latentbot | f09cf7cb375f58f221f25f1f537d512466d38541190e0b52e86bddaf8f3e0745

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe
Size

168KB
MD5

2c926e15ab45183004d7e77a54dc9525
SHA1

9aa66e4479b57a5d00ab78db378720defb84281d
SHA256

f09cf7cb375f58f221f25f1f537d512466d38541190e0b52e86bddaf8f3e0745
SHA512

b6f13f52d22b69fbca254b39a624b0e9ebb227a35f49c90451622862d4e916e3d81342a45461763b8b79a90d1ed83ae95cbc3aba9835748416aa688858ba0a04
SSDEEP

3072:CQFvHWYPM6jKn/+QC8iL/aLTll9ZP8Lcg+LUoFjnwt5jeZUHmHb:CyPM6jU/+TL/aLTl7ZP+cgFoFjn+QqHw

Score

10^/10

latentbot discovery persistence trojan upx

Malware Config

Extracted

Family

latentbot

butterfly43452.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001620e-46.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2160	1.exe
2544	GNan2o.bat

Loads dropped DLL 8 IoCs

pid	Process
2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe
2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe
2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe
2160	1.exe
2160	1.exe
2544	GNan2o.bat
2036	regsvr32.exe
2544	GNan2o.bat

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sAWk48 = "\"C:\\Users\\Admin\\AppData\\Roaming\\GNan2o.bat\""	GNan2o.bat
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lW9e5w = "\"C:\\Users\\Admin\\AppData\\Roaming\\GNan2o.bat\""	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\xsUQ4R = "\"C:\\Users\\Admin\\AppData\\Roaming\\GNan2o.bat\""	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lW9e5w = "\"C:\\Users\\Admin\\AppData\\Roaming\\GNan2o.bat\""	GNan2o.bat

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mswinsck.ocx	GNan2o.bat
File opened for modification	C:\Windows\SysWOW64\win.com	1.exe
File opened for modification	C:\Windows\SysWOW64\zlib.dll	GNan2o.bat

