isrstealer | a7cdf2bb2e20cc4046d6897a2299f3aba3cc6dd99e5e7a06129a9bec8d627bc9

Analysis

max time kernel
140s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
Size

928KB
MD5

c8b104888f5195155a25c0f10a4680ae
SHA1

736222962c56242b83070ef37fbb8e7a6fc0685f
SHA256

a7cdf2bb2e20cc4046d6897a2299f3aba3cc6dd99e5e7a06129a9bec8d627bc9
SHA512

b07004fff4bb3cab06ed30d034b2ddc1a61f9d29742952fd10090c5c1fe4d4764d07b734497928e3331cf241800beed6f09b818607d28b954da7fdfaf3ec4438
SSDEEP

24576:q/hlwX/1brBVGSPBcagNcMJN6aLkkgl2:WlC/E8/gnJwagkg

Score

10^/10

isrstealer bootkit discovery persistence spyware stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1380-87-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer
behavioral1/memory/1380-85-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer
behavioral1/memory/1380-82-0x0000000000400000-0x000000000040B000-memory.dmp	family_isrstealer

Executes dropped EXE 7 IoCs

Processes:

csrss.exeinstall.48596.execsrss.exewinlc.exewinlc.execsrss.exewinlc.exe

pid	Process
2588	csrss.exe
2992	install.48596.exe
2744	csrss.exe
2656	winlc.exe
1032	winlc.exe
1380	csrss.exe
1928	winlc.exe

Loads dropped DLL 20 IoCs

Processes:

c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exeinstall.48596.execsrss.exewinlc.execsrss.exeWerFault.exeWerFault.exewinlc.exe

pid	Process
2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
2992	install.48596.exe
2992	install.48596.exe
2992	install.48596.exe
2588	csrss.exe
2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
2656	winlc.exe
2744	csrss.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
1032	winlc.exe
2596	WerFault.exe
1632	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1928-110-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1928-115-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1928-112-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1928-119-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1928-118-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1928-117-0x0000000000400000-0x00000000004D0000-memory.dmp	upx
behavioral1/memory/1928-157-0x0000000000400000-0x00000000004D0000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

winlc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	winlc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	winlc.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.execsrss.exewinlc.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	csrss.exe
File opened for modification	\??\PhysicalDrive0	winlc.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.execsrss.exewinlc.execsrss.exewinlc.exe

description	pid	Process	procid_target
PID 2208 set thread context of 2688	2208	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	30
PID 2588 set thread context of 2744	2588	csrss.exe	33
PID 2656 set thread context of 1032	2656	winlc.exe	36
PID 2744 set thread context of 1380	2744	csrss.exe	37
PID 1032 set thread context of 1928	1032	winlc.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2596	2992	WerFault.exe	32
1632	1380	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

install.48596.execmd.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEcsrss.execsrss.exewinlc.exeIEXPLORE.EXEIEXPLORE.EXEPING.EXEIEXPLORE.EXEc8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exec8b104888f5195155a25c0f10a4680ae_JaffaCakes118.execsrss.exewinlc.exeIEXPLORE.EXEwinlc.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.48596.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2972	PING.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D14026D1-65F5-11EF-A5CE-F62146527E3B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431091060"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2972	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

winlc.exe

pid	Process
1928	winlc.exe
1928	winlc.exe
1928	winlc.exe
1928	winlc.exe
1928	winlc.exe
1928	winlc.exe
1928	winlc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

IEXPLORE.EXE

pid	Process
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 37 IoCs

Processes:

c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exec8b104888f5195155a25c0f10a4680ae_JaffaCakes118.execsrss.execsrss.exewinlc.execsrss.exewinlc.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	Process
2208	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
2588	csrss.exe
2744	csrss.exe
2656	winlc.exe
1380	csrss.exe
1032	winlc.exe
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
304	IEXPLORE.EXE
304	IEXPLORE.EXE
304	IEXPLORE.EXE
304	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2040	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exec8b104888f5195155a25c0f10a4680ae_JaffaCakes118.execsrss.exeinstall.48596.exewinlc.execsrss.execsrss.exewinlc.exewinlc.exe

