cfab9202f6c69017347df2ecada1d7fd0263ff1ee9e1231a41a46ca59341cd83

Analysis

max time kernel
33s
max time network
16s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06-04-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
Size

470KB
MD5

e27981b6ba846490f620de1b6b540920
SHA1

b15830df5c001fe04f6c7a22d813c91fb6a3e342
SHA256

cfab9202f6c69017347df2ecada1d7fd0263ff1ee9e1231a41a46ca59341cd83
SHA512

8eb92fb7c219bf316284ff51d54f5bfbcca2a68edf0833b0959d0919d2fab89ec83d9ec08a67cdc529a48f5d52685c19683c27d9f8c05716ccd392b7956b36be
SSDEEP

6144:2bN2F3ioCqE5QqBIziip6J3nXkILczaGoEoF03yv2NLo39gu+6nESE2s5IfWAsxt:PF3QjO+XJnJLJEoF0226EbIOA0NN4cR

Score

7^/10

bootkit evasion persistence trojan upx

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
860	e4u.exe
2252	1EuroP.exe
2540	2IC.exe
2680	3E4U - Bucks.exe
2440	6tbp.exe
1816	IR.exe
1516	zf2c.exe
2088	zf2c.exe

Loads dropped DLL 56 IoCs

pid	Process
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
860	e4u.exe
860	e4u.exe
860	e4u.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
2252	1EuroP.exe
2252	1EuroP.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
2540	2IC.exe
2540	2IC.exe
2540	2IC.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
2680	3E4U - Bucks.exe
2680	3E4U - Bucks.exe
2680	3E4U - Bucks.exe
2440	6tbp.exe
2440	6tbp.exe
2440	6tbp.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
2428	rundll32.exe
1816	IR.exe
1816	IR.exe
1816	IR.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
1816	IR.exe
1816	IR.exe
1516	zf2c.exe
1516	zf2c.exe
1516	zf2c.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
1632	rundll32.exe
2132	WerFault.exe
1516	zf2c.exe
2088	zf2c.exe
2088	zf2c.exe
2088	zf2c.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015c78-66.dat	upx
behavioral1/memory/1816-98-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2680-97-0x00000000003C0000-0x00000000003DD000-memory.dmp	upx
behavioral1/memory/1816-129-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1516-139-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1816-150-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/1816-156-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral1/memory/2088-161-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uzizumiruxecab = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\witap32.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ws7s = "C:\\Users\\Admin\\AppData\\Roaming\\zf2c.exe"	IR.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IR.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	2IC.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1612	sc.exe
2160	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2464	2680	WerFault.exe	31
2132	2252	WerFault.exe	29

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IR.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	zf2c.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	zf2c.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2428	rundll32.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1328	Rundll32.exe
Token: SeRestorePrivilege	1328	Rundll32.exe
Token: SeRestorePrivilege	1328	Rundll32.exe
Token: SeRestorePrivilege	1328	Rundll32.exe
Token: SeRestorePrivilege	1328	Rundll32.exe
Token: SeRestorePrivilege	1328	Rundll32.exe
Token: SeRestorePrivilege	1328	Rundll32.exe
Token: SeShutdownPrivilege	2540	2IC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2440	6tbp.exe
2428	rundll32.exe
1816	IR.exe
1816	IR.exe
1816	IR.exe
1516	zf2c.exe
1516	zf2c.exe
1516	zf2c.exe
1632	rundll32.exe
2088	zf2c.exe
2088	zf2c.exe
2088	zf2c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 860	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	28
PID 3048 wrote to memory of 860	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	28
PID 3048 wrote to memory of 860	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	28
PID 3048 wrote to memory of 860	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	28
PID 3048 wrote to memory of 860	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	28
PID 3048 wrote to memory of 860	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	28
PID 3048 wrote to memory of 860	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	28
PID 3048 wrote to memory of 2252	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2252	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2252	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2252	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2252	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2252	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2252	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2540	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2540	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2540	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2540	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2540	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2540	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2540	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2680	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2680	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2680	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2680	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2680	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2680	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2680	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2440	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	32
PID 3048 wrote to memory of 2440	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	32
PID 3048 wrote to memory of 2440	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	32
PID 3048 wrote to memory of 2440	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	32
PID 3048 wrote to memory of 2440	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	32
PID 3048 wrote to memory of 2440	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	32
PID 3048 wrote to memory of 2440	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	32
PID 2440 wrote to memory of 2428	2440	6tbp.exe	34
PID 2440 wrote to memory of 2428	2440	6tbp.exe	34
PID 2440 wrote to memory of 2428	2440	6tbp.exe	34
PID 2440 wrote to memory of 2428	2440	6tbp.exe	34
PID 2440 wrote to memory of 2428	2440	6tbp.exe	34
PID 2440 wrote to memory of 2428	2440	6tbp.exe	34
PID 2440 wrote to memory of 2428	2440	6tbp.exe	34
PID 3048 wrote to memory of 1816	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	33
PID 3048 wrote to memory of 1816	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	33
PID 3048 wrote to memory of 1816	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	33
PID 3048 wrote to memory of 1816	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	33
PID 3048 wrote to memory of 1816	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	33
PID 3048 wrote to memory of 1816	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	33
PID 3048 wrote to memory of 1816	3048	e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe	33
PID 2680 wrote to memory of 2464	2680	3E4U - Bucks.exe	35
PID 2680 wrote to memory of 2464	2680	3E4U - Bucks.exe	35
PID 2680 wrote to memory of 2464	2680	3E4U - Bucks.exe	35
PID 2680 wrote to memory of 2464	2680	3E4U - Bucks.exe	35
PID 2680 wrote to memory of 2464	2680	3E4U - Bucks.exe	35
PID 2680 wrote to memory of 2464	2680	3E4U - Bucks.exe	35
PID 2680 wrote to memory of 2464	2680	3E4U - Bucks.exe	35
PID 1816 wrote to memory of 936	1816	IR.exe	37
PID 1816 wrote to memory of 936	1816	IR.exe	37
PID 1816 wrote to memory of 936	1816	IR.exe	37
PID 1816 wrote to memory of 936	1816	IR.exe	37
PID 1816 wrote to memory of 936	1816	IR.exe	37
PID 1816 wrote to memory of 936	1816	IR.exe	37
PID 1816 wrote to memory of 936	1816	IR.exe	37
PID 1816 wrote to memory of 1612	1816	IR.exe	38

