2397ac46ad9b52de1b72d6821ce44f6fd4815ea6abe449d1b731120d1e0c5ce2

Analysis

max time kernel
121s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Size

6.7MB
MD5

a0f26553dde5cc1d8ff54d6c92c86dd4
SHA1

62a8a34ce8a7c7dd4ca42bfdc198adfa0657d4cd
SHA256

2397ac46ad9b52de1b72d6821ce44f6fd4815ea6abe449d1b731120d1e0c5ce2
SHA512

33b49ea87267895ce6c67ae10b6085d6cfdf963f24222c316ac2b96b9592aba0dc8ff0912351d1909fc599d49de9ff0f371eb9ab8a9dbe99d3314d3fb8aa9c6b
SSDEEP

196608:EQU04EBkFK95xMQtICDTh93p4ehtaTfOEnt6DbPwCwHTZ:E7XFaEQjPz3HQTfh6fPwf

Score

8^/10

discovery evasion execution persistence spyware stealer upx

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\b6853ce52f7d6144b04e5ff97658e701.sys	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 13 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002340e-35.dat	acprotect
behavioral2/memory/1676-83-0x0000000002580000-0x000000000258A000-memory.dmp	acprotect
behavioral2/memory/1676-92-0x0000000002580000-0x000000000258A000-memory.dmp	acprotect
behavioral2/memory/1348-276-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect
behavioral2/memory/1348-321-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect
behavioral2/memory/1348-316-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect
behavioral2/memory/1348-525-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect
behavioral2/memory/1348-528-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect
behavioral2/memory/1348-526-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect
behavioral2/memory/1348-543-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect
behavioral2/memory/1348-542-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect
behavioral2/memory/1348-545-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect
behavioral2/memory/1348-544-0x0000000005700000-0x000000000570A000-memory.dmp	acprotect

Executes dropped EXE 4 IoCs

pid	Process
880	35874682523ba0e19cc9dfc95c80fb6b.exe
4068	35874682523ba0e19cc9dfc95c80fb6b.exe
3108	35874682523ba0e19cc9dfc95c80fb6b.exe
940	35874682523ba0e19cc9dfc95c80fb6b.exe