description	pid	Process	procid_target
PID 2208 wrote to memory of 2688	2208	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2688	2208	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2688	2208	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2688	2208	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2688	2208	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	30
PID 2208 wrote to memory of 2688	2208	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2588	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2588	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2588	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2588	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2992	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2992	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2992	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2992	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2992	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2992	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2992	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	32
PID 2588 wrote to memory of 2744	2588	csrss.exe	33
PID 2588 wrote to memory of 2744	2588	csrss.exe	33
PID 2588 wrote to memory of 2744	2588	csrss.exe	33
PID 2588 wrote to memory of 2744	2588	csrss.exe	33
PID 2588 wrote to memory of 2744	2588	csrss.exe	33
PID 2588 wrote to memory of 2744	2588	csrss.exe	33
PID 2992 wrote to memory of 2596	2992	install.48596.exe	34
PID 2992 wrote to memory of 2596	2992	install.48596.exe	34
PID 2992 wrote to memory of 2596	2992	install.48596.exe	34
PID 2992 wrote to memory of 2596	2992	install.48596.exe	34
PID 2992 wrote to memory of 2596	2992	install.48596.exe	34
PID 2992 wrote to memory of 2596	2992	install.48596.exe	34
PID 2992 wrote to memory of 2596	2992	install.48596.exe	34
PID 2688 wrote to memory of 2656	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	35
PID 2688 wrote to memory of 2656	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	35
PID 2688 wrote to memory of 2656	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	35
PID 2688 wrote to memory of 2656	2688	c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe	35
PID 2656 wrote to memory of 1032	2656	winlc.exe	36
PID 2656 wrote to memory of 1032	2656	winlc.exe	36
PID 2656 wrote to memory of 1032	2656	winlc.exe	36
PID 2656 wrote to memory of 1032	2656	winlc.exe	36
PID 2656 wrote to memory of 1032	2656	winlc.exe	36
PID 2656 wrote to memory of 1032	2656	winlc.exe	36
PID 2744 wrote to memory of 1380	2744	csrss.exe	37
PID 2744 wrote to memory of 1380	2744	csrss.exe	37
PID 2744 wrote to memory of 1380	2744	csrss.exe	37
PID 2744 wrote to memory of 1380	2744	csrss.exe	37
PID 2744 wrote to memory of 1380	2744	csrss.exe	37
PID 2744 wrote to memory of 1380	2744	csrss.exe	37
PID 2744 wrote to memory of 1380	2744	csrss.exe	37
PID 2744 wrote to memory of 1380	2744	csrss.exe	37
PID 1380 wrote to memory of 1632	1380	csrss.exe	38
PID 1380 wrote to memory of 1632	1380	csrss.exe	38
PID 1380 wrote to memory of 1632	1380	csrss.exe	38
PID 1380 wrote to memory of 1632	1380	csrss.exe	38
PID 1032 wrote to memory of 1928	1032	winlc.exe	39
PID 1032 wrote to memory of 1928	1032	winlc.exe	39
PID 1032 wrote to memory of 1928	1032	winlc.exe	39
PID 1032 wrote to memory of 1928	1032	winlc.exe	39
PID 1032 wrote to memory of 1928	1032	winlc.exe	39
PID 1032 wrote to memory of 1928	1032	winlc.exe	39
PID 1032 wrote to memory of 1928	1032	winlc.exe	39
PID 1032 wrote to memory of 1928	1032	winlc.exe	39
PID 1928 wrote to memory of 2036	1928	winlc.exe	40
PID 1928 wrote to memory of 2036	1928	winlc.exe	40
PID 1928 wrote to memory of 2036	1928	winlc.exe	40
PID 1928 wrote to memory of 2036	1928	winlc.exe	40

C:\Users\Admin\AppData\Local\Temp\c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c8b104888f5195155a25c0f10a4680ae_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\csrss.exe
    "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
      C:\Users\Admin\AppData\Local\Temp\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\csrss.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss.exe" c:\users\admin\appdata\local\temp\Program.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 540
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1632
- - C:\Users\Admin\AppData\Local\Temp\install.48596.exe
    "C:\Users\Admin\AppData\Local\Temp\install.48596.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 272
      4⤵
      Loads dropped DLL
      Program crash
      PID:2596
- - C:\Users\Admin\AppData\Local\Temp\winlc.exe
    "C:\Users\Admin\AppData\Local\Temp\winlc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\winlc.exe
      C:\Users\Admin\AppData\Local\Temp\winlc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1032
    - - C:\Users\Admin\AppData\Local\Temp\winlc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\winlc.exe" c:\users\admin\appdata\local\temp\Program.exe
        5⤵
        Executes dropped EXE
        Maps connected drives based on registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2424
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:275457 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:304
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:865281 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:472071 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:472076 /prefetch:2
        8⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2312
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        
        PID:864
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        
        PID:2128
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        
        PID:3028
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        
        PID:1700
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        
        PID:2044
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        7⤵
        
