7e5b54e6db6d030cf720142053170be118b9f44632404ad879434a8ffbdf7dd1

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
Size

104KB
MD5

ea8e8ce971c18474b6cb2fc98a45f60b
SHA1

92e6ea487de354914d5e02f3cd2f99b78c126c0c
SHA256

7e5b54e6db6d030cf720142053170be118b9f44632404ad879434a8ffbdf7dd1
SHA512

71921441d98ce9575f1a681ae0dc1f5340707a77ffa8a98ea196a97f7b809006cc8c7beb2b948fda3f5446a8b57d8f02600bd276fbb98a677f04d581fd47ae8a
SSDEEP

3072:MzjQFJbJJKcfsSbbhOpVHKhpOZ8+BXJAy+:uyVsSJOttW9

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
904	explorer.exe

Loads dropped DLL 10 IoCs

pid	Process
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 904	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	65

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000bd19104ed897f50d28469f943ef2ff5be1df89289cc39d6de5a936d4da74c1fa000000000e80000000020000200000000fd6a39507a4b499a58d98b55e3f5911592e0fb9e465410ba753d406edc27cc490000000ffd7adfbbb421d450b29a008ce26ea40ad7d821245b384ed42c6775a62449e7ac04bf0539a4bac776ccb67b88287487b77321a1d37d012d3d1213020cbc5d3e54eae71eae8c363cfc332b778f1896de9d665aa16c380cce76530034f82559651069e226f88a53834f2f8b05f55b25c8eb91c111f95544da72a7656f91e58de056f6a06b74eadc7be332c7cb2fd7aa8fe40000000377f5222d2c687a091d3da44d106682a2a8d49e7874d31987db199fc222f3318f61c230e57bfcc36ee5925b31f62d8669d938134cc88dcf9976132e25c120e6f	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000500a858506a0725896540abb962ff3b625c2f55a470a1ccab082330fc1e50372000000000e8000000002000020000000690db0600cc486d6bab9904907ff35ab8632bc21eef929d352bf575b267ca8a220000000c45506c44f1149c58dd2aafd1c7f56eb5f38c7c3aecc10c62e4d5da8e2101d8b4000000052c3acb76e9fce959ed99580ed1878827d22352021c816ecc4d712c998e2e3b7b18e04ad9fc515052edb89231c60718622239a30c69012ce05c21b26e2b3e71c	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432880721"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B24A4D81-763C-11EF-BEB7-46BBF83CD43C} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10b09876490adb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
2868	IEXPLORE.EXE
684	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
684	IEXPLORE.EXE
684	IEXPLORE.EXE
1984	IEXPLORE.EXE
1984	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
3056	IEXPLORE.EXE
3056	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2424	IEXPLORE.EXE
2424	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
1448	IEXPLORE.EXE
1448	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
3056	IEXPLORE.EXE
3056	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1164	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	32
PID 2100 wrote to memory of 1164	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	32
PID 2100 wrote to memory of 1164	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	32
PID 2100 wrote to memory of 1164	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	32
PID 2100 wrote to memory of 1164	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	32
PID 2100 wrote to memory of 1164	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	32
PID 2100 wrote to memory of 1164	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	32
PID 1164 wrote to memory of 2868	1164	iexplore.exe	33
PID 1164 wrote to memory of 2868	1164	iexplore.exe	33
PID 1164 wrote to memory of 2868	1164	iexplore.exe	33
PID 1164 wrote to memory of 2868	1164	iexplore.exe	33
PID 2868 wrote to memory of 2424	2868	IEXPLORE.EXE	34
PID 2868 wrote to memory of 2424	2868	IEXPLORE.EXE	34
PID 2868 wrote to memory of 2424	2868	IEXPLORE.EXE	34
PID 2868 wrote to memory of 2424	2868	IEXPLORE.EXE	34
PID 2868 wrote to memory of 2424	2868	IEXPLORE.EXE	34
PID 2868 wrote to memory of 2424	2868	IEXPLORE.EXE	34
PID 2868 wrote to memory of 2424	2868	IEXPLORE.EXE	34
PID 2100 wrote to memory of 1068	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	35
PID 2100 wrote to memory of 1068	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	35
PID 2100 wrote to memory of 1068	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	35
PID 2100 wrote to memory of 1068	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	35
PID 2100 wrote to memory of 1068	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	35
PID 2100 wrote to memory of 1068	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	35
PID 2100 wrote to memory of 1068	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	35
PID 1068 wrote to memory of 684	1068	iexplore.exe	36
PID 1068 wrote to memory of 684	1068	iexplore.exe	36
PID 1068 wrote to memory of 684	1068	iexplore.exe	36
PID 1068 wrote to memory of 684	1068	iexplore.exe	36
PID 684 wrote to memory of 1984	684	IEXPLORE.EXE	37
PID 684 wrote to memory of 1984	684	IEXPLORE.EXE	37
PID 684 wrote to memory of 1984	684	IEXPLORE.EXE	37
PID 684 wrote to memory of 1984	684	IEXPLORE.EXE	37
PID 684 wrote to memory of 1984	684	IEXPLORE.EXE	37
PID 684 wrote to memory of 1984	684	IEXPLORE.EXE	37
PID 684 wrote to memory of 1984	684	IEXPLORE.EXE	37
PID 2100 wrote to memory of 2932	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	38
PID 2100 wrote to memory of 2932	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	38
PID 2100 wrote to memory of 2932	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	38
PID 2100 wrote to memory of 2932	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	38
PID 2100 wrote to memory of 2932	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	38
PID 2100 wrote to memory of 2932	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	38
PID 2100 wrote to memory of 2932	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	38
PID 2932 wrote to memory of 2916	2932	iexplore.exe	39
PID 2932 wrote to memory of 2916	2932	iexplore.exe	39
PID 2932 wrote to memory of 2916	2932	iexplore.exe	39
PID 2932 wrote to memory of 2916	2932	iexplore.exe	39
PID 2868 wrote to memory of 3056	2868	IEXPLORE.EXE	40
PID 2868 wrote to memory of 3056	2868	IEXPLORE.EXE	40
PID 2868 wrote to memory of 3056	2868	IEXPLORE.EXE	40
PID 2868 wrote to memory of 3056	2868	IEXPLORE.EXE	40
PID 2868 wrote to memory of 3056	2868	IEXPLORE.EXE	40
PID 2868 wrote to memory of 3056	2868	IEXPLORE.EXE	40
PID 2868 wrote to memory of 3056	2868	IEXPLORE.EXE	40
PID 2100 wrote to memory of 2200	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	42
PID 2100 wrote to memory of 2200	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	42
PID 2100 wrote to memory of 2200	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	42
PID 2100 wrote to memory of 2200	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	42
PID 2100 wrote to memory of 2200	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	42
PID 2100 wrote to memory of 2200	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	42
PID 2100 wrote to memory of 2200	2100	ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe	42
PID 2200 wrote to memory of 1036	2200	iexplore.exe	43
PID 2200 wrote to memory of 1036	2200	iexplore.exe	43
PID 2200 wrote to memory of 1036	2200	iexplore.exe	43

