Analysis Overview
SHA256
69c28a6df9bcf6c06c982149efc4aefab79ee030157664f3da77f1dc1082d0a4
Threat Level: Shows suspicious behavior
The file 0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
UPX packed file
Modifies system executable filetype association
Executes dropped EXE
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-02 01:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-02 01:58
Reported
2024-05-02 02:01
Platform
win7-20240221-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svchast.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212} | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212} | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Drops file in System32 directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ppp4.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\ppp3.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\svchast.exe | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\ppp4.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\ppp3.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\ppp4.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\ppp3.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118 | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118\setdata | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f095766f349cda01 | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118\Registration | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118\setdata\scantime = "2.5.2024 1:58:56" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Softimer | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Softimer\systemEth0 = "0" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Windows Antivirus Pro\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118\setdata\scncnt = "1" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ = "C:\\Windows\\SysWow64\\dddesot.dll" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212} | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\ = "ICQSys (IE PlugIn)" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ = "C:\\Windows\\SysWow64\\dddesot.dll" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212} | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\ = "ICQSys (IE PlugIn)" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"
C:\Windows\svchast.exe
C:\Windows\svchast.exe
C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe"
C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | core2637.racing-wtf.com | udp |
Files
memory/1948-0-0x0000000000400000-0x0000000000BFB000-memory.dmp
\Windows\SysWOW64\dddesot.dll
| MD5 | 8fc55c7103c6464e032f7cf7a8dcdf0b |
| SHA1 | 1c8635200498ed5318d1e6e9f9009cc930dc802e |
| SHA256 | d9d19b0daae9e33a25e59e5b962ce8cbf0379a4c16a3aec947d993d7908bd406 |
| SHA512 | 081020fed6e41a29f5c9576cfc8e16cc13cab640dae7eced4527052f16f79ffa3cac53c21f34628d6561d37081d715056f793c36a81f4d3e11474f4b0c728174 |
C:\Windows\svchast.exe
| MD5 | 90a91811c024dcdd991520bb2d5ca737 |
| SHA1 | 261de7e48fc021566bb7fdf411fb623447fde8d2 |
| SHA256 | 1c59abe73e3a19d9723b552dada15e21db14dd5929b321f2e3f653fd9daf9df5 |
| SHA512 | adb4bfd978b2cca19124b5b8547b20734d2bc4d7c2ce332b4acd7ca790750bfca6558e3a5795722ca84d99f8bf0e49e4c3558085f4a94544f787f2054e6d48d0 |
C:\Windows\ppp4.dat
| MD5 | c59a09a1edc7b73a312e2c58d4c22312 |
