b4679d37e2c07b7e745bc25c4cba0af02e8f792a21afc474fe6d476216e16a87

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
Size

111KB
MD5

0559ef6a3510d9d13e147921403ec9e3
SHA1

4b018ee52b60cfafb8cba72b59ef6d14ca437f91
SHA256

b4679d37e2c07b7e745bc25c4cba0af02e8f792a21afc474fe6d476216e16a87
SHA512

451199654eea93d04323c5a2b0015b793a88ff9c61b563bc77fd2e3d265037eccf7b666b24071879506de363f198e18f60a7a0f182a8e10a46d5b32030740c73
SSDEEP

3072:jZMJnTeM4cJJFpVjvZILa77j2NZmJyt+DDMuzWtVhUxx+:FeTeM/BFILI8ZSyQ/MGWcxg

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433938412"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{52ECAAB1-7FDB-11EF-925C-5EE01BAFE073} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0775f27e813db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{52F16D71-7FDB-11EF-925C-5EE01BAFE073} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433938410"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf60000000002000000000010660000000100002000000085188d105ad2564c4fe3580f3243fc3b5a1afba5bbd23eb0532fb380b787a10c000000000e800000000200002000000011590ada326789a3d41a4488a1f2ebfda701154922182e2412e0bdb99980b353200000002756c4a6da7d0275989f782d227af31c776acc4f22ea1da933952699661cae8a40000000e0a7521b9f7213394b829b8088b6c5a495a19b227b9482692bf168ad3d96ffcef89782e4d026305cb938f82a0be139b9765fe8339bd61734cae07182171f27c2	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000009237928ed58a85a9b7aea31ba6f009d6d4e6826f1b9323f43b7cb4684e80cc3e000000000e80000000020000200000006fb8f6a9cc8b9795e329e3e588087c5af5f70c67ea50b3cf667c0ef13e3cf5e290000000fbc0695c709a9e7cc378e403127a21b38881aba3f4ad2dea1a9c987602a4ec83720dffcd27ed03d7e7d538b5a733344a459df2940d2235bcae6bf3215ac7a40141b269590c5cb9380111a3d3e750f185ddf873334cb437a8ead29393ef0054672b2b939613cd4d2364d6cdb251f72f1f962c43ec09823f72521d8c43ec8c545bd4a587bddfcbfd560fcb1c1bde43219e40000000864340f13efae04dac9e89b8806eeda5ceea76d7f990225bf37fd2bd9180571b3de64063f573ac198fb2353b1ea4a504966b409db0d24623b2e3e6cd666d8016	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2456	IEXPLORE.EXE
1968	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2772	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
624	IEXPLORE.EXE
624	IEXPLORE.EXE
624	IEXPLORE.EXE
624	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
1596	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2452	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	28
PID 2736 wrote to memory of 2452	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	28
PID 2736 wrote to memory of 2452	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	28
PID 2736 wrote to memory of 2452	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	28
PID 2736 wrote to memory of 2452	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	28
PID 2736 wrote to memory of 2452	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	28
PID 2736 wrote to memory of 2452	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	28
PID 2452 wrote to memory of 2456	2452	iexplore.exe	29
PID 2452 wrote to memory of 2456	2452	iexplore.exe	29
PID 2452 wrote to memory of 2456	2452	iexplore.exe	29
PID 2452 wrote to memory of 2456	2452	iexplore.exe	29
PID 2736 wrote to memory of 2488	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2488	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2488	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2488	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2488	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2488	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2488	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	30
PID 2488 wrote to memory of 1968	2488	iexplore.exe	31
PID 2488 wrote to memory of 1968	2488	iexplore.exe	31
PID 2488 wrote to memory of 1968	2488	iexplore.exe	31
PID 2488 wrote to memory of 1968	2488	iexplore.exe	31
PID 2456 wrote to memory of 2996	2456	IEXPLORE.EXE	32
PID 2456 wrote to memory of 2996	2456	IEXPLORE.EXE	32
PID 2456 wrote to memory of 2996	2456	IEXPLORE.EXE	32
PID 2456 wrote to memory of 2996	2456	IEXPLORE.EXE	32
PID 2456 wrote to memory of 2996	2456	IEXPLORE.EXE	32
PID 2456 wrote to memory of 2996	2456	IEXPLORE.EXE	32
PID 2456 wrote to memory of 2996	2456	IEXPLORE.EXE	32
PID 1968 wrote to memory of 2772	1968	IEXPLORE.EXE	33
PID 1968 wrote to memory of 2772	1968	IEXPLORE.EXE	33
PID 1968 wrote to memory of 2772	1968	IEXPLORE.EXE	33
PID 1968 wrote to memory of 2772	1968	IEXPLORE.EXE	33
PID 1968 wrote to memory of 2772	1968	IEXPLORE.EXE	33
PID 1968 wrote to memory of 2772	1968	IEXPLORE.EXE	33
PID 1968 wrote to memory of 2772	1968	IEXPLORE.EXE	33
PID 2736 wrote to memory of 1496	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	37
PID 2736 wrote to memory of 1496	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	37
PID 2736 wrote to memory of 1496	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	37
PID 2736 wrote to memory of 1496	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	37
PID 2736 wrote to memory of 1496	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	37
PID 2736 wrote to memory of 1496	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	37
PID 2736 wrote to memory of 1496	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	37
PID 1496 wrote to memory of 1628	1496	iexplore.exe	38
PID 1496 wrote to memory of 1628	1496	iexplore.exe	38
PID 1496 wrote to memory of 1628	1496	iexplore.exe	38
PID 1496 wrote to memory of 1628	1496	iexplore.exe	38
PID 2456 wrote to memory of 624	2456	IEXPLORE.EXE	39
PID 2456 wrote to memory of 624	2456	IEXPLORE.EXE	39
PID 2456 wrote to memory of 624	2456	IEXPLORE.EXE	39
PID 2456 wrote to memory of 624	2456	IEXPLORE.EXE	39
PID 2456 wrote to memory of 624	2456	IEXPLORE.EXE	39
PID 2456 wrote to memory of 624	2456	IEXPLORE.EXE	39
PID 2456 wrote to memory of 624	2456	IEXPLORE.EXE	39
PID 2736 wrote to memory of 1676	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	41
PID 2736 wrote to memory of 1676	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	41
PID 2736 wrote to memory of 1676	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	41
PID 2736 wrote to memory of 1676	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	41
PID 2736 wrote to memory of 1676	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	41
PID 2736 wrote to memory of 1676	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	41
PID 2736 wrote to memory of 1676	2736	0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe	41
PID 1676 wrote to memory of 1440	1676	iexplore.exe	42
PID 1676 wrote to memory of 1440	1676	iexplore.exe	42
PID 1676 wrote to memory of 1440	1676	iexplore.exe	42

