04b5545842b9f59d10163e09057f9f76b0b623a49d0baa4307b924c80e96f46d

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Size

25KB
MD5

ea9f981ad92649e3bebcb81ec10f5bc8
SHA1

925d61a3359dd23b5f3b0baba3467be411820417
SHA256

04b5545842b9f59d10163e09057f9f76b0b623a49d0baa4307b924c80e96f46d
SHA512

fd9809227e614da63c4323744c84f2c65622e322eaea4afcaf289a78c73a1d6ff62e936c4dc20879294ea4d1da0e10fa77f51bcd0a7112b3746be2c47ad47b6e
SSDEEP

768:46FvP6pdwqLkUJ2sp7u7IyIhL95mYKLDpT:BvPk+qIh4u7Iy29BKLDpT

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1688	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\setup.ad	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\setup.ad	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\gugprd.dll	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\nTimes = "66"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000099a7c14d4906d9e56ed16340a23ae24113bb10cba48210625c3a986b759c351b000000000e800000000200002000000011287878c70bb4bb07da3e665a8a68bef04371e0e8a4746194df4cda757f74fa20000000d032a5d1258f47fdd736f55bce6ca02c2a271fcd53e9dde192d0b954c8e093c140000000fb6df5d2baf4fa24323a7cf7b5dbab9d935b6fe52cb2c61e958245ad2c484ce4bed18cf81de80f4e441f93ec95f93a4d1921f8cefc6bd83e00fb47eb7ba1f6df	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432883545"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60db7f08500adb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000013d4dea103737f2204b3b42d4f305eb3a990f8ed5701ad9315e2fa76d1a75965000000000e80000000020000200000003500b389afd3210d8287861fba4bc8446b0e91ee121e644d49c3fad41223c030900000004232560daa0a8139be4c8a4017a00df19b80b553787cab02d8f3b71b991935e2b5c2d138a72fe2a34329eb603e7a914a4ae58684c7b3d9697c25c0147fc5b7dc697cee6fe2b9966939b9dd064c55e72a5528cb0e9af67835c7a69f64133039158ae780a54db07fe5bec77bc34ce8081ce5578cb51db5b4d124a8bd898e6b206dbe0b4e80db23cf7395048967c9e7ae4e40000000d6e4f6d71deb7552d1fa1a98d0abccbfaf9a3ae9e11431a6fa6dd4f708c4c2d8462c7d027c3460e334d2a57ddb760caf6a7b8fbdecee39c0c92bac903de0b74b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{458AA031-7643-11EF-BD41-DEC97E11E4FF} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{459B49D1-7643-11EF-BD41-DEC97E11E4FF} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE

Modifies registry class 49 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0\win32	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ = "pIContextMenu.ShellExt"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32\ThreadingModel = "Apartment"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\HELPDIR\ = "C:\\Windows\\system32"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\VERSION\ = "1.0"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\Clsid\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\ = "{9B3FD067-74E7-4809-B908-DF358CF1A511}"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}\ = "{6DCB487C-0DFA-48C2-ABDC-296BBD892262}"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\FLAGS	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "_ShellExt"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ProgID\ = "pIContextMenu.ShellExt"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\InprocServer32\ = "C:\\Windows\\SysWow64\\gugprd.dll"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\ = "pIContextMenu.ShellExt"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Programmable	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\HELPDIR	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "_ShellExt"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\TypeLib	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\VERSION	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\ = "IContextMenu Shell Extension.."	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pIContextMenu.ShellExt\Clsid	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ = "ShellExt"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\gugprd.dll"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\Version = "1.0"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\{FCO94F32-9210-4A7D-AAE8-BB0320CB1D10}	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\Implemented Categories	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96B27E0F-E2B6-4CC4-8F14-D2E408DDEE23}\TypeLib\Version = "1.0"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6DCB487C-0DFA-48C2-ABDC-296BBD892262}\ProgID	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{9B3FD067-74E7-4809-B908-DF358CF1A511}\1.0\FLAGS\ = "0"	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2684	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2724	IEXPLORE.EXE
2724	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE
700	IEXPLORE.EXE
700	IEXPLORE.EXE
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
2132	IEXPLORE.EXE
2132	IEXPLORE.EXE
2984	IEXPLORE.EXE
2984	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2248	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2248	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2248	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2248	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	30
PID 2248 wrote to memory of 2680	2248	iexplore.exe	31
PID 2248 wrote to memory of 2680	2248	iexplore.exe	31
PID 2248 wrote to memory of 2680	2248	iexplore.exe	31
PID 2248 wrote to memory of 2680	2248	iexplore.exe	31
PID 2680 wrote to memory of 2692	2680	IEXPLORE.EXE	32
PID 2680 wrote to memory of 2692	2680	IEXPLORE.EXE	32
PID 2680 wrote to memory of 2692	2680	IEXPLORE.EXE	32
PID 2680 wrote to memory of 2692	2680	IEXPLORE.EXE	32
PID 2432 wrote to memory of 2808	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	33
PID 2432 wrote to memory of 2808	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	33
PID 2432 wrote to memory of 2808	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	33
PID 2432 wrote to memory of 2808	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	33
PID 2808 wrote to memory of 2684	2808	iexplore.exe	34
PID 2808 wrote to memory of 2684	2808	iexplore.exe	34
PID 2808 wrote to memory of 2684	2808	iexplore.exe	34
PID 2808 wrote to memory of 2684	2808	iexplore.exe	34
PID 2432 wrote to memory of 2712	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	35
PID 2432 wrote to memory of 2712	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	35
PID 2432 wrote to memory of 2712	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	35
PID 2432 wrote to memory of 2712	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	35
PID 2712 wrote to memory of 2652	2712	iexplore.exe	36
PID 2712 wrote to memory of 2652	2712	iexplore.exe	36
PID 2712 wrote to memory of 2652	2712	iexplore.exe	36
PID 2712 wrote to memory of 2652	2712	iexplore.exe	36
PID 2432 wrote to memory of 2572	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	37
PID 2432 wrote to memory of 2572	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	37
PID 2432 wrote to memory of 2572	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	37
PID 2432 wrote to memory of 2572	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	37
PID 2680 wrote to memory of 2724	2680	IEXPLORE.EXE	38
PID 2680 wrote to memory of 2724	2680	IEXPLORE.EXE	38
PID 2680 wrote to memory of 2724	2680	IEXPLORE.EXE	38
PID 2680 wrote to memory of 2724	2680	IEXPLORE.EXE	38
PID 2572 wrote to memory of 2596	2572	iexplore.exe	39
PID 2572 wrote to memory of 2596	2572	iexplore.exe	39
PID 2572 wrote to memory of 2596	2572	iexplore.exe	39
PID 2572 wrote to memory of 2596	2572	iexplore.exe	39
PID 2432 wrote to memory of 2560	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	40
PID 2432 wrote to memory of 2560	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	40
PID 2432 wrote to memory of 2560	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	40
PID 2432 wrote to memory of 2560	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	40
PID 2560 wrote to memory of 2616	2560	iexplore.exe	41
PID 2560 wrote to memory of 2616	2560	iexplore.exe	41
PID 2560 wrote to memory of 2616	2560	iexplore.exe	41
PID 2560 wrote to memory of 2616	2560	iexplore.exe	41
PID 2680 wrote to memory of 2984	2680	IEXPLORE.EXE	42
PID 2680 wrote to memory of 2984	2680	IEXPLORE.EXE	42
PID 2680 wrote to memory of 2984	2680	IEXPLORE.EXE	42
PID 2680 wrote to memory of 2984	2680	IEXPLORE.EXE	42
PID 2432 wrote to memory of 3000	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	43
PID 2432 wrote to memory of 3000	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	43
PID 2432 wrote to memory of 3000	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	43
PID 2432 wrote to memory of 3000	2432	ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe	43
PID 3000 wrote to memory of 536	3000	iexplore.exe	44
PID 3000 wrote to memory of 536	3000	iexplore.exe	44
PID 3000 wrote to memory of 536	3000	iexplore.exe	44
PID 3000 wrote to memory of 536	3000	iexplore.exe	44
PID 2680 wrote to memory of 700	2680	IEXPLORE.EXE	45
PID 2680 wrote to memory of 700	2680	IEXPLORE.EXE	45
PID 2680 wrote to memory of 700	2680	IEXPLORE.EXE	45
PID 2680 wrote to memory of 700	2680	IEXPLORE.EXE	45

