXPLORE.EXE
1972	IEXPLORE.EXE
1972	IEXPLORE.EXE
1972	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2400 wrote to memory of 2920	2400	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	31
PID 2920 wrote to memory of 2704	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	32
PID 2920 wrote to memory of 2704	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	32
PID 2920 wrote to memory of 2704	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	32
PID 2920 wrote to memory of 2704	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	32
PID 2920 wrote to memory of 2916	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	33
PID 2920 wrote to memory of 2916	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	33
PID 2920 wrote to memory of 2916	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	33
PID 2920 wrote to memory of 2916	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	33
PID 2916 wrote to memory of 2864	2916	csrss.exe	34
PID 2916 wrote to memory of 2864	2916	csrss.exe	34
PID 2916 wrote to memory of 2864	2916	csrss.exe	34
PID 2916 wrote to memory of 2864	2916	csrss.exe	34
PID 2916 wrote to memory of 2864	2916	csrss.exe	34
PID 2916 wrote to memory of 2864	2916	csrss.exe	34
PID 2916 wrote to memory of 2864	2916	csrss.exe	34
PID 2916 wrote to memory of 2864	2916	csrss.exe	34
PID 2916 wrote to memory of 2864	2916	csrss.exe	34
PID 2864 wrote to memory of 2540	2864	csrss.exe	35
PID 2864 wrote to memory of 2540	2864	csrss.exe	35
PID 2864 wrote to memory of 2540	2864	csrss.exe	35
PID 2864 wrote to memory of 2540	2864	csrss.exe	35
PID 2920 wrote to memory of 3012	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	36
PID 2920 wrote to memory of 3012	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	36
PID 2920 wrote to memory of 3012	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	36
PID 2920 wrote to memory of 3012	2920	768f867471ca6a6e234b182175edc733_JaffaCakes118.exe	36
PID 2864 wrote to memory of 3016	2864	csrss.exe	37
PID 2864 wrote to memory of 3016	2864	csrss.exe	37
PID 2864 wrote to memory of 3016	2864	csrss.exe	37
PID 2864 wrote to memory of 3016	2864	csrss.exe	37
PID 2864 wrote to memory of 2848	2864	csrss.exe	38
PID 2864 wrote to memory of 2848	2864	csrss.exe	38
PID 2864 wrote to memory of 2848	2864	csrss.exe	38
PID 2864 wrote to memory of 2848	2864	csrss.exe	38
PID 2864 wrote to memory of 696	2864	csrss.exe	41
PID 2864 wrote to memory of 696	2864	csrss.exe	41
PID 2864 wrote to memory of 696	2864	csrss.exe	41
PID 2864 wrote to memory of 696	2864	csrss.exe	41
PID 2864 wrote to memory of 1692	2864	csrss.exe	42
PID 2864 wrote to memory of 1692	2864	csrss.exe	42
PID 2864 wrote to memory of 1692	2864	csrss.exe	42
PID 2864 wrote to memory of 1692	2864	csrss.exe	42
PID 2848 wrote to memory of 2976	2848	net.exe	45
PID 2848 wrote to memory of 2976	2848	net.exe	45
PID 2848 wrote to memory of 2976	2848	net.exe	45
PID 2848 wrote to memory of 2976	2848	net.exe	45
PID 3016 wrote to memory of 2996	3016	net.exe	46
PID 3016 wrote to memory of 2996	3016	net.exe	46
PID 3016 wrote to memory of 2996	3016	net.exe	46
PID 3016 wrote to memory of 2996	3016	net.exe	46
PID 3052 wrote to memory of 836	3052	explorer.exe	48
PID 3052 wrote to memory of 836	3052	explorer.exe	48
PID 3052 wrote to memory of 836	3052	explorer.exe	48
PID 836 wrote to memory of 1972	836	iexplore.exe	49
PID 836 wrote to memory of 1972	836	iexplore.exe	49
PID 836 wrote to memory of 1972	836	iexplore.exe	49