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/files/0x0008000000015f41-19.dat	upx
behavioral1/memory/2688-14-0x0000000000280000-0x00000000002D8000-memory.dmp	upx
behavioral1/memory/2688-25-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2160-37-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-48-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/files/0x000700000001620e-46.dat	upx
behavioral1/memory/2544-39-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-544-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-545-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-546-0x0000000010000000-0x0000000010014000-memory.dmp	upx
behavioral1/memory/2544-547-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-549-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-551-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-553-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-555-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-1101-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-1103-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-1105-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-1107-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-1109-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-1111-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-1113-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2544-1115-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GNan2o.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6139BC41-8664-11EF-A51B-E61828AB23DD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000dcdfef4cc43afdc1755b603e167272f06e1a9ddbdd50245eb59d3231dd5a11c8000000000e800000000200002000000003011eef050918dfc7f5b6bc8f5d56f4922060a27d4137716afbd89443a7fbd49000000091fb598f6ece20277b1fed2d49c083b8639025d34764d89e4d5c45b0a96d798b506395730a294da9f6118acbd29441b31d9a3d784a07ecfc082968b5425a15ce71a0bf8a228c48f6ef18e73f7abcdf356342b559be48006b46950ec57a54bb34574ec0b2df035e4b21d4c826c2035f0d7fd236185bcec81c04dcad7150c5c2376d095c5857c72c6a650bc6d8393368f4400000006204ce6c069698b9d786bc65f4b27db960f2da97338101c6acc063371233d9079b8cde664ae53cd0d449edc2193a1d1802091f5700d7e065145996703aad69b9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 003b9936711adb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434656983"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000001853b8df996790ed5cd8eb99f72f8e5cd65099cc1890c38ecf61debc1c673191000000000e8000000002000020000000fd632d9ef3281adb6de9bafb214d9930e8ea22658ad958249718859cc563225120000000f2ea40cb20e621e3494946cf33df582638d66c7d79f6e20b4128e39772c3b19540000000892b7ed2ad23f797b0580c2209b5745193772aab09088b37259ece309c8ef8e52ee35d3b43715d34ab00f78754351eb5d2e5ff246127811237d85cc1bfe86e69	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\mswinsck.ocx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2160	1.exe
2160	1.exe
2160	1.exe
2160	1.exe
2160	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2712	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe
2160	1.exe
2544	GNan2o.bat
2712	iexplore.exe
2712	iexplore.exe
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
2544	GNan2o.bat
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2696	2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2696	2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2696	2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2696	2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2160	2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2160	2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2160	2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe	32
PID 2688 wrote to memory of 2160	2688	2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe	32
PID 2160 wrote to memory of 2712	2160	1.exe	34
PID 2160 wrote to memory of 2712	2160	1.exe	34
PID 2160 wrote to memory of 2712	2160	1.exe	34
PID 2160 wrote to memory of 2712	2160	1.exe	34
PID 2160 wrote to memory of 2544	2160	1.exe	35
PID 2160 wrote to memory of 2544	2160	1.exe	35
PID 2160 wrote to memory of 2544	2160	1.exe	35
PID 2160 wrote to memory of 2544	2160	1.exe	35
PID 2544 wrote to memory of 2036	2544	GNan2o.bat	36
PID 2544 wrote to memory of 2036	2544	GNan2o.bat	36
PID 2544 wrote to memory of 2036	2544	GNan2o.bat	36
PID 2544 wrote to memory of 2036	2544	GNan2o.bat	36
PID 2544 wrote to memory of 2036	2544	GNan2o.bat	36
PID 2544 wrote to memory of 2036	2544	GNan2o.bat	36
PID 2544 wrote to memory of 2036	2544	GNan2o.bat	36
PID 2712 wrote to memory of 1640	2712	iexplore.exe	37
PID 2712 wrote to memory of 1640	2712	iexplore.exe	37
PID 2712 wrote to memory of 1640	2712	iexplore.exe	37
PID 2712 wrote to memory of 1640	2712	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\2c926e15ab45183004d7e77a54dc9525_JaffaCakes118.exe"
  2⤵
  PID:2696
- C:\Users\Admin\AppData\Roaming\1.exe
  C:\Users\Admin\AppData\Roaming\1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.de/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1640
- - C:\Users\Admin\AppData\Roaming\GNan2o.bat
    C:\Users\Admin\AppData\Roaming\GNan2o.bat
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\system32\mswinsck.ocx"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
9609f98d055816afbdd7f2d7e22ec463

SHA1
02187f9f0f3666961c3d41d18f807da038fb9d4d

SHA256
2ebd9bdca514a75cddf9c38668c6102418a3afecc29a5621e83d110fdc62f382

SHA512
d7a60d4ec8e2744cf9b1aa3bed4ffc805df51c25275789c8e629df392afcdba172e378c837e71f2a19d46de52f6600867993f9070d84d2f4ffc06f87a3c64756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1518ffbd8c91b5dc06d8a4f13313c3b2

SHA1
965c203bffffad074adbd9a489a25b8677e56bbf

SHA256
d80c28b11bd220e16503c263de90e69bc9bb3a0e3ada3a36a23800bf3610ea4c

SHA512
6f3d90ae1b360ba0126f70b0466d49470053bd61bf6d184191a9e2e16c5a449eba1d225890ae28e84bd01aeb15dddf73fb9d9911e0097c59367463e2c3b1727d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76b3003e338ebf6eef34a09807296e45

SHA1
721ff501c8a2b4fd6f53e5be79c1b91c55128701

SHA256
e796af07ba89d4ad2c989d01bdaecf68df855a157f93c2170759a321d9e516e2

SHA512
c54edb86650b6fc437f6adc218ff7101446de604e7fc31c9c80bf89c2780d0ece1a64b4762bb2e3e7224cb806634b6350c0ac0c043a994b71099af7d27d3d27f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea9f2a2ee1b381ec540c94b8226954e0