C:\Users\Admin\AppData\Local\Temp\ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea9f981ad92649e3bebcb81ec10f5bc8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628546.html
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628546.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2692
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:472068 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2724
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:734210 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2984
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:209924 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:700
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://u.9lwan.com/cj/direct/628635.html
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://u.9lwan.com/cj/direct/628635.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2684
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2684 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2132
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://86.826060.com/cj/direct/629073.html
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://86.826060.com/cj/direct/629073.html
    3⤵
    PID:2652
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://86.826060.com/cj/direct/629108.html
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://86.826060.com/cj/direct/629108.html
    3⤵
    PID:2596
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://g.100goo.com/VipUrl.aspx?P=6181
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://g.100goo.com/VipUrl.aspx?P=6181
    3⤵
    PID:2616
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://g.100goo.com/VipUrl.aspx?P=6181
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://g.100goo.com/VipUrl.aspx?P=6181
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\_ze3j.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94d9dcbb96350f7ce42f459eb1ed783b

SHA1
9dc59dee0cc02a99e787a81689d03421011d5b13

SHA256
fe3e475c77cd1b8c3722ba279c15ce4993a3d4889f1863a2eba01df56e630f7b

SHA512
7650958554c8e71185316eee35a044cc2c5d6a39afaf61bf6cc225d0aa39336a4b5cfe556b54f01379b7193af0e9ce68d44a71b00683c54719bef3f6cfd95813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27c90e77f0576d918da1514f14031f38

SHA1
50780952f0ecc732e2b3828221a57f4574d8231f

SHA256
7b5f6c7aebada9396e22ef64684a796c86ab1394ed2a8abdce81d6486c3c18f8

SHA512
451ed3910996ffb6c4cc58629cbbfa07fe48acaa0ae57d1925d9013aafcf024cf2f8170d71fafd040c1252b2bc0ba9138c5cb5187a21a46c1fa7b59779be8272

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
682d516b966000884cd094be20cb098e

SHA1
bc249f1ec4bb20a324e6c4aba9977267adbe9e91

SHA256
60fffa8c72cad42542a2dd966d7ee4a3a94a3492b3300c20dd2a3533e76b9866

SHA512
9903e133c114227557e9e1e3fff1cb0a3a4483f509b5f46e324b3defeb5225cad02c26b4c8bced63e7aa79a66df7b9781dcf56fbc175f46584fe073d73c499d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4270d612eb7f498beb20882afea15fe

SHA1
25fdf825556a16355a210e8708327bd9b3a50d1e

SHA256
146769d9c770aecadd269097a23edbf9c963447928006edb4277def19564145d

SHA512
f555a09bbd372a534cbcf04cc08c15ddebc31dfc5d6b725c21c18d03cf3fb7ceaa9cb918ca2ee172486ca1b2e92479a7b158d5c2f4e3fb8fdca37f85437368db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27923186dff67321b578fa15330fdac5

SHA1
c8069b57ec33c28a8326484cb27345d2f0edc99f

SHA256
380846bde3f050998ae8102b080deb65ae14ed7f2ebe03296646a3aef8900a2c

SHA512
f8fca655e4c84bac20d5ce5079a9036b795f82d884505ba19110dd5c371aeb24c0f3096e21f5617b48d934e7022ec3d2351971d94e625a0136f9ff08e4e315bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a765fa84f35fef0e429e355bd80d5e7

