d9c575c88b654513905e0924b68740aa8f8d35804a20ef2521463462f1e7ad27

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
Size

57KB
MD5

04fc1edc170e97f32acf3a88851d19bb
SHA1

a7accbf28caa2a5fbb9aeac37272e7e92be41d9e
SHA256

d9c575c88b654513905e0924b68740aa8f8d35804a20ef2521463462f1e7ad27
SHA512

80346417e61db7644d2eb47d36ba3943c916972a119248820afc38138ae146e2656048729748dd4aa86a1180019eac333281faa21a1a4eabca49450875e0cde2
SSDEEP

768:0PC/QVu/fe7NjcUFnf6Oc5QubwY1zX2cyFx4sBEw5SGRL2gVLRrQUboiEsZQT:0K/QofGjViOcGFY1Hy3551qsWUEiEsM

Score

10^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe:*:Enabled:NVIDIA driver monitor"	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe = "C:\\Windows\\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1752	netsh.exe
2088	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2964	nvsvc32.exe
2644	nvsvc32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe"	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\NVIDIA driver monitor = "C:\\Windows\\nvsvc32.exe"	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2932 set thread context of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2964 set thread context of 2644	2964	nvsvc32.exe	41

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\nvsvc32.exe	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
File created	C:\Windows\nvsvc32.exe	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
File opened for modification	C:\Windows\mdlu.dl	nvsvc32.exe
File opened for modification	C:\Windows\mtdlh.dl	nvsvc32.exe
File opened for modification	C:\Windows\nvsvc32.exe	nvsvc32.exe
File created	C:\Windows\nvsvc32.exb	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
File opened for modification	C:\Windows\nvsvc32.exb	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2300	sc.exe
2212	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvsvc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvsvc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05142421-7FCD-11EF-AE16-46BBF83CD43C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f09fdfded913db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433932270"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000767dac96688b67b9750300f1db74e1daf2a92a62b7da21a7d15c853c43f90712000000000e80000000020000200000006d7b7917b1e142ef26ed667bebd173bb0404dedbe3e5676e54818a3d2dba411e20000000c369bbbcffe708611eac4b627ed7cd26530958011458a8c883be8198ce9a8960400000001f98b7823750260eb2c9a0e75e3361722742d42fa020d610870e4a24b85c9c220e2be65a1a30a16cf78f54f112b7e6f888d9c05e323a4a1ee12132aff70a2053	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000348ac8bb9e6f8bad9fdefd28921a0b468b0caf4615f6060ec5abec6f6aa4cd46000000000e8000000002000020000000ea50471834d002f10fa755a5d16b04ccb3c09a49f46b584cdd74abeb789683c690000000d983bfe18e4e0f0f487c09379e2ea65c34885a840652ebb03084e8dd1da24967c629f9872bddf6aa0e285fc3e2ca9f1b8bc5df9ee3e324f6acce342b3931d7322c8aabdb32f11be46603181adabfd3ab74f2597b5a8d3e22ddde419125dd4ab135f0085cd39bcb16c1a8c8c63eb881ebfe95ef930d9f97f407eb17143678013e1c70f39a466236345add5a52eaf17b894000000010d78bf26eda2c20d1f48b90af62eba8df03b3cad6010572ac50c05c5b2f5b28285a213c476d91cbbf0aa4af8f565d9cd285a21f6340fc4e7a47df35e884bf3f	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2644	nvsvc32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1924	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1924	iexplore.exe
1924	iexplore.exe
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2708	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2708	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2708	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	30
PID 2932 wrote to memory of 2708	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2228	2708	net.exe	32
