0f8f7bd670700132ebcb423046e7be5fa686fe64d016d049ee6c577cf3de03b2

Analysis

max time kernel
139s
max time network
135s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 04:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
Size

106KB
MD5

b22197f3a3441e17168886ef8899f4ae
SHA1

731b80ea3be453055e376250e6b4088154ff878c
SHA256

0f8f7bd670700132ebcb423046e7be5fa686fe64d016d049ee6c577cf3de03b2
SHA512

d2f339896fd3595ba2e6b65e749bfc14a882b31c51958d726f5a16c17c82d2ab01c0ace3bccb197bd28fcd750ce2671a41d4140ce6084aab7076aa765ceea1d0
SSDEEP

3072:xZMJnTeM4cJJKILa77j2NZmOSyt+DDMuzWtVhUxxC:/eTeM/eILI8Z2yQ/MGWcxU

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1860	explorer.exe

Loads dropped DLL 10 IoCs

pid	Process
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 1860	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	75

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000228b1a88df9c8d98e3e7c6632b393fde0869ad9045d97707673b07785e61aa68000000000e80000000020000200000006356ede7392ec91d964554cf959a8b80f03ae7f598da0b0c140885fc91f692ab2000000033a3cbecc0efa9a479918ad817ace9d5feae2b02507d6d1ec4ecc4f984beea24400000006e7e6c54221adbb4e5021649102c194b0c614e29b5030050b7e038c2cbe25fb241ae6ee6acf9d4da43de616f546a3b0e835aaa5f6fc4ffbeec5ab1ef8945f018	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430377015"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000ea07156a14a527a2c540d07aec7a5d5006e56bfd58cdcdb36262a81278b1ae49000000000e80000000020000200000006e53ef344c23588c8bdcc98680917a2ebb3ee2329f8093682bf49aa4b69a00cd90000000998cff18555f8af617ee705c070df1af62e0f2a4ee450e7b2fd39dd11019cda0ea1f4f14e1700e618cef7cea6ee9155f5bcf6775ad2a3a77162fac2e8db596b2eceb9504387d45ae1563c86a6f533f24a0895453731618315f4a9a9d9d7830b814e41dd16c2db5a778b87ff6844468b07f1fc37ddd431acb12fc29e4f09c0adb88643aa0cc707157363a1cc07701b33740000000dc45a552e37291c0048db137352d662ebcf24cb771a08d71d3584d233452768a4ba3155e62149a4d27399de460f00ea3784e6c872cb18a1dfceed84d3df56428	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e01ffc1884f3da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4CEEEBC1-5F77-11EF-838F-D692ACB8436A} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
1572	IEXPLORE.EXE
1572	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2056	IEXPLORE.EXE
2056	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2056	IEXPLORE.EXE
2056	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 1684	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	30
PID 2732 wrote to memory of 1684	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	30
PID 2732 wrote to memory of 1684	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	30
PID 2732 wrote to memory of 1684	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	30
PID 2732 wrote to memory of 1684	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	30
PID 2732 wrote to memory of 1684	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	30
PID 2732 wrote to memory of 1684	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	30
PID 1684 wrote to memory of 2604	1684	iexplore.exe	31
PID 1684 wrote to memory of 2604	1684	iexplore.exe	31
PID 1684 wrote to memory of 2604	1684	iexplore.exe	31
PID 1684 wrote to memory of 2604	1684	iexplore.exe	31
PID 2604 wrote to memory of 2844	2604	IEXPLORE.EXE	32
PID 2604 wrote to memory of 2844	2604	IEXPLORE.EXE	32
PID 2604 wrote to memory of 2844	2604	IEXPLORE.EXE	32
PID 2604 wrote to memory of 2844	2604	IEXPLORE.EXE	32
PID 2604 wrote to memory of 2844	2604	IEXPLORE.EXE	32
PID 2604 wrote to memory of 2844	2604	IEXPLORE.EXE	32
PID 2604 wrote to memory of 2844	2604	IEXPLORE.EXE	32
PID 2732 wrote to memory of 1976	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	35
PID 2732 wrote to memory of 1976	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	35
PID 2732 wrote to memory of 1976	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	35
PID 2732 wrote to memory of 1976	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	35
PID 2732 wrote to memory of 1976	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	35
PID 2732 wrote to memory of 1976	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	35
PID 2732 wrote to memory of 1976	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	35
PID 1976 wrote to memory of 760	1976	iexplore.exe	36
PID 1976 wrote to memory of 760	1976	iexplore.exe	36
PID 1976 wrote to memory of 760	1976	iexplore.exe	36
PID 1976 wrote to memory of 760	1976	iexplore.exe	36
PID 2604 wrote to memory of 1600	2604	IEXPLORE.EXE	37
PID 2604 wrote to memory of 1600	2604	IEXPLORE.EXE	37
PID 2604 wrote to memory of 1600	2604	IEXPLORE.EXE	37
PID 2604 wrote to memory of 1600	2604	IEXPLORE.EXE	37
PID 2604 wrote to memory of 1600	2604	IEXPLORE.EXE	37
PID 2604 wrote to memory of 1600	2604	IEXPLORE.EXE	37
PID 2604 wrote to memory of 1600	2604	IEXPLORE.EXE	37
PID 2732 wrote to memory of 1284	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	40
PID 2732 wrote to memory of 1284	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	40
PID 2732 wrote to memory of 1284	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	40
PID 2732 wrote to memory of 1284	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	40
PID 2732 wrote to memory of 1284	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	40
PID 2732 wrote to memory of 1284	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	40
PID 2732 wrote to memory of 1284	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	40
PID 1284 wrote to memory of 2536	1284	iexplore.exe	41
PID 1284 wrote to memory of 2536	1284	iexplore.exe	41
PID 1284 wrote to memory of 2536	1284	iexplore.exe	41
PID 1284 wrote to memory of 2536	1284	iexplore.exe	41
PID 2604 wrote to memory of 1572	2604	IEXPLORE.EXE	42
PID 2604 wrote to memory of 1572	2604	IEXPLORE.EXE	42
PID 2604 wrote to memory of 1572	2604	IEXPLORE.EXE	42
PID 2604 wrote to memory of 1572	2604	IEXPLORE.EXE	42
PID 2604 wrote to memory of 1572	2604	IEXPLORE.EXE	42
PID 2604 wrote to memory of 1572	2604	IEXPLORE.EXE	42
PID 2604 wrote to memory of 1572	2604	IEXPLORE.EXE	42
PID 2732 wrote to memory of 2044	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	44
PID 2732 wrote to memory of 2044	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	44
PID 2732 wrote to memory of 2044	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	44
PID 2732 wrote to memory of 2044	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	44
PID 2732 wrote to memory of 2044	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	44
PID 2732 wrote to memory of 2044	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	44
PID 2732 wrote to memory of 2044	2732	b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe	44
PID 2044 wrote to memory of 1808	2044	iexplore.exe	45
PID 2044 wrote to memory of 1808	2044	iexplore.exe	45
PID 2044 wrote to memory of 1808	2044	iexplore.exe	45

