Malware Analysis Report

2025-01-18 22:13

Sample ID 240502-ceagysga65
Target 0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118
SHA256 69c28a6df9bcf6c06c982149efc4aefab79ee030157664f3da77f1dc1082d0a4
Tags
adware persistence stealer upx
score
7/10


Analysis Overview

score
7/10

SHA256

69c28a6df9bcf6c06c982149efc4aefab79ee030157664f3da77f1dc1082d0a4

Threat Level: Shows suspicious behavior

The file 0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware persistence stealer upx

Loads dropped DLL

UPX packed file

Modifies system executable filetype association

Executes dropped EXE

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-05-02 01:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 01:58

Reported

2024-05-02 02:01

Platform

win7-20240221-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212} C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212} C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sonhelp.htm C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dddesot.dll C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cmpwrap.dat C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\desot.exe C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\bennuar.old C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\desot.exe C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cmpwrap.dat C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sysnet.dat C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sysnet.dat C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\dddesot.dll C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sysnet.dat C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\desot.exe C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118 C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118\setdata C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f095766f349cda01 C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118\Registration C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118\setdata\scantime = "2.5.2024 1:58:56" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Softimer C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Softimer\systemEth0 = "0" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118\setdata\scncnt = "1" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ = "C:\\Windows\\SysWow64\\dddesot.dll" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212} C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\ = "ICQSys (IE PlugIn)" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ = "C:\\Windows\\SysWow64\\dddesot.dll" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212} C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\ = "ICQSys (IE PlugIn)" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2588 N/A C:\Windows\svchast.exe C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe
PID 2492 wrote to memory of 2588 N/A C:\Windows\svchast.exe C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe
PID 2492 wrote to memory of 2588 N/A C:\Windows\svchast.exe C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe
PID 2492 wrote to memory of 2588 N/A C:\Windows\svchast.exe C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe
PID 1948 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 1948 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 1948 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 1948 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 1948 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 1948 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 1948 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 2588 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 2588 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 2588 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 2588 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 2588 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 2588 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
PID 2588 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"

C:\Windows\svchast.exe

C:\Windows\svchast.exe

C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe

"C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe"

C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe

"C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 core2637.racing-wtf.com udp

Files

memory/1948-0-0x0000000000400000-0x0000000000BFB000-memory.dmp

\Windows\SysWOW64\dddesot.dll

MD5 8fc55c7103c6464e032f7cf7a8dcdf0b
SHA1 1c8635200498ed5318d1e6e9f9009cc930dc802e
SHA256 d9d19b0daae9e33a25e59e5b962ce8cbf0379a4c16a3aec947d993d7908bd406
SHA512 081020fed6e41a29f5c9576cfc8e16cc13cab640dae7eced4527052f16f79ffa3cac53c21f34628d6561d37081d715056f793c36a81f4d3e11474f4b0c728174

C:\Windows\svchast.exe

MD5 90a91811c024dcdd991520bb2d5ca737
SHA1 261de7e48fc021566bb7fdf411fb623447fde8d2
SHA256 1c59abe73e3a19d9723b552dada15e21db14dd5929b321f2e3f653fd9daf9df5
SHA512 adb4bfd978b2cca19124b5b8547b20734d2bc4d7c2ce332b4acd7ca790750bfca6558e3a5795722ca84d99f8bf0e49e4c3558085f4a94544f787f2054e6d48d0

C:\Windows\ppp4.dat

MD5 c59a09a1edc7b73a312e2c58d4c22312
SHA1 78ec0f61e0a301c442054cdf4fc0ccecf501201b
SHA256 40149a3f657cfb159d0877186e91efec6a43ca3080e0862410d84ef5ae87b733
SHA512 da60ade8147be9fae09462fef4761b24e5da8edeb3b601c76b4645bfd7785dc1722c72a39659b3a80e5b6bc5e8e8fbe3ffab023d1250b8ea13d372e4c071daab

C:\Windows\ppp3.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Windows\SysWOW64\sysnet.dat

MD5 f14dcc72745a03b34b0635a56bdb57fb
SHA1 7f070e16f06b6513a43e3ec7e752e07978a1c2c9
SHA256 d4fc86aa63e5928c5d5c367a78d296dd47e180af7a2a69b924e49ba8595342c9
SHA512 5776af748bf85e5a9ea2c708948a03a631ea01828bc28481ef9ca51cc21e0b64643f9f7e87e819d9e7e6a98f38c9df86c30b32f36cdc05365a91af5c183a509e