PID 2708 wrote to memory of 2228	2708	net.exe	32
PID 2708 wrote to memory of 2228	2708	net.exe	32
PID 2708 wrote to memory of 2228	2708	net.exe	32
PID 2932 wrote to memory of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2932 wrote to memory of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2932 wrote to memory of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2932 wrote to memory of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2932 wrote to memory of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2932 wrote to memory of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2932 wrote to memory of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2932 wrote to memory of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2932 wrote to memory of 2756	2932	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	33
PID 2756 wrote to memory of 1752	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	34
PID 2756 wrote to memory of 1752	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	34
PID 2756 wrote to memory of 1752	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	34
PID 2756 wrote to memory of 1752	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	34
PID 2756 wrote to memory of 2964	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	35
PID 2756 wrote to memory of 2964	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	35
PID 2756 wrote to memory of 2964	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	35
PID 2756 wrote to memory of 2964	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	35
PID 2756 wrote to memory of 1084	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	36
PID 2756 wrote to memory of 1084	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	36
PID 2756 wrote to memory of 1084	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	36
PID 2756 wrote to memory of 1084	2756	04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe	36
PID 2964 wrote to memory of 2780	2964	nvsvc32.exe	37
PID 2964 wrote to memory of 2780	2964	nvsvc32.exe	37
PID 2964 wrote to memory of 2780	2964	nvsvc32.exe	37
PID 2964 wrote to memory of 2780	2964	nvsvc32.exe	37
PID 2780 wrote to memory of 2612	2780	net.exe	39
PID 2780 wrote to memory of 2612	2780	net.exe	39
PID 2780 wrote to memory of 2612	2780	net.exe	39
PID 2780 wrote to memory of 2612	2780	net.exe	39
PID 2964 wrote to memory of 2644	2964	nvsvc32.exe	41
PID 2964 wrote to memory of 2644	2964	nvsvc32.exe	41
PID 2964 wrote to memory of 2644	2964	nvsvc32.exe	41
PID 2964 wrote to memory of 2644	2964	nvsvc32.exe	41
PID 2964 wrote to memory of 2644	2964	nvsvc32.exe	41
PID 2964 wrote to memory of 2644	2964	nvsvc32.exe	41
PID 2964 wrote to memory of 2644	2964	nvsvc32.exe	41
PID 2964 wrote to memory of 2644	2964	nvsvc32.exe	41
PID 2964 wrote to memory of 2644	2964	nvsvc32.exe	41
PID 2644 wrote to memory of 2088	2644	nvsvc32.exe	42
PID 2644 wrote to memory of 2088	2644	nvsvc32.exe	42
PID 2644 wrote to memory of 2088	2644	nvsvc32.exe	42
PID 2644 wrote to memory of 2088	2644	nvsvc32.exe	42
PID 2644 wrote to memory of 2592	2644	nvsvc32.exe	43
PID 2644 wrote to memory of 2592	2644	nvsvc32.exe	43
PID 2644 wrote to memory of 2592	2644	nvsvc32.exe	43
PID 2644 wrote to memory of 2592	2644	nvsvc32.exe	43
PID 2644 wrote to memory of 2800	2644	nvsvc32.exe	44
PID 2644 wrote to memory of 2800	2644	nvsvc32.exe	44
PID 2644 wrote to memory of 2800	2644	nvsvc32.exe	44
PID 2644 wrote to memory of 2800	2644	nvsvc32.exe	44
PID 2644 wrote to memory of 2212	2644	nvsvc32.exe	45
PID 2644 wrote to memory of 2212	2644	nvsvc32.exe	45
PID 2644 wrote to memory of 2212	2644	nvsvc32.exe	45
PID 2644 wrote to memory of 2212	2644	nvsvc32.exe	45
PID 2644 wrote to memory of 2300	2644	nvsvc32.exe	46
PID 2644 wrote to memory of 2300	2644	nvsvc32.exe	46