C:\Users\Admin\AppData\Local\Temp\b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b22197f3a3441e17168886ef8899f4ae_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.bestdfg.info:251/?t=821&i=ie&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1=86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1&uu=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.bestdfg.info:251/?t=821&i=ie&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1=86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1&uu=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2844
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:406551 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1600
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275493 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1572
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:209982 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2028
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:406599 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2480
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:3093531 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:406638 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2056
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:4011043 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1468
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:760
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:2536
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:1808
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:1948
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2120
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:3060
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2068
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:2268
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:832
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2500
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:704
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2592
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:480
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2112
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:1620
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:580
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=821&ur=JaffaCakes118&86b2c7c375b1c1f9f6329ce351fc7e74b1cd9fa1
    3⤵
    PID:2892
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a558a84057c1337674e62abc11f8214

SHA1
cb73f4a5f4cd0e4cfe0955cc9b3257217438d14f

SHA256
8ea95aec4faf142f94259bccfbabe25f547fd1d71908e60ed561101d9fd447c6

SHA512
5fe0dc981c4fd03a59a436151eec81865f6be780afbbb117c7788014c01fa9265424aa5d3d332f6639a40437258370c6e6bb1ef059bacd3c6277276e216ca688

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7cb20bd0bd9ce1a7f64dc2723c0926c