        PID:1336
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\cleanup259467898.bat
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Windows\SysWOW64\PING.EXE
        
        PING 1.1.1.1 -n 1 -w 1000
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac671259d622c0178453cc6840910eb8

SHA1
e3f2efbf0358f0d717c51e08eb3603717062f0ef

SHA256
767d83a3cef650ae58ebab6457f28a14d5e981094d3c05e46084847af76d9127

SHA512
18318ce5d9e9c49f72e0708399b106528f7d3213455505942b1755d4d6ee72e74905fb40efa807619e89b00e93510e15a6e480a96a2fa499d5cc237691d7ea25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41ee2b89a3d3835a3c704144237f44b7

SHA1
757e85936319c3b8eda729ca65fce67c33d8a9c3

SHA256
2e416d70418a14efdd0ec9dcba9c84580c580d4df9fe01239e8cc19706c74eac

SHA512
b8b47249782c6fd6c378983f8d96e1629de5c4c710b3eb4c18276ff8833b4dac2d97bb4aa56600464cfb0777dfc0aeb1c74cbad89755508e866319b421dcda27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b901fe117ffe10aab9165e556de2cf2

SHA1
68bae47ba887a8b9ccd370a3442a552e3b43043f

SHA256
0bb02ec1908ad2ca48c6e0cbe0e85d3db25cf583fce6685783af2cc443f3023e

SHA512
14c8991b71eae28b8c7ae21c928aa32ae1b058b2251ac9cdf2c78c8c7c56c01a48a89abf74cd943c6065fef8e6e40ec25e5d142a25998854bfdb81697e1e1fcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b51db179b377e81b793a69b0c16f7b95

SHA1
c819a0089daba2315868c67cb2bfc8b459b682ac

SHA256
564e844a353076a2bbf1ee33e9767e1c6f6922f81ee7d29efbac77ec2373f64f

SHA512
f37186c1543bca342279a3d8fb3a9decc21f8a62b73617fa603acc493cdacac9e4cf4bb88a78351aa41beac847891231397e2bab9b004159c3507f872ceefebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f0d79bf9fe26324b27660be3ea062f1

SHA1
db02c2af0237e2b61421da36e2b131b806d723ce

SHA256
3cbe704af56a815134d1123620a15f11191c22077ccd9040492cf8ee5f4ef3bb

SHA512
b4015e62770b907082e3f385d8c6dc11cb8f4c69e8279778579acd1720235f6ade1c172127a401f95f12b8e6e64ba0368104fd26545483daf44376862a4718d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1821c7dd79a334d041a7e81d9442e679

SHA1
71da9abbb3ec40c2704dfb6f2b924ca739cb48e9

SHA256
5538c7be4e765192dfdd69e823465c0677a17b32165e707ae7a4ce2ffe174d7c

SHA512
7f42a55386eb4704c31b4c842d80686b2dff0af50f969a6f1f6e9b56edcefac76373d663b7faad7f0795301802a0767216b02e3ecdebfefc2faa00ef033db49f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70765926e480b1b4a3222ea3586ab12e

SHA1
3cc1194060f56e098f37268e1a5d1bb5b287ce6d

SHA256
d4b7d2cf4bacbf064fd3213620bb2331b43bd1e6a01b8eb33cdab124121c8706

SHA512
ca8996e321e51156df74c771e5707ac800b3c317040ac89b5e47c6a02cd2e3156fcad807ee0678a816971ef7ab723cf59068bf9eedef8713119e378872cacb23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93daac53819305396a6879c20d2cf1d3

SHA1
4423272afbd7dcd244667eb771cf2a395e4acb0e

SHA256
41643b5aa52fc4ddfe7cfb31ef0befa199a4cbdd7f182407bfad019682bc5aff

SHA512
bd5457e23817bcc32b5f7cf380dc06f90c2865d967fe0d0a3557af1dfdead469503611d079f18477c1af318c76344856977276cd64a73f1d6771b45fb3b2f540

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2b7c8bc916203780e8af320c5726687

SHA1
8172010954210e1c17bd6d1f1ed526111bcd79e1

SHA256
dc36a74213424785b220b3b3715b85819f838f7cec712a8a0a299ab10d9a0026

SHA512
043ab39e88c3449e0230c53a0043e89ec9889c038ded3597b94e3b5f8a6b658e323b1b6b50516396fc8a7dab9b34c5e1da72724b57c928d7cc8da2d61321ab32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30b33b9a37d23078b596a9413afe0c81