C:\Users\Admin\AppData\Local\Temp\04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\net.exe
  net stop
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- C:\Users\Admin\AppData\Local\Temp\04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\04fc1edc170e97f32acf3a88851d19bb_JaffaCakes118.exe
  2⤵
  - Modifies firewall policy service
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram 1.exe 1 ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1752
- - C:\Windows\nvsvc32.exe
    "C:\Windows\nvsvc32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\net.exe
      net stop
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
  - - C:\Windows\nvsvc32.exe
      C:\Windows\nvsvc32.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram 1.exe 1 ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2088
    - - C:\Windows\SysWOW64\net.exe
        
        net stop wuauserv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop wuauserv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
    - - C:\Windows\SysWOW64\net.exe
        
        net stop MsMpSvc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop MsMpSvc
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config wuauserv start= disabled
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2212
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config MsMpSvc start= disabled
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2300
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2628
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://browseusers.myspace.com/Browse/Browse.aspx
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1924
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
72cda13e7542a0b55bad35cef7e59989

SHA1
9613629143eae10c721e668cb011deef3f3fb3bb

SHA256
011a3ba5319cee6319bbd83aeb9a4126488b163f360bab9b9368021f6d2f9cc2

SHA512
5988404589863841a244bece364ea7b36e04f5cb651838c8a5b755b8837d58ccdf6f72e2acc9bfcd2e43d9d666d7d4e35bb8f479f7bded578660dbb0e7826ce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5710f857c635dcea3b6eb5dbda16df73

SHA1
1469419b5d14abbaaae9ffd2b853bbd07c1062de

SHA256
c66e0fddf11441846b626083d67d2379b4de6c27b65d7f1ac530d73a14884dcc

SHA512
324ca681cb35a391d9524b9c2c6e702b75d926fa861d8f136dbb1985538714903e9f1eb55db51462df005aec517caf3fd0c646e68f8c069e581b707b8484d8c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7368f030aa4ea522c6b5ff6ea06037d9

SHA1
a71ab347ea3b6c4df255caea029b0ef4d9a52896

SHA256
5156d24d7d400b917fc3c4860f3b93ec2d5015ff36ada3d6dfccafcf19d36022

SHA512
6b30276bfb46ce1fa3b0ecd861441fd0e4b65b459441e2f89039605f77bf00a48f539cb172b2efa72906e2cfd91f8fbf2b54b7393539e263f42462db9cb16718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cba03650a0120aec7debec31f473f900

SHA1
a51927e57b5c2fcaeb39139f0cc6f4e4687fc93b

SHA256
e6ec71ee80427c580875d25f48a8ccf56524039e082a320817b890225a511ac3

SHA512
c5cc27d57ae0a3c76e44868a1ccf0e14840295e0fd8a89560836e4817e34bb004821263db562ff9d24be6be9e21d5c06a2d15251db105f41d102388899900b7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18913795c3ba9f9570cba038e7022775

SHA1
31caf911db01cd24e238fea444b27e20e5676f34

SHA256
01dfc1b2ce5fde89977c855b1bbc516409929faaf9bd77bf618f6e249066cc28

SHA512
9e2d660be9e51eb36edc1e039c82ac8e845b30ba49abc86be2c31bda8f7480f62007ac8ea8cc9f6a5365f80b035dd099b7b36ebba3fb8f1d320f8150436f0afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb075c7b3b478220db7759e26061206a

SHA1
512f6bbe01119704a0bd19cf4aeae092445a0433

SHA256
ee53bbac39fba9b0bc2df5702718f6ff60173b4a189166bd01e5bd70a987f6fd

SHA512
3bbb33a2627b1f62f1b52af3efb643e670b12d6ce4fce35702e09fa92ee3c0fad12ce71ff213a87948c8e5fec7b328afef79c60494c028b96e2d9064e80b4725

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
852839c88beb1cef47439a825d6f1940

SHA1
a2ef3758b0438be83ef52ad9870cdeacc29337b1

SHA256
b92a83e0e1b57b9ead94be09e8628ece63e7de46ec7b056a743d09724c4b4453

SHA512
64f561184daab329e4596d3cc4866f39f786446a321c85c5307a9c9522bd536825259a12b74c76d3c33d64c35b368334a614edccb0bebbbc7c8ff0e16e627f00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b8149a7c643288ca5a69d78ed69fb4c