SHA1
6a7e17806a4bf809c0c555d6f31e41a40028449b

SHA256
aab05cd0a850c5b26a9f67ed46d925f4a3e6eebffb60b2468e85af3370343f4e

SHA512
7d13ec36297366e246b21b7bc77676fe083aa07c1eba6fa8dfdf1c1ca329cc98399c0c1d7e1eb7902d771066e03375544f35f7de84d16b6b85a772bab70d89ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b6a2c4f60e4e37cd70daec84515b349

SHA1
6300f4f11982a44e8bde765b76a4e5424f5b78d9

SHA256
33d993638b760ed2bfaa59321d4819206bd85c056127be587d3c7773915608b6

SHA512
4a32a26afdb24724648302cb098b6e89f6a69901532b5d02187b9d18ad1418f5f989b8aa99f5cbac6c1a554f1ded68b9be0db0860e2b8ae6ed83fd8f4d2af128

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af84e00ac6ede424c5319b27e01eb3ab

SHA1
7dc525a2bf8e7b7cee2b5f966a1207c182cf4527

SHA256
a23fc56fa9a97f3b802541e27f4fc60459144bc33bd63b26b47742632ced13d8

SHA512
a1c80406a36e35938af1a3f07f31748cb3254d17818a3e51951c6547e0626184a1d375166cfaec187deb922fa93a81a4460f0bcdfcbbea170f84fc02e0c8e2e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f5318830cf3a497a371b195ff6860c0

SHA1
9309d4fb86976e76d223b7d52882c8e263045f12

SHA256
0f9a2b2f3df5f73ac42d1a114390613c0c33de009d6088e85953df76e27bd056

SHA512
6dd0ef65c3212ffc882b6eb001f683b1edd2bd3b8fe7ff2555df647fb2e3dbe630246063f3c7f615a295bd2b54d8df28ae61ebe875cb1871297993a08a5ac186

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b087ca317323d98076e026deaf971c06

SHA1
c2ff68824044bcd0b9b67c8eb72004237d345cef

SHA256
e86bae2a196c6289ecc30770740c6a566ff20f0bff876a6d9e633e921b3552c2

SHA512
78ee33d0a7455e521c7eb4e7f15805c9d4c2d2cf996ded8d4c4ca8e75bbe17acb8ca78259781d794987255bdd557af0fc3b25ae00f136b5a071b5d0697bf3411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5eed14eff6fe6aad4c8bf812a9e9304

SHA1
ecfbfeb6d9797085525bcf3de0a44d6f1f4275ce

SHA256
e6dcd889cb4f1966a4efcf021b98a74caf0199e2409db91d235e5e9fc73a4b40

SHA512
3c7a74f33581c56960f36d9aeeff9fa7777f75adde983cf4d5feff5679eb1e7e969b098ba5dc71498c48f72c78a7f26cac6460e9891373fb903fc1d5d7d4ede4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
083b8ef150fe2335e54fd674428ee240

SHA1
5c327c8faa3d02cb91e646b5347ce844987562dc

SHA256
3510cdbf50baf621789dc81e15e31e4d8b148965ee71a32fb1f758db84babec8

SHA512
97c4aff9ea846c3ba0fff4f80357ba20432e1653826966db15a271b771ce2db1e8541bac9d93d36a591f01ec5545a9a2be54e864fb27e3c6fa342ec1a39360a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
882ca6f69b28c173a4f288c0a8cca08a

SHA1
e308c7cc9f4b7f57dd38b6117e3a7b8da492d966

SHA256
303ec437647f603989c5297a6ab57bd80192bf41d3fcf353d01c8382aefb8655

SHA512
07aa53a67047e21e02f5a59c1ae224dad3178cfbbc118a010194b0a933272e4dd2cf82981168bc25df276f1245869e02173034cb15c022cd6703f875b3dfbbf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65cb3a85c6b2b8e17ed0f898232cc5fc