SHA1
1e1ecce6ec673228e516b91f432e2c62f04dbd68

SHA256
c57a9d48bc7bb467897e2b4015a3731f450098125af798a6fa0b93849e9d0b42

SHA512
662828b2f69055f2ffa6d8b9c36e6366fcd6f1364d6d09c2fab1d2aa93564b6b88d55375e4ed70d8c61c0e6cf5038cf87acdabf701430541352540c494d03b60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e84e0638239f0346c056d8b51641663

SHA1
be8884f2ba99b367f7632af4d37ee0e57d77c6af

SHA256
2c7f280a012b0d499943d7a5845823f29bc1970311566d43a956a14024bc6d6b

SHA512
5ebe6ee82c68295a6ac0349daec9b0e5d49349c7df1619fd58ce5d533d78c0491aa6e6a317c5b09ac97c74e98cdf683786b938bb1c1b8a8ac5431d77af08e944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3f17b55fdaf3c1033bdd357adbebebe

SHA1
2ffd764d78c0f5b16e26535f0d24be8d7a87de0b

SHA256
cd4f01276c9648de61fb24bf7e6b919c2916e780285a3ec79730df391c27c141

SHA512
fb0598a71e27a3682c7cf758af3898afbb5a0c6662e034193006397d22d4c3de9b6c1ff8ed363e6d6f118df9f56774bcce2e76dc843c6ca456c606254e2a6357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de493783acea475f9ed309e22db1d9b1

SHA1
7f15593664b4fba7e49a358604cde28d9f9e9b3f

SHA256
be75f9d154e427c667d4b399f5cf9b1a67bb6724d7fcd8f6ca972ad7e011a92c

SHA512
2bd85aa987c9cd08ac1edb022a58910583fee555367a61f59ab523acc95f7e4ed3daddece653b8b3cdf250de509ecf593e308060cb95d40a0713a281b84441ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c960deff09e25b1d1fced1577572063d

SHA1
69f26e59fc50316c856b359d8558316fe994bd3c

SHA256
cae1c455c363ad5da0ace8ac83ad5addff019a1c9abc8bf3f4afdad9e37278ce

SHA512
c9d82be86bb94c41185180bd499ec8e75fdf85e26937c175ebe77704d5a84a69df2c234818095c2d914ea3d38952898192023553d8277f3774077e0a153ef1df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfadb04ca999f8289f4568a6255eb729

SHA1
739de52eb6aad3a9a434d81ba483f7df2e3c9e20

SHA256
d4954c564a29da7891159c2f6014c314b8bd4ccbcd7120ce96586ee99f2f36c3

SHA512
711916e593236bb6cef1ee324d23c4f42480ae7c217826509129171170e3a99dc5dfeac641d11379f1eeab742838666b88763316f8b62df0bb3083265488bfb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
859abf52f6ea792ad88bd9e41c70563b

SHA1
ca728e90a71adb1a58a9c23930c67b7c68bba5e7

SHA256
dafba2c77fa3e742897c6f609bdd201e4f6ea2dbb6fc72856c2ae38af55329b8

SHA512
f8f10ce52346467cf5a9f1f85f705eb24aa0a9b26a83c7e7fa7e60bcf9fcdf37c79a05c2c854c65801e06c95132ee806517c18e9e7e35aeb70c4f4a2cf1a0012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c84a52aba513af6248c7ec9d24ceba9e

SHA1
cc4769c9f32c3fcadde3a9025c2153b33a539ae1

SHA256
0b9969fde2c60e6b9f47fe84f7932c147f6931843e656a8918738fc4cc925bbe

SHA512
ae362df12bff67c031821ae93d298aa7b4e10e7f9c186f6e8ba554a17c00f48a66bac52cdc28a5da0618621a66c96947ce69e25eb4a9f068a1be118b7b8c1ca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
609e976073730d0c3c5ad2947b9a584b

SHA1
773db7beb80703a47cf2a6505b81b20b63a0b7b3

SHA256
ad2c0bb4003e5d01351a123fc18adade199eea220e20f8ceaa7d8b599c8ff00b

SHA512
8401617f5350a0d7525e5b2f2ed8fc65ec34214c78f730d3a95ddb8ae3f46e5a55cf36da5493e80e5db48e854a84a67e7d9123efcad7df8eb2b1f264ca44ee1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00a6fcee5cfa5ddad31a7f08f1a1ab0d

