30d4940ae984a469b34119d4570ede5283827ed1468f16ebd8b4b3123134d249

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Size

135KB
MD5

eebbdb0969ff448ab6d66fe6ec67356c
SHA1

61e8bd4ec03a3160292572a285bc59fc1efead94
SHA256

30d4940ae984a469b34119d4570ede5283827ed1468f16ebd8b4b3123134d249
SHA512

ee88b03f198ff1a8995ee5613ead35cbf6db024474d5c363983be6699f2e450df8ad317430c4c99fcb2d98fe46d8954eac305853baf226e3705cac7ec5b136f7
SSDEEP

3072:PUHsyO/2TTNIwJQcCZ+5k0oJEF0ilyoCo6kkAwn8Z:sH42TnqcMek05Fb8/k1r

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Client = "{D121AA32-93B2-448B-85DF-754F7E995B0F}"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	odbcrver.exe

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,odbcrver.exe"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\system32\\odbcrver.exe"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
880	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
544	odbcrver.exe

Loads dropped DLL 3 IoCs

pid	Process
2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
544	odbcrver.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral1/memory/2316-117-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Terminal = "C:\\Windows\\system32\\odbcrver.exe"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Terminal = "C:\\Windows\\system32\\odbcrver.exe"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client Terminal = "C:\\Windows\\system32\\odbcrver.exe"	odbcrver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Terminal = "C:\\Windows\\system32\\odbcrver.exe"	odbcrver.exe