C:\Windows\SysWOW64\desot.exe

MD5 4a40db1ee43171f6aa88ee67ec10f0ae
SHA1 83cd34dcfbd6c1a950ad3a3305e5a75a477353e4
SHA256 3a6a665b5076eab45ffc58006fa52428f5c2d91a21f3533d8a4e997b062e2c70
SHA512 98a5f7d206b1a0f74798e662fdc8d40c64d19352df89480b1bc10770258c07c61ee9d879f1873a2b8a2c8c93f615af104e55dd59e9b1f9a20f5f088c15b4b9de

C:\Windows\SysWOW64\desot.exe

MD5 82403bcecfc71e4d5757381ef5dba108
SHA1 db15d3aa5bb9421b3774c33f93120000cb2c3edb
SHA256 6caa30a35116c861bc50cabbc5fc5625685e1fad0d3c1159792580f65e020db0
SHA512 33316368b145b84e6f8d58c9536fc22254783935aee9e86473e63c2bc8120a402a0c43ab2705021cf93305bc048b09ceefbe5737286c227a13ef86cb31aa895f

C:\Windows\SysWOW64\desot.exe

MD5 92d234f4acde0e8f829d1908e0674b72
SHA1 dfa6cb84994cd87b0611403681bd9ead0d32d917
SHA256 8fbd22e1392972af49e720927a1bcc3c49982010fce9d468864fa99ca20ff877
SHA512 fe5397d4f0c3eb56584246387d2d1c313b319b99e92e23aea65f39c9b054e191df20315e6674ae0d67684b994d7e7d9ac7ce8d30a023ed4980af90053bdaed92

C:\Windows\SysWOW64\desot.exe

MD5 61211419d78cc18247f76f238fe984c8
SHA1 78f05bbd787a08faeab80e1eb1095113c5e397d7
SHA256 f529351c585b7f99e9d274ee721c19d7f8d25e3d409a812342bb5c2c5481890a
SHA512 8950586c7e85f4e68f82f982ad8decdaadc8253e12c22370cf5f1f429deaa78128238a142ddebe03a11f3bcb28e4065b5a35160ab3b51838a79db23a6cda2e47

C:\Windows\ppp3.dat

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Windows\SysWOW64\desot.exe

MD5 a999853b253192a8013dccb64d8d9ba3
SHA1 72393729fe9ce045277bb1367dd5031b7904cc58
SHA256 daa1e02ab68d94ddd3e673a48fa6d8911ba7c05add1e1408dfdde2e90e8bd8b0
SHA512 9fdff0093a0763aedd699d1e934d2bc1644ab77ef1f36aa393facc8dab0265b2b90b6bb709be255639394bb8d19c0444a3f770a9cd98e9756e11660b1ba476f5

C:\Windows\SysWOW64\desot.exe

MD5 1c1db8e9674246e40cb6bf099bb79a72
SHA1 07494294afd71099332863455b1278caed608d32
SHA256 d61fc647f2e29b93413f72ceb4817e9824294b6addb4bf306c282073a87b1f6f
SHA512 66465f9df6ac80c3934fda28ec871967626f675218deb93790538a05b06d66c0f2a434b7f56fc462c00a64f1238c6f13eff00cd940a7905dc9cb0e595b34e0c7

C:\Windows\SysWOW64\desot.exe

MD5 5c7b5eb1003d864a1fb3b48d39bdcece
SHA1 cb767cfb82903894a1befa906d1ef19ef565b6e1
SHA256 ffff09eaa0a4881585ef72455201e94f5af233162e1b3fff95532992d84d0558
SHA512 c0c8575bf002a01d28729acd6a7562f61f488014ada07818080bd9f5dbf66fbe757dfdef31623c88415346ba578ad1de4f9b26e37d2fc1bae6d686d6458a4fbc

C:\Windows\ppp3.dat

MD5 c81e728d9d4c2f636f067f89cc14862c
SHA1 da4b9237bacccdf19c0760cab7aec4a8359010b0
SHA256 d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
SHA512 40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

C:\Windows\SysWOW64\desot.exe

MD5 29ab9f04be6b47faefadd4fd39f22837
SHA1 0fbf15f5da4d1eb4ce2501423fe014c59e128ef8
SHA256 e3f0e3c8c7edad125b41b3360d60734e63492bac92dc5676b58ae507e4368fc2
SHA512 36cec0834065b6abf32da029df160180fae21aa8e617a26fd608e93b16fb8040aa8939e428c06d48fdea68e96ca719e42bb1d85f1c1c7df427085fb72588ec55