SHA1
421ce570caf791855c2b279f854182b036aa8b2e

SHA256
2ae11d2a89b5e4bccc857610127cc3faea3e13d95aa2efc9d4f75cd586aa32d0

SHA512
3e633c1dea55d13b533cd056ec6c4cd7bbdc7dff95164bc76d81256ddfd1017ba879ff8e10a524c04d22ece4cbac5dbb1fc9d8d6d96405e3d312084ad28c61f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66af46346866fe271cfd3140c41559e1

SHA1
6f5bddfac5b009166a057e9e64f1aa1aa8f610ef

SHA256
168d0af38b64a5d2f4ebbf674d53300c1cabc20504e19c5269666dc92e7c73cb

SHA512
015fa17b2647d4bbb067258bf76876cd61993e895ff2e2b1696af4370120ad91a180791f6ed1b348a75b367545d11082d7f09ee2fd67b9e0efb6b2a6b0c02f16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2bd54a7898400669d4a070e0eff53a7

SHA1
9337ba4f38c368aa33453bfeb94ecd900ba846dd

SHA256
8d895feb5ca9aed1d6b42ba97555c1a340eb59d16170d755ecc3c9156576fb4c

SHA512
50c9f162426571585e744d46feafa50c0d88ee83d4752bdeb6683f281bfa7d6497b130a03a7ae13e2411b2f4c892810a348d459b753128452862fa1cfc7ccad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f7ec87a31dfc1e57559bb527fad1b96

SHA1
d5782c7024dfd246a947d0e084fd543fb7eceb1e

SHA256
821d368846ab61c4b5608293d5dc55d84623578d7e7ba5fdc42fcba3dcc5f41e

SHA512
d2b7814ff28c93ef4de83f4139e836a72cae2024710b56be07d39dc6d66cee8cf95132c242e8e398059800262182dd2821d259bf92223ad763a60786d3d8817d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fd2360d9f7bc5b5b47b57707cd68ab6

SHA1
ad527d1de081561708f96cc5867ceaa7b97b070f

SHA256
cc1d9ef08f33b5a24d2e19278383c683204ded0baa51170e545abb846d9d299d

SHA512
2973025ac218aa869f571589dc7fcb71f993cc61624f95ba3516fc033c1cdc3b7ea4915f5e5cf646f954356fe4edd811bd2dbfd04c3c27fbb13300606e570df2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
225b78e1e59107af291e5e365de28f46

SHA1
da5025951613848e76bb9c784bc4fe751fc23028

SHA256
885c2aee090b683190822acc454add9eb243d7c99c5918a72baa0d67238db4c0

SHA512
fae640eebc10a07bf41ad4e340d403fb8f67fc3c3ae5c7b9452b81e8c3cc4ba9d635bbe7308e3c39fb7290d64febfe0e4fe659b29c39a7a589c4d99082525404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56d1bd0a4a42cd7e5e789f4ef0bdd6d9

SHA1
c39a154261d0145eacaa6e17aac4f991aab6421f

SHA256
526e2a2db184e2be767af9d7e5d71c2d6f56b5bfb59840fad62bb685861ef2e3

SHA512
027b1c83d49a335e313b4be07a56364b49d2b52aa06bbc75a33650e23bc544863be76dae1858f16198b03e510bb3002898cf57fc39fa5929743fef824fe9f130

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98d81402e14e3b94ba962294f8006c1b

SHA1
588b3a398cf2aa8c54b9f3d38b5f48074dee2a18

SHA256
89dac6643f4f0a985d9b9710c9c2181d663719320cf10d7ee8bd91cd7f86c3a3

SHA512
825eea9cd90db3cd728409f84967e5eb213577de8db4ab985baa264f0ca56c29b60bfdfb8f8dd3630d349eedf120ebe3d244a825aac9e55525deb6b8a0c5ae01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6eddf4a7ec4cfd13fb24af32cea4bbcc

