972456029d53ca6e61341ae2d1b5c054e3be03a6562fb3034f948b066b5649f4

Analysis

max time kernel
62s
max time network
62s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 04:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

add609ca54a070d04a605ce51dad1230_JaffaCakes118.exe
Size

24KB
MD5

add609ca54a070d04a605ce51dad1230
SHA1

6ef73b79979557d7fb84cf7f552b509b4f0f4e65
SHA256

972456029d53ca6e61341ae2d1b5c054e3be03a6562fb3034f948b066b5649f4
SHA512

105c2fd75b9b0bb60c233fceda11607999ecc52784fc214856a79515501a63829298e618fc11618fe565d313b8444d61193a6187163b62911aaa8140ca08a371
SSDEEP

384:4QkZbV8i+fIZFQyZpz0q7bYKkxRjK36ct14yvXbB75zLuRi9saNJawcudoD7UkOG:rGcAPQIpz0Mb18Kdt14yvLhlKMnnbcu1

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3016-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3016-126-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3016-851-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\11989.bat	cmd.exe
File created	C:\Windows\22445.bat	cmd.exe
File created	C:\Windows\13693.bat	cmd.exe
File created	C:\Windows\5151.bat	cmd.exe
File created	C:\Windows\18331.bat	cmd.exe
File created	C:\Windows\14779.bat	cmd.exe
File created	C:\Windows\18968.bat	cmd.exe
File created	C:\Windows\29963.bat	cmd.exe
File created	C:\Windows\13534.bat	cmd.exe
File created	C:\Windows\21277.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	add609ca54a070d04a605ce51dad1230_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000f541f703a3491c836234be91fff909583fb43113925758038de1a6c8eddf69ce000000000e80000000020000200000008ed72d23d20d054ccc15223da8117237b642841c2faf2caf67d683610443a72420000000abf09b2424b4e64df3fcf0fe6a7dcb8de2a4411f968397d928812272baee4527400000007718e87f21b373968981641e05d6eb3841061aff67d0677b1f744fb1b47566ce935a6dd285ab10245a2f530c862d5f7dd11cab19e4c143f4e41fcb2b59409fe0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72742E91-5EAB-11EF-8153-46FE39DD2993} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a098393db8f2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f000000000200000000001066000000010000200000005cc52cfc7a88a5d7d297fe9207605c3854d782199c64c457a591fc3b45d08df6000000000e8000000002000020000000dbc993e7c76692215b1c5e1f32f0b10036ea155c6e2e2afac60301c1f124a33b9000000022ba0070766f4b493edcb39d171731ee6d00bcc5356e2c2549d1154c988c97f3dae9169912262813bb5197eeed42af6f65c34283d66514daa038b3981af1879a7c5ff922d358e1612dc5f12366a5292995391854ed79e4e8966f4626a71aa7521bf8425e8cc9d8f33930537617df73b6cf7fa9e715dbf64d102a09e2c72aac2970dc2d05ac449f6de1d2ae27882708aa4000000088f7f6c63b52742239e2494467da55612b800b88ec0e66e7850b4f2133be097ef0d5bad94804c6d578cd4fe2a330adc0f69ef004e67101ecc19cde61e4a759d3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2280	shutdown.exe
Token: SeRemoteShutdownPrivilege	2280	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2760	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2760	iexplore.exe
2760	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
2280	IEXPLORE.EXE
2280	IEXPLORE.EXE
2280	IEXPLORE.EXE
2280	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 1656	3016	add609ca54a070d04a605ce51dad1230_JaffaCakes118.exe	31
PID 3016 wrote to memory of 1656	3016	add609ca54a070d04a605ce51dad1230_JaffaCakes118.exe	31
PID 3016 wrote to memory of 1656	3016	add609ca54a070d04a605ce51dad1230_JaffaCakes118.exe	31
PID 3016 wrote to memory of 1656	3016	add609ca54a070d04a605ce51dad1230_JaffaCakes118.exe	31
PID 1656 wrote to memory of 2280	1656	cmd.exe	32
PID 1656 wrote to memory of 2280	1656	cmd.exe	32
PID 1656 wrote to memory of 2280	1656	cmd.exe	32
PID 1656 wrote to memory of 2280	1656	cmd.exe	32
PID 1656 wrote to memory of 2760	1656	cmd.exe	34
PID 1656 wrote to memory of 2760	1656	cmd.exe	34
PID 1656 wrote to memory of 2760	1656	cmd.exe	34
PID 1656 wrote to memory of 2760	1656	cmd.exe	34
PID 1656 wrote to memory of 2736	1656	cmd.exe	35
PID 1656 wrote to memory of 2736	1656	cmd.exe	35
PID 1656 wrote to memory of 2736	1656	cmd.exe	35
PID 1656 wrote to memory of 2736	1656	cmd.exe	35
PID 2736 wrote to memory of 2720	2736	net.exe	36
PID 2736 wrote to memory of 2720	2736	net.exe	36
PID 2736 wrote to memory of 2720	2736	net.exe	36
