1d4497b7449d3d2166b18b01c79812929a57168477088dbaad9ab4893d4d32a3

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
Size

116KB
MD5

d2ecf4ae19990601e56e92329b3b95a2
SHA1

b9e3a4de527dcf6bd71788cd728c04f9ea52e355
SHA256

1d4497b7449d3d2166b18b01c79812929a57168477088dbaad9ab4893d4d32a3
SHA512

c6d97bf1761c77843f7e032e0a7ab6031d47663d40c11da07f8772e895520a3a1386453d028a1b27c5726d9a2286bf37ea1e5073db1df1c146a234737d5fcc4d
SSDEEP

3072:sOPlfJJJpVjea8QoGCbhx7svtO1tVa6/wUEJy1:39f9Q3G8jNb5/wUKU

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a8c4947101db01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000460d088dc02cae59d9519cdcc3e5b66aa8ec11a2ca7b053a8b052f06b5724aca000000000e80000000020000200000002e8367fffcce1f782178b6f726fc27271e2aad8d3eb8a0f34f81b329fe0b218d200000008fc8db5bdc223f375ffa99eff06999cb4af2cc941acceebc52950d3e849cb8c2400000006525c85a33797b7a9ae42ebe5650e18afc731f1b82977ea9739387b78a2ac3614e6d7f3f0ea657b49dc18f6f90684c40c4eeea831cbb273f3dc7355ab5186f5c	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C005CED1-6D64-11EF-9107-E62D5E492327} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000001d9db6600c729d913abd5632bc179e16d8e9fab2c9aa6e4235647e82c5897338000000000e8000000002000020000000867b9f20fb4cbe2ddacb57e2399126e46c7dc558979444e1dcd77aba8419bc14900000000d542c3ca4f5513a85f3d68b518b116c314663df21d20d20c90655eaf57e6c1dcca78111f8b6502b09cc7863122c31b321981c86fdba440ef99d0ad566f65ca43d27b7a87816693829f2fa4393451f343bbb39f56f92d6e150b924b0dd42f38bddcf970e4f33e83449e14016575be638c87577b6510a19980419393909815f053cf90c8894a14c3a6d4959982727bca2400000004cfc9e1edd844de816610a7dbbdc2b71bc8b8cc99d80cbfa29648d9c24e79e1128d3221e33d1906899f9af34dc414cd1e226ccccadfce9f744bdd2ccf297583a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431908362"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C00A9191-6D64-11EF-9107-E62D5E492327} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2344	IEXPLORE.EXE
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
2444	IEXPLORE.EXE
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
1332	IEXPLORE.EXE
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1712	IEXPLORE.EXE
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
828	IEXPLORE.EXE
828	IEXPLORE.EXE
828	IEXPLORE.EXE
828	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2508	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	33
PID 2956 wrote to memory of 2508	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	33
PID 2956 wrote to memory of 2508	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	33
PID 2956 wrote to memory of 2508	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	33
PID 2956 wrote to memory of 2508	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	33
PID 2956 wrote to memory of 2508	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	33
PID 2956 wrote to memory of 2508	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	33
PID 2508 wrote to memory of 2344	2508	iexplore.exe	34
PID 2508 wrote to memory of 2344	2508	iexplore.exe	34
PID 2508 wrote to memory of 2344	2508	iexplore.exe	34
PID 2508 wrote to memory of 2344	2508	iexplore.exe	34
PID 2956 wrote to memory of 316	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	35
PID 2956 wrote to memory of 316	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	35
PID 2956 wrote to memory of 316	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	35
PID 2956 wrote to memory of 316	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	35
PID 2956 wrote to memory of 316	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	35
PID 2956 wrote to memory of 316	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	35
PID 2956 wrote to memory of 316	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	35
PID 316 wrote to memory of 1388	316	iexplore.exe	36
PID 316 wrote to memory of 1388	316	iexplore.exe	36
PID 316 wrote to memory of 1388	316	iexplore.exe	36
PID 316 wrote to memory of 1388	316	iexplore.exe	36
PID 2344 wrote to memory of 1856	2344	IEXPLORE.EXE	37
PID 2344 wrote to memory of 1856	2344	IEXPLORE.EXE	37
PID 2344 wrote to memory of 1856	2344	IEXPLORE.EXE	37
PID 2344 wrote to memory of 1856	2344	IEXPLORE.EXE	37
PID 2344 wrote to memory of 1856	2344	IEXPLORE.EXE	37
PID 2344 wrote to memory of 1856	2344	IEXPLORE.EXE	37
PID 2344 wrote to memory of 1856	2344	IEXPLORE.EXE	37
PID 1388 wrote to memory of 1712	1388	IEXPLORE.EXE	38
PID 1388 wrote to memory of 1712	1388	IEXPLORE.EXE	38
PID 1388 wrote to memory of 1712	1388	IEXPLORE.EXE	38
PID 1388 wrote to memory of 1712	1388	IEXPLORE.EXE	38
PID 1388 wrote to memory of 1712	1388	IEXPLORE.EXE	38
PID 1388 wrote to memory of 1712	1388	IEXPLORE.EXE	38
PID 1388 wrote to memory of 1712	1388	IEXPLORE.EXE	38
PID 2956 wrote to memory of 1816	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	41
PID 2956 wrote to memory of 1816	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	41
PID 2956 wrote to memory of 1816	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	41
PID 2956 wrote to memory of 1816	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	41
PID 2956 wrote to memory of 1816	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	41
PID 2956 wrote to memory of 1816	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	41
PID 2956 wrote to memory of 1816	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	41
PID 1816 wrote to memory of 3036	1816	iexplore.exe	42
PID 1816 wrote to memory of 3036	1816	iexplore.exe	42
PID 1816 wrote to memory of 3036	1816	iexplore.exe	42
PID 1816 wrote to memory of 3036	1816	iexplore.exe	42
PID 1388 wrote to memory of 2444	1388	IEXPLORE.EXE	43
PID 1388 wrote to memory of 2444	1388	IEXPLORE.EXE	43
PID 1388 wrote to memory of 2444	1388	IEXPLORE.EXE	43
PID 1388 wrote to memory of 2444	1388	IEXPLORE.EXE	43
PID 1388 wrote to memory of 2444	1388	IEXPLORE.EXE	43
PID 1388 wrote to memory of 2444	1388	IEXPLORE.EXE	43
PID 1388 wrote to memory of 2444	1388	IEXPLORE.EXE	43
PID 2956 wrote to memory of 904	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	45
PID 2956 wrote to memory of 904	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	45
PID 2956 wrote to memory of 904	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	45
PID 2956 wrote to memory of 904	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	45
PID 2956 wrote to memory of 904	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	45
PID 2956 wrote to memory of 904	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	45
PID 2956 wrote to memory of 904	2956	d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe	45
PID 904 wrote to memory of 1240	904	iexplore.exe	46
PID 904 wrote to memory of 1240	904	iexplore.exe	46
PID 904 wrote to memory of 1240	904	iexplore.exe	46