| SHA1 | 78ec0f61e0a301c442054cdf4fc0ccecf501201b |
| SHA256 | 40149a3f657cfb159d0877186e91efec6a43ca3080e0862410d84ef5ae87b733 |
| SHA512 | da60ade8147be9fae09462fef4761b24e5da8edeb3b601c76b4645bfd7785dc1722c72a39659b3a80e5b6bc5e8e8fbe3ffab023d1250b8ea13d372e4c071daab |
C:\Windows\ppp3.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
C:\Windows\SysWOW64\sysnet.dat
| MD5 | f14dcc72745a03b34b0635a56bdb57fb |
| SHA1 | 7f070e16f06b6513a43e3ec7e752e07978a1c2c9 |
| SHA256 | d4fc86aa63e5928c5d5c367a78d296dd47e180af7a2a69b924e49ba8595342c9 |
| SHA512 | 5776af748bf85e5a9ea2c708948a03a631ea01828bc28481ef9ca51cc21e0b64643f9f7e87e819d9e7e6a98f38c9df86c30b32f36cdc05365a91af5c183a509e |
C:\Windows\SysWOW64\desot.exe
| MD5 | 4a40db1ee43171f6aa88ee67ec10f0ae |
| SHA1 | 83cd34dcfbd6c1a950ad3a3305e5a75a477353e4 |
| SHA256 | 3a6a665b5076eab45ffc58006fa52428f5c2d91a21f3533d8a4e997b062e2c70 |
| SHA512 | 98a5f7d206b1a0f74798e662fdc8d40c64d19352df89480b1bc10770258c07c61ee9d879f1873a2b8a2c8c93f615af104e55dd59e9b1f9a20f5f088c15b4b9de |
C:\Windows\SysWOW64\desot.exe
| MD5 | 82403bcecfc71e4d5757381ef5dba108 |
| SHA1 | db15d3aa5bb9421b3774c33f93120000cb2c3edb |
| SHA256 | 6caa30a35116c861bc50cabbc5fc5625685e1fad0d3c1159792580f65e020db0 |
| SHA512 | 33316368b145b84e6f8d58c9536fc22254783935aee9e86473e63c2bc8120a402a0c43ab2705021cf93305bc048b09ceefbe5737286c227a13ef86cb31aa895f |
C:\Windows\SysWOW64\desot.exe
| MD5 | 92d234f4acde0e8f829d1908e0674b72 |
| SHA1 | dfa6cb84994cd87b0611403681bd9ead0d32d917 |
| SHA256 | 8fbd22e1392972af49e720927a1bcc3c49982010fce9d468864fa99ca20ff877 |
| SHA512 | fe5397d4f0c3eb56584246387d2d1c313b319b99e92e23aea65f39c9b054e191df20315e6674ae0d67684b994d7e7d9ac7ce8d30a023ed4980af90053bdaed92 |
C:\Windows\SysWOW64\desot.exe
| MD5 | 61211419d78cc18247f76f238fe984c8 |
| SHA1 | 78f05bbd787a08faeab80e1eb1095113c5e397d7 |
| SHA256 | f529351c585b7f99e9d274ee721c19d7f8d25e3d409a812342bb5c2c5481890a |
| SHA512 | 8950586c7e85f4e68f82f982ad8decdaadc8253e12c22370cf5f1f429deaa78128238a142ddebe03a11f3bcb28e4065b5a35160ab3b51838a79db23a6cda2e47 |
C:\Windows\ppp3.dat
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Windows\SysWOW64\desot.exe
| MD5 | a999853b253192a8013dccb64d8d9ba3 |
| SHA1 | 72393729fe9ce045277bb1367dd5031b7904cc58 |
| SHA256 | daa1e02ab68d94ddd3e673a48fa6d8911ba7c05add1e1408dfdde2e90e8bd8b0 |
| SHA512 | 9fdff0093a0763aedd699d1e934d2bc1644ab77ef1f36aa393facc8dab0265b2b90b6bb709be255639394bb8d19c0444a3f770a9cd98e9756e11660b1ba476f5 |
C:\Windows\SysWOW64\desot.exe
| MD5 | 1c1db8e9674246e40cb6bf099bb79a72 |
| SHA1 | 07494294afd71099332863455b1278caed608d32 |
| SHA256 | d61fc647f2e29b93413f72ceb4817e9824294b6addb4bf306c282073a87b1f6f |
| SHA512 | 66465f9df6ac80c3934fda28ec871967626f675218deb93790538a05b06d66c0f2a434b7f56fc462c00a64f1238c6f13eff00cd940a7905dc9cb0e595b34e0c7 |
C:\Windows\SysWOW64\desot.exe
| MD5 | 5c7b5eb1003d864a1fb3b48d39bdcece |
| SHA1 | cb767cfb82903894a1befa906d1ef19ef565b6e1 |
| SHA256 | ffff09eaa0a4881585ef72455201e94f5af233162e1b3fff95532992d84d0558 |
| SHA512 | c0c8575bf002a01d28729acd6a7562f61f488014ada07818080bd9f5dbf66fbe757dfdef31623c88415346ba578ad1de4f9b26e37d2fc1bae6d686d6458a4fbc |
C:\Windows\ppp3.dat
| MD5 | c81e728d9d4c2f636f067f89cc14862c |
| SHA1 | da4b9237bacccdf19c0760cab7aec4a8359010b0 |