PID 2736 wrote to memory of 2720	2736	net.exe	36
PID 2760 wrote to memory of 1808	2760	iexplore.exe	37
PID 2760 wrote to memory of 1808	2760	iexplore.exe	37
PID 2760 wrote to memory of 1808	2760	iexplore.exe	37
PID 2760 wrote to memory of 1808	2760	iexplore.exe	37
PID 2760 wrote to memory of 3064	2760	iexplore.exe	41
PID 2760 wrote to memory of 3064	2760	iexplore.exe	41
PID 2760 wrote to memory of 3064	2760	iexplore.exe	41
PID 2760 wrote to memory of 3064	2760	iexplore.exe	41
PID 1656 wrote to memory of 784	1656	cmd.exe	42
PID 1656 wrote to memory of 784	1656	cmd.exe	42
PID 1656 wrote to memory of 784	1656	cmd.exe	42
PID 1656 wrote to memory of 784	1656	cmd.exe	42
PID 784 wrote to memory of 1264	784	net.exe	43
PID 784 wrote to memory of 1264	784	net.exe	43
PID 784 wrote to memory of 1264	784	net.exe	43
PID 784 wrote to memory of 1264	784	net.exe	43
PID 2760 wrote to memory of 1536	2760	iexplore.exe	44
PID 2760 wrote to memory of 1536	2760	iexplore.exe	44
PID 2760 wrote to memory of 1536	2760	iexplore.exe	44
PID 2760 wrote to memory of 1536	2760	iexplore.exe	44
PID 1656 wrote to memory of 1228	1656	cmd.exe	45
PID 1656 wrote to memory of 1228	1656	cmd.exe	45
PID 1656 wrote to memory of 1228	1656	cmd.exe	45
PID 1656 wrote to memory of 1228	1656	cmd.exe	45
PID 1228 wrote to memory of 2584	1228	net.exe	46
PID 1228 wrote to memory of 2584	1228	net.exe	46
PID 1228 wrote to memory of 2584	1228	net.exe	46
PID 1228 wrote to memory of 2584	1228	net.exe	46
PID 2760 wrote to memory of 2280	2760	iexplore.exe	47
PID 2760 wrote to memory of 2280	2760	iexplore.exe	47
PID 2760 wrote to memory of 2280	2760	iexplore.exe	47
PID 2760 wrote to memory of 2280	2760	iexplore.exe	47
PID 1656 wrote to memory of 2272	1656	cmd.exe	48
PID 1656 wrote to memory of 2272	1656	cmd.exe	48
PID 1656 wrote to memory of 2272	1656	cmd.exe	48
PID 1656 wrote to memory of 2272	1656	cmd.exe	48
PID 2272 wrote to memory of 2060	2272	net.exe	49
PID 2272 wrote to memory of 2060	2272	net.exe	49
PID 2272 wrote to memory of 2060	2272	net.exe	49
PID 2272 wrote to memory of 2060	2272	net.exe	49
PID 1656 wrote to memory of 776	1656	cmd.exe	50
PID 1656 wrote to memory of 776	1656	cmd.exe	50
PID 1656 wrote to memory of 776	1656	cmd.exe	50
PID 1656 wrote to memory of 776	1656	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\add609ca54a070d04a605ce51dad1230_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\add609ca54a070d04a605ce51dad1230_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9E61.tmp\Death.bat""
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown -s -t 61 -c "Now try to fix your comp. sx3 u are dead"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1808
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:406551 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3064
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:734222 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1536
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:1192976 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2280
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:3486738 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2248
- - C:\Windows\SysWOW64\net.exe
    net user 19039 /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user 19039 /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
- - C:\Windows\SysWOW64\net.exe
    net user 13410 /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user 13410 /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:1264
- - C:\Windows\SysWOW64\net.exe
    net user 14632 /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user 14632 /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2584
- - C:\Windows\SysWOW64\net.exe
    net user 17162 /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user 17162 /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2060
- - C:\Windows\SysWOW64\net.exe
    net user 22459 /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user 22459 /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:1760
- - C:\Windows\SysWOW64\net.exe
    net user 24735 /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user 24735 /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2468