C:\Users\Admin\AppData\Local\Temp\d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2ecf4ae19990601e56e92329b3b95a2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.thegab.info:251/?i=ie&t=97&8e16d3004fa539dcd1608b78085964dc4a40c655=8e16d3004fa539dcd1608b78085964dc4a40c655&uu=JaffaCakes118&8e16d3004fa539dcd1608b78085964dc4a40c655
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.thegab.info:251/?i=ie&t=97&8e16d3004fa539dcd1608b78085964dc4a40c655=8e16d3004fa539dcd1608b78085964dc4a40c655&uu=JaffaCakes118&8e16d3004fa539dcd1608b78085964dc4a40c655
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1856
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://hnbgv.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655&i=suying&t=97&uu=JaffaCakes118&ssc3c228e16d3004fa539dcd1608b78085964dc4a40c6553a
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://hnbgv.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655&i=suying&t=97&uu=JaffaCakes118&ssc3c228e16d3004fa539dcd1608b78085964dc4a40c6553a
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1712
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275470 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2444
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:734222 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1332
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:209989 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:828
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://hdcxs.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655=8e16d3004fa539dcd1608b78085964dc4a40c655&i=qianming&t=97&uu=JaffaCakes118&8e16d3004fa539dcd1608b78085964dc4a40c655
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://hdcxs.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655=8e16d3004fa539dcd1608b78085964dc4a40c655&i=qianming&t=97&uu=JaffaCakes118&8e16d3004fa539dcd1608b78085964dc4a40c655
    3⤵
    PID:3036
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://lkjnv.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655&i=4&t=97&uu=JaffaCakes118&wwww=a3aaa8e16d3004fa539dcd1608b78085964dc4a40c655
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://lkjnv.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655&i=4&t=97&uu=JaffaCakes118&wwww=a3aaa8e16d3004fa539dcd1608b78085964dc4a40c655
    3⤵
    PID:1240
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://cosj.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655&i=ooo&t=97&uu=JaffaCakes118&sd=ad28e16d3004fa539dcd1608b78085964dc4a40c655asod
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1504
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://cosj.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655&i=ooo&t=97&uu=JaffaCakes118&sd=ad28e16d3004fa539dcd1608b78085964dc4a40c655asod
    3⤵
    PID:1580
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://okjhvc.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655&i=oooo&t=97&uu=JaffaCakes118&dsc=1ccc3328e16d3004fa539dcd1608b78085964dc4a40c65523
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1484
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://okjhvc.thegab.info:251/?8e16d3004fa539dcd1608b78085964dc4a40c655&i=oooo&t=97&uu=JaffaCakes118&dsc=1ccc3328e16d3004fa539dcd1608b78085964dc4a40c65523
    3⤵
    PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c2b53463602a851d91206613b87feab

