a864166ee1b7bc386f5c9425b0fdd928b783906bd02cd7b8f786b0fc45c70291

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
Size

712KB
MD5

78a26822a19d69d1cc71043a751a00d7
SHA1

7f936bc2287a496708296266b5cb38b1748f7998
SHA256

a864166ee1b7bc386f5c9425b0fdd928b783906bd02cd7b8f786b0fc45c70291
SHA512

c5b04e693cff05797b1a8480f1fc00b1a70f39ed51bbde38f706720e395280b3983f11c8e7cfd51a4bed65579117b6dbb7592a28e3997f11be57d3a489fa8410
SSDEEP

12288:f6gXRxLMjBBndVElsUHxFcFYwJFboyQJJCBIPNJ2:ZXRxYFVdVEsyFceotoyS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\$dpx$.tmp\3791326bf0ee9a4e94a5cf195da0d610.tmp	expand.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\safe.ico	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Beauty.ico	expand.exe
File opened for modification	C:\Windows\SysWOW64\Film.ico	expand.exe
File created	C:\Windows\SysWOW64\$dpx$.tmp\982d4b0942157b4f8b6a29df98323967.tmp	expand.exe
File opened for modification	C:\Windows\SysWOW64\Music.ico	expand.exe
File opened for modification	C:\Windows\SysWOW64\taobao.ico	expand.exe
File opened for modification	C:\Windows\SysWOW64\Video.ico	expand.exe
File created	C:\Windows\SysWOW64\$dpx$.tmp\37898e43767c504896cd0d8b25deed66.tmp	expand.exe
File created	C:\Windows\SysWOW64\$dpx$.tmp\cc6122ed3eb2784f8dc110af5f660a8f.tmp	expand.exe
File created	C:\Windows\SysWOW64\$dpx$.tmp\c631352387b620408bd341ecf08b65ad.tmp	expand.exe
File opened for modification	C:\Windows\SysWOW64\$dpx$.tmp	expand.exe
File opened for modification	C:\Windows\SysWOW64\$dpx$.tmp\job.xml	expand.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000bc7d8519726dcaeb4f14a20479b5e3de822a63631750b297463ad7991d3bab33000000000e8000000002000020000000db2cd3de087a1a7232a569d9d2d41fd862efae6c83d70e4ca3c7ff22afe56289900000008866d3ec3f879769d55a7a7cd9723bce957e3e861ceceaee8f49e828a3ec9b0bc3bc4a29623432f15f5e4276fdc952eb99d5c9b6c33138660d6babde9ff0e018227557a2424580f0191940cf5ed923151c8c848bc3188735d36d450e61d1a1a9ea36ceb32d90248655332aca683713795ae2cb8b4d97dd2b0bcd6ff2763d66446f262dcfd93bbfcfa7ddbb865e79851a40000000a94ce311ea0a336d454f51a375a20e3497a56c6c17739f01b1fd37b3df2fa4b022eaa426d1a1c8cd63fbd1de6894d8e1974ef67bd81a1a16a6337d4ae190ca1a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428498769"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{296633A1-4E62-11EF-B231-72E661693B4A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b081b8006fe2da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c920000000002000000000010660000000100002000000006bdbe1e6db887de38205db57db495437e799e2198adc7f92c80ea23d4f5be6e000000000e800000000200002000000086dabbbcd11d32edc72fc6bc11aa582a9a2657ed83f755f1635f3cb9430eba4b20000000ef021709d3867aae1f8ea5c381b25c33317a6aa659309fabef37b51832548cb240000000730ab24e76591e892f6a7553b914ab3871e05c1c4787c60786ce3c6efd5c93849927365e297337ddb1fe6db7935dd1a929e21c04c894d880f925b0f4dc30ac02	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
Token: SeDebugPrivilege	1716	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2708	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1716	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1716	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
1716	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
2708	iexplore.exe
2708	iexplore.exe
884	IEXPLORE.EXE
884	IEXPLORE.EXE
884	IEXPLORE.EXE
884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 1716	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	29
PID 2944 wrote to memory of 1716	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	29
PID 2944 wrote to memory of 1716	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	29
PID 2944 wrote to memory of 1716	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	29
PID 2944 wrote to memory of 2640	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2640	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2640	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2640	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	32
PID 2944 wrote to memory of 2856	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	34
PID 2944 wrote to memory of 2856	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	34
PID 2944 wrote to memory of 2856	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	34
PID 2944 wrote to memory of 2856	2944	78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe	34
PID 2856 wrote to memory of 2984	2856	cmd.exe	36
PID 2856 wrote to memory of 2984	2856	cmd.exe	36
PID 2856 wrote to memory of 2984	2856	cmd.exe	36
PID 2856 wrote to memory of 2984	2856	cmd.exe	36
PID 1072 wrote to memory of 2708	1072	explorer.exe	37
PID 1072 wrote to memory of 2708	1072	explorer.exe	37
PID 1072 wrote to memory of 2708	1072	explorer.exe	37
PID 2708 wrote to memory of 884	2708	iexplore.exe	38
PID 2708 wrote to memory of 884	2708	iexplore.exe	38
PID 2708 wrote to memory of 884	2708	iexplore.exe	38
PID 2708 wrote to memory of 884	2708	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944
- C:\ProgramData\Microsoft\Windows\Start Menu\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1716
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.779dh.com/?ukt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\394ve.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\ico.cab" -F:*.* "C:\Windows\system32"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?ukt
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
016aaf2c7055ae6626d68860e7fafac4