C:\Users\Admin\AppData\Local\Temp\0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0559ef6a3510d9d13e147921403ec9e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://rfvc.thegab.info:251/?i=ie&t=101&e08cfc6beedd120086b529fd35a15db7d6368f5b=e08cfc6beedd120086b529fd35a15db7d6368f5b&uu=JaffaCakes118&e08cfc6beedd120086b529fd35a15db7d6368f5b
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://rfvc.thegab.info:251/?i=ie&t=101&e08cfc6beedd120086b529fd35a15db7d6368f5b=e08cfc6beedd120086b529fd35a15db7d6368f5b&uu=JaffaCakes118&e08cfc6beedd120086b529fd35a15db7d6368f5b
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:340993 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2996
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:472082 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:624
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:275489 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1596
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:3814421 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:944
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://hnbgv.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b&i=suying&t=101&uu=JaffaCakes118&ssc3c22e08cfc6beedd120086b529fd35a15db7d6368f5b3a
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://hnbgv.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b&i=suying&t=101&uu=JaffaCakes118&ssc3c22e08cfc6beedd120086b529fd35a15db7d6368f5b3a
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2772
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://hdcxs.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b=e08cfc6beedd120086b529fd35a15db7d6368f5b&i=qianming&t=101&uu=JaffaCakes118&e08cfc6beedd120086b529fd35a15db7d6368f5b
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://hdcxs.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b=e08cfc6beedd120086b529fd35a15db7d6368f5b&i=qianming&t=101&uu=JaffaCakes118&e08cfc6beedd120086b529fd35a15db7d6368f5b
    3⤵
    PID:1628
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://lkjnv.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b&i=4&t=101&uu=JaffaCakes118&wwww=a3aaae08cfc6beedd120086b529fd35a15db7d6368f5b
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://lkjnv.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b&i=4&t=101&uu=JaffaCakes118&wwww=a3aaae08cfc6beedd120086b529fd35a15db7d6368f5b
    3⤵
    PID:1440
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://cosj.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b&i=ooo&t=101&uu=JaffaCakes118&sd=ad2e08cfc6beedd120086b529fd35a15db7d6368f5basod
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://cosj.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b&i=ooo&t=101&uu=JaffaCakes118&sd=ad2e08cfc6beedd120086b529fd35a15db7d6368f5basod
    3⤵
    PID:2116
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://okjhvc.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b&i=oooo&t=101&uu=JaffaCakes118&dsc=1ccc332e08cfc6beedd120086b529fd35a15db7d6368f5b23
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1468
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://okjhvc.thegab.info:251/?e08cfc6beedd120086b529fd35a15db7d6368f5b&i=oooo&t=101&uu=JaffaCakes118&dsc=1ccc332e08cfc6beedd120086b529fd35a15db7d6368f5b23
    3⤵
    PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cd9c61b47c34ceea0dca91d5e48235d