C:\Windows\ppp3.dat

MD5 eccbc87e4b5ce2fe28308fd9f2a7baf3
SHA1 77de68daecd823babbb58edb1c8e14d7106e83bb
SHA256 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
SHA512 3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

C:\Windows\ppp3.dat

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1948-394-0x0000000002630000-0x0000000002654000-memory.dmp

memory/2772-395-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2772-397-0x0000000000240000-0x0000000000264000-memory.dmp

memory/2772-396-0x0000000000240000-0x0000000000264000-memory.dmp

memory/2772-452-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe

MD5 c56d7e972adfdd33b5edd30e5eaff45e
SHA1 b432f4e48e0d1f219741e6eb94140aa469f5cacc
SHA256 da08d1e739a250eda7fa14ed6f891cc18ca2af86859eaccd614dc2f36e3c7de3
SHA512 08f9dcac07f0dc56a36b36d2ad4f8a4a455bac23f74c52ddfcc77ae1be11a61603d2bda053fc4ce4609a7befc36cf8efceade5336b72436b76914a7c685ecfa4

memory/2588-455-0x00000000025E0000-0x0000000002604000-memory.dmp

memory/2560-457-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2560-510-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1948-619-0x0000000002630000-0x0000000002654000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 01:58

Reported

2024-05-02 02:01

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212} C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\bennuar.old C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\desot.exe C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\dddesot.dll C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sysnet.dat C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\sonhelp.htm C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\cmpwrap.dat C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\sysnet.dat C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\desot.exe C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212} C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\ = "ICQSys (IE PlugIn)" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ = "C:\\Windows\\SysWow64\\dddesot.dll" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"

C:\Windows\svchast.exe

C:\Windows\svchast.exe

C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe

"C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 core2637.racing-wtf.com udp
US 8.8.8.8:53 29.123.145.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 time.nist.gov udp
US 8.8.8.8:53 2.97.163.132.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1912-0-0x0000000000400000-0x0000000000BFB000-memory.dmp

C:\Windows\SysWOW64\dddesot.dll

MD5 8fc55c7103c6464e032f7cf7a8dcdf0b
SHA1 1c8635200498ed5318d1e6e9f9009cc930dc802e
SHA256 d9d19b0daae9e33a25e59e5b962ce8cbf0379a4c16a3aec947d993d7908bd406
SHA512 081020fed6e41a29f5c9576cfc8e16cc13cab640dae7eced4527052f16f79ffa3cac53c21f34628d6561d37081d715056f793c36a81f4d3e11474f4b0c728174

C:\Windows\svchast.exe

MD5 90a91811c024dcdd991520bb2d5ca737
SHA1 261de7e48fc021566bb7fdf411fb623447fde8d2
SHA256 1c59abe73e3a19d9723b552dada15e21db14dd5929b321f2e3f653fd9daf9df5
SHA512 adb4bfd978b2cca19124b5b8547b20734d2bc4d7c2ce332b4acd7ca790750bfca6558e3a5795722ca84d99f8bf0e49e4c3558085f4a94544f787f2054e6d48d0

C:\Windows\ppp4.dat

MD5 c59a09a1edc7b73a312e2c58d4c22312
SHA1 78ec0f61e0a301c442054cdf4fc0ccecf501201b
SHA256 40149a3f657cfb159d0877186e91efec6a43ca3080e0862410d84ef5ae87b733
SHA512 da60ade8147be9fae09462fef4761b24e5da8edeb3b601c76b4645bfd7785dc1722c72a39659b3a80e5b6bc5e8e8fbe3ffab023d1250b8ea13d372e4c071daab

C:\Windows\ppp3.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/3504-17-0x0000000000400000-0x0000000000BFB000-memory.dmp

C:\Windows\SysWOW64\desot.exe

MD5 4a40db1ee43171f6aa88ee67ec10f0ae
SHA1 83cd34dcfbd6c1a950ad3a3305e5a75a477353e4
SHA256 3a6a665b5076eab45ffc58006fa52428f5c2d91a21f3533d8a4e997b062e2c70
SHA512 98a5f7d206b1a0f74798e662fdc8d40c64d19352df89480b1bc10770258c07c61ee9d879f1873a2b8a2c8c93f615af104e55dd59e9b1f9a20f5f088c15b4b9de