SHA1
38e5dd7b8e3633de4db46f5d09cb9fc4db8e138a

SHA256
3adfa7369ce16be4800e2162ed0a3c7c20666b9826cd0611a776e46fdad3d19b

SHA512
fbba3372ea775eab48f3f91e03be48eeff174c31aa962397683b5bcf4ebb764a4d0596434d4c57584cf792a5bec1d2f8d3ac93e98b8da0e6cb3d956adfa7385b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a086a50c1b71bd23ae059b6c91c4905

SHA1
d098bbff4ba39d79863cde48048c35462228db36

SHA256
e04127a88b4ef4eb36d3786bc6500c04f999dc34b13e29f181d4bae111f9df7c

SHA512
5f88579929836d356747de6a0e1f81e3800e631c8c6cd38c0c5649d55c987e96b01fc9da5ab2cd59b5534c5c5d7441e921f058d9e04292ed55cb3a711ae9a52c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
003b7e0d7e641f9801794537d7d0dc9a

SHA1
899f9e78fde974774bc8783ea5b9c145c4e29646

SHA256
c0a80e9a2d6638a5bdc8c313b486ff222982bf9ccb4430dade692632321a0620

SHA512
a4cf5b17a256043f8d3199c8845c8907d15dd9384b920ee1e1294472524ee5e4a1d47030d4bacd94d00a4c4f8e78e96ab8d5e8f069b0d04d5a21b8b92998c85d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc219f53af869a0034aeef5043c4fc1f

SHA1
24ac366cd56ec611f6cc336fc02d7ba59bab7ba4

SHA256
03a38c8520bbc6b9ee3dc47c9989f94bba3401e0b9723355b9e32f284b4a92a3

SHA512
86bfea5f43b687c82029e5a0ce19e5163df93f906cde6b6a9d390b70eed254d690c5d2055c10b447a8daa6e4230f922cb73dbfa8920be7e456cebba0b2c302f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a70684b0b2c383eface80dcbb96e759

SHA1
d438400dbafed8624562937d14bb54633587dee8

SHA256
86172166542faab68e90d90b8b3c521555e9a9e573becbac825214da54caafc4

SHA512
08aef46223d42f829ec47c02d660f12aaf5cfed44d3462487af742da5e57e0e926bc6f2a231166353f8d057800cdff40f5b0243a6c703249d54b66733c20f6bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dfb52224f97f17beb2863dd645e5604

SHA1
d53f8aeb94c60306b84dde9e42d2cb806d19f5f6

SHA256
6230d5849c33c43abf8a37f9be92c21a8bd47737ffef41762c039aa1b1e10f9c

SHA512
ec5bd404a49a5b83e7c6819f72f09e49076db65494120ddea965d834198f6545fec569802f08037d1707f6d49387ed667e83bd55fc9405c7eb8571631d051502

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4e947e3640080cc712029eb0817b74a

SHA1
d743fce4663f941dbb792d15b16f3b690a67980d

SHA256
8584432a34df563dfb8fc1c53716a837c5a91bd7a04d7e832ed7e85d73168708

SHA512
163a4a5c891eff680f318bea4539b0dda6cc1426f5001bed0aeaaba7c33701d66d0085abc960e855d8021bad7d221cb4ab9b1cb36b64de19e6ea8c87e17e7eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57893f7ae89d7898565a66f867b93327