C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\768f867471ca6a6e234b182175edc733_JaffaCakes118.exe"
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram 1.exe 1 ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2704
- - \??\c:\windows\csrss.exe
    "c:\windows\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - \??\c:\windows\csrss.exe
      "c:\windows\csrss.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2540
    - - C:\Windows\SysWOW64\net.exe
        
        net stop wuauserv
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauserv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
    - - C:\Windows\SysWOW64\net.exe
        
        net stop MsMpSvc
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsMpSvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config wuauserv start= disabled
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:696
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config MsMpSvc start= disabled
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1692
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://browseusers.myspace.com/Browse/Browse.aspx
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:836 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f497b29fa52d22d1e532422c5babacd1

SHA1
57ca31905a637a1f5fdf219277ce428fba199af6

SHA256
55aa2777e1ff84286aa774d2c524223177730d78b380566e814e4ca1548c646a

SHA512
0d1a93fe5088012ae497d50122741a9dd215d5226996d52bbbe670e3b6150e1333d504e4c9340e555b1ef37c5ae6e7016cf765c1b8adfa3b3546c922c71e7870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fe63ddbc43ed8b665eb8f6acea7d7fd

SHA1
25ab6810087652a797fd0fdda32cdbbc6123bf2d

SHA256
e7dbbc6b4003aedfaad4cbfb64ed6cc519532f8c72f10053a227748605706b36

SHA512
4ab521f8a8efb251a897d2090cd831b783a6f5592f422cf3d1847755611ff3663037b65f6986c7ae16ba0c16d708aa255b8ac0d0eb9428d98901086b028b0a68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
398c719bda18b657ef4585c1d6f02cd5

SHA1
32527a8136613f156904c0db7fa58062e57d0fbf

SHA256
1ddf8345b678732b8de3e4fae3c2448ff74636700ad6825b6ea4a9ebeba61232

SHA512
903015cdc2b2dfdf226ceba9e8baee56f45f9d5fc1bbfbce0fc96bb485511a6c5dd70af703b37f9f207c78fca6278ef5e5328d96dda178d84d141b2576ccdcc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fd142cb23abf585400bb8c2e37764b7

SHA1
c640864468f339bddb0269549054d417b0cc43b1

SHA256
65c8b6495d639a817a81579a2dc0b3e9d6dd63c5f721f8e056457c348a592166

SHA512
b71f74c5cc6eaeab26a3535f7be0bbfd5a97f2517f95f6a7ea6384224bbd405370d0615f73c536a11c32ca10756501530552b0369b953fabe5d2d2e4f4bb5406

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6ceaea347e27f5da4359c80f9963a51

SHA1
60e5a903e3b1de73da721229c5a87ff4e93d5cbf

SHA256
b7a222a8e0c2418c64a0ae47eb06b43267ea2385b7cfc4881839c25b1b796020

SHA512
478b349315ce1c94fba77aad41168db3f4538f11d9670b39431a9e1a30c09cfbea3f8f4f974f69a339d10dca62e9f666170a066b74b3e1cb70cf57c68e6f2328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a7b96475cbad20c364758f3aaf4f2fe

SHA1
0a92fb08e3f8fc74fa0ff4f05a65c4cccb565c9d

SHA256
1aefef7163521c03b6649ade15d3315902523251dfd739e298f2a7bfc4820aa1

SHA512
d4feb88270952f9af2fc6abd5798b45f119da3db1ffb81a7228ddd7c36705ad3fd7204e98f8661969919cfc59513672882d6d7b4e86d7d5538944814c3c862bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
586bcba4d613f21e2700367b68f5902b

SHA1
362d10e04a1f4d33f709f97abfe45a7f68109aaa

SHA256
dcda4ad6d0de7b87fa6c970c910fc8529c5fe245b4871aa6ce0f0fb379104854

SHA512
eebf8c52ced559cc3fb32cf89e3f5c1e52b2e4260b315fe3e6781bc70c9e83c088eea88f11fcdd90c91e107996e98c09fc6bd93c9bd3b156a072038880f5f2ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a70c2988eb2f393023293dbf3953731