C:\Windows\ppp3.dat

MD5 eccbc87e4b5ce2fe28308fd9f2a7baf3
SHA1 77de68daecd823babbb58edb1c8e14d7106e83bb
SHA256 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
SHA512 3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

C:\Windows\ppp3.dat

MD5 1679091c5a880faf6fb5e6087eb1b2dc
SHA1 c1dfd96eea8cc2b62785275bca38ac261256e278
SHA256 e7f6c011776e8db7cd330b54174fd76f7d0216b612387a5ffcfb81e6f0919683
SHA512 3c9ad55147a7144f6067327c3b82ea70e7c5426add9ceea4d07dc2902239bf9e049b88625eb65d014a7718f79354608cab0921782c643f0208983fffa3582e40

C:\Windows\ppp3.dat

MD5 45c48cce2e2d7fbdea1afc51c7c6ad26
SHA1 0ade7c2cf97f75d009975f4d720d1fa6c19f4897
SHA256 19581e27de7ced00ff1ce50b2047e7a567c76b1cbaebabe5ef03f7c3017bb5b7
SHA512 0dc526d8c4fa04084f4b2a6433f4cd14664b93df9fb8a9e00b77ba890b83704d24944c93caa692b51085bb476f81852c27e793600f137ae3929018cd4c8f1a45

C:\Windows\ppp3.dat

MD5 c51ce410c124a10e0db5e4b97fc2af39
SHA1 bd307a3ec329e10a2cff8fb87480823da114f8f4
SHA256 3fdba35f04dc8c462986c992bcf875546257113072a909c162f7e470e581e278
SHA512 413f2ba78c7ed4ccefbe0cc4f51d3eb5cb15f13fec999de4884be925076746663aa5d34476a3df4a8729fd8eea01defa4f3f66e99bf943f4d84382d64bbbfa9e

C:\Windows\ppp3.dat

MD5 c74d97b01eae257e44aa9d5bade97baf
SHA1 1574bddb75c78a6fd2251d61e2993b5146201319
SHA256 b17ef6d19c7a5b1ee83b907c595526dcb1eb06db8227d650d5dda0a9f4ce8cd9
SHA512 7c73947fa1821233428dd9684e52ce908130a91b903d5179f731c9ded61f06cecca427a7a1a5aabefaa35be5a6dd84efc03f2cb779f339b0766481eabb241e0c

C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe

MD5 c56d7e972adfdd33b5edd30e5eaff45e
SHA1 b432f4e48e0d1f219741e6eb94140aa469f5cacc
SHA256 da08d1e739a250eda7fa14ed6f891cc18ca2af86859eaccd614dc2f36e3c7de3
SHA512 08f9dcac07f0dc56a36b36d2ad4f8a4a455bac23f74c52ddfcc77ae1be11a61603d2bda053fc4ce4609a7befc36cf8efceade5336b72436b76914a7c685ecfa4

memory/3712-182-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Windows\ppp3.dat

MD5 1f0e3dad99908345f7439f8ffabdffc4
SHA1 b3f0c7f6bb763af1be91d9e74eabfeb199dc1f1f
SHA256 9400f1b21cb527d7fa3d3eabba93557a18ebe7a2ca4e471cfe5e4c5b4ca7f767
SHA512 8d89aa701de5a35b24cfadbd2088986ae13311d1a7c63abe5c780c62bc939a0577c3a78cf7ee4951c1b09f6849074c21ca1f7023e89bee683c1dbb2134a984d0

memory/3712-237-0x0000000000400000-0x0000000000424000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp\wispex.html

MD5 2e52292483adbe80180839f1b5fcef01
SHA1 fb0fda21f6201bfa2b2c985bf41aa5055e80f354
SHA256 64c12de6572f09fba2e2296f087e574e529f251c45e6c3a57ae695d04b1b6bfc
SHA512 f06ee569526b1f9f120b17aa2bb3d1aff4002aa6db7afe962c3ff93a73022d12272f79e5a5c5d51ed509afe68c69fbb00b8a447ea709c19b83752fe2dbb54637

C:\Users\Admin\AppData\Local\Temp\tmp\images\up1.gif

MD5 b38868b01af72aed2f144ec5bab8f083
SHA1 5997ad30ca267d0cead151ee141eae6ed8044a7c
SHA256 702adbe7dee9a6e86d9d0bfee652323c0e3e4df0304a02834ba755263a3e74a4
SHA512 d42926688d16e5ca6950090b29af53cf035150c7bf725e66bbecffc4caa1cecb58aabf45e4d53095b5702bf499c074c6293c0026b91a164b4546f7f6b2706419