Drops file in System32 directory 28 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msisperf.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\diskoree.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\puiarv32.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\devi2x40.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wuapdsl1.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\scriicpl.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\czkwetut.dll	odbcrver.exe
File created	C:\Windows\SysWOW64\odbcrver.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hgakheg.dll	odbcrver.exe
File created	C:\Windows\SysWOW64\testtest.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\raschttp.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\diskoree.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\compmore.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\brow_875.msc	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\testtest.exe	odbcrver.exe
File opened for modification	C:\Windows\SysWOW64\c_20geng.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\nlsdrlnd.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msisperf.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\czkwetut.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\odbcrver.ocx	odbcrver.exe
File opened for modification	C:\Windows\SysWOW64\hgakheg.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\apisocvw.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kbdtpcfg.nls	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\odbcrver.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\raschttp.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dwwitopl.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\etmeuhxp.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\czkwetut.dll	odbcrver.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	odbcrver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e079df70bd0bdb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433040483"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC9370E1-77B0-11EF-A914-FA59FB4FA467} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC842EA1-77B0-11EF-A914-FA59FB4FA467} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D121AA32-93B2-448B-85DF-754F7E995B0F}\InProcServer32\ = "C:\\Windows\\SysWow64\\msisperf.dll"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D121AA32-93B2-448B-85DF-754F7E995B0F}\InProcServer32	odbcrver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D121AA32-93B2-448B-85DF-754F7E995B0F}\InProcServer32\ = "C:\\Windows\\SysWow64\\msisperf.dll"	odbcrver.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D121AA32-93B2-448B-85DF-754F7E995B0F}\InProcServer32	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D121AA32-93B2-448B-85DF-754F7E995B0F}	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Token: SeSecurityPrivilege	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Token: SeDebugPrivilege	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2564	IEXPLORE.EXE
2732	IEXPLORE.EXE
2876	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2940	IEXPLORE.EXE
2940	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
752	IEXPLORE.EXE
752	IEXPLORE.EXE
600	IEXPLORE.EXE
600	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE
752	IEXPLORE.EXE
752	IEXPLORE.EXE
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2564	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2564	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2564	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	30
PID 2316 wrote to memory of 2564	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	30
PID 2564 wrote to memory of 3004	2564	IEXPLORE.EXE	31
PID 2564 wrote to memory of 3004	2564	IEXPLORE.EXE	31
PID 2564 wrote to memory of 3004	2564	IEXPLORE.EXE	31
PID 2564 wrote to memory of 3004	2564	IEXPLORE.EXE	31
PID 2316 wrote to memory of 2732	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2732	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2732	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2732	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	32
PID 2316 wrote to memory of 2876	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	33
PID 2316 wrote to memory of 2876	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	33
PID 2316 wrote to memory of 2876	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	33
PID 2316 wrote to memory of 2876	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	33
PID 2732 wrote to memory of 3048	2732	IEXPLORE.EXE	34
PID 2732 wrote to memory of 3048	2732	IEXPLORE.EXE	34
PID 2732 wrote to memory of 3048	2732	IEXPLORE.EXE	34
PID 2732 wrote to memory of 3048	2732	IEXPLORE.EXE	34
PID 2876 wrote to memory of 2940	2876	IEXPLORE.EXE	35
PID 2876 wrote to memory of 2940	2876	IEXPLORE.EXE	35
PID 2876 wrote to memory of 2940	2876	IEXPLORE.EXE	35
PID 2876 wrote to memory of 2940	2876	IEXPLORE.EXE	35
PID 2316 wrote to memory of 544	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	36
PID 2316 wrote to memory of 544	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	36
PID 2316 wrote to memory of 544	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	36
PID 2316 wrote to memory of 544	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	36
PID 544 wrote to memory of 2436	544	odbcrver.exe	37
PID 544 wrote to memory of 2436	544	odbcrver.exe	37
PID 544 wrote to memory of 2436	544	odbcrver.exe	37
PID 544 wrote to memory of 2436	544	odbcrver.exe	37
PID 544 wrote to memory of 3008	544	odbcrver.exe	38
PID 544 wrote to memory of 3008	544	odbcrver.exe	38
PID 544 wrote to memory of 3008	544	odbcrver.exe	38
PID 544 wrote to memory of 3008	544	odbcrver.exe	38
PID 2564 wrote to memory of 752	2564	IEXPLORE.EXE	39
PID 2564 wrote to memory of 752	2564	IEXPLORE.EXE	39
PID 2564 wrote to memory of 752	2564	IEXPLORE.EXE	39
PID 2564 wrote to memory of 752	2564	IEXPLORE.EXE	39
PID 2564 wrote to memory of 600	2564	IEXPLORE.EXE	40
PID 2564 wrote to memory of 600	2564	IEXPLORE.EXE	40
PID 2564 wrote to memory of 600	2564	IEXPLORE.EXE	40
PID 2564 wrote to memory of 600	2564	IEXPLORE.EXE	40
PID 2316 wrote to memory of 800	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	42
PID 2316 wrote to memory of 800	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	42
PID 2316 wrote to memory of 800	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	42
PID 2316 wrote to memory of 800	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	42
PID 2316 wrote to memory of 880	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	43
PID 2316 wrote to memory of 880	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	43
PID 2316 wrote to memory of 880	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	43
PID 2316 wrote to memory of 880	2316	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	43
PID 544 wrote to memory of 2152	544	odbcrver.exe	45
PID 544 wrote to memory of 2152	544	odbcrver.exe	45
PID 544 wrote to memory of 2152	544	odbcrver.exe	45
PID 544 wrote to memory of 2152	544	odbcrver.exe	45
PID 544 wrote to memory of 2328	544	odbcrver.exe	46
PID 544 wrote to memory of 2328	544	odbcrver.exe	46
PID 544 wrote to memory of 2328	544	odbcrver.exe	46
PID 544 wrote to memory of 2328	544	odbcrver.exe	46
PID 2564 wrote to memory of 1772	2564	IEXPLORE.EXE	47
PID 2564 wrote to memory of 1772	2564	IEXPLORE.EXE	47
PID 2564 wrote to memory of 1772	2564	IEXPLORE.EXE	47
PID 2564 wrote to memory of 1772	2564	IEXPLORE.EXE	47

C:\Users\Admin\AppData\Local\Temp\eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp890D.tmp"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3004
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:406532 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:752
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:472076 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:600
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:472092 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1772
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp898B.tmp"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3048
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp89AB.tmp"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2940
- C:\Windows\SysWOW64\odbcrver.exe
  "C:\Windows\system32\odbcrver.exe"
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp930C.tmp"
    3⤵
    PID:2436
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp93C8.tmp"
    3⤵
    PID:3008
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.easy-free-sex.biz/"
    3⤵
    PID:2152
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.easy-free-sex.biz/"
    3⤵
    PID:2328
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp9448.tmp"
  2⤵
  PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9468.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82775a300501c05114b25fedf5f7a3aa

SHA1
fde46ef04fcf445c33e4146b7d9a9f8dbc00fec8

SHA256
7517cdf5d4fdacd532c7d0f6d24424945de83b8f3164a4925243906334f680c4

SHA512
ccddd14e78902ebf3eb5d85adf59a6e1e3a7112cc7925a40d232b9673da0df417e10bd4c459670266bb54741041c5671d031d28c331adfedfa8a7db69e7cd83a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ea60b2e157d3513cce7e73050a59306