SHA1
086be34e85e2114b0501fcf1b2f1c27b352e102c

SHA256
8b6914af84aaa2ef96d05974ce6f66cf64206f686105c272e66d139011bf0fa3

SHA512
d677cc127fdf59dccbd99d9183860b410c1d43efb0b9661e7d079d2ded782e2fbb0932eb7a64023f51289788d952f23dfe46b389b6eea351f9326a63437f933c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4212015d71225d6c91b44a22426bcbaf

SHA1
bcfa0693aaed8c1f06d2894769488ab6c8f14b18

SHA256
f0a911916653bbdb90f3656eaface35c4e5fba234349c7cfb12653416dc41aaf

SHA512
91e06b1c95175aa55e8d1a3599ef014d9b0549e425cf61af60ce3418fb24677d6b67583f9101e1e967229878c13baac929ceff772d3e548925acf5c75502b9c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b851fa5ff922b2934ca2bcacc1ab047

SHA1
93e8dcf0f73a4f0ec23a8bb8a2f475f6a60ac222

SHA256
1926029e56f7d7cbc823637534de805e42b79f81482e51e7069f845fad72cf9c

SHA512
d85db9eeff069c50afe666eec94ead5f1e72022ce5894cb52ff3fd9e7fe52e683d2b6eb85d9b9843651595ad5cb99fef15d53eb8263f19956608f20b163fb439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
484b679f8f1f3ee1f702d911db5cf615

SHA1
9f0518ff588f76f44cddf25ba9260af4c65a5ba4

SHA256
4ee3538be58e35149824e1f4894f9ba575eb33c7082824ef2a26993654595cb8

SHA512
06149fd6b342eaadcbb1777523291e339b39bebe5d96e938177c00a71a56b78d59443cb35ce120ca097f63c0a5a53f86d8d480e48b17d0beb05ad45e17198f5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb2fc0be0d494607e6fa0b4f7cee6d3c

SHA1
1388a09ec579e7d2c97d6929b6c73b45900e4975

SHA256
0d069fe7498308999a2440a8343e6fe740db7fb52fbac55b6c27792d95deb522

SHA512
03747497dd55b11edb03686f6109de17ba33b459f3a4fd4cd101594b1fff41c463fefecf625153e1413f14683366534b60e0f5b43e35ea76780a15ffdd90f6d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e33290109d086886a4fd9ee24510e798

SHA1
61c2e8ab7bc81966eb23fb571d63765d5b6063e3

SHA256
6150fa78de54e32787b15db012066d6eefeb4de6ba60508afcd01f7f7548dba8

SHA512
b74509299d2c4a5c4b9a4db943ac58be557819b070bd5aaea3ac80d1f7457dcc965ce3c9acc8288d825f49b41929ff08a77a6dfac941fee805308e8b87cfee73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9bd2e1bf0169dca339e65c0fd61f8cf

SHA1
1d43bf629c3b9d2d6c3b25c71fbb004f740cc09e

SHA256
914c74e5a41c1a59ff5939b9fa5c9863ab3198361c3f2f3eba06ba0ce9ca083c

SHA512
95a83f5969571f610f0629777778cf31e42fe17821689feb6101a9228567bcaadb371ff1fe6b6227258b04ea84a7ad55f682a52d31c1ffb2cc99e309b03aa1a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5601448723c40115069a07b4fa437b76

SHA1
28f6815fa0a7e7177e0d97c0f9f46fd0586360ae

SHA256
26e588874a286a2a541a9e4de630289a3dc9d9681b13da5972a1c7d1471ba2c3

SHA512
1beb8e0f09d5f9d6a5fa118647c23b9ccec537c051ec6c511436739cb17d51629f64ddc6940ffdabc4e7765e52ca1cb74b5dc81ff57400924f50778b52d5040c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10e59bef4f314fbe7b9bb34e95e3e426

SHA1
ef03410f8ab52c827289e2bb2f9332e16f723856

SHA256
259e3a4ae391d0357a975244b4ce3ad03679ffc8af351b463629ce8578253b92

SHA512
95897a507704767d41a4aecc9f7d0c58c49b6bcd07cf08fc183209f4ad1d51dc88ecd34f9f292e1eb82d5eaa73719813c76e84219504d89c297867ec4607c8e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b4afa32c86fc67525e9f9b825d4302a