Loads dropped DLL 64 IoCs

pid	Process
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002340e-35.dat	upx
behavioral2/memory/1676-83-0x0000000002580000-0x000000000258A000-memory.dmp	upx
behavioral2/memory/1676-92-0x0000000002580000-0x000000000258A000-memory.dmp	upx
behavioral2/memory/1348-276-0x0000000005700000-0x000000000570A000-memory.dmp	upx
behavioral2/memory/1348-321-0x0000000005700000-0x000000000570A000-memory.dmp	upx
behavioral2/memory/1348-316-0x0000000005700000-0x000000000570A000-memory.dmp	upx
behavioral2/memory/1348-525-0x0000000005700000-0x000000000570A000-memory.dmp	upx
behavioral2/memory/1348-528-0x0000000005700000-0x000000000570A000-memory.dmp	upx
behavioral2/memory/1348-526-0x0000000005700000-0x000000000570A000-memory.dmp	upx
behavioral2/memory/1348-543-0x0000000005700000-0x000000000570A000-memory.dmp	upx
behavioral2/memory/1348-542-0x0000000005700000-0x000000000570A000-memory.dmp	upx
behavioral2/memory/1348-545-0x0000000005700000-0x000000000570A000-memory.dmp	upx
behavioral2/memory/1348-544-0x0000000005700000-0x000000000570A000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SSL\xv.db	35874682523ba0e19cc9dfc95c80fb6b.exe
File opened for modification	C:\Windows\SysWOW64\SSL\6543245b1cb46793 2.cer	35874682523ba0e19cc9dfc95c80fb6b.exe
File opened for modification	C:\Windows\SysWOW64\SSL\cert.db	35874682523ba0e19cc9dfc95c80fb6b.exe
File opened for modification	C:\Windows\SysWOW64\SSL\x.db	35874682523ba0e19cc9dfc95c80fb6b.exe
File opened for modification	C:\Windows\SysWOW64\SSL\xv.db	35874682523ba0e19cc9dfc95c80fb6b.exe
File opened for modification	C:\Windows\SysWOW64\SSL\cert.db	35874682523ba0e19cc9dfc95c80fb6b.exe
File opened for modification	C:\Windows\SysWOW64\SSL\xtls.db	35874682523ba0e19cc9dfc95c80fb6b.exe
File created	C:\Windows\SysWOW64\SSL\cert.db	35874682523ba0e19cc9dfc95c80fb6b.exe
File opened for modification	C:\Windows\SysWOW64\SSL\xtls.db	35874682523ba0e19cc9dfc95c80fb6b.exe
File opened for modification	C:\Windows\SysWOW64\SSL\6543245b1cb46793 2.cer	35874682523ba0e19cc9dfc95c80fb6b.exe
File opened for modification	C:\Windows\SysWOW64\SSL\x.db	35874682523ba0e19cc9dfc95c80fb6b.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\60cb5ebb756c8327d6337bbd6d4e0c80.ico	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\nspr4.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\softokn3.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service_64.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\nss3.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\mozcrt19.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File opened for modification	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\87908c64f535c12e6c01ab342ac8bfc9.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File opened for modification	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\WBE_uninstall.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\d44676e41aa285b35ad6810c42d46501	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\plc4.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\plds4.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\39f45794e48e2f59e28c85f2268ab99f.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\87908c64f535c12e6c01ab342ac8bfc9.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File opened for modification	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service_64.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File opened for modification	C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\service.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kmeuigdmybpidnoh.kmeui	35874682523ba0e19cc9dfc95c80fb6b.exe
File created	C:\Windows\39f45794e48e2f59e28c85f2268ab99f.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Windows\uninstaller.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5204	sc.exe
1092	sc.exe
4820	sc.exe
4788	sc.exe
3372	sc.exe
4568	sc.exe
3376	sc.exe
3876	sc.exe
4292	sc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	35874682523ba0e19cc9dfc95c80fb6b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\wscript.exe\JScriptSetScriptStateStarted = "240622046"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	35874682523ba0e19cc9dfc95c80fb6b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	35874682523ba0e19cc9dfc95c80fb6b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	35874682523ba0e19cc9dfc95c80fb6b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	35874682523ba0e19cc9dfc95c80fb6b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	35874682523ba0e19cc9dfc95c80fb6b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	35874682523ba0e19cc9dfc95c80fb6b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	35874682523ba0e19cc9dfc95c80fb6b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9	35874682523ba0e19cc9dfc95c80fb6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9\LocalService = "8851a48e15ac572110fe90b5c9102a7c"	35874682523ba0e19cc9dfc95c80fb6b.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270	35874682523ba0e19cc9dfc95c80fb6b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270\Blob = 03000000010000001400000028e4ba8454126140a8672cb55b8734cb00e5c27020000000010000000803000030820304308201eca003020102021100de9dc013d6f07f9412bc41817e5c6513300d06092a864886f70d01010b0500302a310b300906035504061302454e311b301906035504030c123635343332343562316362343637393320323020170d3034303631373134313133365a180f32303634303630323134313133365a302a310b300906035504061302454e311b301906035504030c1236353433323435623163623436373933203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101005f4efcbf1ae43150ec248af4e45e27219e1d0c862fa7fd1114c50c97112ab75c690bffb2fad011652989589d023c972f573b606cff2a987fa48d9ae9e7bb3f3e11b28065af28ef8e752d6b7ccecf0ca9fcabbda15475a7a1b7c3e2b25e0340d0bdf0fa8a775ad35a5ea6efccc5a96cd6217776d00e1cf04bb3ef60ef2e8643a959c64744ff726c85dfe3af79a3c45cf53101765af84d44e5a1c469132d93be0e024e6a9ca33debf51e90ddded06483ab331d4c4d0599a85356758c6741b0be90041741bceffe18bb5476fd2c9d3cd0547b39b3d78064513f79800c6f8ff95c722bf22bb4ac9c5910bb99a83582b98b88b222f3eba71a8fefc874f9249410cbc8	35874682523ba0e19cc9dfc95c80fb6b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270	35874682523ba0e19cc9dfc95c80fb6b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270	35874682523ba0e19cc9dfc95c80fb6b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\28E4BA8454126140A8672CB55B8734CB00E5C270\Blob = 03000000010000001400000028e4ba8454126140a8672cb55b8734cb00e5c27020000000010000000803000030820304308201eca003020102021100de9dc013d6f07f9412bc41817e5c6513300d06092a864886f70d01010b0500302a310b300906035504061302454e311b301906035504030c123635343332343562316362343637393320323020170d3034303631373134313133365a180f32303634303630323134313133365a302a310b300906035504061302454e311b301906035504030c1236353433323435623163623436373933203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b050003820101005f4efcbf1ae43150ec248af4e45e27219e1d0c862fa7fd1114c50c97112ab75c690bffb2fad011652989589d023c972f573b606cff2a987fa48d9ae9e7bb3f3e11b28065af28ef8e752d6b7ccecf0ca9fcabbda15475a7a1b7c3e2b25e0340d0bdf0fa8a775ad35a5ea6efccc5a96cd6217776d00e1cf04bb3ef60ef2e8643a959c64744ff726c85dfe3af79a3c45cf53101765af84d44e5a1c469132d93be0e024e6a9ca33debf51e90ddded06483ab331d4c4d0599a85356758c6741b0be90041741bceffe18bb5476fd2c9d3cd0547b39b3d78064513f79800c6f8ff95c722bf22bb4ac9c5910bb99a83582b98b88b222f3eba71a8fefc874f9249410cbc8	35874682523ba0e19cc9dfc95c80fb6b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3108	35874682523ba0e19cc9dfc95c80fb6b.exe