SHA1
5c7d14e61f088b212b042ea720d6355e0b8580c1

SHA256
e779ecbffa7a524c1b0dade91bc2d2f0bf5717da240ed71d1b421b7e08d64cfa

SHA512
676eef27cd2a7f833fd25c281a82b1e194e6be18267606eec1fb7c6a46f42db31e79dcaa9dd4a0b323f77211f5426deb1e625abba2b4cbe4eace66bece92e840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f4de125ccfef117e2c591edbb9a6282

SHA1
2e62a2711d3e0ce41e79553afb68434c69ba486a

SHA256
96586627427af4e00b031f28c17665e9760da727e376343ffcacb8405424b10f

SHA512
07b3150323f95dc156b444ed6d292911e3b129844784b14ba967d9a2c21ff8d597ac71233d2f2206eaf50b2363061ba69569c4fe050f60c9ce05f2d93ff4172f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4051eb441d4bad40784e0b16c01ea364

SHA1
b1838b56d406125ea2c4d99b5bf622e7708ce167

SHA256
d38e23c26aa27e2a9b2da2ae44dedaac18717903153961764ebb0eca2a5e4727

SHA512
0a574fffd8bec8ba133adf5377cf7c48505f8fc5d543496402757d1660ec351918dd8bf1108e0bb93d06a33026c2ef83b061c340064933d321d2777a02c44663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d5a01683c608081b0f860cab56d8549

SHA1
2b106c0a704e34a6aedd2b5276553b4f33fbae31

SHA256
07d090650d23fdc39f5cda4857156f152fa3e0ce6fe882b82da64ee137e153c5

SHA512
451734836cac82808bf3368be1451519571e3fa4da8f1242d4eadb12f5f150e838f3f2b110541e59c5b6c4da0375da142feeaef25fef532e7f964a5e3ab1f05b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a11a8e4fe655e2d4784a506da0af2dba

SHA1
9375583fde298e82f5495970b5cb60605384cfd6

SHA256
0574747a067ac516e966321e34a66f3651e04eee4b6850f5716c6f77a8625306

SHA512
7421bc340a07e56aa16de0285e9cad463ce63987ca6bae54925a532b273c866edca2463346f6d05475992d8914b332f3310132859af8226a12471a6bae35b994

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9da07d4bef31263842629f32c7a4e798

SHA1
9337be803b56723ef9429709f0ec141bd36a0882

SHA256
4e0d51494ceab883923016ebe1beefd9892920f05e19dae5e5077d5e86f5770b

SHA512
a4847d804666c4e5bf971cb24f2a2c235acff95b3cad69653ee014df406c7c9de1a486a44f434fbbed20aa2a8a8acdacd6846dfdd190b460d187d0263f09d413

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0b7d0f00ea4f635bb9421be377de2fa

SHA1
ef169ec1a2d8b358b86ad7a15b7456120adbfb47

SHA256
2909fbb9e2f7e78b3181fdfa0ed3183c541ec7cb25aeacac62d94463859193a9

SHA512
6ce0ee58793df77a86251d512735361116759425ef9d65aa18838ac4d6d6def72ef44b91770dbee071ddf4b9d65435c8dc86780ec9c83eff4cf8f0fbe6c6477f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d11d8e57581d97d9af8f6821fff2bb9

SHA1
0ac7b1b1b784cb339f58aa71d8c80aec7bc50f44

SHA256
9ff7a018f627f422d2f1656ad9186c3add32473a66c35fd5c56e27a4256b30ea

SHA512
d2527e4d74bbd64da7e05cb1e83679efc5aa93daff5e6396d4075ad2425f31353fcebcbbad313e8130b4bf15b3ef8f4a89c1e388617a9647ad9328a2f8b947ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
faabab4c4d96cc3fd31c9f6c4ea01388

SHA1
b93e9eea700159903037405ba53a489e5c0bb8c7

SHA256
fa545f62e60d64b920e68551ce4b3d1eab26d935875a74b1ab494442d96bfc7d

SHA512
ef3c58072d0a65a5c0d9d8a780778960a0ddbd5370e983e66b809c4382d9f52cece56c1ebc4082191b35de92db122df25c12ff000b215423425ecd50e6441d5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
658eaffc5e4c6d24ad14eefae85c507c

