50b817a59adb7320afe3d3ee6889b95ae1f93f097b04ad80970e4814cdfd0009

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

529c119d77f942f4b40478de71153b31_JaffaCakes118.exe
Size

6.2MB
MD5

529c119d77f942f4b40478de71153b31
SHA1

7fe9ef6b3697370597a051cfd9e3f1fbd495b6f2
SHA256

50b817a59adb7320afe3d3ee6889b95ae1f93f097b04ad80970e4814cdfd0009
SHA512

c20934a25de5cf118a622f26fe910a4c122493cb1a3fbfed89ab9e7fdda77e006e3acf10c10c41072c43819205bd4fafed86e395c94f1f7b1572b6b65914fb5d
SSDEEP

98304:Bzyhh5OoQGVSreXLqdxygFEJbrTv6qk6d6CgRThIdby7vryufkFTmaSn:BzytBQte58EJb+CQTC47TyufYjSn

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1780	langinstall.exe

Loads dropped DLL 4 IoCs

pid	Process
1088	MsiExec.exe
1780	langinstall.exe
1780	langinstall.exe
1780	langinstall.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2508	MSIEXEC.EXE
5	2508	MSIEXEC.EXE
7	2508	MSIEXEC.EXE
14	1652	msiexec.exe
16	1652	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscomct2.ocx	msiexec.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Turning Technologies\ResultsManager\MailWebService.dll	msiexec.exe
File created	C:\Program Files (x86)\Turning Technologies\ResultsManager\ContextWebService.dll	msiexec.exe
File created	C:\Program Files (x86)\Turning Technologies\ResultsManager\ResultsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\Turning Technologies\ResultsManager\msvcr71.dll	msiexec.exe
File created	C:\Program Files (x86)\Turning Technologies\ResultsManager\TurningUpdater.exe	msiexec.exe
File created	C:\Program Files (x86)\Turning Technologies\ResultsManager\ChilkatDotNet.dll	msiexec.exe
File created	C:\Program Files (x86)\Turning Technologies\ResultsManager\RMLanguage\LangInstall.exe	msiexec.exe
File created	C:\Program Files (x86)\Turning Technologies\ResultsManager\RMLanguage\lang_en	msiexec.exe
File created	C:\Program Files (x86)\Turning Technologies\ResultsManager\RMHelp\ResultsManager_en.chm	msiexec.exe
File created	C:\Program Files (x86)\Common Files\System\ole db\vfpoledb.dll	msiexec.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f7794c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	msiexec.exe
File created	C:\Windows\Installer\{DAF232B7-5749-4F36-A7E5-C7094062778D}\NewShortcut2_8B715E8750104B859B8DD71D0E1CC99C.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\{DAF232B7-5749-4F36-A7E5-C7094062778D}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{DAF232B7-5749-4F36-A7E5-C7094062778D}\NewShortcut1_BE0652EAB38041C7961216DDB7DAF048.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B	msiexec.exe
File created	C:\Windows\Installer\f7794c2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_Controls_MSCOMCTLOCX_f0.3207D1B9_80E5_11D2_B95D_006097C4DE24	msiexec.exe
File opened for modification	C:\Windows\Installer\{DAF232B7-5749-4F36-A7E5-C7094062778D}\NewShortcut2_8B715E8750104B859B8DD71D0E1CC99C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI981D.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	msiexec.exe
File opened for modification	C:\Windows\Installer\{DAF232B7-5749-4F36-A7E5-C7094062778D}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{DAF232B7-5749-4F36-A7E5-C7094062778D}\NewShortcut1_BE0652EAB38041C7961216DDB7DAF048.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7794c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_Controls_MSCOMCTLOCX_f0.3207D1B9_80E5_11D2_B95D_006097C4DE24	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\7B232FAD947563F47A5E7C90042677D8\1.2.3\Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24	msiexec.exe
File created	C:\Windows\Installer\f7794c4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7794c2.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	529c119d77f942f4b40478de71153b31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	langinstall.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.DTPicker	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\Version	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.TreeCtrl.2\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\CurVer\ = "MSComctlLib.ImageListCtrl.2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50BAEEDB-ED25-11D2-B97B-000000000000}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\ole db\\vfpoledb.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6355-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscomct2.ocx"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl\CurVer\ = "MSComctlLib.ListViewCtrl.2"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\MiscStatus\ = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{232E4565-87C3-11D1-8BE3-0000F8754DA1}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Programmable	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\InprocServer32\InprocServer32 = 31002500470047006f004e0040007e004e0041002c0032003500300026007b00700064004f0055003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000007800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00500072006f0064007500630074004e006f006e0042006f006f007400460069006c00650073003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\Implemented Categories	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{B09DE714-87C1-11D1-8BE3-0000F8754DA1}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{20DD1B9B-87C4-11D1-8BE3-0000F8754DA1}\ProxyStubClsid	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\InprocServer32\InprocServer32 = 31002500470047006f004e0040007e004e0041002c0032003500300026007b00700064004f0055003e00410037006b0029003400730036007400660028004a0052006000710046002d005100390071002e0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}\InprocServer32\InprocServer32 = 31002500470047006f004e0040007e004e0041002c0032003500300026007b00700064004f0055003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000007800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00500072006f0064007500630074004e006f006e0042006f006f007400460069006c00650073003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.DTPicker\CLSID\ = "{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageComboCtl\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6356-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6357-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscomct2.ocx"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\InprocServer32\InprocServer32 = 31002500470047006f004e0040007e004e0041002c0032003500300026007b00700064004f0055003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000007800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00500072006f0064007500630074004e006f006e0042006f006f007400460069006c00650073003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ProgCtrl\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\Control	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\ToolboxBitmap32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}\ToolboxBitmap32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\ = "Microsoft Flat Scrollbar Control 6.0 (SP4)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE3D-8596-11D1-B16A-00C0F0283628}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.FlatScrollBar.2\ = "Microsoft Flat Scrollbar Control, version 6.