3108	35874682523ba0e19cc9dfc95c80fb6b.exe
3108	35874682523ba0e19cc9dfc95c80fb6b.exe
3108	35874682523ba0e19cc9dfc95c80fb6b.exe
940	35874682523ba0e19cc9dfc95c80fb6b.exe
940	35874682523ba0e19cc9dfc95c80fb6b.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Token: SeRestorePrivilege	1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Token: SeBackupPrivilege	3108	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	3108	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	3108	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	3108	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	3108	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	3108	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeDebugPrivilege	3108	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeBackupPrivilege	940	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	940	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	940	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	940	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	940	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeSecurityPrivilege	940	35874682523ba0e19cc9dfc95c80fb6b.exe
Token: SeDebugPrivilege	940	35874682523ba0e19cc9dfc95c80fb6b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 3500	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	81
PID 1348 wrote to memory of 3500	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	81
PID 1348 wrote to memory of 3500	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	81
PID 1348 wrote to memory of 3372	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	82
PID 1348 wrote to memory of 3372	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	82
PID 1348 wrote to memory of 3372	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	82
PID 1348 wrote to memory of 4412	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	84
PID 1348 wrote to memory of 4412	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	84
PID 1348 wrote to memory of 4412	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	84
PID 4412 wrote to memory of 3096	4412	net.exe	86
PID 4412 wrote to memory of 3096	4412	net.exe	86
PID 4412 wrote to memory of 3096	4412	net.exe	86
PID 1676 wrote to memory of 5324	1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	88
PID 1676 wrote to memory of 5324	1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	88
PID 1676 wrote to memory of 5324	1676	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	88
PID 1348 wrote to memory of 4568	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	90
PID 1348 wrote to memory of 4568	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	90
PID 1348 wrote to memory of 4568	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	90
PID 1348 wrote to memory of 2412	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	92
PID 1348 wrote to memory of 2412	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	92
PID 1348 wrote to memory of 2412	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	92
PID 1348 wrote to memory of 5708	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	94
PID 1348 wrote to memory of 5708	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	94
PID 1348 wrote to memory of 5708	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	94
PID 1348 wrote to memory of 5328	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	96
PID 1348 wrote to memory of 5328	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	96
PID 1348 wrote to memory of 5328	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	96
PID 1348 wrote to memory of 5112	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	98
PID 1348 wrote to memory of 5112	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	98
PID 1348 wrote to memory of 5112	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	98
PID 1348 wrote to memory of 5544	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	100
PID 1348 wrote to memory of 5544	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	100
PID 1348 wrote to memory of 5544	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	100
PID 1348 wrote to memory of 4248	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	102
PID 1348 wrote to memory of 4248	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	102
PID 1348 wrote to memory of 4248	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	102
PID 1348 wrote to memory of 880	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	105
PID 1348 wrote to memory of 880	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	105
PID 1348 wrote to memory of 880	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	105
PID 880 wrote to memory of 5204	880	35874682523ba0e19cc9dfc95c80fb6b.exe	106
PID 880 wrote to memory of 5204	880	35874682523ba0e19cc9dfc95c80fb6b.exe	106
PID 880 wrote to memory of 5204	880	35874682523ba0e19cc9dfc95c80fb6b.exe	106
PID 880 wrote to memory of 3376	880	35874682523ba0e19cc9dfc95c80fb6b.exe	108
PID 880 wrote to memory of 3376	880	35874682523ba0e19cc9dfc95c80fb6b.exe	108
PID 880 wrote to memory of 3376	880	35874682523ba0e19cc9dfc95c80fb6b.exe	108
PID 1348 wrote to memory of 4068	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	111
PID 1348 wrote to memory of 4068	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	111
PID 1348 wrote to memory of 4068	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	111
PID 4068 wrote to memory of 1092	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	112
PID 4068 wrote to memory of 1092	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	112
PID 4068 wrote to memory of 1092	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	112
PID 4068 wrote to memory of 4820	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	114
PID 4068 wrote to memory of 4820	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	114
PID 4068 wrote to memory of 4820	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	114
PID 4068 wrote to memory of 3876	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	116
PID 4068 wrote to memory of 3876	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	116
PID 4068 wrote to memory of 3876	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	116
PID 4068 wrote to memory of 4292	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	118
PID 4068 wrote to memory of 4292	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	118
PID 4068 wrote to memory of 4292	4068	35874682523ba0e19cc9dfc95c80fb6b.exe	118
PID 6124 wrote to memory of 6120	6124	rundll32.exe	121
PID 6124 wrote to memory of 6120	6124	rundll32.exe	121
PID 6124 wrote to memory of 6120	6124	rundll32.exe	121
PID 1348 wrote to memory of 4788	1348	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	122

