4d474f2446a19534f555ddae0e563a4a5f24d8c3792f64402386c2a2d5bdecbf

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd185630944384dd09cdd36183680843_JaffaCakes118.exe
Size

986KB
MD5

fd185630944384dd09cdd36183680843
SHA1

03e0d1d4a83fd7524a1188e4d903c55758b39873
SHA256

4d474f2446a19534f555ddae0e563a4a5f24d8c3792f64402386c2a2d5bdecbf
SHA512

cc0542a65765de2c5259162e06c35d415967840663fcb2f9d0467d9df792b16e79dfae45d9fa1970f10bd60abefa0dd289227056525f96f918eff8e40bb61ac6
SSDEEP

24576:FMYpZTbD+LLwTVujH88kC1xTti9wuyECfKR/kZZ2QOKc9Yuz6hn:ta/uKkC1xmnpTQOK4zzCn

Score

10^/10

adware bootkit evasion persistence stealer upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 11 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

102600.exejava.exejava.exeupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	102600.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\temp\102600.exe = "C:\\temp\\102600.exe:*:Enabled:DM"	102600.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	java.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system\java.exe = "C:\\Windows\\system\\java.exe:*:Enabled:java.exe"	java.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica	102600.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	102600.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	102600.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\	102600.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\pcast\PodcastbarMini\update.exe = "C:\\Program Files (x86)\\pcast\\PodcastbarMini\\update.exe:*:Enabled:Share Streaming"	update.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system\java.exe = "C:\\Windows\\system\\java.exe:*:Enabled:java.exe"	java.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	java.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Windows\SysWOW64\WinSC.dll	acprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

boba_super_update-1.0.0.1_Ete_067.exe10059.exe2049.exenewweb10296.EXEfd185630944384dd09cdd36183680843_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	boba_super_update-1.0.0.1_Ete_067.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	10059.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2049.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	newweb10296.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fd185630944384dd09cdd36183680843_JaffaCakes118.exe

Executes dropped EXE 17 IoCs

Processes:

2049.exe102600.exe10059.exe2049.exewd2_051117_WIS271_mini.exenewweb10296.EXEboba_super_update-1.0.0.1_Ete_067.exespoolsv.exe2049.exeupdate.exeLoadam.exetool.exemssv.exeGLJ1941.tmpjava.exemssv.exejava.exe

pid	process
3316	2049.exe
4436	102600.exe
3664	10059.exe
1972	2049.exe
3920	wd2_051117_WIS271_mini.exe
3216	newweb10296.EXE
2224	boba_super_update-1.0.0.1_Ete_067.exe
4040	spoolsv.exe
4640	2049.exe
2712	update.exe
2524	Loadam.exe
4748	tool.exe
4636	mssv.exe
2460	GLJ1941.tmp
3912	java.exe
4140	mssv.exe
4232	java.exe

Loads dropped DLL 5 IoCs

Processes:

2049.exeboba_super_update-1.0.0.1_Ete_067.exenewweb10296.EXEspoolsv.exeGLJ1941.tmp

pid process

1972 2049.exe
2224 boba_super_update-1.0.0.1_Ete_067.exe
3216 newweb10296.EXE
4040 spoolsv.exe
2460 GLJ1941.tmp

pid	process
1972	2049.exe
2224	boba_super_update-1.0.0.1_Ete_067.exe
3216	newweb10296.EXE
4040	spoolsv.exe
2460	GLJ1941.tmp

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3964-0-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3964-13-0x0000000000400000-0x0000000000426000-memory.dmp	upx
C:\temp\102600.exe	upx
behavioral2/memory/3964-68-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4436-32-0x0000000000400000-0x000000000043E000-memory.dmp	upx
C:\Windows\SysWOW64\WinSC.dll	upx
behavioral2/memory/2460-168-0x0000000010000000-0x0000000010043000-memory.dmp	upx
behavioral2/memory/4436-176-0x0000000000400000-0x000000000043E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exejava.exewd2_051117_WIS271_mini.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSService_v1.0 = "C:\\Windows\\system\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSService_v1.0 = "C:\\Windows\\system\\java.exe"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spoolsv = "C:\\Windows\\system32\\spoolsv\\spoolsv.exe -printer"	wd2_051117_WIS271_mini.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