SHA1
a1cc99db53669ed26d48e88298b39f1269a38e83

SHA256
b65eeca04ae51d0ff242d4220120a7af3d6594952a08133fd7523815f7d7a246

SHA512
cace6ba8ae6ffe3d0516e9c26ee6bfc29e6730787405c2323cb0fe3e01b6707a8485a0e1c6c7395413fb6fbb25821bb3b5cb3d0d7f6c54dd3bc21b53c5a62cbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f9408cf7ec35180e890e16cd362a192

SHA1
88618203f51b29c02d04251d98817a160858cdd3

SHA256
8a0ea07276e84294a46194183ad7b6377b8031e5a52e94efeab5609aba4c8d19

SHA512
e56facb4b0cb0b4560f31d9052b7296ca55428ae6e35d139dfe8db36ec6113bf9b7058cf069caa876a7e565e01ef5da1da5ce2c7580c9949cce9b1ad9c1ab318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee5f0689e86e5e763ce64838100b1aad

SHA1
bf2bc76ff30ae73d07a855e7434d81a2a6e37bbf

SHA256
f27f2cf4bad4ce0ebde4d9af64a1d8daabbb2fa6f867281ef26f9cb255f3fa47

SHA512
aeaf9ec7a999835c60c5570b66b20c976feba182010ef4e694af44e5bcff6131ad50f1a88ac4a7158346f3bb24561a8300587abbeb0de30bf3bc9a7bd7f36ee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bcf6405bf88dd4fc79be5d0a3167b4f

SHA1
5371ecf66b00186d5f1ea9bff04994b6ebfdb801

SHA256
0667fb919397107893fc1c12bc347422988058e825d494eaedf5fc967f6ab6c4

SHA512
e0bada5dc9d248f2280bb31e064f246e7aa03ac656322a8a1586c3abaa342460841573debe38f2ea0885682b107dace84a4cd9f632849500c21eb4f34bfcc6a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
359fd2d9a9ea1087120934332f2ea8bd

SHA1
48f6590a229d6c83cd8cb60f6b50424c7074a945

SHA256
a663cf3826c1c1643304effebe8ad492727c130a5f7d43ae8a418d0622ee55b2

SHA512
e317962c00bea58281933b17fafcf56842d2f54f6914e691c6afef651038ec52c1afa763d148003169c8c0709a35c253fcb41f5cb43e5d4f07b5fc44f53df5ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2201c2855519e9484c5e92eefaf30453

SHA1
74072a714b251619e5d7b4b7d022922977d9ade2

SHA256
ce3bf4fb861d0e2cb461230611d264e775947c3bda91eb8cecc1145268243e58

SHA512
5e773cea0ca1299a1d5561e10939f0fa4a2e8e9ba3bcf87d8298a955f13dde1fbd914e8e57bbb8ed8d9192bce6896c4d4a57fc39a23b6657d3c0bd9d83676bc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b288890f5ce1efa7c89f4d7ae36eec47

SHA1
42896343193f20a9565c75a315edf786f5a64f40

SHA256
c8c9d89e10f7149924a8e4d02e3dad6ec5ea5027f7e6699795280d5590759fb2

SHA512
1464489d699dbd5aff0e741a1dc59b6147868b0e61dbfb9bf8635e4f6ab94beb1cb5bd33ae863f1d75b85e7ff2c4c0e80c1b3437b707bd9c0ebf2fa9bc247369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb6e75431093ff1eba89e855ec09106d

SHA1
2df16dfe0beb08039826fa4ad10a14c1f8b70383

SHA256
5a63d9fa56d5ff8880d70dce101fa2edc29da247090d9e0adc94f20ef3bbde5a

SHA512
1bee246f840e98042e781163a844e43b9c4d54b1ebf557ca378872fe31fa502fd46c85316783ab3dabb990e2f9a1400c6cea6f778ab51aaa03e1658528182e35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aba244e48d9a47daf3c200df54a2469