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js" "C:\Users\Admin\AppData\Local\Temp\nso4363.tmp" "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js"
  2⤵
  PID:3500
- C:\Windows\SysWOW64\sc.exe
  sc create -- binPath= ""C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe" /wl 1"
  2⤵
  - Launches sc.exe
  PID:3372
- C:\Windows\SysWOW64\net.exe
  net start --
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start --
    3⤵
    PID:3096
- C:\Windows\SysWOW64\sc.exe
  sc delete --
  2⤵
  - Launches sc.exe
  PID:4568
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:2412
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:32
  2⤵
  PID:5708
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:64
  2⤵
  PID:5328
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:5112
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32
  2⤵
  PID:5544
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64
  2⤵
  PID:4248
- C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
  "C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe" --install_updater 0
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\sc.exe
    sc create 4751186987c488b730105857f007e3b1 binPath= "rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe" start= auto
    3⤵
    - Launches sc.exe
    PID:5204
- - C:\Windows\SysWOW64\sc.exe
    sc failure 4751186987c488b730105857f007e3b1 reset= 30 actions= restart/5000
    3⤵
    - Launches sc.exe
    PID:3376
- C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
  "C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe" --install
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\SysWOW64\sc.exe
    sc create b6853ce52f7d6144b04e5ff97658e701 binpath= system32\drivers\b6853ce52f7d6144b04e5ff97658e701.sys DisplayName= b6853ce52f7d6144b04e5ff97658e701 type= kernel start= system group= PNP_TDI
    3⤵
    - Launches sc.exe
    PID:1092
- - C:\Windows\SysWOW64\sc.exe
    sc start b6853ce52f7d6144b04e5ff97658e701
    3⤵
    - Launches sc.exe
    PID:4820
- - C:\Windows\SysWOW64\sc.exe
    sc create 8851a48e15ac572110fe90b5c9102a7c displayname= 8851a48e15ac572110fe90b5c9102a7c binPath= "C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe" start= auto depend= RPCSS
    3⤵
    - Launches sc.exe
    PID:3876
- - C:\Windows\SysWOW64\sc.exe
    sc start 4751186987c488b730105857f007e3b1
    3⤵
    - Launches sc.exe
    PID:4292
- C:\Windows\SysWOW64\sc.exe
  sc failure 8851a48e15ac572110fe90b5c9102a7c reset= 60 actions= restart/5000/restart/5000/restart/5000
  2⤵
  - Launches sc.exe
  PID:4788

