08eaad0edf24023dd354bbf87bf57b02f41ee5f214df0bcc8509b265f17c0e86

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Size

719KB
MD5

b3d6293f5ae50f6861211c7d03569ef6
SHA1

8c1e1b8812a9fcd4c149ef7eeb2f5b7db8978ee8
SHA256

08eaad0edf24023dd354bbf87bf57b02f41ee5f214df0bcc8509b265f17c0e86
SHA512

59cdfeb7026a0064b4874e58bf4e8600e1c7d948ca6cd9375619b6e3c90eb8cf03d419b963aac72b09f5fdbf181665cf040957737d13f27b105b83bf74c04700
SSDEEP

12288:AZ+P8/0IWk1rtHvWssOmNgQ6DMY2cO8qLKLfY/ZnmaRoSmCqK5hIqlDG:4/0bcrtHBmNtS2x8sKTjNSmHyRl

Score

7^/10

defense_evasion discovery evasion spyware stealer

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qm_go4321_com.ico	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taobao.haodizhi.cc.ico	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\bg_go4321_com.ico	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\life_74443_com.ico	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\www_meinvly_com.ico	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\TheWorld 3\TheWorld.ini	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\GreenBrowser\User\GreenBrowser.ini	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\TheWorld 2.0\TheWorld.ini	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
264	2668	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 60 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000022b2183551db1fcb5e36ea4a017ccdd1adf9f41593346d40610bdb59643184f1000000000e8000000002000020000000542ff95306ed8ea7c10f38516a40907c3058eb3b639b979f39e413371adb96e190000000a5d594b0ef25801f86414dd7323341c4d8a80c8186432d0b205d015092ae8285ab2f4dfb27e17a02f1f9032f8970599a01a96bbe961df4e87b6c214a58b4540c69818dd4c5032813252d6ecf8cdcbb233e91e2eddfc4c7554e9725d4c149d965266e3576c8285982473e1c26c8b286270bc0e6b9e59154011d68d1a07629305cedc8ac7a2c04017b540a00d6dec4dab240000000abb32c43b41134537f251738e6992a2e82e5aaffe1a9706695d4389eb906fec652bbdb1c5f4bced1030304230dc3f50e5cc452f0c9b5e639d191e6a990683224	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F2E0F121-5FC9-11EF-9982-6A2ECC9B5790} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430412512"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0e843cad6f3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F2E11831-5FC9-11EF-9982-6A2ECC9B5790} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000020e18b94c20040f39bddf731204313bfbe7109b0f8de39ff3dd6b0e555aaea0a000000000e8000000002000020000000e31e8133ff060d5db0f369d6c11eb5eed84978af444921e22b1b4c98ae2830ff2000000036b33e178aab6bb2c4d4eb6966685d0e03ebf27424c7e9c384158afd009b04b240000000985f55528951058a54a805aa743bad65bce2b681da2a02c11a94845be69fcc0039a9368469ce06901e56fb20d92b89d4074d21f7d02752a1d4807cda1358cb9a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ProgID	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\DefaultIcon	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\InfoTip = "Internet Explorer"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\ÊôÐÔ(&R)	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\Open\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell\starthomegrouptroubleshooter\command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ÊôÐÔ(&R)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ÌÔ±¦Íø(&T)\Command\ = "explorer.exe h%t%t%p%:%/%/%1t.%2v%22%22.%3c%3c%/"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InfoTip = "ÌÔ±¦Íø"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\Open\ = "´ò¿ª(&O)"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\Open\Command\ = "explorer.exe h%t%t%p%:%/%/%7w%7w%7w%.%1v%19%28%29%.%3c%3o%3m%/%?%6s%6y%6s%6t%6e%6m"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\ShellFolder	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\ÊôÐÔ(&R)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)\Command\ = "explorer.exe h%t%t%p%:%/%/%1u.%1v%22%22.%3c%3c"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\InProcServer32\ThreadingModel = "Apartment"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\ShellFolder	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\Shell\Open\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\DefaultIcon	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\ÊôÐÔ(&R)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\HideOnDesktopPerUser	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\shell\Open\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\shell\ÊôÐÔ(&R)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\DefaultIcon	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4A19-985D-11309D1AC8AE}\ShellFolder	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{daf95313-e44d-46af-be1b-cbacea2c3065}\InProcServer32	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\Open	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\WantsParseDisplayName	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "0"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\shell	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\LocalizedString = "Internet Explorer"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\shell\ÌÔ±¦Íø(&T)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\shell\ÌÔ±¦Íø(&T)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\taobao.haodizhi.cc.ico"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\ = "Open"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\shell\Open\ = "´ò¿ª(&O)"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\ShellFolder\HideFolderVerbs	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\InProcServer32\ThreadingModel = "Apartment"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\ = "Open"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\shell\ÊôÐÔ(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}\shell\´´ÒµÍ¶×ÊºÃÏîÄ¿(&C)	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\Open\ = "´ò¿ª(&O)"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\ShellFolder	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\shell\ÊôÐÔ(&R)\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\InProcServer32	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\DefaultIcon	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\shdoclc.dll,-190"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0FBD52D-C4A7-4a19-985D-11309D1AC8AE}\ShellFolder	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder\HideFolderVerbs	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\shell\ÊôÐÔ(&R)	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{138508bc-1e03-49ea-9c8f-ea9e1d05d65d}\InProcServer32\ThreadingModel = "Apartment"	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\shell\Open\Command	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2196	iexplore.exe
2632	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2632	iexplore.exe
2632	iexplore.exe
2196	iexplore.exe
2196	iexplore.exe
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2632	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2632	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2632	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2632	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2196	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2196	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2196	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2196	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	31
PID 2668 wrote to memory of 2616	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2616	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2616	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	32
PID 2668 wrote to memory of 2616	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	32
PID 2668 wrote to memory of 264	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	33
PID 2668 wrote to memory of 264	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	33
PID 2668 wrote to memory of 264	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	33
PID 2668 wrote to memory of 264	2668	b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe	33
PID 2632 wrote to memory of 2500	2632	iexplore.exe	34
PID 2632 wrote to memory of 2500	2632	iexplore.exe	34
PID 2632 wrote to memory of 2500	2632	iexplore.exe	34
PID 2632 wrote to memory of 2500	2632	iexplore.exe	34
PID 2196 wrote to memory of 2540	2196	iexplore.exe	35
PID 2196 wrote to memory of 2540	2196	iexplore.exe	35
PID 2196 wrote to memory of 2540	2196	iexplore.exe	35
PID 2196 wrote to memory of 2540	2196	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3d6293f5ae50f6861211c7d03569ef6_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.q22.cc/?c
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2500
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.38522.com/baohanye.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\B3D629~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1928
  2⤵
  - Program crash
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