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}\2.0\FLAGS\ = "2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VFPOLEDB.ErrorLookup	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7B232FAD947563F47A5E7C90042677D8\Version = "16908291"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE387538-44A3-11D1-B5B7-0000C09000C4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\InprocServer32\InprocServer32 = 31002500470047006f004e0040007e004e0041002c0032003500300026007b00700064004f0055003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000007800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00500072006f0064007500630074004e006f006e0042006f006f007400460069006c00650073003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}\InprocServer32\InprocServer32 = 31002500470047006f004e0040007e004e0041002c0032003500300026007b00700064004f0055003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000007800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00500072006f0064007500630074004e006f006e0042006f006f007400460069006c00650073003e00640062004b0078002d006c0062006d006600280047006e002c004c005b005b0051007e0043004e0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{232E4569-87C3-11D1-8BE3-0000F8754DA1}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Vfpoledb.ConnectionPage\CLSID\ = "{50BAEEDB-ED25-11D2-B97B-000000000000}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{50BAEEDA-ED25-11D2-B97B-000000000000}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{586A6354-87C8-11D1-8BE3-0000F8754DA1}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscomct2.ocx"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\ProgID\ = "MSComctlLib.ListViewCtrl.2"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VFPOLEDB\CLSID	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7B232FAD947563F47A5E7C90042677D8\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE38753A-44A3-11D1-B5B7-0000C09000C4}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	msiexec.exe
1652	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2508	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2508	MSIEXEC.EXE
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeSecurityPrivilege	1652	msiexec.exe
Token: SeCreateTokenPrivilege	2508	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2508	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2508	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2508	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2508	MSIEXEC.EXE
Token: SeTcbPrivilege	2508	MSIEXEC.EXE
Token: SeSecurityPrivilege	2508	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2508	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2508	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2508	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2508	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2508	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2508	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2508	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2508	MSIEXEC.EXE
Token: SeBackupPrivilege	2508	MSIEXEC.EXE
Token: SeRestorePrivilege	2508	MSIEXEC.EXE
Token: SeShutdownPrivilege	2508	MSIEXEC.EXE
Token: SeDebugPrivilege	2508	MSIEXEC.EXE
Token: SeAuditPrivilege	2508	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2508	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2508	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2508	MSIEXEC.EXE
Token: SeUndockPrivilege	2508	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2508	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2508	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2508	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2508	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2508	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2508	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2508	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2508	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2508	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2508	MSIEXEC.EXE
Token: SeTcbPrivilege	2508	MSIEXEC.EXE
Token: SeSecurityPrivilege	2508	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2508	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2508	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2508	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2508	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2508	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2508	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2508	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2508	MSIEXEC.EXE
Token: SeBackupPrivilege	2508	MSIEXEC.EXE
Token: SeRestorePrivilege	2508	MSIEXEC.EXE
Token: SeShutdownPrivilege	2508	MSIEXEC.EXE
Token: SeDebugPrivilege	2508	MSIEXEC.EXE
Token: SeAuditPrivilege	2508	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2508	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2508	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2508	MSIEXEC.EXE
Token: SeUndockPrivilege	2508	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2508	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2508	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2508	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2508	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2508	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2508	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2508	MSIEXEC.EXE
2508	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2508	2688	529c119d77f942f4b40478de71153b31_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2508	2688	529c119d77f942f4b40478de71153b31_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2508	2688	529c119d77f942f4b40478de71153b31_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2508	2688	529c119d77f942f4b40478de71153b31_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2508	2688	529c119d77f942f4b40478de71153b31_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2508	2688	529c119d77f942f4b40478de71153b31_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2508	2688	529c119d77f942f4b40478de71153b31_JaffaCakes118.exe	30
PID 1652 wrote to memory of 1088	1652	msiexec.exe	32
PID 1652 wrote to memory of 1088	1652	msiexec.exe	32
PID 1652 wrote to memory of 1088	1652	msiexec.exe	32
PID 1652 wrote to memory of 1088	1652	msiexec.exe	32
PID 1652 wrote to memory of 1088	1652	msiexec.exe	32
PID 1652 wrote to memory of 1088	1652	msiexec.exe	32
PID 1652 wrote to memory of 1088	1652	msiexec.exe	32
PID 1652 wrote to memory of 1780	1652	msiexec.exe	37
PID 1652 wrote to memory of 1780	1652	msiexec.exe	37
PID 1652 wrote to memory of 1780	1652	msiexec.exe	37
PID 1652 wrote to memory of 1780	1652	msiexec.exe	37
PID 1652 wrote to memory of 1780	1652	msiexec.exe	37
PID 1652 wrote to memory of 1780	1652	msiexec.exe	37
PID 1652 wrote to memory of 1780	1652	msiexec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\529c119d77f942f4b40478de71153b31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\529c119d77f942f4b40478de71153b31_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\ProgramData\Turning Technologies\{02A4197B-9014-40F0-B6BB-09102159EED0}\ResultsManager.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="529c119d77f942f4b40478de71153b31_JaffaCakes118.exe"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24DBDBE9B2338CA77631EBD43415BB85 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1088
- C:\Program Files (x86)\Turning Technologies\ResultsManager\RMLanguage\langinstall.exe
  "C:\Program Files (x86)\Turning Technologies\ResultsManager\RMLanguage\langinstall.exe" 1 AllUsers "C:\Program Files (x86)\Turning Technologies\ResultsManager\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1456

