ac4b37a2facba94ee05030e6ef3a0898b6078a96bbb798ae9c1e6d075827beb2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe
Size

398KB
MD5

fbc2c420abf78cac67f0ad1b699d498a
SHA1

6d8b9ca17a5c7ce312108a7a8ea36c5052bc0c05
SHA256

ac4b37a2facba94ee05030e6ef3a0898b6078a96bbb798ae9c1e6d075827beb2
SHA512

8a131e3bc8d86c9a97c7b749eea520561a92d05a2c7fb02f18facf9be246ad508ba1a73b0ea1779573a800c336b3c3a8265e6532fefa473756d2fcb15f25a569
SSDEEP

12288:0BZHH6OfVl9JvtJ5mVicCocaC+jbDEdzknOhzEvboE:8aOdltJ5mVqMlbarhgvsE

Score

8^/10

evasion persistence trojan upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

7bsxzxl.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 7bsxzxl.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	7bsxzxl.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3E4U - Bucks.exe1EuroP.exefbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	3E4U - Bucks.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	1EuroP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe

Executes dropped EXE 8 IoCs

Processes:

cb.exe1EuroP.exe2IC.exe3E4U - Bucks.exe6tbp.exeIR.exe7bsxzxl.exe7bsxzxl.exe

pid process

1016 cb.exe
4872 1EuroP.exe
4556 2IC.exe
1048 3E4U - Bucks.exe
4180 6tbp.exe
1524 IR.exe
4532 7bsxzxl.exe
5004 7bsxzxl.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4628 rundll32.exe
2648 rundll32.exe

pid	process
1016	cb.exe
4872	1EuroP.exe
4556	2IC.exe
1048	3E4U - Bucks.exe
4180	6tbp.exe
1524	IR.exe
4532	7bsxzxl.exe
5004	7bsxzxl.exe

pid	process
4628	rundll32.exe
2648	rundll32.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\IR.exe	upx
behavioral2/memory/1048-71-0x0000000000880000-0x000000000089B000-memory.dmp	upx
behavioral2/memory/1524-77-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1524-102-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4532-110-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/5004-111-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/5004-141-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4532-145-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exeIR.exeRundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Czowidac = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\debd140.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\46f2 = "C:\\Users\\Admin\\AppData\\Roaming\\7bsxzxl.exe"	IR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	Rundll32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

IR.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA IR.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

3880 sc.exe
2684 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2304 4556 WerFault.exe 2IC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IR.exe

pid	process
3880	sc.exe
2684	sc.exe

pid	pid_target	process	target process
2304	4556	WerFault.exe	2IC.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

3E4U - Bucks.exerundll32.exe

pid	process
1048	3E4U - Bucks.exe
1048	3E4U - Bucks.exe
1048	3E4U - Bucks.exe
1048	3E4U - Bucks.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe
4628	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3E4U - Bucks.exe

description pid process

Token: SeIncBasePriorityPrivilege 1048 3E4U - Bucks.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1048	3E4U - Bucks.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

6tbp.exerundll32.exeIR.exe7bsxzxl.exe7bsxzxl.exerundll32.exe

pid	process
4180	6tbp.exe
4628	rundll32.exe
1524	IR.exe
1524	IR.exe
1524	IR.exe
4532	7bsxzxl.exe
4532	7bsxzxl.exe
4532	7bsxzxl.exe
5004	7bsxzxl.exe
5004	7bsxzxl.exe
5004	7bsxzxl.exe
2648	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe6tbp.exe3E4U - Bucks.exe1EuroP.exeIR.exenet.exenet.exeRundll32.exe7bsxzxl.exerunonce.exerundll32.exe