SHA1
22b6dc35265443f851b9dab66eec4a0ecdc1c75c

SHA256
0529f0fa6c9f1fbbc83f72eac918f3fbf334fe21bb0ea40a995142d9119493e5

SHA512
fe2c2ba4d89818f442b8098910d086a56b849794522004777382a6a962f6243332abcbaf5152a1d0a9c0a90b25b52a689e2e4e6829aab73a6bb8da55dc39baa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ef47a4157f6377a4e93e573f2447388

SHA1
6c3f15ab011ec584ebc3ce685012d6668bd6123f

SHA256
af4547f599cb13f7838e2f34dd8ea2ff1c0374c8ed3c0beaf1a2dbbafdb1c4f5

SHA512
bb502f917c9f37b01bf5db8c179c6efcc036440e798b1c0ea52d0e0ded64194de9c5078dcf68b406c407634e934bab97248d5319d0cbfa6524843cf9d9f5ff59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9a442cda27cda65a6282199b5ea2f58

SHA1
6fc7aef2b6a967ea31841cdf5f05938f834ddb9b

SHA256
3f41a5c9980815245c5a07cab970dd202239720bc5256535a78b1a1042f62feb

SHA512
5b13b0832822de6283bc6d1e7fea706942960c8dd97f5de7fbb8826633e9b9e6614354e726865b96592f91c8f967da14a7a3517046f4ab31030a4efd8e1c9fde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3974d9cdc54ed0419c85f804bf2264c2

SHA1
558d60f01ddb2abef6f93a491c1db716b63f3899

SHA256
480b814daeda3e46d5d28ea37ba0381931154d81efc83c2fe29fb287f1ba888c

SHA512
1f3447fedb2528b274ae5697cbe8dc9d7965e2146106ab45d20d5d4e6fd3b1658172edcc87fb9002c2243119a9c33c1e6f3a1107619432e54dfb1decb393174d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
334db45468a9918f751dd2516e928944

SHA1
add7a39343e8e3e45cbec6dacbbfd5febce1f10c

SHA256
6eda844a3a58c160c9e820f244e0d60e9342a635d9a88f459d33da4fb94f45cf

SHA512
df5e86e9dd6e39aa222173f4a15f5b5f724ed98c12a02997be2463a0445419c20dec5246efe22ee7758bafa4c85f69979fcfd8f213caabb8fc8ff91520ffb0fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6eae09d85a48bbbe52a38f1dd3fdbd9d

SHA1
b60f0eb9a8f3bcf983c8bc42c377c81f92cceb17

SHA256
0b342ce4d1f889c4069bd0b372a9bd6f89df88d95077ad3a09e899c5a6471b4c

SHA512
8261b607d1e2c87a3a5f08e7b740ee5b9e21d9ad438454389b3e3e71f10381b9fd3edd35394176d48a1f83a03e4e029eacc9041fb5856d0967e38d594d2357e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ebe5aed5e47daebac19cd7226ddea66

SHA1
5875f03679b477554c9d4e69cf7e02208c96d391

SHA256
eb20baf3b5b6eb87305adee0ba75b3402c1fa48c4f6f114688c98f88c24ad49b

SHA512
3d3e56ca3cf3f1f3147a912199311ac5788f6d7d751e93be0dea16553701a4c47ec9b54b86af350703633dfdad46f4d69cb14057154893a01a6659bef035b256

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0a4c40941b12d611011de012b6134d7

SHA1
3466e669f14734a5851932cd6a9a9dd6e9ad6009

SHA256
61472bf9cf928b3eaaf94374bfb86513e7707ef30b1c81b819e2ac16c2793ac3

SHA512
8589163aa2816ddccf16743a1eb714d4b01696afd89bc096c12a2797f5ffbd0a6fd061fbc862f00f06cc03fb6d80a4ae37df010bdfc4e2602d72a2a9441879ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3678c14827ee4e65d1d689cf05ae2d3b