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "00000000000003D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7794c3.rbs

Filesize
328KB

MD5
d0a6e2d86f6ccad671e4eb7f299931b0

SHA1
da7df2c1a84db1cec505fcebd1f8d8085f2147c0

SHA256
c1c1c1ed518ff5d51331a6be8d29115f3980b16d78110688c6d9b86d4dcf0fa4

SHA512
0dbf560962f92250ec1f34c6de3324378fd9924b76992a8733ff67648e8295f57b7bda405039b650dc368bb5f341fcb5ce7229874374c35dc18e472da1eb8e4c

Download Submit
C:\Program Files (x86)\Turning Technologies\ResultsManager\RMLanguage\langinstall.exe

Filesize
32KB

MD5
779ca48477ecf5ec91db153cc7b11710

SHA1
b974fa7a0de497929efe13fb87ddc55c06c0463b

SHA256
410c7a65524c5923ed492fe26966cd940ad967782e955417e81fe5b2135722c2

SHA512
92c710451e062397fed23fb209fba6ee4aaf8feac7dde2cf85511b67fe6f18c286834be0a1fb94d3792d378c0e2daabf7a029372b8a5589790f0cb35ef665f79

Download Submit
C:\Program Files (x86)\Turning Technologies\ResultsManager\ResultsManager.exe

Filesize
5.7MB

MD5
654cc593b156e041cf060cbf7e3d19bd

SHA1
b7005acb30e92f215aef7a8e6f5d133b281d7def

SHA256
347c85b5b7f77f11012f154eaf1d67aac0e73ba0718ea70deeae2348ac1077cf

SHA512
85821dfcedb06ee2a739b1c0ee908a674cdbd4442e9d2f0ffa497c2468a5b38943bf49697461635cb35a0f2038ef676a26a51c75cc2ac4addf44f02779c11de0

Download Submit
C:\ProgramData\Turning Technologies\{02A4197B-9014-40F0-B6BB-09102159EED0}\ResultsManager.msi

Filesize
6.7MB

MD5
496aa443001133bbf1711aba0d1304bf

SHA1
7d6f5fdbe335460bc7a79764ee4e1d88b7c3da41

SHA256
7152a694ba403656297f52839cff86948f1ff69170e9a84d26b289069c68af71

SHA512
5d462cad818344ee3accbf474bd975656650dae7bec3e1265a4421dd8cf471804b34986ceb04f6dca90a964fa9cacf7136fcf5200d3b056b26a8aaf7dc876f9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1

Filesize
306B

MD5
7ff11e99671f6f44dcf19f098a8e07d3

SHA1
10a36cb46f4923731166484c440402d4525a36f1

SHA256
58a67ff3b5d2c7436faa796b1aaa355bb2f6fa1ea15514103f53199e69f6b65e

SHA512
92796b3c433c5be886598bddb6f6024c65cd09149f8464697e2b4e8933a1a74bbd6bcc5d4fc4e874baa77bcfdab0b6c7a2ef60a8b8cb06c59593d16cdc684cd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019