SHA1
49709eaa70ca45e9fd329c8e0c42404e27950b4e

SHA256
e9c2b135d9a8da163d6e79f56f043219e3136b31da4e530cb150812ec130558b

SHA512
5ba4cd9e544e3d098d82c212ee9961c244710064481bd4d2e7aeb3afa823cd20b0ab96e60c99bde71026f5d24be502d773e7c3cb20dfc0b6d629c283fa9e467c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8fb974dbbd51a5683055c6445c754ab

SHA1
a094de565d8425ba4318dc70b3b680bdf2d20e09

SHA256
d6a4a2dbc1c7557d3e874dddc6c9808754ac96513b71b3f816da7f450ba0e4d9

SHA512
327746d0d39d2bc242d73fb739b3e1a0887da2e70731bc967b3157eae185257271975f596b41fc1a6ddd857630b7bfdc4c1549325bbb1e62d04602e52ecf84c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce60472211bc359eb0d0b21a5c4f5324

SHA1
aae10dbc98460ebf12934a4889e4cb62316079a2

SHA256
f395a63c3ad5b746e5d9a03eb7d2e018787bae8ed5b996b0e5e57028050eac27

SHA512
a1960b9cb833bef1c752faf6b2b3ea91a41349a20a4cfb3d7906057792bed30559a1acaf8f59948741956c3452dc560cafc922567afe2c150a4c0f9a1e62f435

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fc0353880edd11af889bc7f07311637

SHA1
b6eb8210373e3874e9fba317e2867c4b8d89187e

SHA256
0a3b50851dbe4d83092f604c51c99e9b956c54fc568623ec4c5a7749b3bea0ff

SHA512
8cb054405450f811c9a14e10586905817a2ee576f5382d31140c6db82f6a53c45a65ea46016def9d365c30ec1c68f705635576f9da5173068934e5a9485b9778

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d15ae8985749bef1c5fceb414411c166

SHA1
08a250ecd353c6a9bc62fe475f7044897cb90a14

SHA256
15255a5ebc35a8c7cc7acb6c6e16e1241552b8f63643a6cbef7ed040dcb35c21

SHA512
8bcedaa399480f73cbdb479fa5809e6df27013b60f0e50fc3756c0889771a10a506df6b885e5e3559698c98bd30221a753277a0a3464bd11aced25d2af38e315

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fae5d6f601770c41b2a1b026436b50e2

SHA1
543db9f582b96fb7fb94fe53069dba4a2f213b31

SHA256
ead5641b707924e888cf3113035fab2fcd6b4e599e31686c3cbd4c42438a4280

SHA512
8045f74e6ea5ab9ea384f6be27360365d5393ed7f56cb1af49a170737d8ebc70a264e78b35ece39e6641a595123a682ba022682266c2470bf82102f65011ea53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C005CED1-6D64-11EF-9107-E62D5E492327}.dat

Filesize
5KB

MD5
46913a1dcda93fa5c62588ed9a3a4a06

SHA1
c3d16fa54ff90408373b04fc2749fbe279bfe4d2

SHA256
2ecd6aec2f1d67add35d0317ad9bb74d3018b66d59fcd50f40a35370a079542e

SHA512
40c9f87f871d3737eb256807491533ff52bf62123c6ba6fec08c55581f9619ad9a4b2a583b455801b75edf56b231b173cc6dd073ad69552b48a4711c332e224f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C00A9191-6D64-11EF-9107-E62D5E492327}.dat

Filesize
4KB

MD5
6f55d2ee57f4cfb9ce576fe319f726d6

SHA1
12366f852cb5406a44d4bc7d8444b49b73b9b6cd

SHA256
f41882be75b07857bd796e959234a2e1d54cb1b382b1eb170c83d0575a282c0b

SHA512
d6b437cce7316cc3af8d3f590668f47686cd6a3cc141d025f2102e9773a6390ad8b87ab621948ff8892c11dd5b10b0edae496982f291856945dbe55074dfa75a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\01LB6K3J\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEEB5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF26.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\nstBBB3.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
\Users\Admin\AppData\Local\Temp\nstBBB3.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nstBBB3.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
\Users\Admin\AppData\Local\Temp\nstBBB3.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/2956-9-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download