SHA1
f10ce35ef16516db1f08479216c9711791414253

SHA256
a22fa9aed32d421594b23bbcd73b06a1df117c04337ad3485aa62808cfd09ab3

SHA512
3d57e33c7ee276be6e5799e1d00c571164d361207e085710e67067ead4302f54cd3c32351f37f0dac8a53d0d812d3a681faadf8dc38398db0d1484804cd0fc95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38c630840d173898f0819171c08bda34

SHA1
ff3d19847eaba2cf8c252ab9ef9c75582bac5461

SHA256
532cbe6a967655151f8cb95754aab3f703e4646a8464e5eeaa8d593b82e6efb0

SHA512
5c54f91e3ac8b3139cc53976825dac0665f93e1aff1c0edcaec4fc1413149a9979ed0df985eca09b98eb290f4decf358652db860af1425e1318793d6acd7bfd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8601c3f4c264b8dfbed2b884ab6114bf

SHA1
95308333c4b628a9a522de0448bd0d8b42c16e13

SHA256
a424fd3e3912ef4f7f6bce21eda036211b2f43a21e94a991b1282361d0367846

SHA512
4ac7bce3554e524d915e4ef5caf3cdea5fb3508ca8ce2dd22b57dfb70daef5acbc6986fc7f539c8ebbef196985e89bb78bbf0885c9d381df5600af20782c312e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c03da635c485c0b92d46837bb581a2ca

SHA1
ebe11247261c58824910192bb1f9e7688618152d

SHA256
781745227f7144145f6d88bc2e484ba320ecd2e6cb2eeb1edd97da6f1e10a1fd

SHA512
af7f2703edabc7cc183d2eeed2c6205f4eb2249791cac26a7afcf6e6b57f908faeb3baec2a7e5bb20c3a81cc28e7ace69cb4f054f8b1b273fa0100fcef444565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80a6e7d14541c81cba0aedb370546ed6

SHA1
e1db62cc7bcf7199abdcc5a251382b6e2385c421

SHA256
14f005dc6e45b63b75d7e2071cbb5891506261f469caf22ebbb8471137a9d9c8

SHA512
c7623d8069f111fb8c40af6c1369d9d58d60e5c0b187661937dcffe2c97d9f6e093d588a3778f6c37fd008e3fea5d5ae4a1c1e8dec4a87ca52dedb4b657da6df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc7ddffc03314f35ea7c03c5d969ecbf

SHA1
e873ead0cdb1b222c6b5cc1846d1ea2a10219e8d

SHA256
92a14d2017d3263b6e2ba6ec8aeed10c83489f50d12dfa429ec0f5a13eaab536

SHA512
70ea409c57d3f917e0c6b5a5f3a51a09164f1be65910a65833b68752bbde02b548f8d4511ef7c9bee0c647a183a040531f75ba0e9d3f9a4e97cbdfa31ba75125

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5ad43e8c2b76569d30436885f3d729e

SHA1
c88c66546f18f0c43f9660be5e5a93bd9131c699

SHA256
04eeb0beeb5985ea6bc0215ee91bfb2b1a87a39696e2904a561dc86a09bd5e88

SHA512
31519063ad20da809edea78b6247b954a2f80290f7c4934d2ceceee0743584987ad64fe89ad7bf74354a66d7bd50ce7c04c567dbf28581f72fa88b9f3ddf7b09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bab762ec09ea394b2a3566d970d25ca7

SHA1
7ae25d2e9553234f2c8a688470e18ca32b5f26cf

SHA256
0b4f42baf66c5d87f54e0e933c42038398e13db822eeec2cb82a8d779a202596

SHA512
86efeda32471c92853d13d73c7c129c081e001e3f4e586c200202f5e170ef615d3d7d7405df9c38ba5721a195fc88f3cf74e424728b121777c862b056992021b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81f7f3a0d491f800e7095cafeaa6c905

SHA1
0feb39d051697ff53933af0560a2ab0060dc142a

SHA256
36729bb0c532a2cda4c5523c3a16a220e9d24afd3aaa2ac1bea1ec00b594812d

SHA512
187e0ac4742ce952a4924ff6f0cd39de83b9d17c8147a1f3a566a8460c4b20b2f15cfc945cf670d0ac5cf3fd1de23363599c7dc67c180fb4b814b2949922a733