SHA1
f0972045865fef3432266ce630078de0f723cc89

SHA256
cb1008a87e496bd394fbb2c0d9b10477aff657201a623a1582521ef7a9269f6a

SHA512
b82eadb7946dae6e9bcf187f8248aaade1ae07800ff1d92f498617a34f8371cc24b2d58ef8508281b670b83c3f55d0a19fbd8283faaae01e3396c5a3557c57d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1e863c70e185162673da3c9c6cb7838

SHA1
3518c2eafd7bc66e410ac6ce4291c801cf82a09e

SHA256
3f47a4459b839b2e835cdcc508ba6055100779ac8c96e6474a392f7e1beb6074

SHA512
c7f7b9cdced8815211fa73848fa260651d2f9e9f315213b5f0067a934cddf0c3525d4a423c156724962001ccb4c4efb1ef56ce29e1b3c59780d4a9f3482400d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab402D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar409F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanup259467898.bat

Filesize
222B

MD5
9b8338195c28fd4806256d6b2a08482d

SHA1
0d85a41945984264507a1d9af95525a2c83b50fe

SHA256
abbc1b4e9b8f910dd36dcbabd053b40be608a9347b097e45a64089b42d74cfc8

SHA512
b4a8b1fda6343d2928c708643ff18a145cddbf7e2c560e7066d3c1b3fc5960feedeeadd514d50ff389f7050663e1782d8bb755930292ea9948b3d10d407f3823

Download Submit
C:\Users\Admin\AppData\Local\Temp\index.htm

Filesize
1B

MD5
7215ee9c7d9dc229d2921a40e899ec5f

SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6

SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlc.exe

Filesize
464KB

MD5
78b57fdf3730c389d0526514fa8df08e

SHA1
4314d0fb73b7e67bc72daee197721c56b552b995

SHA256
86b794532c26ee2145e8eabd2ddf4422549cb9721ea442550f7caf1470aff278

SHA512
637cc76be5b881e2fe4da8b96d963012868ca6f932a7b4a38e4468484b030f671ac9f051ab9ae4c443cc75ffaf99f92813b8c383240f8f046a906d4d60a5aaf2

Download Submit
\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
204KB

MD5
b5aeb98e0e14fe5b6877cb9a27ebce00

SHA1
7d8a6a669a81b62f147e379788b9c1971bd46244

SHA256
56189179906e318ac38550003b012aec612eb9817890e0184d88b2caf9db01df

SHA512
e131d0a54fa2edc964352908ec452fa0a86611bc8af8be0b1e6508b73031428418ce2040d75e72db1c3f0fe331c4a2a2b03fe3bf660c7794ae349476406efb0c

Download Submit
\Users\Admin\AppData\Local\Temp\install.48596.exe

Filesize
88KB

MD5
bfe55111946229eaaddb7f37c8979897

SHA1
23fa938ad18eb734849b846ee7398223815a20c7

SHA256
8401b22dda1a2f9af05ea05f8262123533423312a6d9878ee7790aab8bbd71a4

SHA512
b74fe5273a6ca467c93eecac28ab3da2f999a915425efcf32b8af879cf116f38ae16ece46230cfd434a1063b91298f92234f36b3dae7de6337dddf4104f96821

Download Submit
memory/1032-120-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-96-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1032-75-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1380-85-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1380-78-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1380-87-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1380-82-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1380-80-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1928-110-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1928-117-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1928-157-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1928-125-0x0000000010000000-0x00000000100CB000-memory.dmp

Filesize
812KB

Download
memory/1928-136-0x0000000002B50000-0x0000000002C1B000-memory.dmp

Filesize
812KB

Download
memory/1928-128-0x0000000002650000-0x000000000271B000-memory.dmp

Filesize
812KB

Download
memory/1928-131-0x0000000002A80000-0x0000000002B4B000-memory.dmp

Filesize
812KB

Download
memory/1928-112-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1928-115-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1928-108-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1928-119-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1928-142-0x0000000003090000-0x000000000315B000-memory.dmp

Filesize
812KB

Download
memory/1928-139-0x0000000002EC0000-0x0000000002F8B000-memory.dmp

Filesize
812KB

Download
memory/1928-122-0x0000000010000000-0x00000000100CB000-memory.dmp

Filesize
812KB

Download
memory/1928-118-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2688-6-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2688-61-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2688-2-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2688-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-8-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2744-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2992-34-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download