GLJ1941.tmpboba_super_update-1.0.0.1_Ete_067.exe2049.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ACEEE31-1440-471B-AA46-72B061FE7D61}	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ACEEE31-1440-471B-AA46-72B061FE7D61}\ = "NewWeb Controller"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}	boba_super_update-1.0.0.1_Ete_067.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16A770A0-0E87-4278-B748-2460D64A8386}	2049.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

GLJ1941.tmp

description ioc process

File opened for modification \??\PhysicalDrive0 GLJ1941.tmp

description	ioc	process
File opened for modification	\??\PhysicalDrive0	GLJ1941.tmp

Drops file in System32 directory 15 IoCs

Processes:

wd2_051117_WIS271_mini.exenewweb10296.EXEboba_super_update-1.0.0.1_Ete_067.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\32F77AC0.094	wd2_051117_WIS271_mini.exe
File created	C:\Windows\SysWOW64\msicn\msibm.dll	wd2_051117_WIS271_mini.exe
File opened for modification	C:\Windows\SysWOW64\msicn\fin.vxd	wd2_051117_WIS271_mini.exe
File created	C:\Windows\SysWOW64\spoolsv\spoolsv.exe	wd2_051117_WIS271_mini.exe
File created	C:\Windows\SysWOW64\msicn\plugins\bse.dll	wd2_051117_WIS271_mini.exe
File opened for modification	C:\Windows\SysWOW64\mssv.exe	newweb10296.EXE
File created	C:\Windows\SysWOW64\guid.vxd	wd2_051117_WIS271_mini.exe
File created	C:\Windows\SysWOW64\GLBSINST.%$D	newweb10296.EXE
File created	C:\Windows\SysWOW64\32F77AC0.094	wd2_051117_WIS271_mini.exe
File created	C:\Windows\SysWOW64\msicn\fin.vxd	wd2_051117_WIS271_mini.exe
File created	C:\Windows\SysWOW64\~GLH0001.TMP	newweb10296.EXE
File created	C:\Windows\SysWOW64\sysreal32.dll	boba_super_update-1.0.0.1_Ete_067.exe
File opened for modification	C:\Windows\SysWOW64\guid.vxd	wd2_051117_WIS271_mini.exe
File created	C:\Windows\SysWOW64\~GLH0000.TMP	newweb10296.EXE
File opened for modification	C:\Windows\SysWOW64\WinSC.dll	newweb10296.EXE

Drops file in Program Files directory 2 IoCs

Processes:

boba_super_update-1.0.0.1_Ete_067.exe

description	ioc	process
File created	C:\Program Files (x86)\pcast\PodcastbarMini\update.exe	boba_super_update-1.0.0.1_Ete_067.exe
File created	C:\Program Files (x86)\pcast\PodcastbarMini\download.ini	boba_super_update-1.0.0.1_Ete_067.exe

Drops file in Windows directory 7 IoCs

Processes:

mssv.exejava.exemssv.exejava.exe102600.exe

description	ioc	process
File opened for modification	C:\Windows\system\java.exe	mssv.exe
File created	C:\Windows\system\java.exe	mssv.exe
File opened for modification	C:\Windows\system\DVL~1	java.exe
File opened for modification	C:\Windows\system\java.exe	mssv.exe
File created	C:\Windows\system\java.exe	mssv.exe
File opened for modification	C:\Windows\system\DVL~1	java.exe
File created	C:\Windows\Tasks\DM_Install_Program.job	102600.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\temp\boba_super_update-1.0.0.1_Ete_067.exe	nsis_installer_1

Modifies registry class 64 IoCs

Processes:

GLJ1941.tmp2049.exeboba_super_update-1.0.0.1_Ete_067.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SCIntruder.Settings\CurVer	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCC53A8D-67A8-4E8F-B972-D4668D1A7424}\ = "IWindowEventsHandler"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}\ProgID	2049.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib	boba_super_update-1.0.0.1_Ete_067.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{35A69597-0E2A-4100-A394-C6F6FC2535B9}\ = "NewWeb Controller"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}	2049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\TypeLib\ = "{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}"	2049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86DC8694-AACC-4CE6-B8EC-A75DEEDA698D}\ = "Settings Class"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BCC53A8D-67A8-4E8F-B972-D4668D1A7424}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D8CA513-282F-4E40-8971-F5EE879AF7FD}\InprocServer32\ThreadingModel = "Apartment"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCC53A8D-67A8-4E8F-B972-D4668D1A7424}\TypeLib	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F}\TypeLib	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper\CLSID\ = "{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}"	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\sysreal32.dll"	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SCIntruder.DocumentEventsHandler.1\CLSID\ = "{DED96F80-2B97-407C-8E09-D7233448753F}"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{566CB5F7-D9FA-4B01-8A1A-168F706CBE41}\TypeLib	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NewWebController.Intruder.1\CLSID\ = "{9ACEEE31-1440-471B-AA46-72B061FE7D61}"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CD75223-E010-4BE9-9027-7A53533EA4F6}\1.0\0\win32	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{172754B6-06EA-49D5-B1E1-7D821E23C5E9}\ProxyStubClsid32	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2049.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DED96F80-2B97-407C-8E09-D7233448753F}\ProgID	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DED96F80-2B97-407C-8E09-D7233448753F}\ProgID\ = "SCIntruder.DocumentEventsHandler.1"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SCIntruder.Magazines\ = "Magazines Class"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewWebController.Intruder\CLSID	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36F305AA-4452-4FE0-9275-28F21E2A2F15}\ = "IService"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\CurVer	2049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0"	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\TypeLib\Version = "1.0"	2049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SCIntruder.Settings.1\ = "Settings Class"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1F6E94D-8EA2-4EC9-914D-138BC55AE105}\TypeLib	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B513A7FC-BC53-4077-ABE3-5BD321AF651D}\TypeLib\ = "{5CD75223-E010-4BE9-9027-7A53533EA4F6}"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Chajian.ChajianHelper\CurVer	boba_super_update-1.0.0.1_Ete_067.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	boba_super_update-1.0.0.1_Ete_067.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{566CB5F7-D9FA-4B01-8A1A-168F706CBE41}\InprocServer32	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5CD75223-E010-4BE9-9027-7A53533EA4F6}\1.0\FLAGS\ = "0"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F}	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B513A7FC-BC53-4077-ABE3-5BD321AF651D}\TypeLib	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}\ProgID\ = "Chajian.ChajianHelper.1"	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5668031-4BDE-43D4-8766-8E9AAC16C56E}\InprocServer32\ThreadingModel = "Apartment"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewWebController.Intruder\CurVer	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172754B6-06EA-49D5-B1E1-7D821E23C5E9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F}\TypeLib	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B631EFA-EBD5-4829-ABB3-1AFB96E2EA4F}\ = "ISettings"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C5668031-4BDE-43D4-8766-8E9AAC16C56E}\AppID = "{35A69597-0E2A-4100-A394-C6F6FC2535B9}"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1F6E94D-8EA2-4EC9-914D-138BC55AE105}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{172754B6-06EA-49D5-B1E1-7D821E23C5E9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36F305AA-4452-4FE0-9275-28F21E2A2F15}\TypeLib	GLJ1941.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NewWebController.Intruder.1\CLSID	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D1F6E94D-8EA2-4EC9-914D-138BC55AE105}\TypeLib\Version = "1.0"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{172754B6-06EA-49D5-B1E1-7D821E23C5E9}\TypeLib\Version = "1.0"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16A770A0-0E87-4278-B748-2460D64A8386}\TypeLib\ = "{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}"	2049.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2511DE40-34A3-4C6A-B1B2-C5C92A2F00BE}\1.0\HELPDIR	2049.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A4BC2506-C00C-4D2E-B47F-0BB4C2C74CCF}\ProxyStubClsid32	2049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0"	boba_super_update-1.0.0.1_Ete_067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DED96F80-2B97-407C-8E09-D7233448753F}\ = "DocumentEventsHandler Class"	GLJ1941.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.MyIEHelper\CLSID\ = "{16A770A0-0E87-4278-B748-2460D64A8386}"	2049.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{566CB5F7-D9FA-4B01-8A1A-168F706CBE41}\VersionIndependentProgID	GLJ1941.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{566CB5F7-D9FA-4B01-8A1A-168F706CBE41}\ProgID	GLJ1941.tmp