SHA1
010b7c8c43b37cdc9c6426621b2bf1b50b760fed

SHA256
3a39fc9dae595de046a2c17dd4d15aa4730fb799f3cb16bcb9992bb6fd6745a3

SHA512
c801390f93206e9af051d3fae2898cd67a8dc6d4052d3ab61e88f348759619a34e529196cf480d7581ad5b8d17e5d478ed5fc50ffdd0dc76b07d22491f3e9a03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08e3eba6f4763476bd70041a660a3915

SHA1
5a990c168e5bacff520fee206883064d0ec51e26

SHA256
b8cf2754a1ce77c9abdb4d9796f3979627ee7002252c6e460f7dacc180daf2c2

SHA512
8c9920a2b7efbbd0012a98c7bb2aa16080ad77fe2afabf0a6c1f5d36e204e3daf380aca074bcba0b63fe1258b653c3691c72889c3938141d4a29b1b58adac961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dfc414d68c2b4644224883719f85cf6

SHA1
600ffcaebe1656d0483f5a622c2d8a7e9ef1704a

SHA256
2c20828ba64482cf3b3d490c434de0212e29d84121e6f4cc4f63b900cb91345a

SHA512
4fc63577630fc76d221f7d4ac0ac061d04285d112c10b809a93cc1ab7e5cf7344f3b88de1b49f6911b4a4447ef06f7cc41dd0f1b6ab5da2ee732b1f75ff7c9c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b11d4fa93ba38c1227176a04d8ebcb9

SHA1
f1525080a8558e1eb62ef02a3b59c4401704c13d

SHA256
9f2251586726e62d36d39c4d283ea82ea593d02c22f667898af60026c8c612aa

SHA512
3e68936fccc5251620cc5fdafd8d810ec1908cbf8b043674d5e2678480e7b407eccdd9268438b241a80de88125ecca393eb6e5b266b8bcbd482b9a52d1e480d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ffad343b7ae0227ca58bdc209d7301f

SHA1
80a23cbbd6f91eb5207031f3ac556a8879a7dab7

SHA256
2b3114cb638909cf683c201b08352c4b82308307585c1154daf9825cee5de984

SHA512
71f0537e1ad7b77c5548ac7bf18f98bc4830413023e90570c578fb617bac10472841efe67cc549111ad56285e9ccb0d2ebca980468e3748f4e1178b6e6a1f691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d32b88eaf2ee5a95a3c708943798cf0

SHA1
ad14a6386ef0b1547a7b1e51287afcedb204255d

SHA256
7224419443125ecc829687bfddcb4a390a5c64cfee62a6d4ed524bf08b35fd41

SHA512
c1287d572f70f32782d018511ee56216bba99d380920d08dade2cafc1f7512f4b5a24a1245224ece0095ad89fe0d51b4a1a8ca5df8fe256d474584a35619b705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aca3a909e7e04ec793f9dc251fe8f30

SHA1
54d60c9faeb3953f2f1c3b18972a07018755de5a

SHA256
10268748451a2eb664186fbe56ede54967e2d1a01a5c69a58066c367e8e641fc

SHA512
eea805a95e7d16bcb1810f3a514595d8fda3c87c56eeb7c5156e81853c6c1c1831ad4f38b07e0762733eef7afe7502322cd26e71f822dc79e4a84a6ea2343108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3e3aed6feb2bac1af111d1b48e76071

SHA1
076a582b76fa36fbb9c0d17c932dd5ab0626f9c7

SHA256
202130e5d87bd7aec31ae405a090bfb1e42d38205614b1ce978fc373e60e937e

SHA512
0da4e14acb9186ba8008ffd20b225bb00793b6865bf592bd828c7fb0b08f6fd9a7c572237e8675ac950ac28fbd2dc3a2392e411c889539e177a230b1036f78cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da1338447bae38ee5d5eaf54e28a82cc

SHA1
94a3cdd5fb02969dca25bae46edd016af3ed07ce

SHA256
6a9a8a84ee25aed41e682cee99ee2cf5c975c221b683e2de4c750a45cbbbc1d8

SHA512
f36abc50bdc37b573456ce18cdd2378c25bcac1406759a31e3e84fea40e4ec93701f5f6c5c85d6dd477f1f53fa12e79376a02518bab20ad8f4f0d75aa226c4e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f798556c3100eb51e1cbd5b97c21e485