SHA1
48cfc259bddf4d3d4ab23a1db55540cc23e66815

SHA256
b3de0f6bae91822c636e0f9ef63fbf19c02ff499bc5bfd07b1decc5f9ce63a47

SHA512
b9bb9403a943c9654bf849251bd4b4bdba828a753e8bbb29c69f2bd61712949378cd796efe7e8614fd236e8b801c5f4ccbe056313a01fe1abdde88af79b06e5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
144e419986309fbd2a912ead3cba5c20

SHA1
6fd022d765eebef1d16085b94370fe2269118742

SHA256
1931d1b8fdba7344388892a88bf8a98ae1f2c46c76d6fbaca129be0b509b97b8

SHA512
10c1e7d380951380cad6573a50d6f7f1ac82fae31139ca09af0eb1993778325fadb93e44635a79269e4b036c86fc447493afbe7f6434172ac5e657001b194936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3887425499836d11be5b278337c548b8

SHA1
8a9bed81b16a332bcf78d0a9d8610515171d4ae8

SHA256
14e8e7a268d36089ae3fb33a79e847927313ef2c8ef1886669d706f756862d57

SHA512
8886effd460be719015698369047df3562be683c46c947c24e7df7df5b645bf71763dcc342a324329d37ca960a31e092698ea63d2b73321e0d40f9d8c4bd6205

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ed02defa350c218a6656e6fbaf0f234

SHA1
d9df0ba589a54404c76c040e063583c07990c7a3

SHA256
4f672c2b724a7a0b9f968cda26abf89ef7b3c3fe04ac84b0a1c7698d9e8423df

SHA512
d2affd64350a93553cb1437b08bc088e2e5ad94570fb27e8c66637d3bf2ef5da18c58d98c0e5032669a7d49b090db3d3898ca1bf6aff23af9270f16602687434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53326703836f9c35059f3bf91c99d9fc

SHA1
25de6dfb287ca4f860df1cfa9bf975fd830db875

SHA256
8cfcbec82512fab5176275cb3456e77db85a26a58687866238aad68b9959d6ec

SHA512
0b7c296cab6d7bf02e6b781814929a09688f7ad6bced9da2b89b7ea8b16961ca88040cc2e790ef6c92e07aa47264c764ea6bbd63672d6514a9bfd4ca8cdc776d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daad298733b017c5a24df2a4e2cf124f

SHA1
a24785e41dc78cabadbb5e98a04d0cdd1a9a7865

SHA256
86ba37cfc1e6c4cf7f2eb640b55693398b546a146fbfb004ee33520917226793

SHA512
b3e03a382de25bc42d3a8abc4801a3e460b14122a4e1a3e1fc5ad7108f0e710318a5ea6c58823f10e76f875e47a999e097f60c0dfd68c2bd2247d1d04090afb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c0ae44dc9dd0eddc5ee27e0b469e3f3