Filesize
651B

MD5
00faf3eddb8234c67f4fc9dda35f4d0a

SHA1
52e9529c3ee40e7c9a8ba710d9bdfee63c00b155

SHA256
e0dc28244e3299765be7cd899fbc2e4ea40410ef56e4e03c7d6b397aee5c1e59

SHA512
b310067afdc422fe45b98a398cde8e0d62b610a7347f0a5e47a28e0ddbc6ce446e76887a06b1ffc4bb84484885886dc01aa471ec79cc3aeaf7be6c5525c21ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd68f6c5ee18212f3697ce975ea2930a

SHA1
7dfc6d3b9e6bd4b586ba6adf27263f521177d78a

SHA256
81289898192fb286dca1ba37db76ddeba29737962595aebaf1d0f354ed6f341b

SHA512
5275eed93d5704db22ef06b39f49fe822eec7dec007489bc2234f403fcf9d6a49621901bf5562694576a17072da61f9d13d427b4138496d2387942c33d6ee3d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c701aab64070e129df5e7008a53300f

SHA1
bdc7eaded618e6c679ca0b3577538fa445d27523

SHA256
d57d4573746584fe61a9076b182fdbb848495a0377366498833ce263176f932c

SHA512
f58d8272f27ec3723530d1c13733a4b879504e036970a11870b63065e323e227ba6d15bfc7c6234558012dd2821539c8fcc6613bb96617403737b1b5e555bee3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
536df301da2caf5661a9dbeb559b726a

SHA1
89c4d1e6a20515642f19b7c4aee1a00141991b46

SHA256
f71fccf34514de19d3dfb4bf9750eab93bad5a3aa797da23e1f8eb2251f4902b

SHA512
f894b9e2daff350361eb3c670a752b97d82b0f75abec2afb97a40770a8920f2de29d091a6694d68c1cf16d21e697bba78a738b6b0e41725ad85aadf3ddd5d510

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
121b730d265ff32be2cc21c572bbd7bc

SHA1
c867e807139402b680c043ae5f631699ea68659e

SHA256
d1901c1a0d132371652721322487718234d1dba8b79f62e0c3d2d2b0b75158f1

SHA512
c7df9de493e2f22f793be3e73c5c0d54d5c864e3ca2e127c65b33c52aebc8f9b685d2bb7ab8c50abf051aec1b6950a9ac300c9a3fc955b28d1718f73c345c1f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7c27ec805bd6628007c123cb903dbc5

SHA1
2d61b2ef73de341eb0d47e4a1a89edc60ba12f05

SHA256
6035b4db926a3b78a70c3cbb38aada15b8e368303ad6c9ff431474278ee4273e

SHA512
141b71d261c3a9e902500a8cd51bc652283187f0b58566282ee85d5a6c86aeedb4c5afeee6e14bbc83ebdb8ab11ba287e2bdfa2b5b25f943c65f73c446ed3852

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0888cb96744db50352c371f4dd1ee394

SHA1
8973b99fa562cedc7986d95689225ab8f70b7c0e

SHA256
cfd9920167a74979db7a48ee889d0435e9c2aa35a188279200dd455767a05207

SHA512
5375b2c734fa1be382ddb90135ba51760f2babfcc997462091ca3a2c2b490490a2a11c153e43dc44c1080292824eadd82c6ed402390a6b88442779c25e15d92e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaf62f7649f399e2e119d8dd9d144538