C:\Users\Admin\AppData\Local\Temp\tmp\images\l1.gif

MD5 94ab0618d502daf24bed9450b9bcaa38
SHA1 101af6f573ea588df70ca11b341e2d996da49ae1
SHA256 efdcbb6b6fe95f088b075cebae655d855081073a4a5c2d0b3da0bdf7f4190da4
SHA512 477ad1d04d787e27cff2bab245075b76a6afbc86a64c8331433fa8ff349137c87c3424beaaf53e783f124b5a8c6a1045114ec090461179f4fd2f3ae1a9ae6b6f

C:\Users\Admin\AppData\Local\Temp\tmp\images\pix.gif

MD5 f7eb3f820edd7f05bbae8021b7a7c3de
SHA1 25bd83866c2a9bd7bc61d26ed6fc7bb58dbb43e9
SHA256 c548d4650f7fa991d9b70cde6cbf015eafb3a8308838dd7c6026f792045c61fd
SHA512 3d32b3258fdb45e89ba1eae41870fadeb9c81db64c95b3456a70b9aaeaa9bc6e05e5b95e99f52c67311d79612164bebe75a8e18c12ba936140737154b043ce82

C:\Users\Admin\AppData\Local\Temp\tmp\images\i2.gif

MD5 a4b546ff96e833a78b4668ce192b4cc3
SHA1 94bb99076b4296df34c05b992359dbc40bf89202
SHA256 84f4d33074ae1591eb0cf4abef5324a7b2763a0d27e7f76bf4490d0a40d84c8f
SHA512 b24fd8fe053a34253198e1837cd029e5b4cf8b14d57aede116aea2b09c36fbe866c230400b362703cf77aab33bd53bc24ba68c077a4bd6fae64d98934c6885b1

C:\Users\Admin\AppData\Local\Temp\tmp\images\i3.gif

MD5 8598b9748c737242b50d91fea4dfa9f0
SHA1 c508faa5954117c4cff454a64b00f316b3d63b44
SHA256 fa81b98f812e8be06d9feae6d232a58964ebe838b98d4aaee58803eac0a52e49
SHA512 24e28ef26f99d5b7903647ef71ca4a3cc5069ef6a4121cb336e283e8d2757cae42b3e0878fb07c0f1a0492b44fb703baf369e4b5f7620d66a288119e09847a76

C:\Users\Admin\AppData\Local\Temp\tmp\images\i1.gif

MD5 d76aa095c7bbbb776a7a23265b225a3d
SHA1 b8d5258344350310a51eb9c4711685f05cd0a61d
SHA256 89420e989162a718556b56d0423bb9950e7e072e60adc9e88a0dbbd58f1cd308
SHA512 340455b2c9fa50d05d297875a4fdf5ce8f8fdc91e5604758ebeb17987cf695c7b72e17e047ab513ba3a3c55b6ede1805dea9bbad98fbdaa19b30de4777d2aeff

C:\Users\Admin\AppData\Local\Temp\tmp\images\t2.gif

MD5 4e629e426c553631ed38b4363f41f824
SHA1 417c9395f9e32cf7d573ec1fec2b227ea2e49719
SHA256 8db978ed3b9c4d358be99b67144f85887175c4b1991e9cef236ac7a286a7ccfe
SHA512 f865330a29ce4bab368cfa08b505e064c3e5173e4413184fd6fffe1b0f856d461493f5e3ce6d4ae63ed969c8399ac5f0c4376ed61691e44dcd4e3fc363376bad

C:\Users\Admin\AppData\Local\Temp\tmp\images\jj3.gif

MD5 09c210a0a41489b3a9e1b9117aa5686e
SHA1 ae92400bc35213d54ae2ed98df79aa0f3936e0f9
SHA256 8d1876ff47f644d2168c847ae2c9f065ea4331765254a26225682030085a94a9
SHA512 bd7a03c72b863346cae795e25b027b3345ab14e9fd886ab54f17e7efd59f2aa2d5f3f943d8f8bd96038446c8de09a091d1bb6a3b8cd95962c46be090e7562917