| SHA256 | d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35 |
| SHA512 | 40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114 |
C:\Windows\SysWOW64\desot.exe
| MD5 | 29ab9f04be6b47faefadd4fd39f22837 |
| SHA1 | 0fbf15f5da4d1eb4ce2501423fe014c59e128ef8 |
| SHA256 | e3f0e3c8c7edad125b41b3360d60734e63492bac92dc5676b58ae507e4368fc2 |
| SHA512 | 36cec0834065b6abf32da029df160180fae21aa8e617a26fd608e93b16fb8040aa8939e428c06d48fdea68e96ca719e42bb1d85f1c1c7df427085fb72588ec55 |
C:\Windows\ppp3.dat
| MD5 | eccbc87e4b5ce2fe28308fd9f2a7baf3 |
| SHA1 | 77de68daecd823babbb58edb1c8e14d7106e83bb |
| SHA256 | 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce |
| SHA512 | 3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb |
C:\Windows\ppp3.dat
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1948-394-0x0000000002630000-0x0000000002654000-memory.dmp
memory/2772-395-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2772-397-0x0000000000240000-0x0000000000264000-memory.dmp
memory/2772-396-0x0000000000240000-0x0000000000264000-memory.dmp
memory/2772-452-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
| MD5 | c56d7e972adfdd33b5edd30e5eaff45e |
| SHA1 | b432f4e48e0d1f219741e6eb94140aa469f5cacc |
| SHA256 | da08d1e739a250eda7fa14ed6f891cc18ca2af86859eaccd614dc2f36e3c7de3 |
| SHA512 | 08f9dcac07f0dc56a36b36d2ad4f8a4a455bac23f74c52ddfcc77ae1be11a61603d2bda053fc4ce4609a7befc36cf8efceade5336b72436b76914a7c685ecfa4 |
memory/2588-455-0x00000000025E0000-0x0000000002604000-memory.dmp
memory/2560-457-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2560-510-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1948-619-0x0000000002630000-0x0000000002654000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-02 01:58
Reported
2024-05-02 02:01
Platform
win10v2004-20240419-en
Max time kernel
149s
Max time network
132s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svchast.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212} | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Drops file in System32 directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ppp3.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\ppp4.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\ppp3.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File created | C:\Windows\svchast.exe | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\ppp4.dat | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\SysWow64\\desot.exe \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212} | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\ = "ICQSys (IE PlugIn)" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ = "C:\\Windows\\SysWow64\\dddesot.dll" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F54AF7DE-6038-4026-8433-CC30E3F17212}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4912 wrote to memory of 3504 | N/A | C:\Windows\svchast.exe | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe |
| PID 4912 wrote to memory of 3504 | N/A | C:\Windows\svchast.exe | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe |
| PID 4912 wrote to memory of 3504 | N/A | C:\Windows\svchast.exe | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe |
| PID 1912 wrote to memory of 3712 | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe |
| PID 1912 wrote to memory of 3712 | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe |
| PID 1912 wrote to memory of 3712 | N/A | C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"
C:\Windows\svchast.exe
C:\Windows\svchast.exe
C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d2b8b801bbde449a802b5f28dfb45a7_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | core2637.racing-wtf.com | udp |
| US | 8.8.8.8:53 | 29.123.145.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | time.nist.gov | udp |
| US | 8.8.8.8:53 | 2.97.163.132.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1912-0-0x0000000000400000-0x0000000000BFB000-memory.dmp
C:\Windows\SysWOW64\dddesot.dll
| MD5 | 8fc55c7103c6464e032f7cf7a8dcdf0b |
| SHA1 | 1c8635200498ed5318d1e6e9f9009cc930dc802e |
| SHA256 | d9d19b0daae9e33a25e59e5b962ce8cbf0379a4c16a3aec947d993d7908bd406 |
| SHA512 | 081020fed6e41a29f5c9576cfc8e16cc13cab640dae7eced4527052f16f79ffa3cac53c21f34628d6561d37081d715056f793c36a81f4d3e11474f4b0c728174 |
C:\Windows\svchast.exe
| MD5 | 90a91811c024dcdd991520bb2d5ca737 |
| SHA1 | 261de7e48fc021566bb7fdf411fb623447fde8d2 |
| SHA256 | 1c59abe73e3a19d9723b552dada15e21db14dd5929b321f2e3f653fd9daf9df5 |
| SHA512 | adb4bfd978b2cca19124b5b8547b20734d2bc4d7c2ce332b4acd7ca790750bfca6558e3a5795722ca84d99f8bf0e49e4c3558085f4a94544f787f2054e6d48d0 |
C:\Windows\ppp4.dat
| MD5 | c59a09a1edc7b73a312e2c58d4c22312 |
| SHA1 | 78ec0f61e0a301c442054cdf4fc0ccecf501201b |
| SHA256 | 40149a3f657cfb159d0877186e91efec6a43ca3080e0862410d84ef5ae87b733 |
| SHA512 | da60ade8147be9fae09462fef4761b24e5da8edeb3b601c76b4645bfd7785dc1722c72a39659b3a80e5b6bc5e8e8fbe3ffab023d1250b8ea13d372e4c071daab |
C:\Windows\ppp3.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/3504-17-0x0000000000400000-0x0000000000BFB000-memory.dmp
C:\Windows\SysWOW64\desot.exe
| MD5 | 4a40db1ee43171f6aa88ee67ec10f0ae |
| SHA1 | 83cd34dcfbd6c1a950ad3a3305e5a75a477353e4 |
| SHA256 | 3a6a665b5076eab45ffc58006fa52428f5c2d91a21f3533d8a4e997b062e2c70 |
| SHA512 | 98a5f7d206b1a0f74798e662fdc8d40c64d19352df89480b1bc10770258c07c61ee9d879f1873a2b8a2c8c93f615af104e55dd59e9b1f9a20f5f088c15b4b9de |
C:\Windows\ppp3.dat
| MD5 | eccbc87e4b5ce2fe28308fd9f2a7baf3 |
| SHA1 | 77de68daecd823babbb58edb1c8e14d7106e83bb |
| SHA256 | 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce |
| SHA512 | 3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb |
C:\Windows\ppp3.dat
| MD5 | 1679091c5a880faf6fb5e6087eb1b2dc |
| SHA1 | c1dfd96eea8cc2b62785275bca38ac261256e278 |
| SHA256 | e7f6c011776e8db7cd330b54174fd76f7d0216b612387a5ffcfb81e6f0919683 |
| SHA512 | 3c9ad55147a7144f6067327c3b82ea70e7c5426add9ceea4d07dc2902239bf9e049b88625eb65d014a7718f79354608cab0921782c643f0208983fffa3582e40 |
C:\Windows\ppp3.dat
| MD5 | 45c48cce2e2d7fbdea1afc51c7c6ad26 |
| SHA1 | 0ade7c2cf97f75d009975f4d720d1fa6c19f4897 |
| SHA256 | 19581e27de7ced00ff1ce50b2047e7a567c76b1cbaebabe5ef03f7c3017bb5b7 |
| SHA512 | 0dc526d8c4fa04084f4b2a6433f4cd14664b93df9fb8a9e00b77ba890b83704d24944c93caa692b51085bb476f81852c27e793600f137ae3929018cd4c8f1a45 |
C:\Windows\ppp3.dat
| MD5 | c51ce410c124a10e0db5e4b97fc2af39 |
| SHA1 | bd307a3ec329e10a2cff8fb87480823da114f8f4 |
| SHA256 | 3fdba35f04dc8c462986c992bcf875546257113072a909c162f7e470e581e278 |