SHA1
2070b65791da531067236d92fd31e7a2b180707b

SHA256
8a4065ba6e5c70188e500050329f1e3edc8fc215039e410afb9268583d06a8a7

SHA512
507800a1560de04d70dd8e549a00962bcbb6e67f38db22ffef572074abd2975358dcf8384d8f7c150053bec51b1d2470f688c89304076a88a59bb529a14ada8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7fd96db81658669f08f3f2c5489f2ec

SHA1
60151aeb9e3c74056c36389b69e4b9770e54506d

SHA256
52c9eb43f27354ec827e5682e25801975048b0d516218795f3335de390a7b167

SHA512
46255f7dc27d1a4be82b3028c6a648cc5fe5cb5b5eb2d6a10e79e2ceb83a8e49596ae0d2c975e24d2c7f96c47f2af9e1f5e5be09467ef2813d774715d16098ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2654ea00641bc701932552145c32c00c

SHA1
5854c114932a5697d46c44e694fb9c6f6079cd6a

SHA256
811250bdc08d905652e51a5d324f59d67d3e4db51b66a4dae4f25d409aecea50

SHA512
379b8103bcc69124637cdedf6eb09b96e0a4b87d2b5df0101b21befdb7a8eb999dd7edce08dfb0b78c7b0fe276794298355c4f588674fb5efb91782b90001d69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0b70681102846a6149047a82b2f3e84

SHA1
cb873560cd503f7e3efd03d9d7474296ee0adfaf

SHA256
84e4945db0e6776b8ffbc3ebe3975889d673bd9b53e12b71336595c75b6a5350

SHA512
f2bde73b6e61b58608f23454c4ff7e4308782b83bf64c145b5d4481ec928b432a603ec0ee220bcb1805eabe9cb1ead98124ea820aa05561c4135394d714f4de7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ff594b3e1890d8c3e38d8096dbb8778

SHA1
7d21daf353b86c3d33778546f324e65a132b45dd

SHA256
2ff747f5e8091120df7e331014ee4037d4b6278d5279a61462336c8cba1d540c

SHA512
c2965b3fcc85f8fcc487d8a3cffeb0b936ce54d76a3041fc7a3e2a0a7d4a6b850c4e6aacc25d7839519aeb3de19fe774b3c575cd3536c4b392a5bcd7e3081c22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f7aa420d514b12db08ef72cdc6ea599

SHA1
f3fd94f68a8858574f87ca7339d4c55aec96aa34

SHA256
3383c916b78208585eb006a1a4c90a4a02a2025113521ed39dcd87358823badd

SHA512
ed668d3e4ea4719ed9a634aeae886fa98fad1da10ee71a46fe69ff6ca3bc4551f07d03bc02d745fa1481a4cc2d1f519aa3332cacf811eeeba113dc70b4c76d85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec82a54d2958aa3af668f8b0255fc9c1

SHA1
258b5c09b7abdde6787d3b20a16e14e8c056299d

SHA256
5bf9b77b2a3bd7239fd55f0e9239a7877888866b1b1a344ad82c7025c88257e8

SHA512
1ab07574b0385164ef2e4929f7269e4357dc0800fa69ebef3066b250a7f5d7e6b9b5d61db35d411e588fe233d041bae547d6b564314cb0bf25c088ab09782674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfc0ccbb33a236ab140ead5b19aead64

SHA1
acd8fc21c73c18abdfbc2a57576069cc310a00e5

SHA256
438333d7c9cf690e95d301620c4455d51ce92fcdd2b526396dc98bdbc7340a10

SHA512
efa1e1672684f4ebd6c19cc374fe7297084317053433b0f18b5f8e8de57f927461d986398799ac96e70b225651126075a5237d0ecc2322e3b325f5e3906b27a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
942810b8b0072d1d81dc012acde9c3e0