C:\Users\Admin\AppData\Local\Temp\tmp\images\jj1.gif

MD5 6eaf773c60e233e4a27ac99a2491dfe6
SHA1 0f90f6217280912166a887a2acd42ab3bd22f9ba
SHA256 f79c122a83ef1de3386dc1e3286871ad8ee1fa3b4a451a16b9c0302bd6deeddb
SHA512 c56d777f5247c3ef27bcf2c9f68f972feab8e66683443ecd2e400a4c2557dde697e00a0104c77ac78d9ccfb191973ad969843d6566688128f37e14e578a4e15b

C:\Users\Admin\AppData\Local\Temp\tmp\images\jj2.gif

MD5 745975524fea29121ed5f4bb9e422ab5
SHA1 351400f4be06a1eae071258cac9a663502193155
SHA256 036bc6dd2556d565a889b248cec035105e9feea45f56e0a896fcde1b611c34f8
SHA512 dbe05040cd39f3db28a3d8196ac7ea75326f371cd575d70520cdedb584af8f3b5d89660899a6dd70cc474501b6913e737efe8316e3d15434bfffc8164c676941

C:\Users\Admin\AppData\Local\Temp\tmp\images\j3.gif

MD5 c0e3c3f95973fbdfc3d7c5b4c16b2988
SHA1 24bc72f11e72529f33c398f671613928ff039f81
SHA256 59886eb62a0a1ee89b47da408c11d73cf3eef8528d24cc924235170d5b4653ce
SHA512 6f1314d7ae7360e9c9b2b9d958c337bbded7569dc620b96e59a9b8ae84a15d6fccb18c872726343c537aff9b1196c71c78f559bd682d49847fd1e246c6b9f40a

C:\Users\Admin\AppData\Local\Temp\tmp\images\j1.gif

MD5 99f9f01323dd47fa2ff9c46164364c9a
SHA1 e8dec6e590b414ca7e7c64c2fe9a9408a928ff87
SHA256 b95448e504dc41cd7e76980d0d520c634cf810aa93fe292d1fe08e8833a411cd
SHA512 faa4f59803b089ec6de2e4617a0968d199e3fa29ef1dbfdbf45b2d6009acde5bf682c06c7b250fba7fb393e623f85cc9020c8eb9c234ebb179e4ae2eab94dfd0

C:\Users\Admin\AppData\Local\Temp\tmp\images\j2.gif

MD5 70902cedfde493658e47e1d60155f5c3
SHA1 0099b30d2b40784640f6dc472d26f43980d1ac0a
SHA256 6832cac666ab2ed365b5cc3a57091e387f7818491de92e1479cdd5e7d0312be8
SHA512 eb521f6b9541762fcf266abc0b243aac3c0de533829fe5f7334364edc1ca228dafe0ede26fa279901ab898113d3ceb2b9335f6951a22d074ec865f1274436eda

C:\Users\Admin\AppData\Local\Temp\tmp\images\w11.gif

MD5 7b2345ebf342efa04d9b005acb354d6c
SHA1 6b4f0669a780c45bb2d278f3bc84a30cb3e061cb
SHA256 c3a5ae624c4fcef9f095c298ae9e9397fb180139e373879d9a1e6d46e8358b18
SHA512 30c2fb0f472d62c654424153ad079af21b73d7ec7a283fa3133e6688620677d2815f2b1a90b4b7debc7d25f71a9515f03b6fd15052bbe736e6822b97d2650c57

C:\Users\Admin\AppData\Local\Temp\tmp\images\wt3.gif

MD5 3946582dd142022bf90bab9190b7fcb2
SHA1 16c9f00145d9ea95e0544bb1cdf9b191bc2714f4
SHA256 f121c0c46d07f63715f31c4419e1a8291c77147592a0fed5da564e561c1ab06c
SHA512 c5ee0c05c41c72597286d8711ea299a0c2eeac45385f25ce46ac9c713702fb8b21f199d1c69bf4c97775e60effb3448868a4b4d421131bcce3bde5b67537a592

C:\Users\Admin\AppData\Local\Temp\tmp\images\wt1.gif

MD5 1c76ce328401d00d96fd495215609d91
SHA1 561d8c1e9960fddfaa55f8e22624fd069731c519
SHA256 f03b60202c531c2e0c135600344d9a2e0f8ea09cc281173b1086480cc44c98ca
SHA512 8e0dc9f51690660793375bbede0784a368a5170f0017d0cb71104020b33505c902521ac602728e62c67efa4508dd53a6d520c65cee1800b14852187e9e964c14