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7190031e52add144aa0137f5b4b4de11

SHA1
3cf46aace7c7020d30c89e59b14fd6a527b18620

SHA256
e65246a4abcf6c28e816b22637ad9a03b63c1960e1157f0c250204c490f24e5f

SHA512
671ae0b115e6412312a35d04981f685ed6e69857d1fef8e976bb26fe1697b1c24b47204a487521a9454579424d991194b5bd5cce325cab0fb59b310bf236a2cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bade0c5c2e32f1bd1c959a59f4a1308d

SHA1
3861ebed7d69132ca013e3c139fa47ce7c760cca

SHA256
e3a87b0f65b8448d303adbfc9654e0b5526576d1939ecbfe390fc3ff3789716d

SHA512
ba79c9cb77619c432cf6298242516a85f6eb3eef0be3e1cb01c4d6c7e1347ad409cc0fa4c0813735fd7478d78c48697983bd2c0096cdbfc5db0628f0db08396c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11b4d85bf871d40b35d5b85f4e42ff68

SHA1
5b269f87d922b4a25a13b229bf91bd0d02f6730b

SHA256
6a4bc7863b84fd2e1766a42f8eccd6dd800f424ff7f89c24c4681cec38457249

SHA512
01779f6afc731bd4fba31d86544561ebf7b3104a95677d57cb4913d9a4acadefda5318247d7de3b3598235b74bbeedef2b1d3224c4d1e4bc8a586a009a24213a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18a688bea25736d0a1162e6a96592e9e

SHA1
8ba5643f0ddab1f600003532a2e80f38950911af

SHA256
7b0bbc945a8415be2ad30bb4d76c1536ffcde546bd1bb5029e4ad974bd7ae234

SHA512
4a56987afa386fec4b30e14a63c0a9f819ff621f6a0e3c2d081676444083c93a696e8483acc8bd7c5e647dad934d9df9d062d68b3e7304288b7b9c25777f4d86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16c73be794f0e92962914479ee8aac3b

SHA1
a2adf0ac58067c4116ecb4b58e98baa7dbb75c4f

SHA256
a36ddbf876e43fb7b578c2d62c299e3848b109e222e893548d72a3a5aec86ca9

SHA512
417eef2d67d3c64f39ca0037ef2324d127c168cd0a4e4b99ca5dceafe65d04e435e2e124db26a6991e33e3693d927493863591ab6013fcc7fe0233c67df9991a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e51e7e840771c71f169344fbd8d994ee

SHA1
9cfafd965ee0119d57daea6f30e25e1b560bbf61

SHA256
d0e10811658509e56f92485c6436d3dabf5627147c304ffb972930c2db7289f3

SHA512
8c1f0c36ac74b231fc6a6644cf734cc25e181c7e60227d8655ff137c0bb700a754d2ed535ded6fc47215755fe18d93b0192925d8c04417791b5d7c6f3712b49c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb6e85146389a8e564baa5fba2aa857f

SHA1
d94bd98b270f92b7502e35f680eecc7e63fa2e94

SHA256
3aab924cba48ecf50713fc1130667c2e53f783ad0793e54c30dad18622b5e11f

SHA512
7999feb0366c961c9e05cd1c159a85ea951d1c9d15b58679254e8f70b0590d56f68f89f1dce6e6b1c197a1a0bf827fd371572e9c97038e8b72b8aa65b5a02d66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3115cb7764b5b6ffc237d9a94a5f130c

SHA1
b724fe86c49d18ec26bcf3a2f3d9a606eacf35e3

SHA256
2eb315f2d9925e85390f5748a254593ff604f931592312f9e59502952d233147

SHA512
47ab94728da76b613d48aea4164d70a13bb86ea40f78c583fef03da7599e898e743fc6f30f43c83460c82ddfd5eef48192079ee47efaec70d4b66d5c5c42d88d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41e71d6e3f42e0d92d3eeb1529e169af