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

spoolsv.exe

pid	process
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

spoolsv.exetool.exe

pid process

4040 spoolsv.exe
4748 tool.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

fd185630944384dd09cdd36183680843_JaffaCakes118.exe2049.exewd2_051117_WIS271_mini.exe2049.exeboba_super_update-1.0.0.1_Ete_067.exe10059.exe2049.exenewweb10296.EXELoadam.exemssv.exemssv.exe

description	pid	process	target process
PID 3964 wrote to memory of 3316	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	2049.exe
PID 3964 wrote to memory of 3316	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	2049.exe
PID 3964 wrote to memory of 3316	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	2049.exe
PID 3964 wrote to memory of 4436	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	102600.exe
PID 3964 wrote to memory of 4436	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	102600.exe
PID 3964 wrote to memory of 4436	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	102600.exe
PID 3964 wrote to memory of 3664	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	10059.exe
PID 3964 wrote to memory of 3664	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	10059.exe
PID 3964 wrote to memory of 3664	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	10059.exe
PID 3316 wrote to memory of 1972	3316	2049.exe	2049.exe
PID 3316 wrote to memory of 1972	3316	2049.exe	2049.exe
PID 3316 wrote to memory of 1972	3316	2049.exe	2049.exe
PID 3964 wrote to memory of 3920	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	wd2_051117_WIS271_mini.exe
PID 3964 wrote to memory of 3920	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	wd2_051117_WIS271_mini.exe
PID 3964 wrote to memory of 3920	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	wd2_051117_WIS271_mini.exe
PID 3964 wrote to memory of 3216	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	newweb10296.EXE
PID 3964 wrote to memory of 3216	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	newweb10296.EXE
PID 3964 wrote to memory of 3216	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	newweb10296.EXE
PID 3964 wrote to memory of 2224	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	boba_super_update-1.0.0.1_Ete_067.exe
PID 3964 wrote to memory of 2224	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	boba_super_update-1.0.0.1_Ete_067.exe
PID 3964 wrote to memory of 2224	3964	fd185630944384dd09cdd36183680843_JaffaCakes118.exe	boba_super_update-1.0.0.1_Ete_067.exe
PID 3920 wrote to memory of 4040	3920	wd2_051117_WIS271_mini.exe	spoolsv.exe
PID 3920 wrote to memory of 4040	3920	wd2_051117_WIS271_mini.exe	spoolsv.exe
PID 3920 wrote to memory of 4040	3920	wd2_051117_WIS271_mini.exe	spoolsv.exe
PID 1972 wrote to memory of 4640	1972	2049.exe	2049.exe
PID 1972 wrote to memory of 4640	1972	2049.exe	2049.exe
PID 1972 wrote to memory of 4640	1972	2049.exe	2049.exe
PID 2224 wrote to memory of 2712	2224	boba_super_update-1.0.0.1_Ete_067.exe	update.exe
PID 2224 wrote to memory of 2712	2224	boba_super_update-1.0.0.1_Ete_067.exe	update.exe
PID 2224 wrote to memory of 2712	2224	boba_super_update-1.0.0.1_Ete_067.exe	update.exe
PID 3664 wrote to memory of 2524	3664	10059.exe	Loadam.exe
PID 3664 wrote to memory of 2524	3664	10059.exe	Loadam.exe
PID 3664 wrote to memory of 2524	3664	10059.exe	Loadam.exe
PID 4640 wrote to memory of 4748	4640	2049.exe	tool.exe
PID 4640 wrote to memory of 4748	4640	2049.exe	tool.exe
PID 4640 wrote to memory of 4748	4640	2049.exe	tool.exe
PID 3216 wrote to memory of 4636	3216	newweb10296.EXE	mssv.exe
PID 3216 wrote to memory of 4636	3216	newweb10296.EXE	mssv.exe
PID 3216 wrote to memory of 4636	3216	newweb10296.EXE	mssv.exe
PID 3216 wrote to memory of 2460	3216	newweb10296.EXE	GLJ1941.tmp
PID 3216 wrote to memory of 2460	3216	newweb10296.EXE	GLJ1941.tmp
PID 3216 wrote to memory of 2460	3216	newweb10296.EXE	GLJ1941.tmp
PID 2524 wrote to memory of 552	2524	Loadam.exe	cmd.exe
PID 2524 wrote to memory of 552	2524	Loadam.exe	cmd.exe
PID 2524 wrote to memory of 552	2524	Loadam.exe	cmd.exe
PID 4636 wrote to memory of 3912	4636	mssv.exe	java.exe
PID 4636 wrote to memory of 3912	4636	mssv.exe	java.exe
PID 4636 wrote to memory of 3912	4636	mssv.exe	java.exe
PID 3216 wrote to memory of 4140	3216	newweb10296.EXE	mssv.exe
PID 3216 wrote to memory of 4140	3216	newweb10296.EXE	mssv.exe
PID 3216 wrote to memory of 4140	3216	newweb10296.EXE	mssv.exe
PID 4140 wrote to memory of 4232	4140	mssv.exe	java.exe
PID 4140 wrote to memory of 4232	4140	mssv.exe	java.exe
PID 4140 wrote to memory of 4232	4140	mssv.exe	java.exe