description	pid	process	target process
PID 4476 wrote to memory of 1016	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	cb.exe
PID 4476 wrote to memory of 1016	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	cb.exe
PID 4476 wrote to memory of 1016	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	cb.exe
PID 4476 wrote to memory of 4872	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	1EuroP.exe
PID 4476 wrote to memory of 4872	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	1EuroP.exe
PID 4476 wrote to memory of 4872	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	1EuroP.exe
PID 4476 wrote to memory of 4556	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	2IC.exe
PID 4476 wrote to memory of 4556	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	2IC.exe
PID 4476 wrote to memory of 4556	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	2IC.exe
PID 4476 wrote to memory of 1048	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	3E4U - Bucks.exe
PID 4476 wrote to memory of 1048	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	3E4U - Bucks.exe
PID 4476 wrote to memory of 1048	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	3E4U - Bucks.exe
PID 4476 wrote to memory of 4180	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	6tbp.exe
PID 4476 wrote to memory of 4180	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	6tbp.exe
PID 4476 wrote to memory of 4180	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	6tbp.exe
PID 4476 wrote to memory of 1524	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	IR.exe
PID 4476 wrote to memory of 1524	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	IR.exe
PID 4476 wrote to memory of 1524	4476	fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe	IR.exe
PID 4180 wrote to memory of 4628	4180	6tbp.exe	rundll32.exe
PID 4180 wrote to memory of 4628	4180	6tbp.exe	rundll32.exe
PID 4180 wrote to memory of 4628	4180	6tbp.exe	rundll32.exe
PID 1048 wrote to memory of 1468	1048	3E4U - Bucks.exe	cmd.exe
PID 1048 wrote to memory of 1468	1048	3E4U - Bucks.exe	cmd.exe
PID 1048 wrote to memory of 1468	1048	3E4U - Bucks.exe	cmd.exe
PID 4872 wrote to memory of 4040	4872	1EuroP.exe	cmd.exe
PID 4872 wrote to memory of 4040	4872	1EuroP.exe	cmd.exe
PID 4872 wrote to memory of 4040	4872	1EuroP.exe	cmd.exe
PID 1524 wrote to memory of 2856	1524	IR.exe	net.exe
PID 1524 wrote to memory of 2856	1524	IR.exe	net.exe
PID 1524 wrote to memory of 2856	1524	IR.exe	net.exe
PID 1524 wrote to memory of 2684	1524	IR.exe	sc.exe
PID 1524 wrote to memory of 2684	1524	IR.exe	sc.exe
PID 1524 wrote to memory of 2684	1524	IR.exe	sc.exe
PID 1524 wrote to memory of 2236	1524	IR.exe	net.exe
PID 1524 wrote to memory of 2236	1524	IR.exe	net.exe
PID 1524 wrote to memory of 2236	1524	IR.exe	net.exe
PID 1524 wrote to memory of 3880	1524	IR.exe	sc.exe
PID 1524 wrote to memory of 3880	1524	IR.exe	sc.exe
PID 1524 wrote to memory of 3880	1524	IR.exe	sc.exe
PID 1524 wrote to memory of 4532	1524	IR.exe	7bsxzxl.exe
PID 1524 wrote to memory of 4532	1524	IR.exe	7bsxzxl.exe
PID 1524 wrote to memory of 4532	1524	IR.exe	7bsxzxl.exe
PID 1524 wrote to memory of 3124	1524	IR.exe	Rundll32.exe
PID 1524 wrote to memory of 3124	1524	IR.exe	Rundll32.exe
PID 1524 wrote to memory of 3124	1524	IR.exe	Rundll32.exe
PID 2856 wrote to memory of 60	2856	net.exe	net1.exe
PID 2856 wrote to memory of 60	2856	net.exe	net1.exe
PID 2856 wrote to memory of 60	2856	net.exe	net1.exe
PID 2236 wrote to memory of 4888	2236	net.exe	net1.exe
PID 2236 wrote to memory of 4888	2236	net.exe	net1.exe
PID 2236 wrote to memory of 4888	2236	net.exe	net1.exe
PID 3124 wrote to memory of 4464	3124	Rundll32.exe	runonce.exe
PID 3124 wrote to memory of 4464	3124	Rundll32.exe	runonce.exe
PID 3124 wrote to memory of 4464	3124	Rundll32.exe	runonce.exe
PID 1524 wrote to memory of 4084	1524	IR.exe	cmd.exe
PID 1524 wrote to memory of 4084	1524	IR.exe	cmd.exe
PID 1524 wrote to memory of 4084	1524	IR.exe	cmd.exe
PID 4532 wrote to memory of 5004	4532	7bsxzxl.exe	7bsxzxl.exe
PID 4532 wrote to memory of 5004	4532	7bsxzxl.exe	7bsxzxl.exe
PID 4532 wrote to memory of 5004	4532	7bsxzxl.exe	7bsxzxl.exe
PID 4464 wrote to memory of 3640	4464	runonce.exe	grpconv.exe
PID 4464 wrote to memory of 3640	4464	runonce.exe	grpconv.exe
PID 4464 wrote to memory of 3640	4464	runonce.exe	grpconv.exe
PID 4628 wrote to memory of 2648	4628	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbc2c420abf78cac67f0ad1b699d498a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\cb.exe
"C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\cb.exe"
2⤵
- Executes dropped EXE
PID:1016