SHA1
450ba464becf986befe368b7d1cfa0465de4dcca

SHA256
554828012809741a32ed52ad73e215ad36f7304cbcb66326240ff9f7b5ef6dc4

SHA512
17036aa715cdbecf9b030adc76654e949db08671c5a03db7663de43f67865a238c8926f704f688f5b00c5ad2c2dffd8e2100a05bc756510e9683b18098878f70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8220256fee95f791680dbb77590efb3f

SHA1
76defe53cb03b34163e18b0e330fe585228fd2e2

SHA256
5c5a9550639c17f31c4e48932d58be49fa3c59eff341dee206c41966e856d065

SHA512
9f151d5ee1e3338009936fcf1383f4425ce2be881d47e57fc5ead736ae9df46e1aa08471009951ab87707b3139daade8f54b41244b1cc4a411d35da4c9106be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaf292b596a5a9a8e14ac52f0ffb52e4

SHA1
7626e937f9e909bb447f4ca21360cea84a7d1522

SHA256
8facf098faca33b7e64267e3a3f3e2136467e4510709c01594131de263be763f

SHA512
71544ce856d939f7f29c3cff0211162f3628aa07df83c0aea2d9a291a4a44ed8ccf50a8348715cbb94b0d811110285eee45924badc53e3ef8d39e659e5d2e464

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57586d238cfe2a4606bb25eeea0edd48

SHA1
3d46b130f6474cde70c402efddcbb2dbf681f174

SHA256
c2cc00ea6f73e266f0267e5ced8927d507b60ea93caf988b9416918bd45b3338

SHA512
f4a5f1d50eca4add31b7572468c76c5992e63986e0e411a5450f7e43e610efb0430afc32a97f41eb8136364fdc7b4efbc8bb63d41d22ce8fe8406e60f16dd7c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1b59a12ca5571033500f35c8a64761b

SHA1
94043b1cf4fce31cb72d76a039f900dceb513509

SHA256
ef10c74d4ae3c49da8aac6152afb5a4dbf6ca33cc1cf85cd819a4b7cdd019589

SHA512
5cafed18de18f1b4eb81df1b2512661faa0c8a2aba8bd8da6b9da6cdebb156718e47005467a5a4db9d4d7f07c8fc17c4a1dce625bc0e1042d07861f41d2cef98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ba119410d045595450e6a1a94dafd5c

SHA1
c8cf5820de2a83b1198fbac01f6567cfebad9aff

SHA256
01ee3a2750d3a3f237fb77e9adff4cd2ad9e7905ea270b85c0d3cbd559d46a8e

SHA512
6a4535db810524e47de19a79cd4f56565fbac66f2a6e9b3c73d5f7abc564d98ea9ed5d3e244c05186ff1cae073c2f5d94eae146214715c90dabe6e19760227b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30297bb90bd5f988f3d48c85300a51de

SHA1
b4702754173393f7db816a731aab31429b255014

SHA256
4ebcd665a29275d19d42ccb4521549134a179212f393f989fc89b9cb889d3716

SHA512
5db22ee26429a8b5e4e5ab801fd0f24526971f2323831ff98be1a5358acd27217b35eaa3e04582ba6d59dc963735b9f5a4a30e1aa5940dc9fbf286ce291cd855

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80d6fc40fb645fb60b9eb68527220f29