C:\Users\Admin\AppData\Local\Temp\ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea8e8ce971c18474b6cb2fc98a45f60b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://dsdc.asdtravel.info:251/?t=919&i=ie&66dd452da8f7726c8f0eeda8517a8bf2090df582=66dd452da8f7726c8f0eeda8517a8bf2090df582&uu=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dsdc.asdtravel.info:251/?t=919&i=ie&66dd452da8f7726c8f0eeda8517a8bf2090df582=66dd452da8f7726c8f0eeda8517a8bf2090df582&uu=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2424
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:603147 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3056
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:603152 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2400
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:603169 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2420
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:603177 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1448
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:3814419 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2408
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:603210 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3048
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a1&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a1&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:684 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1984
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a2&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a2&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:2916
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a3&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a3&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:1036
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a4&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a4&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:1628
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a5&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a5&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:2192
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a6&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2244
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a6&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:2312
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a7&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2416
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a7&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:2284
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a8&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a8&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:1036
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a9&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a9&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:2828
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a10&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:552
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a10&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:2136
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://ac.asdtravel.info:251/popopo.php?gg=a11&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2972
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ac.asdtravel.info:251/popopo.php?gg=a11&tt=919&ur=JaffaCakes118&66dd452da8f7726c8f0eeda8517a8bf2090df582
    3⤵
    PID:2732
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e59c6b7dddf37178a28c885032ac6b7c

SHA1
a3ad43a6c1babc771740e2037a90685b1724094c

SHA256
95cb7436281e5bdb42279ebf332397d4a13747f19d4b00de664c5732528d8af9

SHA512
a05e735bca01bd6882200d007355fa743cd7f2c668cab9c6d498cac2acd9603edb87da812fecf0256815b67b60b485b6f490a0ca8f577a188d6eb23f20a02bd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1103b98c598d038d67db01f319aaacb

SHA1
7de8b361b2bafd5df6601564abb9b478229d74f9

SHA256
e4df47095a63f4821dc2cd28dbfe61d0026ba1e55146f7d525898864e1428b02

SHA512
2315a90534a86c8f604f3cccf34a3bea69117d08800bcbf2e2b6885179d200a655fccdad289429d41ccae1dc24bc544401f212e913c206383c021913792a544a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b1a55e4ff46719a43b748a8c28e9578