| SHA512 | 413f2ba78c7ed4ccefbe0cc4f51d3eb5cb15f13fec999de4884be925076746663aa5d34476a3df4a8729fd8eea01defa4f3f66e99bf943f4d84382d64bbbfa9e |
C:\Windows\ppp3.dat
| MD5 | c74d97b01eae257e44aa9d5bade97baf |
| SHA1 | 1574bddb75c78a6fd2251d61e2993b5146201319 |
| SHA256 | b17ef6d19c7a5b1ee83b907c595526dcb1eb06db8227d650d5dda0a9f4ce8cd9 |
| SHA512 | 7c73947fa1821233428dd9684e52ce908130a91b903d5179f731c9ded61f06cecca427a7a1a5aabefaa35be5a6dd84efc03f2cb779f339b0766481eabb241e0c |
C:\Users\Admin\AppData\Local\Temp\tmp\dbsinit.exe
| MD5 | c56d7e972adfdd33b5edd30e5eaff45e |
| SHA1 | b432f4e48e0d1f219741e6eb94140aa469f5cacc |
| SHA256 | da08d1e739a250eda7fa14ed6f891cc18ca2af86859eaccd614dc2f36e3c7de3 |
| SHA512 | 08f9dcac07f0dc56a36b36d2ad4f8a4a455bac23f74c52ddfcc77ae1be11a61603d2bda053fc4ce4609a7befc36cf8efceade5336b72436b76914a7c685ecfa4 |
memory/3712-182-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Windows\ppp3.dat
| MD5 | 1f0e3dad99908345f7439f8ffabdffc4 |
| SHA1 | b3f0c7f6bb763af1be91d9e74eabfeb199dc1f1f |
| SHA256 | 9400f1b21cb527d7fa3d3eabba93557a18ebe7a2ca4e471cfe5e4c5b4ca7f767 |
| SHA512 | 8d89aa701de5a35b24cfadbd2088986ae13311d1a7c63abe5c780c62bc939a0577c3a78cf7ee4951c1b09f6849074c21ca1f7023e89bee683c1dbb2134a984d0 |
memory/3712-237-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp\wispex.html
| MD5 | 2e52292483adbe80180839f1b5fcef01 |
| SHA1 | fb0fda21f6201bfa2b2c985bf41aa5055e80f354 |
| SHA256 | 64c12de6572f09fba2e2296f087e574e529f251c45e6c3a57ae695d04b1b6bfc |
| SHA512 | f06ee569526b1f9f120b17aa2bb3d1aff4002aa6db7afe962c3ff93a73022d12272f79e5a5c5d51ed509afe68c69fbb00b8a447ea709c19b83752fe2dbb54637 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\up1.gif
| MD5 | b38868b01af72aed2f144ec5bab8f083 |
| SHA1 | 5997ad30ca267d0cead151ee141eae6ed8044a7c |
| SHA256 | 702adbe7dee9a6e86d9d0bfee652323c0e3e4df0304a02834ba755263a3e74a4 |
| SHA512 | d42926688d16e5ca6950090b29af53cf035150c7bf725e66bbecffc4caa1cecb58aabf45e4d53095b5702bf499c074c6293c0026b91a164b4546f7f6b2706419 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\l1.gif
| MD5 | 94ab0618d502daf24bed9450b9bcaa38 |
| SHA1 | 101af6f573ea588df70ca11b341e2d996da49ae1 |
| SHA256 | efdcbb6b6fe95f088b075cebae655d855081073a4a5c2d0b3da0bdf7f4190da4 |
| SHA512 | 477ad1d04d787e27cff2bab245075b76a6afbc86a64c8331433fa8ff349137c87c3424beaaf53e783f124b5a8c6a1045114ec090461179f4fd2f3ae1a9ae6b6f |
C:\Users\Admin\AppData\Local\Temp\tmp\images\pix.gif
| MD5 | f7eb3f820edd7f05bbae8021b7a7c3de |
| SHA1 | 25bd83866c2a9bd7bc61d26ed6fc7bb58dbb43e9 |
| SHA256 | c548d4650f7fa991d9b70cde6cbf015eafb3a8308838dd7c6026f792045c61fd |
| SHA512 | 3d32b3258fdb45e89ba1eae41870fadeb9c81db64c95b3456a70b9aaeaa9bc6e05e5b95e99f52c67311d79612164bebe75a8e18c12ba936140737154b043ce82 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\i2.gif
| MD5 | a4b546ff96e833a78b4668ce192b4cc3 |
| SHA1 | 94bb99076b4296df34c05b992359dbc40bf89202 |
| SHA256 | 84f4d33074ae1591eb0cf4abef5324a7b2763a0d27e7f76bf4490d0a40d84c8f |
| SHA512 | b24fd8fe053a34253198e1837cd029e5b4cf8b14d57aede116aea2b09c36fbe866c230400b362703cf77aab33bd53bc24ba68c077a4bd6fae64d98934c6885b1 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\i3.gif
| MD5 | 8598b9748c737242b50d91fea4dfa9f0 |
| SHA1 | c508faa5954117c4cff454a64b00f316b3d63b44 |
| SHA256 | fa81b98f812e8be06d9feae6d232a58964ebe838b98d4aaee58803eac0a52e49 |