C:\Users\Admin\AppData\Local\Temp\fd185630944384dd09cdd36183680843_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd185630944384dd09cdd36183680843_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3964

C:\temp\2049.exe
"C:\temp\2049.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\Temp\2049.exe
C:\Users\Admin\AppData\Local\Temp\2049.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972

C:\ProgramData\Application Data\Microsoft\IEHelper\2049.exe
"C:\ProgramData\Application Data\Microsoft\IEHelper\2049.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640

C:\temp\tool.exe
"C:\temp\tool.exe" 2049
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4748

C:\temp\102600.exe
"C:\temp\102600.exe"
2⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in Windows directory
PID:4436

C:\temp\10059.exe
"C:\temp\10059.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664

C:\temp\Loadam.exe
"C:\temp\Loadam.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\temp\_deleteme.bat
4⤵
PID:552

C:\temp\wd2_051117_WIS271_mini.exe
"C:\temp\wd2_051117_WIS271_mini.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SysWOW64\spoolsv\spoolsv.exe
C:\Windows\system32\spoolsv\spoolsv.exe -printer
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4040

C:\temp\newweb10296.EXE
"C:\temp\newweb10296.EXE"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\mssv.exe
"C:\Windows\System32\mssv.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\system\java.exe
"C:\Windows\system\java.exe"
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:3912

C:\Users\Admin\AppData\Local\Temp\GLJ1941.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ1941.tmp" C:\Windows\System32\WinSC.dll
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Writes to the Master Boot Record (MBR)
- Modifies registry class
PID:2460

C:\Windows\SysWOW64\mssv.exe
C:\Windows\System32\mssv.exe /REGSERVER
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\system\java.exe
"C:\Windows\system\java.exe"
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:4232

C:\temp\boba_super_update-1.0.0.1_Ete_067.exe
"C:\temp\boba_super_update-1.0.0.1_Ete_067.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2224

C:\Program Files (x86)\pcast\PodcastbarMini\update.exe
"C:\Program Files (x86)\pcast\PodcastbarMini\update.exe"
3⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:5116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\pcast\PodcastbarMini\download.ini
Filesize
122B