C:\Users\Admin\AppData\Local\Temp\tmp\images\wt2.gif

MD5 78c728ccf262a6c7fddd35b138dc1381
SHA1 5f51dae174cf14c20c1112111f52f3867041d4e8
SHA256 980bd155cd14037a7de2e50829dd917270b2e24ff136adf76940e495f8f1957d
SHA512 c65a7b3d637ac9c81baaea80ee39a61eb669b4f0a8b1f2a66f4c6e4dcde4d0fe10128d2cb382a8404a11628fa14117153bb42329c4858cff064378b65437fcb0

C:\Users\Admin\AppData\Local\Temp\tmp\images\w3.jpg

MD5 71f0fae3427d661c2b5dd27148a2112e
SHA1 e886e18bf7516fd59b66339f6c73d8be817d85d6
SHA256 a2724b34aae2fbb98a50bcd7252e0888b4abc4587eb90dc78b496d78988e5851
SHA512 528b06b680d02a2cd38e6d16c7180fc4875625194ac3ffea1b66280f4c146671f10894875fffddedca34cd48743d410feba16c8307e511adfe772b4e16a1b761

C:\Users\Admin\AppData\Local\Temp\tmp\images\w2.gif

MD5 54c6502b2880e2c28cabfce05bc054d6
SHA1 7d3e49a8e223e5a0aea814df7d2ce9920574c2e5
SHA256 5e10d83cd2e7ada3a96c8f9eedb9b8ca16da825182e23cbdc94b3d596d6b58a9
SHA512 3a98bd28962baf67864e132a130fd2524797ca4b29875c3ff10daa1cd71349133df0e24c7b6f9ee450aa945a24746fbc57d4441a683f1979b22655b1b0ccde9b

C:\Users\Admin\AppData\Local\Temp\tmp\images\t1.gif

MD5 11b91a9a65ad3bb030ec3d9ce07b3862
SHA1 1f5a36bec18aa94ed1139f68f35ded63746d6b88
SHA256 806e9704f421262b00b610849fc2e4e3ec556a0d2a8f32024c510f590068f3df
SHA512 7a61765ecfe0b18a46776ced2b3ab001d088dadc3c15e262a53d7ddc850cc4a6ce8db0f734af569a7d1ffdf9deae87c13b82bba4fba4b187ab80fa691dbaacef

C:\Users\Admin\AppData\Local\Temp\tmp\images\l3.gif

MD5 015d02e2256ebf1de10df7391f208480
SHA1 7aaa65837f50d3b148bc06088dd09c866d26b33b
SHA256 d234dbeb1d0e7b418f4bcbb154b51c380b7bd013003615edfe066c43c1e6e994
SHA512 d3d627f859d9c7191eb7ad30e4438c5db5e94d8d2be9939ec070aa978f9240c0ba9133d2eec9ab83bf76cf5531c76fd3b38781acfa242ad0a20722a5be849a42

C:\Users\Admin\AppData\Local\Temp\tmp\images\w1.gif

MD5 e67bb1ddc5b8991f9f45fefe787424af
SHA1 48b2f386a7f8e0bbf766fd08aaebefa412cee4bf
SHA256 7fa89afbb9adbf47062c65e90c018490b22731cf9ddc6aa1d9af2cc578ead4b0
SHA512 47c9d3afba93fa11616ad1fad711fad70c0f56fe8647ef10a6802b8d90fb9bd21913b34a1e193fccfb60e338b6f3af67d9703eb3c38f659f6ea5eaf49bed8a7a

C:\Users\Admin\AppData\Local\Temp\tmp\images\l2.gif

MD5 77fe12e4807d1abfe9e998629615f1b0
SHA1 620e56e7ed10315a121e3d99adb1209962741d57
SHA256 9375fa5942f3161884b876e6a3629b8df61192cb5884e41b5174554881fc9be2
SHA512 7bf27be1cc99165daaa2dc6dcd27642b0985974da5f075cc3829fc94ac763d980340abcf91f8f071189891e6433d16b4975a606ecbf7224894d4fa2cbaa9763a

C:\Users\Admin\AppData\Local\Temp\tmp\images\up2.gif

MD5 e04d135d8f5074e1767274fb19140ba3
SHA1 3eaf2ba8a6d76ff72b88a57044a7ca1367d3a0d8
SHA256 d2c95221d5350e9705846d81e8b5f9ab9ba1b836e6b9ed5ce9a8af4902030289
SHA512 98e70205e94e9edb6ef14d898f2754ec3bbff85b5457bef19d1e36b9189bb6751ddcaec9793fd1b7a19965be480639957bb5d74443433fd87b122756ffc87287