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
174099b82fdddd6dd30f64026098adf7

SHA1
321466fbc6ebfa2ac25ba4b96a8a05fb6c0c0960

SHA256
fcc582b8769525b73d21d3d26dfcf0dea9fcfba7813b96565c7f1af19f84fcbe

SHA512
14ae8b3d94535c93e28e84aea8e9588c5abbf695b2694f835e5b11ab728c96ec920dce939e5dbe3160b319c11545c547cd645866b909ae77910436f4878404b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_0FE7F9E544828605E8602D3A6629EA0D

Filesize
471B

MD5
76e2a4bc148715eb677196ff573d2604

SHA1
94356d11919b1d31aa07670a6cba4e022bc74fea

SHA256
8c76743fb3ae529ac9e3f4f5a29cd714133d679ecc7d1f42a2ee9a52a339beba

SHA512
6633150c8653733e8dc3ed1ba2529423940e1aa09608a58361b133f2383901bcc7b44eb5f1ce2dcdbe041d43e6b1b10de704dd4566560ee78b56edd35b561912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
861e17fc420b58fe822daa8e830da3c8

SHA1
e73bf09a2211d24cd0c677aba881c97aca198511

SHA256
91d6f6e50d4e7581006e3b1ab7f30b1520be17e22fda16bacf4981a3061b105c

SHA512
268fb9b7fc59c16dd43625956e5f53d5f4dcb59bcf45d4613f74d792a34ff3fa3685b75b412ece81fba7276506daf36e7cdcb3431091ea495f462e95aac900b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
22b259d68b5568a28c7046fce747ca52

SHA1
2f699e725b70a4c0db991769e5ed2ca895cec662

SHA256
aabe91628c07ddd419bd60a3281d9c5de415ca64f1095482ae91ee42187d9cfc

SHA512
8f86cbb2a95ac86803adf6353eb611ea655322ae6e346e721553a986c29e29ff3b1a61db46c3f614fa09e687d7159bbe193aa95ffc06dbe4ec11f4c661b92c82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf213970cc8997f786009185813b295a

SHA1
e9601558f7f3a5a5d0160ce45942a34e59ccf34e

SHA256
5562f475c19eb7a13043aee31479e4e6b3cadd2cd03e825dfe36fb8a28c7b1d3

SHA512
67ecde7b37d6c43aa879c2a9dc174e878fe6e286f566bb509f1d92fc3116024624fee38f5da9f192d300fcbb5e115a508fb897fd5976647493ca77c020561f3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43e3efc6100e8d17ec155368ce58deb1

SHA1
60464e6e4b62b37e36a485bfd2bc2ddda1a4fda0

SHA256
8fb636881d44ac6cffd7274d23f939b3ea59e9ff77b009d7ec43a8ccf826d935

SHA512
f5f074e2eaeb9e5f8b148d2539b3e878b42511948c9cfd52cc0938acf8b4e59eab95dcdb6abe1c4aa9bdeb81a1561444c3cf638ef957bc628b67ab4d3b6376a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d6501ef120b628dcdcab2949234abcb