SHA1
b89c85247b4790d81da113e6e28d09e7c259ee8e

SHA256
5fa64ce6ab4ff2cf15c8fa0f4161562ac75e837648d1ed8ee3d87392b938531f

SHA512
015397a94a117d9016185a6625d888dbc5e8356c86b1ae491b351d2b435bd5a2ab9d32eac0425f6c09d5f7f90179bc24caf0d67ab859b133b2f95d03679f222f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c0f18615d2a694ed8f1349a575c0a18

SHA1
eee35bb2eb990f867cc2d7e86725db598e293eef

SHA256
2fb38db34c0bf0f9dd265ed1b270b8d2b18733d607331ce920f17b97ceba1937

SHA512
b3595f01424b088f8db494e53fc0acf1f3c604a1e4daa191195d91734761ed800b1bb5397c110838dccd3193917ad82d3f738ce7d4ce2f018aee4ba7c7cbd182

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11b3e78b7aacaebd8e6cd0e56704a99a

SHA1
008c338222db3a562741ed50e91d6c355ae3f3ca

SHA256
e7d34cf3044a5e94d3e616740af73ff23fad63eebeb244285756031f8d752cb0

SHA512
276d0cd5b911af3e21893dc27e5ac77b5ab4f33f32f30b71be1ca4901e64fa09ade458f1bf8a18a9265d4fbacf078055a99e3796166356dc205b6fd3e2bd459f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7632fc2e10644ac786fded3d892be39

SHA1
2fde67a9612b7c79b4af4a4263d68a92ef5b36bc

SHA256
e8f8cdb49be6e00ff81f0185806fcedfb0ba23078f4a68f9171d99d951e8f8ca

SHA512
edf895b20b129c3e70ca5c2be8897eb30e1d4e8738cef5c6085d452d1b0a7482c7b3ad22a27839f6f249457a34f63c4ff357df8e1cf8493a2aa308a8ffe994c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6594388566ad6f5ac3a2e3adcb6abc3e

SHA1
198920372015b94ed3ee68f310925ca4605324b0

SHA256
0a9fcbca65fed46341944c03a223589b94a92e89e267f68b7c797a90feeee366

SHA512
1708117b776afa0eaf38a538b0baa977a896e3e44df2cc5db78449ee60b1aed355378229ada933ec0a88566721cae9d1be61bb57632c898755b6b7c604d485cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ff03362aa65705f61cb5ba6940c2de3

SHA1
b4413da08b78ab549a6e3e50df778469d6b8c681

SHA256
cf5c3f4267287f830fa6c02d2f02ca221af04c8e42f45b4f2d53536b1b34d4a6

SHA512
6d8b2b5b17acdcf28a24c67118d21dbc1d9a6cfdd106455e36ad709334102992f9acfcd649627dd150c3ef53789ae082a1fbfa113bb063cfeb24770c4896b32c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29dc1df03b5638f8ee72ad6df684e096

SHA1
324356cff3d5d458cf944cbdc87cffb8e81890e2

SHA256
8b1ff3a12791dd3eba72f5b740c45b6142db19f690360bd97b04e4ed79f24f5e

SHA512
93a196f9569c9cb63840558be6a023753b15d52973c95efc33a194a5a8fdc28ee7b5047bf26db5df6e48e263da1a591e75a00dd1ae990d98a9c8d4981e01c910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06e38ac0a025499a5e0b77e91f0c5d67

SHA1
129d4efbd08968167a5c3abd144bba9b734dddd8

SHA256
7dfb5b240d5c4fe28fb4ba2baba4891e32e251d68c8affe316ddb037c0695650

SHA512
33bdeb82b652c2a561bb3d26ace3f09b02dd22615cfac2d70b976f1e2b67aed4c89c53439f3a456d102fb1cf2f8a9ad8aa7b607241d8b9bbce159bc81e5d005a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5068ae04c462738421617c0b6dfe1f3

SHA1
08d623c905b86351474d420f94e7d57401eaa4a6

SHA256
b97fb25270298d21ca9d0463a51d49e059bbc1b9fd79c8d59f1f7cae4d2bf204

SHA512
170ffb6a453a6ef9df774e72022e919986a7bb1df653f61e466853dc57f06f3154cf681a61bd104cc992eb7208aa0078fd79e910709b433a51a4725d7fb9978d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
785e62f73e15a0fc640cac0322decee0