SHA1
4fc919711d0804e0d0400cdd1ea9ced2a78992f7

SHA256
3d0fc4bc3eca400890c6fe0ec036bbd610890bd033297f9dc402005d1d084b5c

SHA512
c4ace38935564737e657544507479558f020082e1882aa0557c8ca9f5075223e8efc83f7ae0c0124ddac013ec15d1008e466b2ae001d1da458c4ae3b45c04c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ce518027f5aa9def4b4ef7bf96b79b6

SHA1
52a1fe2f4a25ab16f52b7286057a9a6870ee056b

SHA256
192afe4dbe912af5daf5bed1f5a76ae126b3448ce5e73edeb1bd6ff889085d0b

SHA512
38678cce426d889f06849657f903eef70b97b08c3ba5255f5feeb9396e5a3779ab572be1da7db4578131bd800bb0c09e7ca7b8cafebc79f47cb147cf9471209e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a434ec9475713c6a0eb842926bac71ff

SHA1
ff7c25424f6ef9c0be3ada4dbba9c60437538a72

SHA256
917050096852d89850beb77bdafb89993eb3632aafe9c08743aacf4de3f28df9

SHA512
cf232f03493e7a08f3d1bfbbe5c261639bff569da502aae32fcb626631b21e38c9bba26696284864991e60bdb2cd066872ec634a3c7e2f9e3a429468fa90b9a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13b3af008ce7ea2c6becacd80eb3f5bf

SHA1
5c7770513782bd11065570cd50ba214f7f5f1929

SHA256
ae7e9219c02ce15e3c05fde86522d4b4342595d97410e391f5e8e2d86302af81

SHA512
8045f079750e07dda8f8e6055c341f36fcee22d0d5931aefb6c0f907a402e148e6abbe2901af5492f86a0974ef4f87c1d926386206d962b9844e972cc812479c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
893f51c9cf7ba046516c8ceb3d867acc

SHA1
fa8de6ca6b019b24a75a772c6d8c3160b6b6a2f9

SHA256
3c20059b4b64f562fd2f732ba86a9c3c7ff63cfb48acfcfb2a8f3318570ce199

SHA512
35730e46a3e05bfd507cfbb13cb836d2b8ea9d928076e0e2e65dae96d8a553cf34a4520de0997fa94e2d1925b351e7a8507ab732585d794f28cca60eaa84c867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{458AA031-7643-11EF-BD41-DEC97E11E4FF}.dat

Filesize
8KB

MD5
0beed9670858c07da853e494d67a7dcf

SHA1
501eb724f035a6c99a98779510d415f4d2d5cb01

SHA256
794fe187404e552220554de178271085306c6540ae64acdb4a36a7dc2ae4c8e8

SHA512
952247207967d82d55bd455cc6227aee2d9f6a64c735c6be3e6e6c9f69389a1c8c9533d5dcce0a2581b65fad5be9beb3206a4c55b3f0b9a2d1117b5dfa1c70e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5277.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5277.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ze3j.bat

Filesize
214B

MD5
e6328005b7a81c807f9d4dca86188381

SHA1
e700e6e31d22cfac92fbbf694549f76ff031377d

SHA256
1c67591c7e6edc2b385549b23fdc32ae387837073b21b6315e973f3849ecdfa5

SHA512
1850cfc6378e58a16b7830f62b3c804ed64c399478b97a50267856914d3e7a306f46c232d932a24fbe3f03a23e3457ecd473cfa827b23122448d28f09ab7eb71

Download Submit
C:\Windows\SysWOW64\setup.ad

Filesize
44KB

MD5
303cab14e48dd2fd749796b4330f06b9

SHA1
9947f71684c82daa2068c90ba331fbcc44499930

SHA256
f0c158851aa02a1448cf9de0db5eed3bc10519acc19410915c6c0b4901b6687a

SHA512
08f74f47365a54a0deaaf256ff5362f137acad615d033cba8d0324eb7f3a543f67fe32dd50ea449b65a3322cff07909179be785ffd223a680eccdf7ee23f75e7

Download Submit
memory/2432-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2432-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2432-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download