SHA1
9023ba4abdff20bc0f3de5ad8c10ff4e4554b606

SHA256
2e15db9a7bcbbc0b8b968dbdd30fb12b04ff967bb964a61620482f086835ed29

SHA512
bf07d724eb5f91dcc93bb870c97a3fbe9a21bb92ff22072fa75f1b079ffcedca2b257ade19b222055a899eb9635715b7cb2625a1f14365cc008ce57936c738f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deddafe38bc7a639bde4cea4848f9fcd

SHA1
b86cc1dbf7c0c8962798e40f0c2bf16dcb713936

SHA256
4c20ef5fd4dbdb4cdf663d200c417c650a428a9b7ccf7e96c545c342ea027b7a

SHA512
fb60accb8b8aa6f098fcc82571ba1a4c4f5c26d546a6dd5a7c07e33efe20aa7f8141395f923375cbaa64ed4a5e456a33235194fc342e616ca3bbf9bbb2a5cdfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
763938147da5a98fe0e1b15e959c6177

SHA1
f3abb6d823f3b4ea4dca873ac1fa5cf97c4debf5

SHA256
a8c83de7fac3e3740b8018b5a2c69f9c7400c4c19afde4258f819e10bff113f0

SHA512
89aecba27a79fb29da372b1ab396065234e3b7aa4114cf89c938424f170b75956bac6f2b556d66f1785384e365f511e7f5ad46b233158571d5f8e2b30ce14d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7281a524bccf522d115eb7e0cfb285d

SHA1
55afc4f26619620cd54d3947ccd455621320dc17

SHA256
01f3c117accb18abf076e9fb53a59e248a70453a461d3acfdd3aa96c5d35dc78

SHA512
c28a7c7aa3a390cb3c0f1b93743a4902089aa9c24804318b3398843e7870e854e026c8fc58d48d32bb08211bac7fe43b86c2269868cdb39c6098a5fe8eec9219

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5c37108c5570b2e48a1da50e1b71558

SHA1
aeb6039e2fa14db13680a3a7b6797593f8e295cd

SHA256
4b07399d73cb08aa2847d2de3477dd1b0e37da6047705f96763cd1ff18315eac

SHA512
bebecfe653ce303f288a262019ec9441273fb22e5317d5a7f96264657e5823c99b35d859dbd2f6f395fa38b05313924568ba3683c725b906f8cf955a1248e0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3378f6aefbd4a44aca34c63c2d51b509

SHA1
e5a9d787d6c0608520c03cfeacec5fa2cb8e1206

SHA256
a5bf83a85dfb6fd25045f749a64b6867f5920465f52ecec7de6cb9e33981581a

SHA512
436fb40418afcd02d7e0f06c6785ef6ccdd6f748df3d098bdad08fcb6fe7a333b53dd1e8631fc7faed0910494dd793b2d975835c60fbd9273563eef98b511e79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
866a27c0ca1a741c54eea140db850a3a

SHA1
e06b79806c009572a02915fc9f79498a7a9e0c8d

SHA256
b0239df00636351820f7181ba5cd3dfea677539169129919d526e24f368c4d88

SHA512
6460329713f716f0cc47f785ddbff3010dbedd2465bba61044849139d761d2682840e74982d5d104271da55f1262e33f7b556149230b7825a6f09fb3d9ea7193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd0db499dd14abc2a305f98872462010

SHA1
50a299b14ab57b330d9a3fd1642fb6814ec0a029

SHA256
3a04355b49bbf73006ff16e533c96582de2bf2bd5b4b3013c52dbb658eac7523

SHA512
08fed0b0b107e6bcca6a6535754299488b35646f98aac3290a3845568e1975893ba13dc347bbfe056a773619d05a24efece5801b73d6324f13326567fe291a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4RXRX1VH\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\84EXSCRK\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J7FHNNOW\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OX8Z8GR5\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8A96.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8B45.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\nst71A8.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
\Users\Admin\AppData\Local\Temp\nst71A8.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
\Users\Admin\AppData\Local\Temp\nst71A8.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
\Users\Admin\AppData\Local\Temp\nst71A8.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nst71A8.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
\Users\Admin\AppData\Local\Temp\nst71A8.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/2732-9-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download