SHA1
f9cff2e7b1e6f934f131184930fa835591dc9edf

SHA256
54b4c85099645c73195d4d41f4bfb669996494f3643721b2206cee77582498c2

SHA512
540e8ee4c0116829f6a001dbf6b8d1c9a3e973be3cb1c1c35f5903e3691c5f9e519e88a32b6a0f2d223cdfacd6e7c8d04fc5e2c1dc3648dc272202895ed560db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae87f16fa750027f7d4c02fda30ab667

SHA1
cde279cb7862344e6f6a21be3f9cb045b0c62d4c

SHA256
242caf08e8cce673276f5a7f7ecea2e55136bccb8eaf4e87a0af9bc8419a4c4f

SHA512
671650c04a357f9ecb844b704eb3df31b12d5c077a138722508bc78400b7a310fbced64e001e0b2e488113eb80e3dc6b38ab056a2f2b4f03fd0b0598852c1cc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee6061801445c492d340b4a43595d617

SHA1
926e5173d6d1dcb32c9a01d114a922fc2016af34

SHA256
1e3e8bdebad8837bd53fd00c1f5a748402ec22baa42a6a5d2fff3c24c92737f0

SHA512
be3baea26c0bb058b819b00d577cb049436b1d07d44cfdf669424eb4feace52741f174f8d195198e934996c87f53f64601d0664fcb86d32245205c7ab02a0302

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20f3ed5005580332caab764a2bbe235d

SHA1
0172fb66dd1fa7e662029e1d9f0d7043b147c6ac

SHA256
4fb4008f23f818b3213cf7709afb589f2d179f13ab9113a321bc4f54161d64a0

SHA512
f91926facd560c2bed75b9736c24c4c9311b0606786b6a589dffe748b6758b8ad2d6b4f511560b052bed6d23bf64ba3d1d9668a119feb54273e7a8014772bd5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2e85ebdb3228f701b376097e00797ec

SHA1
13d6b63be828bb4af7aea746ca2505a2e9e0aa79

SHA256
bbb7d473adfbee911a2abcad5dc3b01929cf1d9e4e1c34b30c89c5fb9ca8cd7f

SHA512
8a86d3a6af1cd0890e82d86bc9e92dd7c28bbf7ce4e2d6823964727a9cab8ce56bcd1577eba51fe8abb810ce1c2e3a7813c0e4e92921b8b7128540d62d4ffc85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c9382c1c279c4561359a4319599559d

SHA1
30e25c5e2f7e1e84098c0d2da2b094756587e354

SHA256
06b6f377991279e6639159907e6214235aa9780e444179b3fd33212d2d44151e

SHA512
39ab0599a72482e809860f50ccadebc982cfcc4844b0fe7113ee89e1c11ae6690f13cb1fbc3f3bee5cb263a32bcc143e2fcd45d8ef430c367b3f58aa16e15813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2eaf38e1e97a7fc0def1c404b1c1f35

SHA1
ce7f4c71bc15416fc3111852e64b616f64ada764

SHA256
eb3989df795125115ce135d44e99b75a0bd876a1b9dbe969962440cd40d7b949

SHA512
1cb024f29597fea099ba8766e174f804f63be7d743b17fe15fd8c97d02bf4f946bfd2d94a3c76d1c86ad320f3b686b82ccdb387c38abb965439aa7a69fa14269

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
937358c69d0ff603f821fc31658ac40e

SHA1
cc87a2f0579b95e9e6ddc87f9b6786381d7e4e72

SHA256
2d8c96b4695792b76fa9ea290adb44138844ecc330826fb17faba12b23123648

SHA512
61b1687d6f031b9908ad664a31465096c2f21ea0afeb5f6f59f500d1f905acd71ffa52db3c81afa09eb7a8b1aba0a7a48ce3beaded67363c66976016ba3868ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2dc27c7e427ad5c8384bfc062fd828b