C:\Windows\ppp3.dat

MD5 37693cfc748049e45d87b8c7d8b9aacd
SHA1 d435a6cdd786300dff204ee7c2ef942d3e9034e2
SHA256 535fa30d7e25dd8a49f1536779734ec8286108d115da5045d77f3b4185d8f790
SHA512 6ff334e1051a09e90127ba4e309e026bb830163a2ce3a355af2ce2310ff6e7e9830d20196a3472bfc8632fd3b60cb56102a84fae70ab1a32942055eb40022225

C:\Windows\ppp3.dat

MD5 4e732ced3463d06de0ca9a15b6153677
SHA1 887309d048beef83ad3eabf2a79a64a389ab1c9f
SHA256 5f9c4ab08cac7457e9111a30e4664920607ea2c115a1433d7be98e97e64244ca
SHA512 e053886e1b797bc5a80f932302f0201265a599d82e2502d41941d6e652614ef88fa058e009094d26655f880200df12c2100f690254fd1e5bae75d7441763cd33

C:\Windows\ppp3.dat

MD5 6ea9ab1baa0efb9e19094440c317e21b
SHA1 7719a1c782a1ba91c031a682a0a2f8658209adbf
SHA256 35135aaa6cc23891b40cb3f378c53a17a1127210ce60e125ccf03efcfdaec458
SHA512 a64c0e99969683e7224137b2726353ffd630fc15cceda1c75169daef65c9802a54dfebffa3902943044fe3273ccce95d0ddfff08fdbae388357a79ce891cfe38

C:\Windows\ppp3.dat

MD5 182be0c5cdcd5072bb1864cdee4d3d6e
SHA1 b6692ea5df920cad691c20319a6fffd7a4a766b8
SHA256 c6f3ac57944a531490cd39902d0f777715fd005efac9a30622d5f5205e7f6894
SHA512 3163a8d6a4540ecf1794ece0245f291154d30e1080359d2e994ef79c1a469aa0cd808769d9c7ee30ca342c6803d2ebcec3eb71a928d6db187dfb1fc2cf640395

C:\Windows\ppp3.dat

MD5 19ca14e7ea6328a42e0eb13d585e4c22
SHA1 fc074d501302eb2b93e2554793fcaf50b3bf7291
SHA256 76a50887d8f1c2e9301755428990ad81479ee21c25b43215cf524541e0503269
SHA512 22d862f2af40c95f5f6ee6e6b7883e3fdbe98b2a86ad1af794228371e806f7f3a7900140dc6f70961e87b297d6b49c3b9b7c3d511fa5ed8f23180cd4dce2bb89

C:\Windows\ppp3.dat

MD5 d67d8ab4f4c10bf22aa353e27879133c
SHA1 ca3512f4dfa95a03169c5a670a4c91a19b3077b4
SHA256 0b918943df0962bc7a1824c0555a389347b4febdc7cf9d1254406d80ce44e3f9
SHA512 3eb88e150a4d2a351c7cdcbbe6dbe0e549339dc651dedaba39ee5f53f95e614fadd959c69402cefbbd88e50efa1c5811528e9b4c9dda137ffa4c8daab5a1fb11

C:\Windows\ppp3.dat

MD5 17e62166fc8586dfa4d1bc0e1742c08b
SHA1 0286dd552c9bea9a69ecb3759e7b94777635514b
SHA256 44cb730c420480a0477b505ae68af508fb90f96cf0ec54c6ad16949dd427f13a
SHA512 d94a45acd81f8e3107d237dbc0d5d195f6a52a0d188bc0284c0763ece1eac9f9496fb6a531a296074c87b3540398dace1222b42e150e67c9301383fde3d66ae5

C:\Windows\ppp3.dat

MD5 d9d4f495e875a2e075a1a4a6e1b9770f
SHA1 fe2ef495a1152561572949784c16bf23abb28057
SHA256 25fc0e7096fc653718202dc30b0c580b8ab87eac11a700cba03a7c021bc35b0c
SHA512 9c3211509a9eee80f881f6b6666ab82df6bec222c84ba583c5bb636a0a0d811d850524e9adba61950e09fcd06ffacdd0ee164220ac09a2319b2f35db219fc8c9