SHA1
a50617f06523faa8149dd516b1d3487775cb74a3

SHA256
685ba224924233b5390c2857e723129cc1f21f7cbfb126470582ffaf207f85b7

SHA512
1abb281ed53be6f0f39371fb14965c8ce54ebb78455082dfbd9b3582c3b8fd0bacfd76b80d4759fae3012eb2d2e28ed356f79b148f30f70bd0bbd18cafc77001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6c4f437d0c780c19db1dad99a494acc

SHA1
6736d3a196a7df56dac0083dd629ada42e68e50b

SHA256
acd030f55a2a658b3e4caf8d0bb5e43ed83b635a90b4c6bb6b4817a4528089d1

SHA512
7996252aeebe1aa059552ebedfa77ce24634379f1bfbee102cc081ae2724d513637bb349e3809595392bf6a09af9df78f4860ffe0a5c3fbbe8715b17fe1cab41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99058bcb53770589166b132f022d38e9

SHA1
ee27028ba82663c97ebeb7a4e648f952fd4055fa

SHA256
74e0a8d1fc2e83b1297f04cb6fb6361d009ec4311c791596a2de7c177fdc93c0

SHA512
c5749a01bfe289dd9897615201af2b3ca56d8b3e09a3b9640c54c27cec949ff873fc49309981a033371e9f9f360ac971687e9d8d4a00ece2977c1c8e7c4ada84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3c8f2077f03a268e8269c3e58f58708

SHA1
10036f3f015e1ee33dcef9aa3c52cf8f197f0dcc

SHA256
4944f67aee0f39e82dfda38329f5a8490937205a0ab32c7bc52f0ebe1b77e587

SHA512
4a48ddf3a48bb788690d9a5a1d82eca021d6418f7ef4406da69a8465c747456db7d8edf1554f0c9c16f6be707fe6847c81cccfa820ac221581f0b63a5f1f70ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7c28ca426d4f062223710ff481b1a61

SHA1
45e416b69963560c772c47ab2fb50372ba5497e6

SHA256
7a6f82795a176fa86b5973d42a4f5aeaf3162d5b76826c937c449975d295e212

SHA512
abb115bd65390b0c80dd96d3ca19737257f4d8fd4b26e78328314288d949170f5bf55a946c71f764dfedaefeaa1914cbab509d17b6f70589814936b4e609633d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce24b0b190ffb1221fa236eddfb44392

SHA1
529be5288f2c381392b3150ac2a7d597f7cb6110

SHA256
f3ddbb8cdd8e18a51e00f7ae45f718f60c3f1aa8e0552eece695461e477fa5a4

SHA512
252e0ace7e702fd1d5143fbe148f21910679966354464039ff8bc9a05450a362ef89789427688cef5847c0adc9b3351305a3ad9067ef4fad9c7b8af0562c503c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7d86287ec231b659c88421584ce2002

SHA1
6636cd4d8fb0636ca31ba38005a39bccd8ac4b22

SHA256
e5230481427db44816610761a043f8c1c30aaf52b106c110699cd731f19ac56a

SHA512
6f818e653e379b5651e6594deed6159552ee91e64bf87a13a9779eb9487e83ccf51d4afa97e4d71c938f14bb2b0cb2ca1a56f627005c6fc4fabe776ae6c01d72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fd4be5b341591db83c21ad08b6faf78

SHA1
b037033d4068617ce774dcf19c1353eb5b6c0972

SHA256
ebca22c496cbe736d8371c34ff8647f9484d7e805e4b6c046924e10d0ee22cb2

SHA512
9774d9dc7affda8d84961d7cedff63b9592d87e7cca314fc184d71bad8a6e54f5b314dd3fe2fa620c76938483443575d582a464bf4853434703bcc078cb35c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e90f3e0e7c1aada3658039953c1682f

SHA1
d9ccc02056fb751df8540d897839c2ae42b2e7c5

SHA256
5bb13e6bd1fd0d5b103a883d16e24d329c93dfb0f83f0d7923232a65ed8f3c93

SHA512
05564dd1b9489c2037fb5e4adfab433c36af0363cf6d2f484c5ba467ee9016a7ae2b306534e86d5b2ce69af10c88451e85f6ff17f6fc21a98eb4edae66f6e088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_0FE7F9E544828605E8602D3A6629EA0D