SHA1
6b08f214d4d62477e8beaf872ec09c8117d6b634

SHA256
b64988f8c7607c3b94ab14093d2265fb85f02ec05dfb97141a001f29e612d0f3

SHA512
414eb4de4764a5bae7844facf1d62dda3013ec3b8c5a69759f33f327a9f1926308f79df2b5ac69dfcb8ad6020c114fd1131a59e7c36a85242c63c8b8f0eeffb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
375f1add97678a32e275370401aa42f8

SHA1
5ef344ef4623ccd92a7dee1e8583b2994adb14f1

SHA256
2e9ddb245a4c156b3934e3e47ac73213107a6fbcd1f9cc3d906cdd65e7f9b488

SHA512
0f38402d58dec1fa39f2e949c5cba3d4a9e29e6d882f3339f027270ff2291fdbf8b1d8a907aa81b47358aacffdf4cfed126b4d972490924b25a01d081b73a5e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5baf7149383b74e53140abc9a0baec5f

SHA1
a8476b9e8ef3183d4cc904a608e0838e9ad7a7c4

SHA256
cb19b936c3f3c2a5a7c376da3ead6b33a8c67b133cb48f66cecce3c9be1d6387

SHA512
f0ee220e44110784c0ce6f804033fe10ce5c698c6b53615bf7a96d2c5c5ab3bc94f9ca306de2449de4ac7daddddf898723ff4c202e6a70c25f4819b10cddc04b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
001b2d59812985ac48610452404aa17a

SHA1
89f61f15f14cb14254a9a7124b1db50efb155f44

SHA256
0aff8fc5c03a19286ea815eac7f165c895ffa5bc2295fe20f47dad2fe6688609

SHA512
38be63538f644e18b695e8663f25d4ae73a7ba399bda1127f77ca79f132d6c347b386006eeff0b7e77cb13883016b9c32e3ed2d57b29a10faa36ff896d06a4bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
043e0e9127340c03894d70cb8fa6372a

SHA1
b1758ec3c8f84937fafede0131a5b772e3ed5d4c

SHA256
7ac526bf2fdf203acd0ed9e2c1af735ba222bd5d0af47571b020cdb573dcd97b

SHA512
78c1eca7c97ef1704ae880d28ef62ec2d8867c0990385b35f8b98361f9505e13662378c786a0bfcb6f2d5b1e81207ab5ec3ebcafeb5bf7eb5c19df34549a003c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3243683653e0fd75b5162fb010064bbc

SHA1
404f88c6461781cf146ce6978aec9c825743e02e

SHA256
5173654064394372a4a1795bc174076e3946a1c3b58fd0efe4862616512b75e2

SHA512
0e14590b79b27cf0bfe7071328b0a48bc41e545b59e9de4f8eee919d2ea17bc2e1b469265934625df2579587a8895e1f1f215e813183a156fdd7bf8aaeb83e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b28c85ee49399a9dfe447dd890fd4942

SHA1
37e92a7b3ec54ed4fbd004fe5d9b4eaf774d0470

SHA256
0f7488363a947ab96cd12df61beb74b5d9dedcdfeec0e4262dad65453348c8cf

SHA512
9c6d87b80326147881b27ae3956684f14f0666154c4ec763b9a610ff93adab291ff40f32a3e1a489395b3774dcfb334ce6231ffe57d9e3b02ef21868bf104807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7efed9b39002c0ad8829f39a389f4ec

SHA1
4438a11eeae101f388a8ace01d7f562e4336bca9

SHA256
1ebfee095d5197fce23d39833f780eee335d7f11304fcd3d086486aabcaef46a

SHA512
551b414acf09d94303988b735c63e538b0351447dc93250a7f9df301f2ddf0ad71a7a83ac7e8c8485d07b41052fbb120353f45bb586ff694beb72076635a1597

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c49d4a85bc39d45290b82fb12d29f85

SHA1
49658a117063180ba2dbe2f70b66d270b7de9959

SHA256
6082a0ab4fa48477900c8e20eb029c4d9dff51c59adf0dd6e485bad0fde03b71

SHA512
d8b60b70072a30ba8f87d79848e1cfd0ddf7beb0851c2ca08b0ff470e19723e376a7fa952f761b61e7c18874a1cad6dbbc360b6071864f2398d25c781a08c094