| SHA512 | 24e28ef26f99d5b7903647ef71ca4a3cc5069ef6a4121cb336e283e8d2757cae42b3e0878fb07c0f1a0492b44fb703baf369e4b5f7620d66a288119e09847a76 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\i1.gif
| MD5 | d76aa095c7bbbb776a7a23265b225a3d |
| SHA1 | b8d5258344350310a51eb9c4711685f05cd0a61d |
| SHA256 | 89420e989162a718556b56d0423bb9950e7e072e60adc9e88a0dbbd58f1cd308 |
| SHA512 | 340455b2c9fa50d05d297875a4fdf5ce8f8fdc91e5604758ebeb17987cf695c7b72e17e047ab513ba3a3c55b6ede1805dea9bbad98fbdaa19b30de4777d2aeff |
C:\Users\Admin\AppData\Local\Temp\tmp\images\t2.gif
| MD5 | 4e629e426c553631ed38b4363f41f824 |
| SHA1 | 417c9395f9e32cf7d573ec1fec2b227ea2e49719 |
| SHA256 | 8db978ed3b9c4d358be99b67144f85887175c4b1991e9cef236ac7a286a7ccfe |
| SHA512 | f865330a29ce4bab368cfa08b505e064c3e5173e4413184fd6fffe1b0f856d461493f5e3ce6d4ae63ed969c8399ac5f0c4376ed61691e44dcd4e3fc363376bad |
C:\Users\Admin\AppData\Local\Temp\tmp\images\jj3.gif
| MD5 | 09c210a0a41489b3a9e1b9117aa5686e |
| SHA1 | ae92400bc35213d54ae2ed98df79aa0f3936e0f9 |
| SHA256 | 8d1876ff47f644d2168c847ae2c9f065ea4331765254a26225682030085a94a9 |
| SHA512 | bd7a03c72b863346cae795e25b027b3345ab14e9fd886ab54f17e7efd59f2aa2d5f3f943d8f8bd96038446c8de09a091d1bb6a3b8cd95962c46be090e7562917 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\jj1.gif
| MD5 | 6eaf773c60e233e4a27ac99a2491dfe6 |
| SHA1 | 0f90f6217280912166a887a2acd42ab3bd22f9ba |
| SHA256 | f79c122a83ef1de3386dc1e3286871ad8ee1fa3b4a451a16b9c0302bd6deeddb |
| SHA512 | c56d777f5247c3ef27bcf2c9f68f972feab8e66683443ecd2e400a4c2557dde697e00a0104c77ac78d9ccfb191973ad969843d6566688128f37e14e578a4e15b |
C:\Users\Admin\AppData\Local\Temp\tmp\images\jj2.gif
| MD5 | 745975524fea29121ed5f4bb9e422ab5 |
| SHA1 | 351400f4be06a1eae071258cac9a663502193155 |
| SHA256 | 036bc6dd2556d565a889b248cec035105e9feea45f56e0a896fcde1b611c34f8 |
| SHA512 | dbe05040cd39f3db28a3d8196ac7ea75326f371cd575d70520cdedb584af8f3b5d89660899a6dd70cc474501b6913e737efe8316e3d15434bfffc8164c676941 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\j3.gif
| MD5 | c0e3c3f95973fbdfc3d7c5b4c16b2988 |
| SHA1 | 24bc72f11e72529f33c398f671613928ff039f81 |
| SHA256 | 59886eb62a0a1ee89b47da408c11d73cf3eef8528d24cc924235170d5b4653ce |
| SHA512 | 6f1314d7ae7360e9c9b2b9d958c337bbded7569dc620b96e59a9b8ae84a15d6fccb18c872726343c537aff9b1196c71c78f559bd682d49847fd1e246c6b9f40a |
C:\Users\Admin\AppData\Local\Temp\tmp\images\j1.gif
| MD5 | 99f9f01323dd47fa2ff9c46164364c9a |
| SHA1 | e8dec6e590b414ca7e7c64c2fe9a9408a928ff87 |
| SHA256 | b95448e504dc41cd7e76980d0d520c634cf810aa93fe292d1fe08e8833a411cd |
| SHA512 | faa4f59803b089ec6de2e4617a0968d199e3fa29ef1dbfdbf45b2d6009acde5bf682c06c7b250fba7fb393e623f85cc9020c8eb9c234ebb179e4ae2eab94dfd0 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\j2.gif
| MD5 | 70902cedfde493658e47e1d60155f5c3 |
| SHA1 | 0099b30d2b40784640f6dc472d26f43980d1ac0a |
| SHA256 | 6832cac666ab2ed365b5cc3a57091e387f7818491de92e1479cdd5e7d0312be8 |
| SHA512 | eb521f6b9541762fcf266abc0b243aac3c0de533829fe5f7334364edc1ca228dafe0ede26fa279901ab898113d3ceb2b9335f6951a22d074ec865f1274436eda |
C:\Users\Admin\AppData\Local\Temp\tmp\images\w11.gif
| MD5 | 7b2345ebf342efa04d9b005acb354d6c |
| SHA1 | 6b4f0669a780c45bb2d278f3bc84a30cb3e061cb |