SHA1
c4ff7eeba5f359c5980878a99dbe0cca62c67559

SHA256
86a8f3bbe63be3becc8e727a5ab18566ecb57d358aa33de3f3931fd35f9d6039

SHA512
edcf32a536287fdc20beed017fe448aa3f9e1bdf6cc7eb483afd6e3b1444094cad3c1eb66ca757bf8d733b006911f5d117ae8f3584838e4a11517c073c769bb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c881184ac55e5e6337951017767daaa1

SHA1
09b80fc1b267fb1bf3d1f19a35c88c048ebb9d89

SHA256
23e8719a93c9dfb4a7e3e7e420912b38d9358d1750e602c57d0a17ef184cc87e

SHA512
78490fc7d1ea0087b0f215ee00cff7ea67e5dcc8d9f2a672da4ea69e04229d8cc7f5a6f24f6a64dd172b3cce3c4ce26d0785f92fd37337efcd4309b3f490a937

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d047daf545ff239f21893961af090356

SHA1
8874c72382fc35271ba9b5eee545e6478fd8b74e

SHA256
32c93b8834e498972446157e8cccd4df43f143fc8540729e686086373dc7c30b

SHA512
ee19597c65589f6826614c7bc477d6385ca465e7b7bff7ab026effed373659047f974cb8e76a17ef5b33a1940e9ccbee2c571c918def2de5ef3051a2ff12a0df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73447f28ef2f352103336b7406c0fa98

SHA1
3502669c338715b8f8f4c48b9a83f252b5ca97f0

SHA256
b697da7ed9554e9882e36838b7482b4cc97ea5256c8259d8663e85339d90f6a0

SHA512
14a5f6c90da983cfe011668b598db3b257eae3730a2b41d157634b750e1691ffbc2e1422534ac97252041cd73a8cfe631acf7fae938635131f880f4dec66e9e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
658d4defff11fa345944aebb946b89fe

SHA1
dd6f4f14774421a44dc8b8da14d1b47f157b5e58

SHA256
dd3ffad591916454ccce666983135f3aa64bc983b408eb22d30a400a9dad3ef8

SHA512
eeb806289b16a09a94ed14ca4ef3bfd7379f205b376e1f64d9d3a084e808738d3b76cc7f1b467f42fd33dae38c5575b34803e4f1c4e301950f0568d6b414bcfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1e27ea3380893bd1078ecd4353bda25

SHA1
f436dae58d340d1fb06699cd64f65ab4247ea8fd

SHA256
7e392922ebffd672455b8a7b2bb38597175addf5572b1806cb0ed2fbc3a5cdb7

SHA512
4ec55690e8ec1b0a0dca55a72c708f75436f6dd760ab1eeed7fcabfa25fe69a00a562604265d3860e7fc80bf82c5e89782023733a155e549c2dc21ac86b3d869

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2297ad9ef2fa1c5e0f072df8ef123006

SHA1
bc83fb4fa2de138355ef7a82b72e943a212d288f

SHA256
7580abaf3f304458698b5a82671e77b8b62efa068da7a81b83c6de8a92f9942c

SHA512
86971a05451bfcc477d11acff1d0febee0118232d9c1ff596056342f351025281395afceac1deebff6c062da0ee14df936f90571049a2300db75dabe94add497

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a64fa5d93ab1abc69b5e7129cac5208a

SHA1
c6b3faaad8e0943d004a06453da76f5234c5d4f6

SHA256
fd8c07a3d89c26bc2422d442bed07682db7c294e4a9f0dcb637c8555d82c8e75

SHA512
016bcff2a5bb72da39cef93df9ae844e9aafb40c98876d83adb4390fcefc346f407653a893fc8a56bca7d1c0810fcf54a581009e07160a393fb11d649c73737f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
938d700130bcba7964c23c4ce2f42da6