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
929dd96971993ca6508b483a5536bcbb

SHA1
32a1820646bd9a222d37226485cb2387b955d92c

SHA256
7452245c9a4668803cd572bee8d6ac84dc48ff3c9429d028512bad6849e6c504

SHA512
7179797f5d76c1fb79c2d2ab1adcbc4582b9683e982d074b84d50d0fa35836104a0b00266a5e4b9947a2a290763b61c1b4b3236ef2a604e1a74145f7449bc3c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6ffe715d64295d4f23c54f0542e1d3b

SHA1
ac2e19d29e78d6c00f031fa0527f46e024005314

SHA256
1cc660ce462a80bd620ff76bddaaa6cebff06bd21c619359e354e3fb74482ccb

SHA512
810859eec6e57b0677decdf225794a78c00eb3d5f1eb44320b01c82cbcf6488eb91f3e00ab7851c4b995852e397856570191ad19ff3512b0cf6e23d8ce7c4b95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13648a7193d8770dbe3fdd24725f20cd

SHA1
39551ca5f83c1159f0140297acc38ef2ba5cd13f

SHA256
d537243c3bddb3d29b31904e848f2d6d7c632cab43f69ef5524d8a772cd832c9

SHA512
8872d62affffa44490ef18522efb8db81ea89d74f47d09f976fed20604b9fe34b1a002c9517a863cd39cb975d02dbf757be3d8ca7b4a1110c631bc794c273244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49d455d1bcde6e8a3e78a2014c839db5

SHA1
53da65b026c143f601306a439676e29a74aab946

SHA256
d8267b5a0a6526f270bbf004c248299602ca891c6dd81446d81c068fc9bf4934

SHA512
86d61bf75458441c73c9550f1cac741b97c16233028f6ab34d39fc5fe3ac654d90c15612df2aab1577d309747d91bb052f1235586cdd4a204a0e60001bc50f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a0876f7e1f245dfb8b0823a0be26d19

SHA1
3a232da9acad0858c18780ca7284aba3a9ef708a

SHA256
b7def6dfb7516000bf6796f4b7366809d47215e1e437def15b68f7c755153afa

SHA512
9e3c7207e627492cc453aff631262995d39ee50ac899da57ca0691c85a57a48652204d8db0c5f83b6cec57b9948952abdcd9b715ebb7e792913411921bbafce4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
206c61eee1effcfb37b21b1c8dcce16e

SHA1
ff6b54b95625ed7a8edda6f06b21fd21310960a9

SHA256
b625caa57886fc433163dd4ca67dc60b8aa3586b21d0d706f6f2b505b0166a17

SHA512
fd5ecf5b843916ad4ef9dc20c0122a3a041a19305fd1e1ab35cd6c5c6d9fa4fd49635e8666f72df0aad7e3a89fce71cd3ba3c006153137edf37d06e1847348e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a016ce07cfeafc903bde5b49d0fb2eb

SHA1
d5aa8898b2f20a6178d9fd7b51d6f95f26275496

SHA256
fe8537dc20a5845eeb6c73210e8d67a5de4981615f45095c3f06b44f97ec0660

SHA512
e74394027072bd3a8952efad854b966d15a5c67e8ed5b2e1e812e9fd9d290f1d8826249ebb97f92b0e4d6968d9b3ede6100c64899c1ddaa8388779e2098a63f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c419af58c47cfc92f093a7b1b8b5de0

SHA1
adba66d7755d5f008c7bda3d8cf96d3df5763a42

SHA256
bcff2f7fa3eaa506bcfd2c15be02e8817fa889af547845b0e781421a6e429051

SHA512
c156409feeb7cd515479e7e0e56d0c35c671976f8bde6cff1769a4e86a4cfd62d3c8984873cca90c25c3d827a958450f4edaaf4399d57b1568e9932c4e8780a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31d7747c58006e5bd3b1e5a33c4572fa