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe /wl 1
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe "C:\Windows\TEMP\auBVPavMwbA.js" "C:\Windows\TEMP\nsg49DB.tmp" "C:\Windows\TEMP\auBVPavMwbA.js"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5324

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe
1⤵
- Suspicious use of WriteProcessMemory
PID:6124
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\kmeuigdmybpidnoh.kmeui EXMe
  2⤵
  PID:6120
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 C:\Windows\kmeuigdmybpidnoh.kmeui EXMe perform_update
    3⤵
    PID:5628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net start b6853ce52f7d6144b04e5ff97658e701
      4⤵
      PID:4300
    - - C:\Windows\system32\net.exe
        
        net start b6853ce52f7d6144b04e5ff97658e701
        5⤵
        
        PID:4104
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start b6853ce52f7d6144b04e5ff97658e701
        6⤵
        
        PID:6012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net start 8851a48e15ac572110fe90b5c9102a7c
      4⤵
      PID:5376
    - - C:\Windows\system32\net.exe
        
        net start 8851a48e15ac572110fe90b5c9102a7c
        5⤵
        
        PID:1676
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start 8851a48e15ac572110fe90b5c9102a7c
        6⤵
        
        PID:1020

C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe
"C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\35874682523ba0e19cc9dfc95c80fb6b.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\8851a48e15ac572110fe90b5c9102a7c\87908c64f535c12e6c01ab342ac8bfc9.exe

Filesize
593KB

MD5
7e6f083c27bc2f551f37119c8833e3bf

SHA1
bc0e3f0ed4c7cafe6ea2f3f5dba37c29ae09001b

SHA256
29a3eb803621d54deaeb8af15735808ae7e3d7204be239111cd9269827e93cee

SHA512
bfca9c08ea1265cf7bf873ae9f26094a28e37ddca58b89c07aedf15266efdc2dcf7e08656d13c9c4a5d3f152f6a4d7a4ddd601a7022a5313444f69836351eb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js

Filesize
356B

MD5
a35b87106725234045494a6404a003f9

SHA1
f4d1a2529a271946382c17132a5ebea6449a753f

SHA256
17aa4126885d2299ada9a5e3fa5c21dc52e133bfed72a25a96e0152044ea2cd4

SHA512
7924482b9e20801dd8d7abacd6fc4d2a1f182e4f663b0a519518e33c04b482d35d17d277af1e9555f9e8a3a92e67935dabbc5302507b2924ac4cc9b34546dd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\CCGylfvpPId.dll