SHA1
1bb72003df5bf0d6bc97f191b53b6b428ebf4fce

SHA256
bbacf1a2674eaf48298dc20c1bdb3535d7bbd0d83109d5303bc52331e5b4d32a

SHA512
85e487f30ace0ca9b6dc7a882931996e8dc496be794b3118d3a38d3224cc9a2bec46fbd8a6ef9fd3e7c61bd939eb8b472de1065942bd3f6ab2aa4306f95576b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1ed16964dd9d6b56dd7d4c6bc40b99d

SHA1
92c83c13d81285ff09107471e7f5c1746f681ec0

SHA256
51d9665b48ab2cde8509f82a188b5dc939aee82ea922479bff69a7c177470e1c

SHA512
43544d048b525932df5ca6aef63acfbb3277b7555ecdebd7c2df865267114bebebedf1b8a52ba40ce1bd3395b76224de70928db914299b458eb2636b3e556429

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca3a85bb1e962c5254695295facea5aa

SHA1
4ea239dfdcc198365a89d7b7f2624a8eac184e76

SHA256
08dcc147c9c4aea9970e08cb3bc6e1846352be63f758738c223f15e1496cde6f

SHA512
9c2506e5697c46076330798a413dc338d470c31ed490750319f13fc74874e1412d000a793d8f533dfdef92790fbeca72a3fa100957c0c010ef583ab5cc7337bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4420ce7423e6635b7b38c4b98c8491b3

SHA1
d84c5a100208375b93fa337b11c51f23e323bedb

SHA256
4e82f88e807c72061e88fb4011e12bdb7adb6da4f8589f24a45ac724ff2136e6

SHA512
b5c99178d4069e605a4285243642d452d93c232e9bd3ad80a66eecc724b32eff178a2e069416e4826452255f5126072033936018606add5d6633841b22d10a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79fce6e20f8e53ef5777c17c2992435b

SHA1
7eaf100cbc54e400e1596dadbe60eb9784b7cc2b

SHA256
f53229f369604925fa43106d495b6e9e1a1937a2f5c3c18da40ec0283ee62dc6

SHA512
e06e6105777f224639c388c45e032e06a785e74e110dd647c2773d0fa18c748d2ebcf220916c4440d18e09051ea3470e8f4d393b51f39e4a99bb0a03c23696ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\394ve.bat

Filesize
102B

MD5
1d195a138c3cc7c2099100779d273198

SHA1
998a370276c102c52dc86c5a78490a9609977b34

SHA256
cd1d36b93ddaf2327f1e46a620d32104509a5b4e16d226534b04dc910bca761e

SHA512
137c6dbc7a577945ac91ea67dbc2e51d7a3b7d3116f7b94da7c0dc1bbd4190ac3ebbe29b5c0d759051cd584cb7e0ce2a75401c5325de5ff0f3ea7f0df180d655

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8F46.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8F49.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\??\c:\users\admin\appdata\local\temp\ico.cab

Filesize
15KB

MD5
dbdc54e84c7d8dd5045b4404dcfaf1eb

SHA1
bd7db05e8cb833788c0fd02d90aee3e7729c743c

SHA256
b92db05a6360c50bbd3fa2c180007b104c5ec042403d14aaeb7629b3e9f36554

SHA512
0d76ed2cfc11033378cb7c7d99d4bf7d936b52e790826be3b6941f93e3c20a516ccbf9c65c2a7e444f496c7aa3d33c413f2d12bf6202b3b45ccdbfbc447e696d

Download Submit
\ProgramData\Microsoft\Windows\Start Menu\78a26822a19d69d1cc71043a751a00d7_JaffaCakes118.exe

Filesize
712KB

MD5
78a26822a19d69d1cc71043a751a00d7

SHA1
7f936bc2287a496708296266b5cb38b1748f7998

SHA256
a864166ee1b7bc386f5c9425b0fdd928b783906bd02cd7b8f786b0fc45c70291

SHA512
c5b04e693cff05797b1a8480f1fc00b1a70f39ed51bbde38f706720e395280b3983f11c8e7cfd51a4bed65579117b6dbb7592a28e3997f11be57d3a489fa8410

Download Submit
memory/1716-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1716-35-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1716-34-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1716-14-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1716-15-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2944-33-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2944-32-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2944-12-0x0000000002480000-0x00000000025AC000-memory.dmp

Filesize
1.2MB

Download
memory/2944-11-0x0000000002480000-0x00000000025AC000-memory.dmp

Filesize
1.2MB

Download
memory/2944-2-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2944-0-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/2944-3-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download