SHA1
1467d852e3fc2e4590b3ed3e9500dc35b5965e18

SHA256
4a7fb97ced4cabeca6ff4f0c64f3834cdc3414c6b91a84188ec7543a59d7279e

SHA512
c0e1ed844158144a8f4c984d58231d3cf281405abff6ea852df261ac83a19f005eac36ce141d8c50727c523398f471c17c7e89378f7725c5437d80b89c000e9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba1f5deabae643289b172b12c5544565

SHA1
a5245bd35910a74ffdcf63d6184817cd66df81a1

SHA256
13492cb4656ad1cde276512b773c484c610acefa2cf969ec549ae524fdd0cbf8

SHA512
5db2c3a570a631e3e2e690642e1a80f8684b72296686f227256e58e05fb7fb1b7ab4cd631fd43c41bae8c0cba74d66412e2c4c0b3db4b56f4ca2de6985b0afd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44ee156174f447a65268d2e3fd6abc2c

SHA1
166cc1f0e667901ed33de57716e1021fcb3c7069

SHA256
e666120c900b6aab87d18e4b458f993ad71d2dff91a5dc2340f26f1d9e30433e

SHA512
be25188c928338d8df59c90193a383bd7fa8023c1778cd295812c30f73e59a8e8efb50bd657b63ceae7fc1da6c58cb9eee71fbdb9abf54f6a01b2a1e409df819

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffd71f518a65d73cb9323df03f043f3d

SHA1
f088c594e5d2b05957daa0887c41ed9886cd5f2c

SHA256
a4d03ea2c7949bbacbcfed783d3a22e50b922c5e9ef02103ab6199ae3fb4b082

SHA512
5f72b0471ab10e70745b72e1737f16996cf8f09d27726dbbfbae5ca78d0aad4783782d5b6d7f9ed5b0d6c06423f1ac7a947be2210a7ef0801fd5934d853d4081

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33412d2f6d145796c88de8d30b1d1127

SHA1
48fbe6df4459dba36679c1d5c86d783cbcbfda46

SHA256
4f14cf9b48ae25568e7f4e41e04b081d11f34f3c90a875585915456cdb121706

SHA512
0288b5110d5f6cc7266e6be0dff07d5fa7d19f9cfdbed1ff0d82a2f821e8bad5f3d4bcda368ed5895843def84dff8a06631e184ce6ea03a749b14954d28ed328

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
199f895d2db64878c954174ca8b5c236

SHA1
ccf6bf95a1143eae34cd9982c89249be7eb6a315

SHA256
464ddb5df2e6dcdf1954625a378b5b02a59e87154850f1d5b9818b2644b66b12

SHA512
7b4d29b6072cd46843bcd69f93fa7438f2e70f7e555ae2a478c3e2ab5e911fe698becbd71cab3e1f5c6463d52f92bbf80d12fff1d4293f21748e74d89037e12a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79a1d0c7c15f4bd3b4baabdefa737f33

SHA1
f45067383ca1e169e792988b8616bd18c2c817fa

SHA256
48b8f79a3a65a76fadc8a84c81219c4f0b23ea1825fc7600f0efdeb456aacbe0

SHA512
3d1293c4edb79625fd4efcf4835cc8728f247c7392df70a273c21a94c8493f7b73ce33bf0a4405e6bd5d1beb43818bdea87ce0f0cb9e4a7f13e25fc6eafc6886

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52a9a00649c3363aaf090dcc02a277f4

SHA1
7cf4672f7c8c92a1010926ee45a8fe124cb69724

SHA256
b017572eeb921b4b1108cfb9595f8a469d975f8f98a4530850c4b8d8b62fb567

SHA512
45ef412baaaa1bc3e2ef3292a89070c20166c49dca78ac6b41c00941b0deff83fc9a3deb4696fd0724e88b09138d01c06d63eb67b08774a36246d7c63b67eb6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
183f1277f7be80a4f329213b9f98099c

SHA1
cddbe9c00ecb646b420cf5321194c28f886fcee0

SHA256
7aadce71ef56ae67c5cddb8ca06b4dbb5f333d2b8ec69f453e97405add845a0b

SHA512
842feafe04df5e206ae119065f74fa1e1438e698c19452d06ba08f07de37b0c1bc61c8ed7d52985f398689bb7adb5403627104fb2cd2f70d52aee24dcfe1ea8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70e637f0985f15829227c2d752ef0c61

SHA1
0765296bdfc4d6ba90fb0057436d3dc0f59d6e04

SHA256
900e98727c483ecc4ef22c14ca844bf5731aba4aa6db8e713b9065141800319d

SHA512
efb492ce604f857e62e8ed13f2664fb79390fb62f8d20f00719c9d041f96de27d2ab4a304b0671f7bede83cbb66de873b650372e16f161de09af223bb29895f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8274d4df2116cd2030f9b453c4ffd173