SHA1
4c5757f3828fc91e45012b90a6beb2ed8e6acef8

SHA256
3f0538f2300b496e6ccfa13344d3b35200d3b2a814841e7289a577ad7c38f505

SHA512
d5ba168c36c7829651c0eed554aded8b07f663f79f4f006724ed1966157d78203cd4d144feda7454ab292b61dc778d1d0d4e9fbacc2ade3236bd2ea3018f9aa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de4fb5239f4b3c5c03b27eddbb7314db

SHA1
474a77e1e3584ec6d2a513a9b8debecb1a46bc58

SHA256
f1a0541a9f05a78d945730d06b2ee3b5c31d115c03e7bb649ca44e22fbd166c1

SHA512
0cc5668ad10d80aebe3fe1af644a7b4c58420563bb741352eeffb54f40019463dc8014306ef24a410a2ccfb6d10435eeaa1f4ed75ba211352d9f9ad05d6598ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18c690cf4a5b90f0f970c48ba6594b66

SHA1
b0624767f00e07ea8291edc047e6618cc7debfb0

SHA256
fa495a7f28f35b76aedfc06420831917fdb6b06919f93f093e53e1be78abd1f3

SHA512
12642eabcdfdaacfbf6e8a19954a0752439f78bb604c531477284317edce002b08cf1d1ef93a58d79efb116137d9e5dd27b3ac0c46977261edb74837b671b8ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
273f3b9574f198df7903f8f951b8eac9

SHA1
bbf027b2d1276e6ca106bd34cdbf639f69f5e4dd

SHA256
8ff7be7a9f5a5bf9906e4ff6768b5b00554820e11ae316e0e852fefb275e4bdf

SHA512
b29bf7441585646b0d4a8fa14931847e1a2f8cb05164a07725b9cd49cb768ee36d75b64f17e726550371fed12ede2accfe363d5fe7242b022d1fba326ed05434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35f61c7e9a81c2528e23375436f50e2e

SHA1
0bbfcc1769119a916dfabad92e1cd0e7702d4ece

SHA256
fe932f1c38b5b803bc5406dd3379c821e1c59bae2343a8d2c61bebe79ad1f73f

SHA512
2c09ac2a2942b15c0cfd612ce25fd0c7260026ddadc89792eb58e29712036f31673198404a0a43cb8f9d397af057005e5ee5e0611b9f1e7a9061201ba1d31c86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c112b0699d419e88a58be310c7f712f

SHA1
14b2c480427e4b70b4297bf9ff8375e0c3d534e6

SHA256
baec8dde7b648eb52385cd0965e01ff34aa6d61dd555a70ffd9fb6c1381f220c

SHA512
870d91363170777761c4b8d493350dabd8d2c54b5cc411892c995a725ea05f6feee081c60a3fb7b3d21901889d2d47939377197ba2cc625d9354d114678ecc8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be4686cad3e255be6a75b7ce60fe299f

SHA1
2025b28e90093c57406e6e00abede94f7bb6afdd

SHA256
0d1b3e31c433b6cad0ccaf3286a50dea7272c2c2e604804f29a2c0de291f806c

SHA512
1dd47a5cfe99710ce8c4a91f4eab77539b27eee33474138bacd0ca0e86a26d93dcace5b026a9897fba478095a98795c4351636d1422733584a02b1203b7bb365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9c3b62a884e5ed56f7ed293cddc4646

SHA1
5c9c5e40ed44222154b80a0e921bee7bcf4519cd

SHA256
d1a632a47abf32194a43c3b0d7a75bfa2973fd6b4981e5d6f338561d010c53e1

SHA512
43657042fe9082df65ae92e470d6d763c80e40ec526f0ef1f533ebd37a27ac96efb1f153caeaafc3c083d6a702cadd733a3d725aee8253f9a7225f639ef22e98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0a51ba4d935e268d8cf3cdf123e7b71