C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\1EuroP.exe
"C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\1EuroP.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Dfb..bat" > nul 2> nul
3⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\2IC.exe
"C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\2IC.exe"
2⤵
- Executes dropped EXE
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 476
3⤵
- Program crash
PID:2304

C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\3E4U - Bucks.exe
"C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\3E4U - Bucks.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\3E4U-B~1.EXE > nul
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\6tbp.exe
"C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\6tbp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\debd140.dll",Startup
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\debd140.dll",iep
4⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\IR.exe
"C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\IR.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\net.exe
net.exe stop "Security Center"
3⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
4⤵
PID:60

C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= DISABLED
3⤵
- Launches sc.exe
PID:2684

C:\Windows\SysWOW64\net.exe
net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
3⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
4⤵
PID:4888

C:\Windows\SysWOW64\sc.exe
sc config SharedAccess start= DISABLED
3⤵
- Launches sc.exe
PID:3880

C:\Users\Admin\AppData\Roaming\7bsxzxl.exe
C:\Users\Admin\AppData\Roaming\7bsxzxl.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Roaming\7bsxzxl.exe
C:\Users\Admin\AppData\Roaming\7bsxzxl.exe -d1300719BFA3D24FB4DBC0A2D9ADE484D158055250A683EF796FAE59366B04A225A262835324E6937B2C63C93E2DCCFE7579404ECA00B94C851687C004936ABD9185149E6B9B113FFFABB94D348B3515BBC8B195594251D1D84367B1381755CDAF6A1DBC97F614EFE9E58A8FF0CCF095C8E33B98A79222611486A99D7F08EBA0BDEC8228BB6F4875557664D1EAE6A740B55B848481FE53B04F56EC996B65762BFF792A2DFCFBB6C771F4896CCF06E50CEDAB16CDF96B32A93252841CE350D31D7ABD422307A37E9142D5DDB41D34299DF2799094C317F0091B15277E70CCA4493A31FA7ABA81A2B9AFCFDAE3F98528DCE85B0456C80F30ABEB1011E961EE5F893C82674DE8C049F2B44A3E6DABFF6A96F7BDB85BC547BD44F7F482C648C21EAD0430F0FF895DEF3CEFFC197E80B15A945D5036ED4BE3C2C1DB487D5A2B6CFF7857D333E44749013AC6475175A7BBA8A6D9992E4A40F8A1FE3288190FA3DD93C441E7B05181B052C87EE3CFAA651878AED13BC0C64D88BFAC9F60D1105028216AD113EA961BBCBAB5F552615860EE226AAC9C74D76EAD9493375C64C3C273D23367E19AF06C4663E7792117E1473A81AD086244AA9571ADA313E1B78CA0C603E35CEA0DCE9E86DD13ADE7D893180F964E753B6E897
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\SysWOW64\Rundll32.exe
Rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Roaming\mdinstall.inf
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:3640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\1t81u4bzz.bat
3⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4556 -ip 4556
1⤵
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dfb..bat
Filesize
182B

MD5
faed44628015085176de7c494aac4f9c

SHA1
f0e178d40f0cd0ecceb198f251c5a55c814a3f8a

SHA256
9c88a32285778a499c48fcb241dc5de915e44e3752d11e2f92eab1d26fbaab89

SHA512
9e188350566e46ce5900927f44d26e43862ca80ed6790040b36703db63c013e012821e28d67941407f5cfa6d85299ee3bf1f55ac0dc341e673efbd8b85e27d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\1EuroP.exe
Filesize
75KB

MD5
87fb5442c7843acf787ea54f50d27ef3

SHA1
e2c0bc89abdf1cc14f030633b8520fa488c2ee7c

SHA256
40abf4fe2142f94b0a9b6ebf933423b47a975b4b6a67332545e9dc7afcfbd1e2

SHA512
09307d21725976717bd162c019ffccd3f7667eee0506de009df99ce52d220b56452530df51275638a5298ac11ca6ab3b11ce29270e5f8b66c8547f34c407488c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\2IC.exe
Filesize
168KB