MD5
f9847a8309cbf62d971e0691061cae05

SHA1
8de816026941933cab5036a28bf8e82031a2f3de

SHA256
974fd60265deb6a7ebc968f9db0b124cabfec1a6eaef781bd480d464c5d57126

SHA512
1a1e1af624c9676a9c2ceaade376032630cd0174b9247b33452b811bd35aa004a4fba39d357ee037e6cc90a81cb9f55d22ba922f22520346af0d89f58b626795

Download Submit
C:\Program Files (x86)\pcast\PodcastbarMini\update.exe
Filesize
68KB

MD5
242434c239b0d75e4b5d51b6d76004b7

SHA1
c42a6a8fad18b5bd1698bb54da18fd1f7b1d076a

SHA256
c82847393bf66781d7690ea9ff3f82d46e0e387fe52af132df2f2ead15164651

SHA512
66878aa1bb8413b07b11f15c3592200267763fee62806103d002b03fc2eb9e70e7dfc4d629d824982029f65042e94593b68376c87c6ce4a8368b14468c9b375f

Download Submit
C:\ProgramData\Microsoft\IEHelper\2049.exe
Filesize
241KB

MD5
cb24df5cf2818f8eca7deab6b975ce60

SHA1
23c4d476fb62f2396af34f03af0ad3ec2abe7e10

SHA256
f13fa77ec679e8d14424eabf76384175f8abe1838f1b4b4def1ff8b7f29e26a0

SHA512
dfb47bc35d7e2b361e8aac899b778b1c0277a58aa8b2228405c1f2c6d6bb6d938f31b4f831eab1fc359d7b519f156d5efbc7431528c6a6ee2e54541885bf59ea

Download Submit
C:\ProgramData\Microsoft\IEHelper\IEHelper_4769.dll
Filesize
108KB

MD5
06f3eb60f97b7285996e8c7682f0d7dc

SHA1
6598e7df5afb8cabb228bd0cfad8643466fc5b57

SHA256
d4ce102c0395a226438a579a4d9136f49594464569b08c6d98e87d2496878a2b

SHA512
3b13215d49b790bcd50e9ca64df46c9006e09533452f87cd809b304f814a9de13b135d95bf33f93df7412e37ff69cff66910c64f2893a5217cdcfab65f595b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2049.exe
Filesize
400KB

MD5
c950e0f69f9aeb954397d6e5f0abd9e5

SHA1
71fc73100d6fe26a8c982a501c6a69186bad779f

SHA256
d96561eb92dbfd4707aa7e3f962de7d34bf40462b7c5ee135e699e29bb2a52f5

SHA512
fe8dd8180e57f6a2bc6b067d489c89dea2782dc158886d3860ed2a2d2bb86f6bbbee8f6d2d8411e20996f664295ab4b54355fa451dda67e82df1491e8d4f488e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC1836.tmp
Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1941.tmp
Filesize
2KB

MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Windows\SysWOW64\WinSC.dll
Filesize
103KB

MD5
d5c5427ab977f0383c865d1b97544207

SHA1
136c24bf7663caf5d2cc36658f4565d3dab8968a

SHA256
0ad4829c6f109e7ad4ef747d071978139100aa7efaf1c014f8edd2f95bbad56e

SHA512
b80c7af184cd97cbd34b629c54cc254ba844ca895b9bbd456e101740f7189e09f09f5d05ffb1e832578c60f36cbcd29054af9980cc7149e053dd741f663bf7cd

Download Submit
C:\Windows\SysWOW64\msicn\msibm.dll
Filesize
244KB

MD5
ce7b6e0fed62052f6690bc8ae620081f

SHA1
cd8f10864cc113ff459a8150c6e2f6cc14b5ea52

SHA256
d761e1d2fb377edb44eb791a402dcb89ffebce185d5ff127bec9128bb023d496

SHA512
65e45866d9d0f27209a328aa2463c144c3c593a79954dfaf5662c53cb14f925dc6fc297a73e8e0fc353f9bf5439cacdd523fc768324d96a5836a8d8fb8a65477