C:\Users\Admin\AppData\Local\Temp\e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e27981b6ba846490f620de1b6b540920_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\e4u.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\e4u.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:860
- C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\1EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\1EuroP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 304
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2132
- C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\2IC.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\2IC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\3E4U - Bucks.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\3E4U - Bucks.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 292
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2464
- C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\6tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\6tbp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\witap32.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2428
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\witap32.dll",iep
      4⤵
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1632
- C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\IR.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\IR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    PID:936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:1536
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    PID:1612
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
    3⤵
    PID:1664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
      4⤵
      PID:1692
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    PID:2160
- - C:\Users\Admin\AppData\Roaming\zf2c.exe
    C:\Users\Admin\AppData\Roaming\zf2c.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1516
  - - C:\Users\Admin\AppData\Roaming\zf2c.exe
      C:\Users\Admin\AppData\Roaming\zf2c.exe -d5E4D7C96A46312CDCA3B8CABBEFA2D287DE8A5D5177575BCF09CB2C401D7C3AB235FFFE2A9D55E00D6A29B34EFD17951FC3F01E975DEFDA16D54F884F68989FBDB92B817DAD2B75B07464E0907FCA2A83403420EF948A5A5DC6E761E15E164E2A3F451433A2411A1894F1D4A9A59E8BD63DEAE9DC893FCCB8CAE450B116E3681D8CEB31A10529B5CC9F8C2917DB9CD4E06EBD0D046BCD5940893BDE2E1001FC117720875E086C6D97522346EC65812B0D9B271C2193B3F8A1E1378F7B880815B3D42B7A56F2344B97909AE34C958B8FED96799DC256B8D1DDB384FDF0CCAFB2C67DB6A66C27006B70203A8391BD10043447191B890E34FFB8C3C5AD29269701BF21C0AA01E963C887D9ADBE792DB6BAD9636E3DABF9056CDBD8AF3BB3F92013B7B37C0370942586598A6403F425CB9558D5B57ED56D4B3823C0FB3C448310E7CDF91F48E46A20BB43F2E115C8140EC0B262DF7B73CB9B74B16BF731922C638403B5E514CDCC245EE9F4DC599E33545229D320B6393C0F3C098634B5F810160DBECC3BF770F7F37C3255617843ED245C96F611D26C3F039434EFD95E55C46A8BD90F767CE64C6541D7FFC006AA57EAD675BF9F5166E2398730722E953E6927063029FB18CA02D4A509932B73570CF7E025BB3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2088
- - C:\Windows\SysWOW64\Rundll32.exe
    Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Roaming\80e71bi6.bat
    3⤵
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy191E.tmp\6tbp.exe

Filesize
124KB

MD5
83fa67b099345f917f1f98861d3518b3

SHA1
097761f15897dace4320f8531cf5cc8c7decd7d4

SHA256
5e685c479a1902a4e389b9c066613af490ef95be803f1d61bec443edd8fbb36d

SHA512
473f30ac31cda24cd325c3cc66cb2c30e943586c943d2ebffff0c3865f4c36dfb0bc5b14d7e508ad8338492d5b961a4149b5a3ee178df39aa91136ed19d195cf