SHA1
eb126d1ac67d00fa3a8667ac1f9a31a50a8effe2

SHA256
f5bd4d4d7db2d31cdf4c1072d77e465f91b67bf3aa99d9bf5c00548729b9b07a

SHA512
984456ee8de132845255063d61a5f73e30270f4aac0f2aa2c5b8437185c14d38a8951c2361c00ee34ec4119fdc0a9ff5a245c73f9b6f4da159ae0384b993deff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
591b191770603668d9b4a633b75a4bbd

SHA1
ed939eff062e2977ae89b19b6046a03ef94a1403

SHA256
9c0c9966aa45b138421234e790401590acd63dc464545752327d55839e2584fb

SHA512
5e8842340f7c6307628be7077db425f7c30b4227f61759b6d813d46eb2a24868b24639b5e5ab6ed1cffb6dd3e1480983251e29b74bc6249a2143001c013354b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43b8d8ee6e029ca908a646128769fd3c

SHA1
469faa885b310ea6434e0ad1345cf622f47f872d

SHA256
237245559b71854e027289e4d6e006ff38a11324a16934bec791ef2bc1918261

SHA512
9fc9461074acf85cd2223aee68a2b34cefe8615fa1f15e155c51104ec5aea617b8284140f7b91dd87e93166636a0e5c12ccbcd5203fdc8f380bbc63c15c96882

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90d88aa684a59feb7d5fdc673eae64c8

SHA1
429b80f06eeef4869fba70775adb012dc631c44f

SHA256
cdbfbc18d7ba33d148d15d20a5d8de6c8f0532f05467eadfa951c7dc1b536e5d

SHA512
0f6c8e7558a72f3cb3c93cd53ebb5b6a82404a0910a362301ea3c109dc3cf3384f41998b130525fdcae344ed6a4446c1c58fe6fa7b0e3fed4de332cb47b1d5db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
149b43a79395a71b72f294a2cd928640

SHA1
9b17c79d856c845820b6fc7ceda5ed73926ec3eb

SHA256
4816999295d6e0723bcf8581fa9320a06ae8b02ddbe094d531d44ed94d5cec9f

SHA512
54d265d3dfe517b2bd95802063629e7364856372c123029b27d22789cc6ca78184d228e2b6f00b2d595182ff1fa7f91e8950a1b34ac5d84fb259bb97f8308265

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73c26f11067f51332aebbcd3f37a5e4d

SHA1
274be854108705d691c07698ded39687fcb0abf7

SHA256
3eff3c769bf6e840240ba26ef7e46be06ae9410f90efdc371fc5dacda5324e4a

SHA512
37e59818485208268acf50f454122163568cbf1d1fc2d5329327602baf87308fbf03a5a67c832a24a6f4e590171abfe90572ec1316553e2dd21047a3a9a58120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
28b1642b95477d43488f0022aac25ee8

SHA1
b2cc706b650690ba838b42a63e63dab58828e923

SHA256
40fd8ee9e04222853b217690966384a9c37c68395867c64e44b9d9bbacbf7973

SHA512
6be71971247c6aed0355b2a71701d3ae5d91ea17e954f0cdc9e756d9201a0e0848231c03e011cbddd0d800273c2fbbe077f59e11814b8d6a014182ced41ad075

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab89F9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C2E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\nvsvc32.exb

Filesize
57KB

MD5
04fc1edc170e97f32acf3a88851d19bb

SHA1
a7accbf28caa2a5fbb9aeac37272e7e92be41d9e

SHA256
d9c575c88b654513905e0924b68740aa8f8d35804a20ef2521463462f1e7ad27

SHA512
80346417e61db7644d2eb47d36ba3943c916972a119248820afc38138ae146e2656048729748dd4aa86a1180019eac333281faa21a1a4eabca49450875e0cde2

Download Submit
memory/2644-41-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2644-2721-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2644-3269-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2644-2287-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2756-15-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2756-0-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2756-46-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2756-4-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2756-10-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2756-7-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2756-2-0x0000000000400000-0x00000000006FC000-memory.dmp

Filesize
3.0MB

Download
memory/2756-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2932-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2964-40-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download