Filesize
402B

MD5
93a6833788e602d96ab23439391c56ae

SHA1
364e992f498e6a4af8238b7a9ecac17b572ee5bc

SHA256
d234af343dc83282e3f8003361d9e4eaddc2e69e6d63639779c5092faac6c9ed

SHA512
f937c8b3558e0dfdf7db38723719b7e0ec3bc31822d4a9f35176142d52d55b6baa6f4a05370751696848a038cdb5bcda34eb12430fd3135fccca3aef4991ce0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e343b953d7af1c66126dc312f67eab6e

SHA1
3740033a178808c340b680a163f61a96c2fe12a2

SHA256
a02eb540b4e11b0e05e346f27864da02ad3d658e71d993876932c68c0455619b

SHA512
8e6b94e63e9cf84335bd9533b58038f38f824d92f4dd7ed2b024b703c639f6651a850196e9b540ae8f9d96bf99e2b5631407ab0b32a4db839cc80586a3ed81a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\TDLY1R3B\www.google[1].xml

Filesize
98B

MD5
dc5a06bb4487f0d8a269c16345627de3

SHA1
cbdb807e0d97c279f8c8ad1450dea25534086c05

SHA256
491e677e5ed887fef4af5aca6dcabefa059a097a047340b7b8b99bf3f78ee509

SHA512
ebd9dbf4a3ff65d44787566dc6390669ab0d4e94d8dd517601386d4f5f84776c8faad9a7505361e03dd6f0ccdd863f0e56c1879d70ebabd10cdaae61af4e63ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hqw8ypt\imagestore.dat

Filesize
5KB

MD5
e8676672fb30dd5769149776564541ca

SHA1
ed74b5da93bebd5d5c8c4deb175f5838b340b6d1

SHA256
53204a819656bf9fa887b068e4e5dfef993ce3ed1971e8b1b218f4824a6969d3

SHA512
c5e76d9d1cc08d7f07c2c2035435267dd920dd53cbe465d93606322cd59a618e6bc7accfa881b7b0bee2a41d5e5bfbdd588a36d5648337901d7d33b22dfa8c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\webworker[1].js

Filesize
102B

MD5
cfb75de5b30bf427c44f5a02e8616345

SHA1
25ced704596e89f7a2e50227129d71b0e9bd5da2

SHA256
82d3b76db4d62ac71bfd0abd0528fc3a03a8dc2ce3c65eb90ca4a3b0181122ec

SHA512
8327c6e09830f0c3526c439dbe2213bfae5de2485575ca8b74fa83fcc2d3b1f824a94ef324511c16e8aa2d35a8655da0d5792eff46b9e37ca3202db175802be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BVY7RUMW\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BVY7RUMW\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BVY7RUMW\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BVY7RUMW\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\YrhSEqBigngBm13P72zv5BqzMvKqyJnkT3jMiVTjS9g[1].js

Filesize
24KB

MD5
31515f0619dac58993216970a715b49a

SHA1
9a09dd56e972cbaea27a96528516a82b83128ae5

SHA256
62b85212a0628278019b5dcfef6cefe41ab332f2aac899e44f78cc8954e34bd8

SHA512
94b7353315cc5b0ceeb9dacaa04679e77608c1c481c8bcc42c5fcbeba2d072557a9ed553d407434fe9b51b1a6716c5227fb9e9601036bb9fbed3cced5f0686b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\api[1].js

Filesize
870B

MD5
aa2728d09997079c4292657aabe3e50f

SHA1
12deb1b28ea79952fb582cb6840e5e53e3d01667

SHA256
1bd9d97ca6363b413d3721647ec0cb1cf6d0639221e47c91b62ce31b63862d50

SHA512
4d758d4197335f8d703a69802180adf7d75e3cfd6446301597736875dcabdde0a15ebaa4f177a39ea22f8082e1ec3bd705b66c7563be0c5b41b59f7225d8a3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\recaptcha__en[1].js