SHA1
cce09a82a9c03f0bba280ec20fc5d0ef9fefa610

SHA256
046cd22d9d47de85348fe47cd7a2a58ecd642957f6636dbd93ffc1a6b66726e6

SHA512
d8f904a99be4cc5f10c47cba1ddbb3d61b0967b6e7068557dde68b12342685259ab3edceab20b34b3c8f8bd8b54496c2ca5cd0703cbc45f561189584de0979eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05206db3aa9a856e4079931aa968e5f1

SHA1
618d895c72ad94e272f5c22e09d00f526734a343

SHA256
f49ad8c406cb8df53422a1855eeb826e2c534ba7f22321347fa211a3f74437fb

SHA512
3e715891e61ab2bd7f41cc9be70c4a41f2ab885888fc990772d6d5bf6fef509fef175c294309065e317126eff487ba60ccb2ca7ddf86cfca318fa79b1cccafeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
074ebede1c8e6ae2d50fdb39e62970fd

SHA1
bb0dfa4a539fe916b858d843ff500738636a2621

SHA256
b86bf5a41fc4bca1d934dc6057ab910561a9d6c540f74f732b50de6df1e6af12

SHA512
0e61aec3ad7254de1f5cabd9825fad0200c0d2e22918f0e53bd2804a698e9b038647cc65275a541ae26142578786a8f6603ac3dd902a9a6487398f140359cece

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
feb22a78a8262fde4fc2d4a1c88de94a

SHA1
d798041fcfe55cd2d8c83e4d4dd4d6dc7dd6076c

SHA256
840ce33cf5a53aac0d82c480556b26f6b2062e46c4a576c914df045cd9160a56

SHA512
bcf5ac6864f3005c599b1bc03b2ec3b0aa2bded4fcbe6814f5ee8aa3c15db145feb35eb0d724c9efde9551ae13bb942b3184db39a9800cadc8adf68460e4794a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2a13e60104e99a576c92b22030820c5

SHA1
ac421f420716d7999723b705030537c8a8f702b4

SHA256
d2f1db286d50181094fd8f24908cb54dc32ddfd9eda93591666561ee5b08a45b

SHA512
a2c362c3554dbd759d8af021a09e5fd483cce2a928c9e40aad98e21effb7fa58fdc2e4c47f8985c7a0b33306dbc5f4bb4258a066448286eae963959bad72cea8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52b242561da02e792638526ff6c5d885

SHA1
403fea859681acdf6759069d6c0423e702df106b

SHA256
eac2d8d1e1859122c36747cb121bdab4d979335faaa39bfb3d438a865a4cb470

SHA512
7868511d7e21a9476a5d829177776ee8d61c5cb64d6b8e3244f0403996c35edf264cdbe4de3e9cc4a2a05af837f876b234e0907bb4efe91185b8ffda5466620f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0180f2641ed2c17d1a75ff98db7bb637

SHA1
baee35a181f054e3e1cf43b95f2d0610b54be6df

SHA256
fc440df0ef019b8bb5b86b13d809cf996847d12ba7d4b8e36b5561c9245277f8

SHA512
0ff68bf9560d1192dc7682b69c37ca279a62fb10f6e32967b36da7d888f071998474bf35cd7e80da6bd0ca1062be327193ceec8ea1207fea5a4fbce766cd8f25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
175a696d5661aa6ebb489ce0a915722d

SHA1
f95ef6908c28ee38c3eafa5ed5566c4202e20077

SHA256
a86d326708773eed8bef2e831c19cdc480a11d9e48f54e9e49456a8bdd076b40

SHA512
607faac84c022612a61e7ab72f8608d6ae17723660911acaa675327c1a6e198a7eefd6605833630d5202c07bee1a2f3c12bd00eb2df6f8fd6a5ef688922d534d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
052dd26c8b4bec3f4b0a571e8fb46c34

SHA1
af569219a01f43fc368db4ee314cada386225172

SHA256
c36b239d54d14984ab32afb57af364566ea5b17256fae0aa8d2dc0aa6c15b4d4

SHA512
d0846cc23e3b7a243aa6cae1fadb60273873761c99ffd6357d705f5215a4491f3e9fd1a3bede38b46f0092dd98c6f8c317ebea6fa4a39ae17fe473eda80bff7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29e9e5ea6f727e4df37d47fac4fdd514