Download Submit
C:\Users\Admin\AppData\Roaming\80e71bi6.bat

Filesize
154B

MD5
94364773b95a14b13a329161981015f3

SHA1
1033cfdf0d58471acb84fdb233b5b921b77e876a

SHA256
a2d2da46b578780ca057e82f71b4fd330143d8baded7aac04e5cf4f2738cf2e1

SHA512
4ad99704de3f931674d2ff6e0513cf1fbe06fd88a1443f75e4dd8f023af8c290816933ff08df02929d82355833f63fb719ede5884c537c29aa23c6e6b1b8ab98

Download Submit
\Users\Admin\AppData\Local\Temp\nsy191E.tmp\1EuroP.exe

Filesize
112KB

MD5
f38c26fecf55152525a26514fff69d55

SHA1
bc07fdd2b280298c6c6e55ab14d6a65d9a86670d

SHA256
a12265b08e82666656c6d32b19884e524ebc17fb64ad1fa500f52538df284731

SHA512
d28e631698e9c05b8853c532dbb2a7f18508789416f72ff45dc705363890fd325f64ccdffdd3b6d3823cec207e3bccbf5efeeb4953f2c063e238642abda127d0

Download Submit
\Users\Admin\AppData\Local\Temp\nsy191E.tmp\2IC.exe

Filesize
189KB

MD5
da4b235fd9911417a371bbc31d9efe31

SHA1
3fee692aa49299e5f350ea35b1306e821498b298

SHA256
128f9985aaf014ea50a7385009f661b631ef4fbb336ec4c0639cc1c2b2a857a2

SHA512
f00ace75590ecb16a33254d0ffefc503ee373698c68f984463a83af634881a700982b079c1fc7760e2e5f46d12ab86b0768da39c81b17b4324e6fb95d067ef2f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy191E.tmp\3E4U - Bucks.exe

Filesize
25KB

MD5
c2843e6d91b543622030f50878a5a73d

SHA1
a1594ac083039ba3365cb6fe486e6e69d098229b

SHA256
d6959e93c6fed6115e733bcdebd8b831e79a0f01488ade309f87135346cc61f5

SHA512
72260c6d2664347c38279a20bee7c8f3c1ede0576ee60a7ccd63fced9c4589279b4c7cd062f376dcca645aa5c00554c3aedc832b72a6912eaf776ea1badf1581

Download Submit
\Users\Admin\AppData\Local\Temp\nsy191E.tmp\IR.exe

Filesize
61KB

MD5
03019043f2fb9601a4e6b5aca7f200fc

SHA1
e496986cf539b906b519afd282623619da515386

SHA256
e63371b06dcbfc7cfc4bc4d5112606a743f5f6b88475ed54c69a61273ccfa9e1

SHA512
d920d9e588801aaa31802e208dd28ed524155e4c634ba1068ea39512da45872fd80057a4ca05e9acbeaeb6f7360878afab9275efdd96eab6be55d77b2e021ffa

Download Submit
\Users\Admin\AppData\Local\Temp\nsy191E.tmp\e4u.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
\Users\Admin\AppData\Local\witap32.dll

Filesize
124KB

MD5
5d1db53c47d779cae3e2bb67d47801dc

SHA1
7a97c8f334564d63545a80892c0557af7efa5bae

SHA256
cf48ed37d159920d6232fe45094d22f07243bbc1e04cc7ab9e0bc827bbb0e187

SHA512
e818219aee3d51bf027f003cd4ff30cf23f6f55137a92ee0ad02ca0b2c46f943ce15f8ab5405acd6ee565c960bfe673a5c19a4e2a5f690c3515916833e096bc3

Download Submit
memory/1516-121-0x0000000003800000-0x0000000004862000-memory.dmp

Filesize
16.4MB

Download
memory/1516-160-0x0000000002CC0000-0x0000000002CF0000-memory.dmp

Filesize
192KB

Download
memory/1516-139-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1632-159-0x0000000002190000-0x00000000021D0000-memory.dmp

Filesize
256KB

Download
memory/1816-156-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1816-150-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1816-129-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1816-98-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1816-114-0x0000000002E10000-0x0000000002E40000-memory.dmp

Filesize
192KB

Download
memory/1816-105-0x00000000036D0000-0x0000000004732000-memory.dmp

Filesize
16.4MB

Download
memory/1816-99-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/2088-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2088-163-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2088-166-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2088-167-0x0000000003700000-0x0000000004762000-memory.dmp

Filesize
16.4MB

Download
memory/2088-165-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2252-100-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2252-125-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2428-82-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2428-133-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2428-151-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2428-102-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/2440-128-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2440-101-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2440-65-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2540-96-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2540-58-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2540-60-0x0000000000250000-0x0000000000295000-memory.dmp

Filesize
276KB

Download
memory/2680-89-0x0000000002760000-0x0000000002AA0000-memory.dmp

Filesize
3.2MB

Download
memory/2680-97-0x00000000003C0000-0x00000000003DD000-memory.dmp

Filesize
116KB

Download
memory/3048-76-0x0000000002F10000-0x0000000002F40000-memory.dmp

Filesize
192KB

Download