Filesize
531KB

MD5
1d96c92a257d170cba9e96057042088e

SHA1
70c323e5d1fc37d0839b3643c0b3825b1fc554f1

SHA256
e96a5e1e04ee3d7ffd8118f853ec2c0bcbf73b571cfa1c710238557baf5dd896

SHA512
a0fe722f29a7794398b315d9b6bec9e19fc478d54f53a2c14dd0d02e6071d6024d55e62bc7cf8543f2267fb96c352917ef4a2fdc5286f7997c8a5dc97519ee99

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E61.tmp\Death.bat

Filesize
1KB

MD5
1d211984a1f9ad2fc9ad20d91cac59d3

SHA1
f42c752c3266d92500a1b55fa4a87f9926bba07c

SHA256
f258f24818cfe5a4b8a1245a1cd10a55539b4be35feafb2b78c556268944901f

SHA512
eac47a5fe7dae25de5267faa4ba840dd71aed567f0ae386998d48bf2a0fb39a995d4408b63e1bdbdae811c21c3a43c2837983699565882cbd4e63254f52df376

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC8DC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC8DF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CCUKSG57.txt

Filesize
122B

MD5
3b69d8bdf56c564820168970f95585bb

SHA1
6495428f72a30ef1562e4e0de1c6c56b3936cd14

SHA256
9db2f44294baa307d36740cb1efd2416c3b04d9b47ec97be9fc69790f0a3eda9

SHA512
e3623468c410dc8e3cf535945efc20fe70326573529004cca3aeb58983be9f27d2bb088129b4c0e00e88b2d4f51eed64ec9af65c78f9cad7e4bae58c29687bde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\F7JWNL9U.txt

Filesize
121B

MD5
72a5a623c537eb7c727ed9b2ee24efcd

SHA1
aa66bcc007cc7399f43f352243d13c54652f6905

SHA256
5b364faa727c892e3eb0f33ae0ca2a9ceb1c602eec97cc99eb72ea1069507405

SHA512
c4dd9d766f0beef0c0639cfb1b90933f8f3ab31546229f2a1785c7d9335ba13215bd4fc013d740a8aef68b6b04a4f3d81946a4684764af0887d8f2f39fa5ce4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JU0YQQ5V.txt

Filesize
121B

MD5
b13677167841309807d190856e95321f

SHA1
afba54a493f758b2758373db27df9ddf00a50659

SHA256
62067366a241650824933d0b8bc644037c58bedd704e6c206cd1fab84409a98b

SHA512
f972baab5f56d76b6b3a143f598366c6141141193f0738670583d6edd6c125c1130572ab40cd8153c0594e181bcab424dd06d9cadf91dfcfa17c1e9266c22d27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MLVUNMR1.txt

Filesize
121B

MD5
64818bdd6562f944f4854100e3d8f7ff

SHA1
5fde2f424f2a8ad04ac3b7f8aa791207c06c7e43

SHA256
00bde308b69ca1454bf86e08f42db5b826df8aaa5c5e1d56b23266344a2d3d4c

SHA512
5f05012e16a5abd77942bfe5a0768b258eafbf634e77b196d256b175d7fe39b097fd450d43bcef2d463d08aa44dbac314d7af1f8b145b08c36c7635aa7014bca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OAH4GT7F.txt

Filesize
121B

MD5
dc5a10dc71322285f55112cd64bee5b2

SHA1
214a8864988fe1eabec5817f695b1b6f80b91f56

SHA256
93550614081a8794eecc5d25edd131416159444915d647538de29418fe636549

SHA512
d68522aff750ad0dadd86fcb62a20d35dad30a5b08c613f5450dee320ef088bca43af07ca23a249fa8ec503869032347fb73ef23054bacfd38c698a804cca795

Download Submit
C:\Windows\13693.bat

Filesize
65B

MD5
9ea9b128503f4b12ce58892da208a2e0

SHA1
259bef66b139d5aa1a0041606aaeff3e1cb13125

SHA256
5261a057c25f7b8cb4c4ec22bee0ba0cf60cb212d95c97ee6664fc1787f132d3

SHA512
24663ffa5fd253e8033130d19e73cabb7bedb6e21036c556abd871f4954917fd55c38eba15bb7b167e208f32595bd1bfe721c2eeb32c199953098a415d9af595

Download Submit
memory/1656-53-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1656-128-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3016-126-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3016-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3016-851-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download