SHA1
c2a819665835d61a9889aa100f4f0950614962ab

SHA256
5466928e5e0257b2c1172f2fe94fc81af2af9923024d4a5dc687200ba5d029f4

SHA512
3d57d1a2a54b983a5577ca63cda1ae137fc07d1152fe1d3e9f718c1e3fc41077a239f167b7e12571bcd6d74b3f3f10d152be4ca4352479da7d7c2bcbb2e0460f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31cf997950af3534688317f0a0700c38

SHA1
a84ea5402c7a45a04d2d1c79a2db05dc5c4a8389

SHA256
b231ef53195c306504c18aaf88c9d40f558b1edfd062079dc4030b1016bc620b

SHA512
7f29240fdb3325711a2ce4334ef6d04b12f7de0c93565eb24d3b78eab4fe5fa49ea131019604bf8675ecb1495dd2f606680e0865a5b13cd240f19e9a02630b2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b506680fb42145b64cac2bcba5938a7

SHA1
e0571cff01c83fd6d490d60190e83d87a735294f

SHA256
7044edbb84fdca5a2e2c993e5e526045691fab6a024497bf20abc3e1bcb3d689

SHA512
8c48c1124fc6fac3aa926dfeff80a642372cba28facd24aa8de7e4338e02ea58b955260919c19d43f5f04bfc2282f3daf1ddfab8f7df605508725342ef55332c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7636ef5db633086bc806563a2f2d5c2b

SHA1
0b79da8ce5401d4e8fec206c82ed0d1a1d9eb018

SHA256
56c50b4cf99a6779d615f4f303e30334153a01edca604e00796e50051a5bedef

SHA512
7f0313a5b7d9a5bd056cc3c4687cc04cc32d2f09c21b67db83d1b5f461403dafeff6d9bd5726e546dff43d91502b52776b202ba3078edbc96b03cdebec96f1c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d16872e66cc84e7389cac42b4b9c045f

SHA1
5664432e834fbdf85161c5eb39a5ded084ee9b29

SHA256
f50fb3f65b44827a00e413993347e17d452d53a30c2a1b7b412e85a9d6224c6c

SHA512
e54f82db09ad5a1007b991847a12682f700bb4798f8844dd3309e29d730f00db7e2497cce598eb559911145d96d308c641b02b2d45cfc044deef3d78d73b7136

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85e77063b4f93b1cc5182bb44309d390

SHA1
0a9527d4c97217ca9f8b6e1aaa8c09159b24ad67

SHA256
5739b6337e88845fe36ec520dde352a4aa6bcae713a0b29f07f3560825726299

SHA512
ab585bab6f129923f08fdb490ccc97f689d60afc7764bb3ab68433a6bca8ee62e1790c09897f91aacc038a091184f6424d8a91577eaf5356e846abadf4257eb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aeae49fd30eab7e9cc552b23047964e3

SHA1
d2fb72673260d7e4398f5e436ffea602b8ab2296

SHA256
fc25ff57c396bb12f17c6ea62394aef62ae667542bd6cb068cd54d54c3472259

SHA512
d9ef6f94062608379b63ebc2ffcffbc98ddffe20b9c9912346d002216cb0401496e3fdbdcb119c7e5009c833dcd3faf41162e5de75dabfdc78edc5484840709b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B240C801-763C-11EF-BEB7-46BBF83CD43C}.dat

Filesize
5KB

MD5
7ee306a4363411ee92279050976238b5

SHA1
97980a7cf43b86f5312f9ee4305906f2d5c6e635

SHA256
278df987ce4c685600f6e159db87e7fc6383c3bbac4643b56c502c724a01b6ae

SHA512
753c75d3e21b9215e6bb3d03ead2bf87f3f139be0b6b4f0f4a9a68d864ad78d39df61d48b1e5332c589adc5efd604d071670b6c7b08940c693410cdb542bbbbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC8BD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC96D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA72A.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA72A.tmp\SelfDel.dll

Filesize
4KB

MD5
5e14f6774c43bdff6ffe0afb0d51c47f

SHA1
fb1e7b6e63afa6db6aa2033b5e7e90f1f4ba5e27

SHA256
7cb51ccf21655e9590a6c3232920b16a3dfef15ffe9df7b8e71f487ca8c24da9

SHA512
6ac533c0485156a68bd1460d8219acf7539b766590910cd646f4d7d4572c072f45369712d88d4e698f4e94aead8082abcbfacc3d6fe890046898f6c6d85274e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA72A.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA72A.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA72A.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/904-537-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2100-9-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download