SHA1
84e9d893a63519f891ec6dedac34c8bbb3f53cff

SHA256
ce099a680b0b3c9ec2414e89300330d8c5f109718329b174ff324887bf2c9e51

SHA512
ee65169dcf5163b054b64886013192ceaed5e3fa46dfd3a0aa1613be1269f30c975e71d85eea8a7a20b60d3c5c036a16710e4ce3d9e15ec3d7cb339a9913b50c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b900a866fa42432c704be4b39d3580ec

SHA1
3d5bbbd72bfc7ec5160dc5d288f0a7b498c65132

SHA256
ddc1554011e70aa94bbd57d1ebabfc2dd18e34536202a0e398a1e8a23a8bbb08

SHA512
1662176213874ba532bf3b2fad86e05d91eb210d8dfcff19640ccb575a529215b6f989eb768685f3caed1bbbb3ba2d8afd0b616b3a38162bfb80a92a71bd8bda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4469db5ef7a24205bbc02032934a86cb

SHA1
4de15bbc761ee3bb9a54786865b931453c19090f

SHA256
8cbb06845e6edd504458d263c2227e808bb76d5481fb6b07ede0d6b6ba6be32a

SHA512
030a75e47e7f04d50bbbb253cddf4d77e24ae661f7ba237f24b284adb3422c7b3210f7d23843178ddbed1ab02950e0349c597f88272456dab4dcd0f98a378a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
5KB

MD5
1ac3dfa2a967fbeb21db105725130e5c

SHA1
88e8ce8e3995271fbc33745f027aff117099d735

SHA256
e8aa5559ab3119ca8ab5832afb85652bb50f0137d7b4e700c43e2f33bfce47b0

SHA512
0422a2aec7f0390ca45db142c097b109592cfef3ecb7c796c06c928f23edf6d0f8044756b23a303fc9feba7182feaa9fc2ee8409ae04e0a1d9d3f10debbf1c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab455.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar458.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
150KB

MD5
564211c8776acb25d576cbec38ffa8a8

SHA1
d508c77bf7e439ff442244552e1d6a3267c3c7fb

SHA256
87d3a3562b355146f3dd1c5c76272fa156853b80f4df4564d25c1e6959562e24

SHA512
0bcb1738ab8f759e2fd4b5b12b57a42e5ea0ae7f628a79f668758721870fbb3c07ddd57506a9267d106a0322609787728408d01b5121123e4f9d0473a6ff310f

Download Submit
C:\Users\Admin\AppData\Roaming\kernel33.dll

Filesize
1.1MB

MD5
e14ba6a9464bed1127c50214acaf0c1a

SHA1
3eeda63ac8209ffa2e1beeefdde6531e61f8dc4d

SHA256
fd250c2054019c58dd71ac4469ee821b67dfa36a439091ad17969f6d4090da38

SHA512
55a7ad5ea8617e8066b2854556e54e1688c70d80b6921eab3020a1bb6cc741320f5f0d63cf067864505877e010d69caa2a7bff890dd037da7efbc3e679ab9c26

Download Submit
C:\Windows\SysWOW64\mswinsck.ocx

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\zlib.dll

Filesize
27KB

MD5
200d52d81e9b4b05fa58ce5fbe511dba

SHA1
c0d809ee93816d87388ed4e7fd6fca93d70294d2

SHA256
d4fe89dc2e7775f4ef0dfc70ed6999b8f09635326e05e08a274d464d1814c617

SHA512
7b1df70d76855d65cf246051e7b9f7119720a695d41ace1eb00e45e93e6de80d083b953269166bdee7137dbd9f3e5681e36bb036f151cea383c10d82957f39c5

Download Submit
memory/2160-37-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-1101-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-546-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2544-1115-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-549-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-547-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-39-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-544-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-48-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2544-553-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-1113-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-551-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-1111-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-1109-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-545-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-555-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-1103-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-1105-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2544-1107-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2688-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2688-14-0x0000000000280000-0x00000000002D8000-memory.dmp

Filesize
352KB

Download
memory/2688-20-0x0000000000280000-0x00000000002D8000-memory.dmp

Filesize
352KB

Download
memory/2688-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download