Filesize
466B

MD5
7be3a290648de1cbc263285b1fcca644

SHA1
da4dfbc6d47a07090f48f60879d0168291ebfff2

SHA256
3a12922397153c58dd7e4ae96251b006b4dcbc84163e23a2cd8b6a111d6c3723

SHA512
4464b303a95ecc35188cd10f6eb89e696d1288c152a51eac1832a5dbdc5d6c8f8ab7e5ae82948233515d53a5fe04887fbb11fd897a5165541250c473848a5b18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E7B158B31D45761A93C56C441E33DD68_75199AA9D5EF05805982F56A43B8D77D

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1

Filesize
208B

MD5
26713b5a9047b1c1cd70a53955f4109a

SHA1
0849fed6c3cb76d329a8b9c45f2f15847fc71c50

SHA256
fdd1d058706c6158f699625f0993544bd019a5be4ad0f4199032d102b90b7637

SHA512
f2f84f11dc5f6c569d301602002812f063d713dd7767ebdc17f5206981c8832171d63f8308fb3677e2ab089c2ff1d6146bbf80dc7c4d9e6528b0ca49dc48e2b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019

Filesize
242B

MD5
6acd0957b5080721d8f9183f0274ed8f

SHA1
32a6afbf52ccb54ee7890e3ffa45c513fe86393a

SHA256
222e228c1b06db57960c5a7a53f804032e1ed85962d5ee4171ddde21f5b08398

SHA512
10a892b0a9e8771ebf6787b423aa04fb2fe4420626e0827ed76ee058861f74b0d916a4b40e19eeef6acfa1aed1691d8fb5ff97e0f5b4bf0b923613157c721ade

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5429054fb71973f52c47ab090ba99a5c

SHA1
7da6289cd573f35266424a381fe687eb43016c7d

SHA256
13677f503bcd0a383a5a6f271a0c1c76a773d4f62f00f9a77f7f0e22480ccbee

SHA512
33b0c55e4ced0bd577b14cd1c8b30367ca70f1076a277c05fb4425733637b15ae81dea6c3989cc009a1d843dd906062842cfefbcbad989275f7ed8d5312b9241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E7B158B31D45761A93C56C441E33DD68_75199AA9D5EF05805982F56A43B8D77D

Filesize
408B

MD5
751c17a3098d528ad164016d9cac1ed0

SHA1
3aac2de0cf9debe7345427c87eae551284935962

SHA256
91e920a2ddcb889770e189dff739c9259a6a5c7de60f10f2433bf2fab580c8cc

SHA512
51552eef29f53a3c100a612cd4b0988251dd70b261751cfcc60a41f4ee3fb78ff58b568cdd0184a09f1962288d93e97e68a5c1583bed892c5d2276c85f5dbcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDC8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI103C.tmp

Filesize
122KB

MD5
2c65cc2f1516e8eed2f01ee5efa60c93

SHA1
fa8ace92bdf6cb522357384b352389d08b0464de

SHA256
1af4d7548834c516d02c04e13f446dfb528e01f3352eabe8a6c7528e4caffeca

SHA512
f5a55023883795a0c27020ffcf6b4a33c37faefa808e45afbeea1f1b8eb07c4b6a82ef4dfc729d66d8cf93f8f7ffaf3f36e0c7c1cd7cddd76934b23380567f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF61.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isF7DB.tmp

Filesize
1KB

MD5
05a53902617b8389ebe59526b29c4727

SHA1
5f3601007600400114e123e6921ba17d42bd4458

SHA256
510965c3acfc11d5544377fc014e6a45125daf21c0b215f1ec190d04116bcce5

SHA512
377b6a275fc5f3a2d49dea98421388ec4989d9529ae51d1778def1467e2cc600f8f28bdbde755e2a12b31b60fb80c972ebec15a78539f4aa53e7d166311ead6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{60ACE07D-6FC9-483D-8ED3-B254D3889D97}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{60ACE07D-6FC9-483D-8ED3-B254D3889D97}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~F7D8.tmp

Filesize
5KB

MD5
417ca8c81188b97bae37f583ff96204e

SHA1
9a0224380f6c4b2b93ab3a9b53b3497ddc2071da

SHA256
70ed121b453afb372a84fb141ddb63795cd3a3738e46dd4300e4d2554adf597d

SHA512
87aea8084c0fce3184a833ecc0b26af7548aa98f7241d7eb84f6d799f782321d9efbdbb614eeccbf8c4a015a0105bd4f3bd4228efb7d507deab104cf228c4aa7

Download Submit