Filesize
352KB

MD5
41061901c1afc95553800c7203a31cd0

SHA1
38fc9f859502166bf5e356b8820ed6a48b060f6d

SHA256
cc0dc4f6b1bf6627532a8c8ab42ad087f3302000632d22713950f0a8c95e8f05

SHA512
c54f0bf158938fa332d482b1190e66cc7856465080fbddc5f7b95ff1f00491d29fa28c49854e6dda73a8e1e11cf2e845754033eb5cfe77327e1625039946c2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\gHbMwlFrsMB.dll

Filesize
493KB

MD5
31eafd1f2c5bceb7761b52ea85cf6c26

SHA1
51045a6eeddc1832a9a71fe95bb746192b1bbb2b

SHA256
27e62f38be7bd86e3144888e68ae6dd3cd9afccce244825929409b4e94623dd6

SHA512
4aa675ad91e655cb36adabab706d9af07b91e1b0d71799f0a4068f02765d6010cdc15ef59eb15758e569cede0161d5e8797f4f39b7dcbfb97b95770acc18e4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\lDerpvVTsgA.dll

Filesize
650KB

MD5
e4bdc739307f32b968e32fcebc9c01f6

SHA1
5f3d406f01579e3e8a67c05d2e31ec369e14604c

SHA256
17d489476f1f2fbe95a5ddb2a95a788528db842153c5582457133a79eb0756e0

SHA512
494ab1baf1ba59aa6cb4209dae8d493b784d289c74ba66b34d826aebb4014bb2fdfa3f30680650408048d9197cab5b945936c36cac9529c220048cef4704224e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\IpConfig.dll

Filesize
118KB

MD5
a75e3775daac9958610ce1308e0bca3b

SHA1
d83ce354cde527c2e20fb425415f6d4795dd4cd4

SHA256
fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720

SHA512
48168a91ec90df262b1e158f32b4bc2a6d6ce10022eb96d4a6f3c755b977e5c104558626adaa214bda29d7f1d246f19e2df59b9a338982aa1c623e1bdd5714c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\MoreInfo.dll

Filesize
7KB

MD5
bd393029cc49b415b6c9aeb8a4936516

SHA1
c67fd92fffd18941bed41bfd6ac4f3b04fd123df

SHA256
227a4fc9408a44faa5eca608a974bd536814f97b8a4d28b4cac479727167b026

SHA512
3bb8e5cf4bea7e8adaa62196e58fff9031f49fd4efa78e5bd3e4b9c4e9ba1523864567521793053595d90abec719761a5964ff3abe04b93b24d52e5ffa4c1f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\NSISList.dll

Filesize
105KB

MD5
4b0617493f32b2b5fe5e838eeb885819

SHA1
336e84380420a9caaa9c12af7c8e530135e63c57

SHA256
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402

SHA512
5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\brh.dat

Filesize
752KB

MD5
99569bc87c4b4ccfde67559bba19aab1

SHA1
65d86fc43b1341cf6a77eb8b9a0d7abd2b93ca20

SHA256
24872a9d09ad34ebe40ee9a7887e1b97ba90e802de36051c2faf2acaaf7fa401

SHA512
05400259837be68853062dd7ee8c38754891c1e51871052ba8fc6a84a4461a8e4dd9c41ba230dcb04cfd8ef69e91468e979e7682b54186e313dd6b8462bed4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\inetc.dll

Filesize
24KB

MD5
1fc1fbb2c7a14b7901fc9abbd6dbef10

SHA1
4d9ed86f31075a3d3f674ff78f39c190a4098126

SHA256
4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e

SHA512
76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\md5dll.dll

Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu4692.tmp\nsExec.dll

Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
C:\Windows\TEMP\nsg49DB.tmp\YdSLBLjn.gif