| SHA256 | c3a5ae624c4fcef9f095c298ae9e9397fb180139e373879d9a1e6d46e8358b18 |
| SHA512 | 30c2fb0f472d62c654424153ad079af21b73d7ec7a283fa3133e6688620677d2815f2b1a90b4b7debc7d25f71a9515f03b6fd15052bbe736e6822b97d2650c57 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\wt3.gif
| MD5 | 3946582dd142022bf90bab9190b7fcb2 |
| SHA1 | 16c9f00145d9ea95e0544bb1cdf9b191bc2714f4 |
| SHA256 | f121c0c46d07f63715f31c4419e1a8291c77147592a0fed5da564e561c1ab06c |
| SHA512 | c5ee0c05c41c72597286d8711ea299a0c2eeac45385f25ce46ac9c713702fb8b21f199d1c69bf4c97775e60effb3448868a4b4d421131bcce3bde5b67537a592 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\wt1.gif
| MD5 | 1c76ce328401d00d96fd495215609d91 |
| SHA1 | 561d8c1e9960fddfaa55f8e22624fd069731c519 |
| SHA256 | f03b60202c531c2e0c135600344d9a2e0f8ea09cc281173b1086480cc44c98ca |
| SHA512 | 8e0dc9f51690660793375bbede0784a368a5170f0017d0cb71104020b33505c902521ac602728e62c67efa4508dd53a6d520c65cee1800b14852187e9e964c14 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\wt2.gif
| MD5 | 78c728ccf262a6c7fddd35b138dc1381 |
| SHA1 | 5f51dae174cf14c20c1112111f52f3867041d4e8 |
| SHA256 | 980bd155cd14037a7de2e50829dd917270b2e24ff136adf76940e495f8f1957d |
| SHA512 | c65a7b3d637ac9c81baaea80ee39a61eb669b4f0a8b1f2a66f4c6e4dcde4d0fe10128d2cb382a8404a11628fa14117153bb42329c4858cff064378b65437fcb0 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\w3.jpg
| MD5 | 71f0fae3427d661c2b5dd27148a2112e |
| SHA1 | e886e18bf7516fd59b66339f6c73d8be817d85d6 |
| SHA256 | a2724b34aae2fbb98a50bcd7252e0888b4abc4587eb90dc78b496d78988e5851 |
| SHA512 | 528b06b680d02a2cd38e6d16c7180fc4875625194ac3ffea1b66280f4c146671f10894875fffddedca34cd48743d410feba16c8307e511adfe772b4e16a1b761 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\w2.gif
| MD5 | 54c6502b2880e2c28cabfce05bc054d6 |
| SHA1 | 7d3e49a8e223e5a0aea814df7d2ce9920574c2e5 |
| SHA256 | 5e10d83cd2e7ada3a96c8f9eedb9b8ca16da825182e23cbdc94b3d596d6b58a9 |
| SHA512 | 3a98bd28962baf67864e132a130fd2524797ca4b29875c3ff10daa1cd71349133df0e24c7b6f9ee450aa945a24746fbc57d4441a683f1979b22655b1b0ccde9b |
C:\Users\Admin\AppData\Local\Temp\tmp\images\t1.gif
| MD5 | 11b91a9a65ad3bb030ec3d9ce07b3862 |
| SHA1 | 1f5a36bec18aa94ed1139f68f35ded63746d6b88 |
| SHA256 | 806e9704f421262b00b610849fc2e4e3ec556a0d2a8f32024c510f590068f3df |
| SHA512 | 7a61765ecfe0b18a46776ced2b3ab001d088dadc3c15e262a53d7ddc850cc4a6ce8db0f734af569a7d1ffdf9deae87c13b82bba4fba4b187ab80fa691dbaacef |
C:\Users\Admin\AppData\Local\Temp\tmp\images\l3.gif
| MD5 | 015d02e2256ebf1de10df7391f208480 |
| SHA1 | 7aaa65837f50d3b148bc06088dd09c866d26b33b |
| SHA256 | d234dbeb1d0e7b418f4bcbb154b51c380b7bd013003615edfe066c43c1e6e994 |
| SHA512 | d3d627f859d9c7191eb7ad30e4438c5db5e94d8d2be9939ec070aa978f9240c0ba9133d2eec9ab83bf76cf5531c76fd3b38781acfa242ad0a20722a5be849a42 |
C:\Users\Admin\AppData\Local\Temp\tmp\images\w1.gif
| MD5 | e67bb1ddc5b8991f9f45fefe787424af |
| SHA1 | 48b2f386a7f8e0bbf766fd08aaebefa412cee4bf |
| SHA256 | 7fa89afbb9adbf47062c65e90c018490b22731cf9ddc6aa1d9af2cc578ead4b0 |
| SHA512 | 47c9d3afba93fa11616ad1fad711fad70c0f56fe8647ef10a6802b8d90fb9bd21913b34a1e193fccfb60e338b6f3af67d9703eb3c38f659f6ea5eaf49bed8a7a |
C:\Users\Admin\AppData\Local\Temp\tmp\images\l2.gif
| MD5 | 77fe12e4807d1abfe9e998629615f1b0 |