Download Submit
C:\Windows\SysWOW64\mssv.exe
Filesize
50KB

MD5
58c31ef011ea353ec924c8f91a34b981

SHA1
b917431def52a690069dadc13375a441d17ce06e

SHA256
8c297d226b830d158a280d7e74b47e0d209725bc6a005947e4170c33335bf63c

SHA512
e2a0469454fcfa80f7bbcf0ba1ff4e9314976adcfb201b05bad572042c21ef63a104d3f031bc38d70431c4edab8c803357a9358611d6f4c95c87303de3feee6c

Download Submit
C:\Windows\SysWOW64\spoolsv\spoolsv.exe
Filesize
44KB

MD5
ca0e9f2948604660bd94d012d65d24a8

SHA1
1ee4af187b318ec7b22209438888dba1e6dafa21

SHA256
31134e2b466db1ce8241221e3c6b9ac3055dc2a26e8838d10444c75e5fa7b2b3

SHA512
8cf669980e942f5b98a5d580df1eb927fb093c3cb6ed4271b5f6850c1631d860986cc0c6968b3468c5265b7e67e65ced31763c9baf10e1d807ba1b4673872cbb

Download Submit
C:\Windows\SysWOW64\sysreal32.dll
Filesize
68KB

MD5
03c68a64818522069dd56aa362184adb

SHA1
1f70d299051f70989d83054a4177108d4d371b71

SHA256
f82c5969d02117bb94373f36c5c25bebdfb9af9eb014ae233bf14d4b6cd49aa5

SHA512
c5c6d985ebbf80480191e9b063847bd41edad21dea684c009d023256bd5e9f150e6246519f52abc9e20bf1f6d2d1c0417232a0babd0477ca1038a23f6b9fc64a

Download Submit
C:\Windows\system\java.exe
Filesize
18KB

MD5
36a095c8f8c7ffddd39be5d43f62e596

SHA1
c923a9cf3d48d1d50eba0b9517faa5141cca2656

SHA256
6254b2b677c0816b70d4e90df7cf8ab7b3ed1b7126de21872b285cc4a36dfa5b

SHA512
e0ce714fbc921ceaf542920e2c493aa58b745359d89b768eaedeb1133f2daea4338ea13f1909a1e7977dca85c2b3467191436a36f96d8385c3d2b55cef4112da

Download Submit
C:\temp\10059.exe
Filesize
133KB

MD5
7c3c75cf5418ed7b1c3710c7a7741bc5

SHA1
b934eaab7626a3c9eac0d205eb008fe43d4fdf93

SHA256
04c12ccc87fd1b6dbc0906fc1c6cc039747c232bcc507d0a72da32a66279c02d

SHA512
90bcd2c3a6be99b4f033d53b473a64c53c6dd33efcb2664bec71844646e266696e827f4d1d7dd6ad7f3d5fc6cca2397b287121444b8d5e192f1be88a4a997de8

Download Submit
C:\temp\102600.exe
Filesize
56KB

MD5
ad4b5a89f671f284b43ea2a7cb4a42c1

SHA1
c45197f33eb11dda04d5c4fe5fa56eb57f51f651

SHA256
ad2fd6de49c88884aa690445e80d20822147c6510e3664a6b419b10e0259a1a9

SHA512
8176483f516da5c1ffa97817fd6ce3bac1180116de3d44b2f245b65c5b2969c4e1ef00b88a9fa868ef317e0f5f7b9b458348ea9efea5b9a3072f28b843cfc71c

Download Submit
C:\temp\2049.exe
Filesize
280KB

MD5
29e6687bb514f1397033b085d18fe240

SHA1
5f503609bb3ddcdfbf852ea3cbd5aa540700e88c

SHA256
79e31119bf7adf533b0c45482df7ec8519a9a4ec9f01d1dc25a87c2dae4455fc

SHA512
7bddc4493956fa33eee877ef1c73289d977341489ea2b049b96582d3c1f8fbd6918d07076b039a98fef71486b78e6944073bd5e44ce12877d52c2bcefbaffd6c