SHA1
32a5f4989df3b2305f9c5d8d8c00728957dbc1a9

SHA256
51040e48b2d1d97ea2a50b3c887023686ddccf1fed02271a5d9e0890b355674a

SHA512
62ce795ad5dcebcfd73d1650c09216f6e1c92095dd62592d0dbe160a4e2ccfc392e4abd556b866c2368fbf1438193a36092d1dbc3d605b8ad2c05f358f6ff6d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8ed411dcd1071ac3ced698a2afcad15

SHA1
b31c879f66492a14b0b20ab3d1b4a284dbfbf623

SHA256
c6f65f15a002250e083048889ecac5b602ec26b3a4635fda4ef0d321392bc62f

SHA512
ee1a3c76a61d79d44433f415e1ae9063a283eade1aa113be6067a50936e0e35fc02e865a85eda933c573b73ba41655ad26bd5c517e409bef25da89c702eb4fd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad7d5ef4fd3ea6fd527298456bdf6e07

SHA1
df9b5a79d1a48c63e9d44939ffa06a2124c29d7a

SHA256
4dab37f984264a1f4a99bd5e96e03e97fc0e405089211200f00b30ba3b5952b0

SHA512
b8915c14aac02b117857216a06e92f4d7f777acdca401a55f5c21c248cdd491f0a47b273e9b6349ba33be914694521d0ede42a4ff2bee3fe64e3403ca9e2f7ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23049e1d75282c1f6fd1828e9b24b28c

SHA1
a8166d169813de925d0d80ddd314d278819b1807

SHA256
b2837f1d7c3f0d200c0a14525ffc4f95613ba1ab5deef69d018f50e75b1f5c17

SHA512
0d1182b6c8f0c7d9e7abe5d09da0ace017a07e7a270bde155901ab1c8c9dc9137c1aea882a4de556d16e9b4a77ee3f0b7f6f60cf2bb048cd347b775abfa0e3c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e02864cb42bcaa43d5b27861b7ff2f5

SHA1
0bf4f797514e86c01f5a46aca110f63fab0d9d14

SHA256
62818f664bc9e94fcc20dd5abc96c6efaed472e47eca94eb97dab533e510cb94

SHA512
b875c4bb871308844b7688532553feec6d820020e87ba5823439914db60e64925b351a18b0fa136b4d87abd866c81f9a98c9f324402804b5c9840faad4c03f6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4671638c983c86cdf370092c0b9e6d42

SHA1
ecd724859de845ddcc9b7c1107af82213d718ddd

SHA256
19e435f97baa04704d0fd2f747319e78e66df96daba67073c0bc537ac2645858

SHA512
0524972be16f20e00260b22fff9837d048d36e06758dd7e9b323c24cb5146466e3fff6a0e618726e0e8b811703428ad909cc1584fe8ad17eb2070285eb2810e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a48c27a6c896d742a0028f6260d7be91

SHA1
ea0d26972752c3a6dbdd0c69a555e1814f2bef94

SHA256
94f44694488360a366f45698981df9cbac9e2ff76c5a8ad8c3168e7f86139d65

SHA512
831109b525effd0bc8c181486272efe47a036c06c1b2ddb9d52a4dacf1ce6fe624556bf6e21d7f6b017509abee2a7a4329637b58ab73d4218c5a5c69e4a83eab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac6076fcbc4aa8c527533d05f95514f5

SHA1
052af8f5324f2958b543e438536cde12c81290c3

SHA256
0989c7649426b205ccc8adff2b8571d4a04e7e6fb85af45356b8bbe3a629f637

SHA512
155f10b1ec915111f7167a8489c154cd668755182886552666f2f3f6861d41c4ad638affedf92fd72e7701e610204343aab789b82e137131e961e8c7e793381c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AC842EA1-77B0-11EF-A914-FA59FB4FA467}.dat

Filesize
5KB

MD5
b168baf446a168ac3baa2e0bff427f4b

SHA1
78ef3c171dadc624234a758ee1a4f4720dc9af95

SHA256
46be2af78c035ba944025c9aa02f56e1d3bdea9d97f6d4cd296229f8c0f10018

SHA512
95c98ccba033bd125c245795b93b2a7c500c201d5acb52ff723defb9ace8744123078e9a040a96d55a05169184abd93c6e698bb47a15f28bf1c500c320c95b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AC9370E1-77B0-11EF-A914-FA59FB4FA467}.dat