SHA1
56c68eff72c2a9d4c059eb0784c0a2d74cbf8b69

SHA256
915f5cc470e6140cded6f77b7ae566c6a1e01a956ddf9f9fd0a9c1d777db1da2

SHA512
1804087e4582f224333aa3e1bc5114ab54985533ce4f274bde3fa9eed84ad0eeb049de7da39db024a25fc7e11a6f59821e6fc34617574f6778a9786a31120f81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7019fea5c67195564c8ad92f15738ecb

SHA1
5a9fac9ed56f305e8ce7c0ad9ea321b1db0cce80

SHA256
c7babd2db74ca181263c35abaedf080a88907c823920c2e7f57b09d02e1c562a

SHA512
62588d65a8fa3532385b20868c6771e3d395976354884d516d7e0e847454f5409216675bfbc0c88792e17034d5264649388a1e0982135cac0fce6a1676468884

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7e71253dd9eece869d4e59db0d9f94c

SHA1
a4e119d8d3689465a79625ded8a0e9f3259608c3

SHA256
243921a5212db8f4dfbf62fe8a35d84673f07b33a1ad351199e6a7e45b21120f

SHA512
5f80b157f92f714288ce2e45bf54366fd9798b33055d917ff6d8b1199c358df9f169ecbcbf59b67f0b7accd5345b4ea2dead35b9e94812135bdfb8922c93fa88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55dec5fdceadf6efbd35b178477cb64a

SHA1
8adbf275f001ed0859d350616d7c7046240f9e14

SHA256
d62dd49efa93af2a8007e798993048a2181b70a2ebbe8773775c60f7ce3be729

SHA512
1ab4bdfa53766e77227171a59b6dcca4fcc479ce061af1ee842b3c030beb13442034b8445d78630592d929d11872e6e493ead294b94a05520ca8bf0a0d3cd453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e83b9e8e5934d00d5cfe8df887fc6254

SHA1
939c2d72fd0cfedbb86d6b6de2445ffce11e46c0

SHA256
e5f241bf667a0e38a78ddc0466af745715b1b13563156fc0430c11102a3445ac

SHA512
7f6f5299935962a5627b79ac072bd391eda5fa7fc8b8f9737e2a6260bbd929f2f6cff98cbdb462a91f5a3d23c5eb3fa53219fe0ffe95b6e53f230e773142906e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
338831c54962754a0c57bec57d2cf984

SHA1
1ac93c042508374d8f56cb6f8e5158421d1e159a

SHA256
0ac0e8ba97eca28004fc3585cd2525d7e4e0239db09b23898e719dc183164de7

SHA512
8d92c022ad738f74c5de702d9a47308a7605067e609e0343b07cef6f4c3846ea15bfbeee6c5a4723fd65152047cbbf3a3ffd948c93feaa188eb1a11b91dd0560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fdaa532b454d7804d5a9ab896e796aa

SHA1
2033c3996066bd29bbada40a602411085af48193

SHA256
97f4e52c38ba11e56d6308f5e0a7e24ad5495faeaa0b600ea2bde187aedea12d

SHA512
8cf15fec3bf52def28b0979ae3ed4c9026be883507c72f14f476c83fda1668bd29500877ef39b8ec5324d07adf7cf475eaf1aa7bfc9d3c7955d01fc3411f34d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF088.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF195.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\csrss.exe

Filesize
140KB

MD5
768f867471ca6a6e234b182175edc733

SHA1
07c5b7ef3e1606d15115890b5d07803f5d81e11b

SHA256
f3dbc037a91be139f33f7cd49d37e546cb58b7debf315fd3dee431b42daf73b4

SHA512
9f00fdc7d8a93e496c05a462fd241ebbabfb46d737bd188b2ce4eafb1009c20f02a4a256f9d32e54793e4c7d95d836ead5d23afecbf42d9aa13f38f0320ae6a6

Download Submit
memory/2400-1-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2400-0-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2864-3099-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2864-2665-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2864-40-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2864-41-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2864-46-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2864-3535-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2864-3536-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2864-3095-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2916-24-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2916-23-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2920-2-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2920-8-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2920-14-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2920-13-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2920-4-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2920-17-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2920-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-6-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2920-47-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download