SHA1
2727e69ec49fdb7b3d81f18d2a33e530b64206c0

SHA256
7cc1288a2b380426b3a7ff61f080759c8635d2ef006bf507b7c557f8f3fe6818

SHA512
a45b706d0d33a18eebd40b11f528ba95704f5b6e066eb33d2618bf5237043d8fe2bbd4f4a0c14e2c7fb9fdc7e4277253c9a3c9634452c6210251e2081b3aff58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f1c788c1c5a2668d4051a5ee74613ac

SHA1
0516a8ca5b908b360c514178075c1348cb96e38c

SHA256
cfa61bf0f8143452e3cd017db2791f77262c8555788c16a5fefa7bacaa70252d

SHA512
a5ae72c3fcae1c64e4add12dcb35db1ec3d07b93fe57df1c65014ade8932e5355f8e4947d23dd21538172d9d39fbb2377055e4acdd71226d49153885c4130bae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8824ff124390e3f83e31acb2a9d250a5

SHA1
c773b5aa37e0fc59ba39b5362d5f111d00fda4d4

SHA256
4bcca0aa1144ea43a03cffa56596e4d6889f36a753787d773dab27e11ddb43c7

SHA512
f464ae8e82577188ad3e333bfad3c9c0c4c81fdf3edd4f5d96b96741f70319d47e17acada09e91f4f94f01cbdb3903258779e8a258115519e4401440e557ef37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c86fbdda2d66f5d9d2d3826ffa013f1a

SHA1
78a65706def521d90e460dacc19528eb77203a8c

SHA256
d32a1a43a7397cff3b24fa86c297747f9b45e3fad47efbfc9456a634c72a5722

SHA512
b8f191a5fc8b8bfa19b43b597d19d3c09c8d6a48470cb98197e754b54f3f6c2f3cb905c68214ed173e1d3ca39ffe75611b717a6e16864326554a19f6c54289b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6051e4bd3cc501ed21375295dbf2103c

SHA1
212869fb917a3474966c42bc9c643abac7c8c705

SHA256
d9d3fd0e2beb91cc40e3643cceba749a0e4c13d3209c04ff31da5cc15a8d5df8

SHA512
7d38bb5546b53a717e05276423eadbde1cded61fbfa4329f9a8aefd73501bd3c886f93929e2da7a51b76ca87422d70df7320d15727ece8060e216c3dad3bbae7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca09405ec94d1a41aab7479b8d324f01

SHA1
b716a3c7c92c40a9ce34818ce0b905acec16b63c

SHA256
8b90413ac4b2c381dcf899402d5b2b0fe5dc9c33971f5785c760812758fbe177

SHA512
22a02a9dac9234e316938fd3d5f753416947ab7b8231a5110d98616e7d8c9a30111cd762d595b5d69c9ee11213efa31b847f763f9493ffc80205c7912430ba32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{52ECAAB1-7FDB-11EF-925C-5EE01BAFE073}.dat

Filesize
5KB

MD5
d21e849c4189ea33f31e956953f3744d

SHA1
28752f315caa6ccc1ec3e2a5dfdb03f894ce2f8a

SHA256
bed25d4f84baf6cb6f9639e3efdfd9c26cef0c39d5275cc6133d45db13b8acf5

SHA512
891d667bb94e32bb4875de95ccb676b124036fb9f57c5e7dcf25539d0132acd32aa8efbdb6da21969c7fa55c9ff007968c0009ade7000af6679e8ffca2ec2a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1LNUKNV0\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8452S9S3\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab71C9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar721A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5986.tmp\Math.dll

Filesize
66KB

MD5
9eb6cecdd0df9fe32027fcdb51c625af

SHA1
52b5b054ff6e7325c3087822901ea2f2c4f9572a

SHA256
54cf1572ed47f614b0ffb886c99fc5725f454ef7ff919fbb2fd13d1cbe270560

SHA512
864742ec6f74f94057b54cd9b09707c0125ac8db4844fa80af201e8b72a811bb68276c993e75bce67e5ece4f83644572edbdee5e963634c5a37839615faea97a

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5986.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5986.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd5986.tmp\time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
memory/2736-9-0x0000000000830000-0x000000000084A000-memory.dmp

Filesize
104KB

Download