Filesize
5KB

MD5
e15d01bd2ab911facb232192200e1f20

SHA1
27e56c209995212675cca915e1ab5358716a9d9e

SHA256
ad996848e85e78cc39ee0cb7fd1d5d481e9019de825c612d0ebf244f9b77e609

SHA512
08cc3117964a8d0c8e39b9bbb053df8cf5cb9bc0a8f981e0e944ada0274c921db57cd36e72677f6336b1800bc89b6a2b6d2e924c43d1a1a85ebc4625c0fcde9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA085.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA0E8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp890D.tmp

Filesize
329B

MD5
0d7531acdaf7f5577b118bbbd6a82e2f

SHA1
48a8881aec7b35981a00f1951e1ec387a6eefb17

SHA256
758589404b2d55f4640b617816dedb613decceba92cf9e4ce38cfeb117be354f

SHA512
b390609796d28b402d9bb8e0f02174cee9862169602139392aafe82c8c5f968fa359af525dd538c676381ac2b6b2023d2ab72b30c715a37c22775f940f581595

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp898B.tmp

Filesize
569B

MD5
fde5eba975257d29e369f367965c4791

SHA1
6e5e6d2d2d5d24a76c0d97c3d2d1bfa5dc179523

SHA256
ac6257376ae3a0459908c9dd1a5274d2f4c957fc1993216be87c623c6ac391b2

SHA512
d0d68100bfafdfcc2f25137fd68aab04cc483fb92495bb46d435986329367213ac7bc81c984b6a6cfb4fa6a466f7fffd50be0d66b6865c06243ea77e26cc97b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89AB.tmp

Filesize
493B

MD5
50ed26fd7698e06e9b8ce83ca3ad2fe8

SHA1
3f1010c00e108face4dce380744e0756494426ef

SHA256
16ad34732f7bcba7265910fabc217483bbe204217e4f6246bec84f76bf46bd0e

SHA512
273a464dae413c43095d8d4db1c6349bc0e4616cd97a10319813d94629bae828e83de6bdfd595f865486780471142a7a0838037cdcefd7f9a4c0b48bfaf76599

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp930C.tmp

Filesize
442B

MD5
11919d4be6573fa86778220f8c235f5f

SHA1
9fd4fe1088d23bf7bff1c6209fccdba7ff5150b1

SHA256
b3fca75b6f1744455839fec36788873ba6d4700ee79b0beecae902214d98829e

SHA512
ed1d993402778a941f24009877bfdc470398fb9fc7fe4889d0b56a194cb019da094915fa10b9349f922f5af41dc0274d7b1dc9854b5b105fe5a59821ce2843bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93C8.tmp

Filesize
466B

MD5
ab9bf535b85650bedd40fd87b6cac611

SHA1
2217b502d69f71d1e362e621638e6ab17f4884a7

SHA256
27637d3fe2b614bb18768d26d331beb1931e59d70499f76a41e15351a922bb98

SHA512
bd5dff99a1fb61f0f7b37fd5813521e0efbe26a4da1c5a7b6ee401491a01132bc6c2ace3b9e6431fb8d53939f7dfda4df8b493e02da130e65bdcf62b04b96323

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9448.tmp

Filesize
433B

MD5
18d87d5596e8d3db05571b9f08b752cb

SHA1
9d72ef181e99dc62d0d8b8482bd5800529875e28

SHA256
07a1c05a4fd73a9fa71d8b8bad43f2efd8235c53526c365cc47c94baea1a78ad

SHA512
ccda5825b4c2f7b1623c9847cbed753f9067b912f0f25d9b66155bcbbbd51f51232a4ed677b3a208b6acd5f89905305e074c68eb099e878d0aaae383a6253b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9468.bat

Filesize
257B

MD5
e696cc28cb6842ab3a8a9d7787e693af

SHA1
b5080030f44913acc367dbee152609283c98e2b5

SHA256
72e724786ff3f0ef3c7f2236ea2b340dbf9d3753ab4af4319364baee84e122a3

SHA512
a1db76bb1b47083bba796d0705f8470ab9fc321b200f5e58cc3f91325749a1e8a32a104c5daaaea065fc2d88da1b2494660fb5b227b12eff3214ca8c2cb6c166