Filesize
5.7MB

MD5
76d55de34d422ce2d0cfd50cd69e8504

SHA1
3840919f4b55f13cc80a8f22aacf7b7826d8572d

SHA256
207ad318eb1f2872831661e135af8f6ee17555e19cf46132d72fcd17cfe994e3

SHA512
a7727239b9cf84ade24ab21f902d43ddfbd37ed8656ee9b01c98b11db50f2c6848a931ea8f8c4e74445df1041578d04ac70185ebdaeaa5033c7b1d81b5361cd7

Download Submit
C:\Windows\Temp\nsx4C11.tmp\brh.dll

Filesize
446KB

MD5
915ad39a9a5cac612cee374d81ff8af0

SHA1
d9f20e5174425e063194eefb18ef61ddeed14d4f

SHA256
31de470aadf7ae30d539e8296990b66a83876c9e21460e3b9e4d152e533f9e32

SHA512
24d51ed914796d83e8b73b04fc7db18edde823e57214128106ab250e0798452c6fb2f4ad46acdf26d2d6b5ba4b0820244e97a4b3c9bef826eb6af1efd7475aa5

Download Submit
memory/880-300-0x0000000002EE0000-0x0000000003422000-memory.dmp

Filesize
5.3MB

Download
memory/940-429-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-421-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-437-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-438-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-439-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-436-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-434-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-433-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-432-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-431-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-426-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-430-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-427-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-428-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-425-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-424-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-422-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-423-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/940-420-0x0000000002770000-0x0000000002CB2000-memory.dmp

Filesize
5.3MB

Download
memory/1348-324-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-531-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-36-0x0000000003930000-0x000000000393A000-memory.dmp

Filesize
40KB

Download
memory/1348-310-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-204-0x0000000003960000-0x000000000396A000-memory.dmp

Filesize
40KB

Download
memory/1348-321-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-316-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-340-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-344-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-343-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-341-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-37-0x0000000003930000-0x000000000393A000-memory.dmp

Filesize
40KB

Download
memory/1348-548-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-382-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-381-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-547-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-546-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-544-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-295-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-545-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-542-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-543-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-532-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-526-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-528-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-203-0x0000000003930000-0x000000000393A000-memory.dmp

Filesize
40KB

Download
memory/1348-525-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-480-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-482-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-485-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-460-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-21-0x0000000000400000-0x00000000015DB000-memory.dmp

Filesize
17.9MB

Download
memory/1348-173-0x0000000003930000-0x0000000003957000-memory.dmp

Filesize
156KB

Download
memory/1348-184-0x0000000003960000-0x000000000396A000-memory.dmp

Filesize
40KB

Download
memory/1348-185-0x0000000003960000-0x000000000396A000-memory.dmp

Filesize
40KB

Download
memory/1348-231-0x00000000040C0000-0x00000000040E4000-memory.dmp

Filesize
144KB

Download
memory/1348-278-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-298-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-282-0x0000000005700000-0x0000000005713000-memory.dmp

Filesize
76KB

Download
memory/1348-277-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-273-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1348-276-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1676-71-0x0000000000400000-0x00000000015DB000-memory.dmp

Filesize
17.9MB

Download
memory/1676-92-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/1676-106-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/1676-105-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/1676-84-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/1676-83-0x0000000002580000-0x000000000258A000-memory.dmp

Filesize
40KB

Download
memory/1676-109-0x00000000042C0000-0x00000000043A8000-memory.dmp

Filesize
928KB

Download
memory/3108-391-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-415-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-413-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-408-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-409-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-410-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-412-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-411-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-407-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-404-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-403-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-402-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-401-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-399-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-400-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-397-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-393-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-395-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-394-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-392-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-390-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/3108-389-0x0000000002010000-0x0000000002552000-memory.dmp

Filesize
5.3MB

Download
memory/6120-372-0x0000000001B10000-0x0000000001BCC000-memory.dmp

Filesize
752KB

Download