MD5
84d7956209c39cde3b9b02d1b6c64113

SHA1
9feb8cb82f178be3180d033d9b1715b0d5114c58

SHA256
28e120376e926940dc45f8cc2f9193457bf8b89671901453d30e996ca617a29a

SHA512
03a55ad0b5ec4913b3a53b6cb67afbf661c0321a6e059a6e01272c9e7fc10935c2f9297640d905eeb3d00a1b5154269052be4b6bf74627c3577722ea7c91ee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\3E4U - Bucks.exe
Filesize
29KB

MD5
bc1e9eefab202aa96ca36e2de9e0d167

SHA1
2a7f254e2ede629db228f95075eaa9c74f5f7586

SHA256
e5775cc832c611d33bae42484d318e62b374fcf8786f11d5ae8087e5fb6d011f

SHA512
8e8c00acae442246de1aaf821d7f0a5a3d77c64f3946ad48caebdf841b790472be2f4bdc6027103ca695f10101869382e5a43aec023164d0fac136bb8528a773

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\6tbp.exe
Filesize
112KB

MD5
e9f63abc82ffabfaa4c325da1554af7c

SHA1
9bd51f5695225f7a13a44a03d0eac2b1339dab5f

SHA256
7ff56015fd3fe7ccec00eb198318d8647c0c3386974f1889abc632a55ceafa80

SHA512
2721a5cdae7c0a066defe65b7e9e4f15bab7b0ffbffe0eb72e2c3d21c0f2fe547def37df3ec1c7ccdae7a89383d9514d44f386e0c0ab8f14b69c666f9c8b8ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\IR.exe
Filesize
61KB

MD5
b4060ce0c8f8a3bad7a63b9fa95c1464

SHA1
f77bb4306747258219f2b97693d62eedc438ccae

SHA256
cd964af4e62c9007c4aaedd9ccab5cf84a78b51e11332ded2b591c81b23872d6

SHA512
35eb45b85f3166a5f007465911e04669e8182df1cf23815ab109868507c95479561950faf918afe8d3664a6f0f04492d6742b74369d7e85f1090f964ecb9544e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw320E.tmp\cb.exe
Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\debd140.dll
Filesize
112KB

MD5
7131c18f90b51938fbe7f4e5744a82b6

SHA1
3c69d3e7b45bd4a6d2aaf8096a6448b93fd4f550

SHA256
0fff9ca615a9371402721e8b3a4c99ef846bff7e5e663b764660edae138f5fa7

SHA512
dc982b471b0bc27e5358bb5ca3fa948a76d407251f66c040e8499a07e104f41d53a85db398b6bf2e709347dda55dee062005adfd2bc19263051a05ef0382135b

Download Submit
C:\Users\Admin\AppData\Roaming\1t81u4bzz.bat
Filesize
154B

MD5
9a2c00e9992230ba51b706fd1904507f

SHA1
85457d22b2f73770f4c5d4595b581a978114b89a

SHA256
c67be55b949b9133e35150a729d9b6515145d1db872ebb2a22f8e6fa18e0d4d0

SHA512
1a9ede97557916b84954584561186bc7c0612ed0a0f44c2b279d9687f78a3461654852c467f5d41bcfb64e9939ae7c8de684c9a0ddcdb6509eed2f6779f8640c

Download Submit
C:\Users\Admin\AppData\Roaming\mdinstall.inf
Filesize
410B

MD5
3ccb3b743b0d79505a75476800c90737

SHA1
b5670f123572972883655ef91c69ecc2be987a63

SHA256
5d96bec9bc06fd8d7abc11efbb3cb263844ee0416910f63581dd7848b4e1d8dd

SHA512
09b1cdd4393f515f7569fbccc3f63051823ed7292b6e572bc9a34e4389b727b2914b22118e874864ccb32ef63016b2abd6d84510fd46fdee712fd84be59c114e

Download Submit
memory/1048-63-0x0000000002930000-0x00000000032D0000-memory.dmp

Filesize
9.6MB

Download
memory/1048-71-0x0000000000880000-0x000000000089B000-memory.dmp

Filesize
108KB

Download
memory/1524-102-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1524-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2648-130-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/2648-124-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2648-123-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2648-135-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2648-136-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/4180-64-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/4180-62-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4180-112-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/4180-75-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/4180-108-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4532-110-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4532-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4628-113-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4628-81-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4628-79-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4628-82-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4628-109-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4628-114-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/4628-122-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4628-127-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4872-85-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/4872-84-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/4872-88-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4872-40-0x0000000001F60000-0x0000000001F85000-memory.dmp

Filesize
148KB

Download
memory/4872-43-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5004-111-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5004-141-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download