Download Submit
C:\temp\Loadam.exe
Filesize
18KB

MD5
fbf214cc6f86b2ba6f87c7c6c6cf5f90

SHA1
18e7b59d4758720c5f1dfe983a6bd3d40c7cfc27

SHA256
c871aabbbdc4a8b9b6970ed2b8bd75bb39df57a2a81510223137c9e6a9701bac

SHA512
c58df78a0547f845dd1387c3ec9afd467615d7427c63a9b97b82b39976de9faf8be0459176299ec129fbacf23e80efca52250c1d77f78226f5c77b909f5c5c29

Download Submit
C:\temp\_deleteme.bat
Filesize
80B

MD5
6c856dbd1ce1fffa9e5ac768bd5978ee

SHA1
6afe6336441923db24ff1e2d044eb4f5b2501a27

SHA256
c2b12d0da599982e1a8b6c2e6759e0310b982689a0ca2326da6632bdce4ecc99

SHA512
78fa4a16d36483046bd796c177ab552d0271f7094b6067eebdcf318bb659bdd9fb461de428c489ba06aa03ae51f84dbd278d67a09c267b24cda52a6a25aba74e

Download Submit
C:\temp\boba_super_update-1.0.0.1_Ete_067.exe
Filesize
116KB

MD5
21e50a12f2ecce19405cfc90ff79c811

SHA1
ade2b1b95843016f0661890683e82e20a45b6c35

SHA256
bdbbcea503538e65772dcb66b55025281619bddfe20fc2faab73036dff5fc1fc

SHA512
c1191ce1350fbcaf9640e1d6cf9611926f834e18663d598c5748fa779dcf2c44e5c83e697bdc314f99224f4002c615f187b73b8df8ee551f7d733cdc85867907

Download Submit
C:\temp\newweb10296.EXE
Filesize
244KB

MD5
f7331eb6c0d009dd7afb48a93a212166

SHA1
9bcfed872960b4f19500d5fb4fe02fcd1c2e5ffa

SHA256
0efa60dea2558717c5a1a29e85f9e63dfb0127dbf52bd4b9176917a23edcc5a1

SHA512
69a3888504819d19c81490b2ad8b5dd1dfb450ebd39016131ed87c4f549d2dfc10c2bb1e98b0206affed1759da814e82c8d9470f9ebfcffaca89b5a9541265e2

Download Submit
C:\temp\tool.exe
Filesize
328KB

MD5
84bc69fd23dd51b304ae9aaa8d67aed0

SHA1
a6b3d198e0204ae8b2aba3a6d6d9eb5c11b84730

SHA256
09619b393ef1fd850f7c108baf0303910b20465ef7ff8298c050dc138f059c40

SHA512
019bb109fa45a00593ce4d0cc28cb812cedf016b3bae33c077820913692e1e7da52d8341def987e2184c9da93738aa4b63d8385dd54d94fdaf081de786d885e3

Download Submit
C:\temp\wd2_051117_WIS271_mini.exe
Filesize
196KB

MD5
31313ee73d01379633db3470c72c7e79

SHA1
e091e1a5292d82f7939c6d8e2cf914541eff6f1c

SHA256
8fefa20fd0ebf82a7541baf0f82aa65e0687cb6bb2be68c322341309c8cac4c9

SHA512
e99d5132da10eab4bf7abc31a55f753980e6e6e38ea8d748f20ad334568ae1e4b405dddd22854b0a2b0e0b5b4cfac235e28282d859b6c295a98b8e65df886721

Download Submit
memory/2224-67-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2224-110-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2460-168-0x0000000010000000-0x0000000010043000-memory.dmp

Filesize
268KB

Download
memory/2524-159-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3316-175-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3316-40-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/3316-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3664-127-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3912-165-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3912-177-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3964-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3964-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3964-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4232-172-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4232-178-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4436-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4640-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download