SHA1
2e9528f336b90e2617cb5be324483c78c115c49c

SHA256
75715ebbd1f4a4657ebda1e95988adb4f9aae8fa43ae364e89cbaab546066fb0

SHA512
73fbbe4745456cfe5d9aca1e48c8fd132037ab37b5119d75e1745d3e5a12294ced84b596b7506e15bff4e64d8aa8c525cc18f739fe6a3c57bb5f1fc98d1f6873

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5c067e8136d30b15c4ecaea525f48e1

SHA1
a88968332a0655838b5ea251a744349f32fcd1d3

SHA256
92290edf0f1a61b6abb090a5fed27855e6076809a34c869dc28724da91d27beb

SHA512
7286dcd5b18b14f680e7cc95ed383a34da14881c3765f70a181a1e141f84d5b39d9147cd1b451f1becc6c8a1303735b2f18a90958f118acc404157a6320e13d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97f7babf32a6bf4b9e78b13b68c8c1f1

SHA1
571a844f05186bb3964947d40ed6c76d019ec6d2

SHA256
eca7f8f86cbbf21c82af9a2e1780210467d6ebbc5d0d5a9d8f085568f1bab30e

SHA512
90605bf5ed7c522ecf597bd4e94d86d21c34b1d7f5a7d5b0eca3f9856d3f0a758632ac29d324bf2943240189421caf97077b4314fe4bacfcad120fa63b98fc07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b00a9844d7ef3a6550438d4a40d20ed7

SHA1
c1346ae5967441638713adea80dd68a3f6142648

SHA256
83bff9a035a29e6648364f42f61b128b1acbd242755642c61eb0fc7e2e251ce2

SHA512
346c939dcc44986f0be7993cc8aea9b540f9e9ab36874594c76ed260650626afdbab46ca6c1657e2665df67667f03a905d2e3477b408ea00e472ce3f41d16a1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19c909270dbcf6fa8d3049be02c28dc5

SHA1
6c0179eaadd60c1e698defd84ea436ebd24a50c6

SHA256
866182e4c6a12fc813460bb214c906d683db33d484517524d89fca4acc9edfd3

SHA512
9de513aed181d7876896c0934c1a384846c4cca405669cba5c0ad26a6b857521c96bb717b2f077d0726d68f7f3d8fe72ac488aa96084c86fdf040ad509dfef3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebbc228245612c6abbf7c755f0a3ab60

SHA1
9092ae8518a5c70b6dc30cf335fe9d19d7ccc420

SHA256
c86e06bd2bc26355bb0f95846b7bb10038b7c6f7c662356baa83cb4d161442c9

SHA512
a2328f16a6a122c4637f1c6981f055174f40a0e0bc87532903d33d7e871e037ad24e54d8f4606586aae4542b52705c864283803eea63cecc3e9a0a378dc3c8ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45c33296b27f9146f6e810c0ddb8ede1

SHA1
8b2930245d85d09dffd3a89d57d769faa39bea56

SHA256
514371db60a7e627922f72b6e6f1fdc3f0d5c6136f8d6f868e6abd02c4caffaa

SHA512
7d7b0d77e8cca85d833b3f6dfeaa6ad933aea0491502502e551123f1182eb0ab86dfaecda5ca570d7cd4569d5ffe016a5d7b1f44dadcb1ecede0249e130d6a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F2E0F121-5FC9-11EF-9982-6A2ECC9B5790}.dat

Filesize
3KB

MD5
62576f3c027c87f6acd080bf6c6d7974

SHA1
f95f5b6eb66a9cd04581b6e66d39f7cbed58dba7

SHA256
699116e16ac5e1f5742742eb24bdee4204c62880a88d52785df40dc1b44d93b6

SHA512
f72ff81beeb772354027ace672fdedc61f109494049a18b7ff1e1f343b10e32569c8c77db4aea26ffa8600b1079b371ba78cf661aee5bf69c9ebf219c3c11092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F2E11831-5FC9-11EF-9982-6A2ECC9B5790}.dat

Filesize
3KB

MD5
44763cf696465929063f7ce6c7acd691

SHA1
58efd05ddc89cd7d88e88446ec2a957a1fc483a8

SHA256
2de5de6dedf3a5e26620ed920784582f771b36fffd7c8d251888769df88a298a

SHA512
e2e87278e0748db811585754e85db8f82e9659ab62002c14136ed8887efe423428883f360d3856ef316b24a92104b2fd9dd61fc6a79fef315afb263906b912de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\favicon[1].htm

Filesize
285B

MD5
1da1038b94c6d2e2424ce9ad48aee1db

SHA1
e00492a36a02447c420e25098c008a979591e1c7

SHA256
5bb7a1677cdde53467ab997a4020396c4a9ecd4ba65dc7bec707afd7f3cd2f3f

SHA512
515b7b6b11a10c94e1acbff74c35711987b2919d85f9cd088d7a31efac323ba9f833d7e221f06ac6cfa7c7514ad7a0c263faed15b3c07c9532876067f1f93ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6107.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar61D5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2668-2-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2668-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2668-1-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/2668-3-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2668-27-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download