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
3KB

MD5
19afbf2184e7a69c2e41ec702b2a6923

SHA1
afbf544b1b38a5e7e2e11a5952207c69822d7a90

SHA256
a07b2e9e00b0ba3fa776a1f516f3b5297fd8a1bc6d3b0feeacfb4215fa54b07b

SHA512
83b187a133f62e41c6af9543c049b1b53ea58012109e88a7f797df725a3a739506e84f91bcf61d5e8536c5cbc1c2cacf029f6cd644f7f55ecebca0d0d539f124

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
3KB

MD5
c07edf58d42f8f8ee53bbe42edb982d3

SHA1
0086b02d7269164bbc745d7f513497d047143431

SHA256
e2a8d17bf8ad3769ebd162d66f7099638f7fe7d513790b97ff5dc452a4aa81e1

SHA512
e32f1b1996a15252a7794416df501a74fa60a794d1101308177090fb3511b871c39e9c6d252e45af77c38c7b8e517893748fc9e47fc4b263da6684daca660c67

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
4KB

MD5
8b55b6b2b2dccd6e3507ac0192d12dc5

SHA1
70a345b1a4c58deacb05c43073bc018daa48a496

SHA256
1f0a85feaca15025ee6084036968444563139da9f48265dc1e14d3a747e74e61

SHA512
d5e81a400390ad961e483c5f69402f57df62197565793d0d51061c6f0ca406cb3e4e593748a0ff820936ec0c1927b63e895bdad91acf2b46ab15b9ecef7b11e8

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
1KB

MD5
be654eb16cab1450992e06f66e87696c

SHA1
b11ff08dd04f8aa6cbd2e16548b996b69d8559bd

SHA256
14b2ed4aedd9e959cc130e1b35825e758d0037ccb6525591ad8c30e7da5d83cc

SHA512
a7733e731a24f4ee2cf0e0d71a96a979e85d4936b8697f4c6655ef00a6cde4a3f0cb6eb6cbf444c3c48e6e4dab084bd0e814475fd14bf5e4b77e3b9c2a87f4ad

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
1KB

MD5
789e569ede1fe5f6ea05c589a5c259ac

SHA1
37c520c7b360ca3ffe30558e986eae710d71a83b

SHA256
bfe8f0d653f852d9a3e5987f01eb260ca942c7c066f1e2a89290be7ec4d3c41a

SHA512
96c9b83836d6bf0d82d1c83e6bffe9ee46a07409d090a7dd5cf30bd4492f40f899b77827c956915c6bae926cb1bf22248e14659e2f93d413772cde9eca66791f

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
2KB

MD5
eea745c37fb16e92811d1a9b8df5952d

SHA1
f5a50aac935d8d74698a64849e20bf57e7c19231

SHA256
eaec77977b508afcea5e86ddad88dcb6d7f91973c826b9849cf94f027e4c7196

SHA512
c3cc86ac38edf1e86edc46435daacb880b662e1809f7decfe905758c8bb3d8cf41a552e70bc1389bb1d0ba40679e5d480fcd5cea687e9d5a5b6dacba19a4d5e8

Download Submit
\Windows\SysWOW64\diskoree.dll

Filesize
28KB

MD5
e4e9d5dbdeaf37515554ed4baf3d9f09

SHA1
624c2980496462028baec6f74bfeebc03d50e3f2

SHA256
44fc32157a0dcdfed536061b1c52ce357edf7c0c015a5b29a42961d2c0e2164a

SHA512
1e2ebc6180f0226d04c3e0b3fa14993c358664b9911ecd277400bb205372fac96a35c6d63cf161d55c663f8d43d808c62eb5afbabb77a6cc2d1185b622379a70

Download Submit
\Windows\SysWOW64\odbcrver.exe

Filesize
150KB

MD5
77f72b89396bcc48f278a277d85f5b45

SHA1
90613770dcb0aa8cc7fba6d3928b22939095aa51

SHA256
557b5194cb6abbee24028f9709413f64bbdf527adb23dcb7bca872cfe537603d

SHA512
bb0d762d21c40a40ecdac91670cb6dfbfbc48709f6be9777b7cc64cc81d0af22679e156d4e9ebc11a4f53653cd0a821bad4df7c13b97d1877c1ebfe5fa95facd

Download Submit
memory/544-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/544-90-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/544-1032-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/544-1033-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2316-68-0x0000000001FC0000-0x0000000001FEC000-memory.dmp

Filesize
176KB

Download
memory/2316-117-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2316-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download