| SHA1 | 620e56e7ed10315a121e3d99adb1209962741d57 |
| SHA256 | 9375fa5942f3161884b876e6a3629b8df61192cb5884e41b5174554881fc9be2 |
| SHA512 | 7bf27be1cc99165daaa2dc6dcd27642b0985974da5f075cc3829fc94ac763d980340abcf91f8f071189891e6433d16b4975a606ecbf7224894d4fa2cbaa9763a |
C:\Users\Admin\AppData\Local\Temp\tmp\images\up2.gif
| MD5 | e04d135d8f5074e1767274fb19140ba3 |
| SHA1 | 3eaf2ba8a6d76ff72b88a57044a7ca1367d3a0d8 |
| SHA256 | d2c95221d5350e9705846d81e8b5f9ab9ba1b836e6b9ed5ce9a8af4902030289 |
| SHA512 | 98e70205e94e9edb6ef14d898f2754ec3bbff85b5457bef19d1e36b9189bb6751ddcaec9793fd1b7a19965be480639957bb5d74443433fd87b122756ffc87287 |
C:\Windows\ppp3.dat
| MD5 | 37693cfc748049e45d87b8c7d8b9aacd |
| SHA1 | d435a6cdd786300dff204ee7c2ef942d3e9034e2 |
| SHA256 | 535fa30d7e25dd8a49f1536779734ec8286108d115da5045d77f3b4185d8f790 |
| SHA512 | 6ff334e1051a09e90127ba4e309e026bb830163a2ce3a355af2ce2310ff6e7e9830d20196a3472bfc8632fd3b60cb56102a84fae70ab1a32942055eb40022225 |
C:\Windows\ppp3.dat
| MD5 | 4e732ced3463d06de0ca9a15b6153677 |
| SHA1 | 887309d048beef83ad3eabf2a79a64a389ab1c9f |
| SHA256 | 5f9c4ab08cac7457e9111a30e4664920607ea2c115a1433d7be98e97e64244ca |
| SHA512 | e053886e1b797bc5a80f932302f0201265a599d82e2502d41941d6e652614ef88fa058e009094d26655f880200df12c2100f690254fd1e5bae75d7441763cd33 |
C:\Windows\ppp3.dat
| MD5 | 6ea9ab1baa0efb9e19094440c317e21b |
| SHA1 | 7719a1c782a1ba91c031a682a0a2f8658209adbf |
| SHA256 | 35135aaa6cc23891b40cb3f378c53a17a1127210ce60e125ccf03efcfdaec458 |
| SHA512 | a64c0e99969683e7224137b2726353ffd630fc15cceda1c75169daef65c9802a54dfebffa3902943044fe3273ccce95d0ddfff08fdbae388357a79ce891cfe38 |
C:\Windows\ppp3.dat
| MD5 | 182be0c5cdcd5072bb1864cdee4d3d6e |
| SHA1 | b6692ea5df920cad691c20319a6fffd7a4a766b8 |
| SHA256 | c6f3ac57944a531490cd39902d0f777715fd005efac9a30622d5f5205e7f6894 |
| SHA512 | 3163a8d6a4540ecf1794ece0245f291154d30e1080359d2e994ef79c1a469aa0cd808769d9c7ee30ca342c6803d2ebcec3eb71a928d6db187dfb1fc2cf640395 |
C:\Windows\ppp3.dat
| MD5 | 19ca14e7ea6328a42e0eb13d585e4c22 |
| SHA1 | fc074d501302eb2b93e2554793fcaf50b3bf7291 |
| SHA256 | 76a50887d8f1c2e9301755428990ad81479ee21c25b43215cf524541e0503269 |
| SHA512 | 22d862f2af40c95f5f6ee6e6b7883e3fdbe98b2a86ad1af794228371e806f7f3a7900140dc6f70961e87b297d6b49c3b9b7c3d511fa5ed8f23180cd4dce2bb89 |
C:\Windows\ppp3.dat
| MD5 | d67d8ab4f4c10bf22aa353e27879133c |
| SHA1 | ca3512f4dfa95a03169c5a670a4c91a19b3077b4 |
| SHA256 | 0b918943df0962bc7a1824c0555a389347b4febdc7cf9d1254406d80ce44e3f9 |
| SHA512 | 3eb88e150a4d2a351c7cdcbbe6dbe0e549339dc651dedaba39ee5f53f95e614fadd959c69402cefbbd88e50efa1c5811528e9b4c9dda137ffa4c8daab5a1fb11 |
C:\Windows\ppp3.dat
| MD5 | 17e62166fc8586dfa4d1bc0e1742c08b |
| SHA1 | 0286dd552c9bea9a69ecb3759e7b94777635514b |
| SHA256 | 44cb730c420480a0477b505ae68af508fb90f96cf0ec54c6ad16949dd427f13a |
| SHA512 | d94a45acd81f8e3107d237dbc0d5d195f6a52a0d188bc0284c0763ece1eac9f9496fb6a531a296074c87b3540398dace1222b42e150e67c9301383fde3d66ae5 |
C:\Windows\ppp3.dat
| MD5 | d9d4f495e875a2e075a1a4a6e1b9770f |
| SHA1 | fe2ef495a1152561572949784c16bf23abb28057 |
| SHA256 | 25fc0e7096fc653718202dc30b0c580b8ab87eac11a700cba03a7c021bc35b0c |
| SHA512 | 9c3211509a9eee80f881f6b6666ab82df6bec222c84ba583c5bb636a0a0d811d850524e9adba61950e09fcd06ffacdd0ee164220ac09a2319b2f35db219fc8c9 |