Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 08:49

General

  • Target

    0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe

  • Size

    266KB

  • MD5

    0478bbd07527cc07911a77377a09cdac

  • SHA1

    c6205bbc0f7c653109caaf88736e5b824111a4e7

  • SHA256

    4c145cbe75b48f1dee957d833654be2e2519ec52a78c39e298d153557c2a8eb8

  • SHA512

    034e3331b25b8f810c0bd4918e121c71cc9d8372095e1b96fbbb5b296f4614e9118faa0dff73d9f729e1f88fbd7bfd78f2da729b50905b86feaf83b40ede0998

  • SSDEEP

    6144:6mJQXShdasuHrrmv6c35rGfa5YZ+HTk/i6Dyp0QQApWJ:64QiTG05rGS5YZiTq+1Q5J

Malware Config (extracted)

  • Family: metasploit
  • Version: encoder/fnstenv_mov (the payload is wrapped in Metasploit's x86 fnstenv_mov XOR encoder; the extracted config carries no host or port, so only the encoder stub was identified, not the stage beneath it)
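Because the config names only the encoder, the next analysis step is to strip it and look at the stage underneath. The following is an added example, not code from the report or from the Metasploit Framework: a static decoder for blobs wrapped by the x86/fnstenv_mov stub. The stub layout it searches for (an ECX-setting prologue, then a 19-byte core of fldz / fnstenv / pop ebx / xor dword [ebx+0x13], key / sub ebx,-4 / loop, with the 4-byte key at offset 10 of the core) is my reading of the encoder module and should be checked against the framework source you have; the encoder function and the sample bytes exist only to build a constructed test input.

```python
"""Static decoder for payloads wrapped by Metasploit's x86/fnstenv_mov XOR stub.
Added example, not the framework's code; stub byte layout is an assumption to verify."""
import struct
from typing import Optional

# Core of the decoder stub that follows the ECX-setting prologue (19 bytes = 0x13,
# which is also the displacement used by the xor, so decoding starts right after it):
#   d9 ee                  fldz
#   d9 74 24 f4            fnstenv [esp-12]        ; pushes the EIP of fldz
#   5b                     pop ebx                 ; GetPC: ebx = address of fldz
#   81 73 13 KK KK KK KK   xor dword [ebx+0x13], key
#   83 eb fc               sub ebx, -4
#   e2 f4                  loop (back to the xor)
STUB_HEAD = bytes.fromhex("d9ee d97424f4 5b 817313")   # 10 bytes, key follows
STUB_TAIL = bytes.fromhex("83ebfc e2f4")
KEY_OFFSET = len(STUB_HEAD)                             # 10
STUB_CORE_LEN = KEY_OFFSET + 4 + len(STUB_TAIL)         # 19


def find_stub(buf: bytes) -> Optional[int]:
    """Offset of the fldz that starts the stub core, or None if no stub is present."""
    pos = buf.find(STUB_HEAD)
    while pos != -1:
        tail_at = pos + KEY_OFFSET + 4
        if buf[tail_at:tail_at + len(STUB_TAIL)] == STUB_TAIL:
            return pos
        pos = buf.find(STUB_HEAD, pos + 1)
    return None


def dword_count_from_prologue(buf: bytes, stub_off: int) -> Optional[int]:
    """Recover the dword count loaded into ECX just before the core, for the two
    common small-value forms: 'sub ecx,ecx ; mov cl,N' (29 c9 b1 NN) and
    'push N ; pop ecx' (6a NN 59). Other badchar-driven encodings return None."""
    before = buf[max(0, stub_off - 4):stub_off]
    if len(before) == 4 and before[:3] == b"\x29\xc9\xb1":
        return before[3]
    if len(before) >= 3 and before[-3] == 0x6A and before[-1] == 0x59:
        return before[-2]
    return None


def decode_fnstenv_mov(buf: bytes) -> bytes:
    """Return the decoded stage (padded to a dword multiple, as the encoder left it)."""
    off = find_stub(buf)
    if off is None:
        raise ValueError("no fnstenv_mov decoder stub found")
    key = struct.unpack("<I", buf[off + KEY_OFFSET:off + KEY_OFFSET + 4])[0]
    body = buf[off + STUB_CORE_LEN:]
    n = dword_count_from_prologue(buf, off)
    if n is None or n * 4 > len(body):
        n = len(body) // 4          # fall back to "everything after the stub"
    words = struct.unpack("<%dI" % n, body[:n * 4])
    return struct.pack("<%dI" % n, *(w ^ key for w in words))


def encode_fnstenv_mov(payload: bytes, key: int) -> bytes:
    """Reference encoder used only to build a constructed sample (not msfvenom output)."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    n = len(padded) // 4
    if not 1 <= n <= 0xFF:
        raise ValueError("sample encoder only emits the 1..255 dword prologue form")
    prologue = b"\x29\xc9\xb1" + bytes([n])        # sub ecx,ecx ; mov cl, n
    words = struct.unpack("<%dI" % n, padded)
    encoded = struct.pack("<%dI" % n, *(w ^ key for w in words))
    return prologue + STUB_HEAD + struct.pack("<I", key) + STUB_TAIL + encoded


# Constructed stand-in stage bytes; not the payload carried by this sample.
SAMPLE_STAGE = bytes.fromhex("fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30")
SAMPLE_KEY = 0xDEADBEEF

if __name__ == "__main__":
    blob = encode_fnstenv_mov(SAMPLE_STAGE, SAMPLE_KEY)
    print("stub at offset", find_stub(blob))
    print("decoded:", decode_fnstenv_mov(blob).hex())
```

On a real dump, run `decode_fnstenv_mov` over the bytes carved from the unpacked process image; if the prologue is one of the badchar-avoiding variants the count parser does not recognise, the fallback decodes to the end of the buffer, which is fine for eyeballing the stage but will leave trailing garbage after the real payload.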

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies security service (2 TTPs, 22 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Drops file in System32 directory (22 IoCs)
  • Runs .reg file with regedit (11 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\Temp\25565.exe
      C:\Windows\Temp\25565.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\a.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Windows\SysWOW64\regedit.exe
          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
          4⤵
          • Modifies security service
          • Runs .reg file with regedit
          PID:1400
      • C:\Windows\SysWOW64\zonealarm.exe
        C:\Windows\system32\zonealarm.exe 1168 "C:\Windows\Temp\25565.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c c:\a.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4644
          • C:\Windows\SysWOW64\regedit.exe
            REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
            5⤵
            • Modifies security service
            • Runs .reg file with regedit
            PID:3192
        • C:\Windows\SysWOW64\zonealarm.exe
          C:\Windows\system32\zonealarm.exe 1164 "C:\Windows\SysWOW64\zonealarm.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3912
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c c:\a.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:212
            • C:\Windows\SysWOW64\regedit.exe
              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
              6⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:3964
          • C:\Windows\SysWOW64\zonealarm.exe
            C:\Windows\system32\zonealarm.exe 1136 "C:\Windows\SysWOW64\zonealarm.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1696
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c c:\a.bat
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4720
              • C:\Windows\SysWOW64\regedit.exe
                REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                7⤵
                • Modifies security service
                • Runs .reg file with regedit
                PID:4324
            • C:\Windows\SysWOW64\zonealarm.exe
              C:\Windows\system32\zonealarm.exe 1140 "C:\Windows\SysWOW64\zonealarm.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:4612
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c c:\a.bat
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4620
                • C:\Windows\SysWOW64\regedit.exe
                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                  8⤵
                  • Modifies security service
                  • Runs .reg file with regedit
                  PID:2220
              • C:\Windows\SysWOW64\zonealarm.exe
                C:\Windows\system32\zonealarm.exe 1148 "C:\Windows\SysWOW64\zonealarm.exe"
                7⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2020
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c c:\a.bat
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4084
                  • C:\Windows\SysWOW64\regedit.exe
                    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                    9⤵
                    • Modifies security service
                    • Runs .reg file with regedit
                    PID:3612
                • C:\Windows\SysWOW64\zonealarm.exe
                  C:\Windows\system32\zonealarm.exe 1144 "C:\Windows\SysWOW64\zonealarm.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:3152
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c c:\a.bat
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3816
                    • C:\Windows\SysWOW64\regedit.exe
                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                      10⤵
                      • Modifies security service
                      • Runs .reg file with regedit
                      PID:3832
                  • C:\Windows\SysWOW64\zonealarm.exe
                    C:\Windows\system32\zonealarm.exe 1152 "C:\Windows\SysWOW64\zonealarm.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    PID:4124
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c c:\a.bat
                      10⤵
                      PID:4584
                        • C:\Windows\SysWOW64\regedit.exe
                          REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                          11⤵
                          • Modifies security service
                          • Runs .reg file with regedit
                          PID:1120
                      • C:\Windows\SysWOW64\zonealarm.exe
                        C:\Windows\system32\zonealarm.exe 1156 "C:\Windows\SysWOW64\zonealarm.exe"
                        10⤵
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        PID:1716
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c c:\a.bat
                          11⤵
                        PID:3076
                            • C:\Windows\SysWOW64\regedit.exe
                              REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                              12⤵
                              • Modifies security service
                              • Runs .reg file with regedit
                              PID:184
                          • C:\Windows\SysWOW64\zonealarm.exe
                            C:\Windows\system32\zonealarm.exe 1172 "C:\Windows\SysWOW64\zonealarm.exe"
                            11⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            PID:2468
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c c:\a.bat
                              12⤵
                          PID:3324
                                • C:\Windows\SysWOW64\regedit.exe
                                  REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                  13⤵
                                  • Modifies security service
                                  • Runs .reg file with regedit
                                  PID:4784
                              • C:\Windows\SysWOW64\zonealarm.exe
                                C:\Windows\system32\zonealarm.exe 1116 "C:\Windows\SysWOW64\zonealarm.exe"
                                12⤵
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                PID:5036
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c c:\a.bat
                                  13⤵
                            PID:1192
                                    • C:\Windows\SysWOW64\regedit.exe
                                      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
                                      14⤵
                                      • Modifies security service
                                      • Runs .reg file with regedit
                                      PID:1912
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3900 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2688
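The tree above is the core of the report: the dropped 25565.exe runs c:\a.bat, which silently imports a .reg file, then spawns a copy of itself as zonealarm.exe from SysWOW64, handing the child the path of the image that launched it, and every generation repeats the same three steps. What follows is an added example, not sandbox output or code from the report: it rebuilds that parent/child chain from process-creation records constructed from the first four zonealarm.exe generations listed above (PIDs, images and command lines as the report gives them) and flags the three behaviours. The rule names are mine, and the `ProcEvent` shape stands in for whatever your EDR or Sysmon pipeline emits.

```python
"""Reconstruct the parent/child chain recorded above and flag the behaviours in it.
Added example: events are constructed from the report's process tree, rule names are mine."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int       # 0 = no parent recorded
    image: str
    cmdline: str


SYS = r"C:\Windows\SysWOW64"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
BAT = r"C:\Windows\system32\cmd.exe /c c:\a.bat"
REG = r"REGEDIT /S " + TMP + r"\1.reg"
ZA = r"C:\Windows\system32\zonealarm.exe"

# Constructed from the tree above (first four zonealarm.exe generations).
EVENTS = [
    ProcEvent(2468, 0,    TMP + r"\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe",
              '"' + TMP + r"\0478bbd07527cc07911a77377a09cdac_JaffaCakes118.exe" + '"'),
    ProcEvent(736,  2468, r"C:\Windows\Temp\25565.exe", r"C:\Windows\Temp\25565.exe"),
    ProcEvent(4672, 736,  SYS + r"\cmd.exe", BAT),
    ProcEvent(1400, 4672, SYS + r"\regedit.exe", REG),
    ProcEvent(1664, 736,  SYS + r"\zonealarm.exe", ZA + r' 1168 "C:\Windows\Temp\25565.exe"'),
    ProcEvent(4644, 1664, SYS + r"\cmd.exe", BAT),
    ProcEvent(3192, 4644, SYS + r"\regedit.exe", REG),
    ProcEvent(3912, 1664, SYS + r"\zonealarm.exe", ZA + ' 1164 "' + SYS + r'\zonealarm.exe"'),
    ProcEvent(212,  3912, SYS + r"\cmd.exe", BAT),
    ProcEvent(3964, 212,  SYS + r"\regedit.exe", REG),
    ProcEvent(1696, 3912, SYS + r"\zonealarm.exe", ZA + ' 1136 "' + SYS + r'\zonealarm.exe"'),
    ProcEvent(4720, 1696, SYS + r"\cmd.exe", BAT),
    ProcEvent(4324, 4720, SYS + r"\regedit.exe", REG),
    ProcEvent(4612, 1696, SYS + r"\zonealarm.exe", ZA + ' 1140 "' + SYS + r'\zonealarm.exe"'),
    ProcEvent(4620, 4612, SYS + r"\cmd.exe", BAT),
    ProcEvent(2220, 4620, SYS + r"\regedit.exe", REG),
]

# regedit /S <file>: silent import of a .reg file (the report maps this to T1112).
SILENT_REG_IMPORT = re.compile(r"^\s*regedit(?:\.exe)?\s+/s\s+(?P<file>\S+)", re.I)
# cmd /c <drive>:\<name>.bat: a batch file dropped at the root of a drive.
ROOT_BATCH = re.compile(r"cmd(?:\.exe)?\s+/c\s+(?P<file>[a-z]:\\[^\\\s]+\.bat)\s*$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def findings(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """(pid, rule, detail) for every event that matches one of the three behaviours."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    out: List[Tuple[int, str, str]] = []
    for e in events:
        if m := SILENT_REG_IMPORT.match(e.cmdline):
            # Which keys the import changes is not visible in the tree itself.
            out.append((e.pid, "silent_reg_import", m.group("file")))
        if m := ROOT_BATCH.search(e.cmdline):
            out.append((e.pid, "root_batch_exec", m.group("file")))
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        # A child whose command line quotes its own parent's image path: the respawn step.
        if parent and ('"' + parent.image + '"').lower() in e.cmdline.lower():
            out.append((e.pid, "relaunch_with_parent_image", parent.image))
    return out


def same_image_nesting(events: List[ProcEvent]) -> Dict[str, int]:
    """Per image name, the longest run of ancestors that share that name (self-respawn depth)."""
    by_pid = {e.pid: e for e in events}
    depth: Dict[str, int] = {}
    for e in events:
        n, cur = 1, e
        while (p := by_pid.get(cur.ppid)) is not None and basename(p.image) == basename(e.image):
            n, cur = n + 1, p
        depth[basename(e.image)] = max(depth.get(basename(e.image), 0), n)
    return depth


def ancestry(events: List[ProcEvent], pid: int) -> List[int]:
    """PIDs from the root process down to `pid`, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain: List[int] = []
    cur = by_pid.get(pid)
    while cur is not None:
        chain.append(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain[::-1]


if __name__ == "__main__":
    for pid, rule, detail in findings(EVENTS):
        print(f"{pid:>5}  {rule:<28} {detail}")
    print("self-respawn depth:", same_image_nesting(EVENTS))
    print("lineage of 2220:", " -> ".join(map(str, ancestry(EVENTS, 2220))))
```

Two things to carry over to real telemetry: the respawn rule keys on the parent's image path appearing quoted in the child's command line, which is exactly what each zonealarm.exe invocation above shows, and the lineage walk relies on PIDs being unique for the life of the tree, which the report itself contradicts (PID 2468 is the initial sample at level 1 and a zonealarm.exe at level 11), so key on a process GUID or PID plus creation time rather than the bare PID.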

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Create or Modify System Process (T1543): 1 signature
    Windows Service (T1543.003): 1 signature
  • Privilege Escalation
    Create or Modify System Process (T1543): 1 signature
    Windows Service (T1543.003): 1 signature
  • Defense Evasion
    Modify Registry (T1112): 1 signature

Downloads

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              384B

              MD5

              c93c561465db53bf9a99759de9d25f07

              SHA1

              5386934828e2c2589bfe394ac1f03ffbfba93bfa

              SHA256

              32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851

              SHA512

              bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              3bd23392c6fcc866c4561388c1dc72ac

              SHA1

              c4b1462473f1d97fed434014532ea344b8fc05c1

              SHA256

              696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43

              SHA512

              15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              f31b2aa720a1c523c1e36a40ef21ee0d

              SHA1

              9c8089896c55e6e6a9cca99b1b98c544723d314e

              SHA256

              cea90761ea6ef6fb8ac98484b5720392534a9774e884c3e343ae29559aa0a716

              SHA512

              a679ce1192e15cd9b8dd4a3d7ecf85707ec23fa944c020b226172497c0b5600460558cfa9304ddf2c582a95e0fcd7f1b26004c8fba0ed9afcddc6ded770c85bb

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              47985593a44ee38c64665b04cbd4b84c

              SHA1

              84900c2b2e116a7b744730733f63f2a38b4eb76e

              SHA256

              4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70

              SHA512

              abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              300B

              MD5

              9e1df6d58e6c905e4628df434384b3c9

              SHA1

              e67dd641da70aa9654ed24b19ed06a3eb8c0db43

              SHA256

              25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0

              SHA512

              93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              386B

              MD5

              4be01c629881eddccb675ba267a66899

              SHA1

              23324e7814bcd157b27e810f4c786b0c39bfc9b1

              SHA256

              39c14522925e5e55bf1eefcd5beb8b7aae687158163082aac7ef5690c3524a30

              SHA512

              7c3063badaa57e3a39eea5d87e6bdbeec00793f9afd2bea52d3aa354e0bbd83e2a63966438fe7305f29a0ee6f45cb77d4613fe2d3b4f6719e16860deae764d55

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              908860a865f8ed2e14085e35256578dd

              SHA1

              7ff5ee35cc7e96a661848eb95a70d0b8d2d78603

              SHA256

              d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f

              SHA512

              a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              748bce4dacebbbd388af154a1df22078

              SHA1

              0eeeb108678f819cd437d53b927feedf36aabc64

              SHA256

              1585c9ef77c37c064003bd746cd0a8da2523c99a10c3fb6eabd546e2a343646a

              SHA512

              d9756851b4aa1108416b7a77f0c6b84b599d695850d704a094a1f83b322d892ab6706001d5322e876b93935b830bcb52a951b4c69004ea2be338f64b85be2ea1

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              f1cbbc2ce0d93c45a92edcc86780e9f0

              SHA1

              d893306caae2584cdeba4c80c3bfe18548fa227a

              SHA256

              6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7

              SHA512

              b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              b9dc88ed785d13aaeae9626d7a26a6a0

              SHA1

              ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e

              SHA256

              9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc

              SHA512

              df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              0a839c0e3eb1ed25e6211159e43f4df1

              SHA1

              a227a9322f58b8f40b2f6f326dca58145f599587

              SHA256

              717a2b81d076586548a0387c97d2dc31337a03763c6e7acb642c3e46ec94d6f0

              SHA512

              bd2b99fb43ccd1676f69752c1a295d1da0db2cb0310c8b097b4b5b91d76cff12b433f47af02b5f7d0dd5f8f16624b0c20294eebf5c6a7959b2b5d6fe2b34e508

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              f5fa5178657d29a36c5dc4ac9445cbdc

              SHA1

              4be1a87a89715d24d52b23c59006f9cb74437ba0

              SHA256

              f5df5a0913b98b4c5ef35c76ba8c7601adb2698300bef0a47f23845a95942114

              SHA512

              54272b6eaead06588ac6605a5d995c928f2270c2bccb18891f83dc5cae98eb2c88a98b49bd553f6305659cbf51c36842840dd98fa0b44a3b693de8c7af1f6b6f

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              2b307765b7465ef5e4935f0ed7307c01

              SHA1

              c46a1947f8b2785114891f7905f663d9ae517f1b

              SHA256

              a3f77536a922968bc49827a6c8553ed6b74eafd52e6c1fcfd62bfa20a83efc85

              SHA512

              fce4fbf9900f50368cb35ac40e60b54835912921848a45b196c6f68ad66a07549f27237956c751f511d2589cf91980658d4f1b743dd2c9c9506102da3be4bae2

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              e6d8af5aed642209c88269bf56af50ae

              SHA1

              633d40da997074dc0ed10938ebc49a3aeb3a7fc8

              SHA256

              550abc09abce5b065d360dfea741ab7dd8abbe2ea11cd46b093632860775baec

              SHA512

              6949fc255c1abf009ecbe0591fb6dbfd96409ee98ae438dbac8945684ccf694c046d5b51d2bf7679c1e02f42e8f32e8e29a9b7bdbc84442bec0497b64dfa84cf

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              3KB

              MD5

              1daa413d1a8cd1692f2e4ae22b54c74a

              SHA1

              2e02e2a23cfaa62f301e29a117e291ff93cc5d31

              SHA256

              10732e2612780d9694faf0bb9b27cdc6f3376ad327da7dfc346e9e5579493d33

              SHA512

              b947c70c7c4af971e3fbdc66fb7175b6624ac68c6a723dac7ecb5cf5f43bbe210fa0fa61fd4b6153dccf7de077d003ca03f061e209dc37773546b038e6aef277

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              576B

              MD5

              8a0897226da780b90c11da0756b361f1

              SHA1

              67f813e8733ad75a2147c59cca102a60274daeab

              SHA256

              115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee

              SHA512

              55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              851B

              MD5

              a13ff758fc4326eaa44582bc9700aead

              SHA1

              a4927b4a3b84526c5c42a077ade4652ab308f83f

              SHA256

              c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588

              SHA512

              86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              1b2949b211ab497b739b1daf37cd4101

              SHA1

              12cad1063d28129ddd89e80acc2940f8dfbbaab3

              SHA256

              3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c

              SHA512

              a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              f82bc8865c1f6bf7125563479421f95c

              SHA1

              65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d

              SHA256

              f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6

              SHA512

              00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              431B

              MD5

              9fa547ff360b09f7e093593af0b5a13b

              SHA1

              9debc99bb7450f59a7b09f16c0393e5c7a955ba4

              SHA256

              7ff65c0be2004867f536ce9b94783da4b5e4bc06cca5bd899933c8b68a44c705

              SHA512

              30e5aa130c6b0869dc3fbb79da54d42699be6de0af65c9127ea047548a22d98b68300f18432141207166687576ba86433d4ae9d3458dbcc2aec9f14198c58193

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              978B

              MD5

              2e2266221550edce9a27c9060d5c2361

              SHA1

              f39f2d8f02f8b3a877d5969a81c4cb12679609f3

              SHA256

              e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb

              SHA512

              e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              3KB

              MD5

              6b0182442d6e09100c34904ae6d8ee0c

              SHA1

              6255e65587505629521ea048a4e40cc48b512f2c

              SHA256

              cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4

              SHA512

              64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              3KB

              MD5

              9e5db93bd3302c217b15561d8f1e299d

              SHA1

              95a5579b336d16213909beda75589fd0a2091f30

              SHA256

              f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

              SHA512

              b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              784B

              MD5

              5a466127fedf6dbcd99adc917bd74581

              SHA1

              a2e60b101c8789b59360d95a64ec07d0723c4d38

              SHA256

              8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

              SHA512

              695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              f708dcfd087b5b3763678cfb8d63735e

              SHA1

              a38fa7fa516c1402762425176ff1b607db36c752

              SHA256

              abf4c5f7dbed40d58dc982256535a56128f86d5eaf163d634037ae2b61027a10

              SHA512

              fa0e84032b88e19fc67c5be846983cf89c8ba021351a0aa9cab0162ea27a3933dade0b78146b2230b0c57f218b18da52a5ce1d04b6f9746b21e4285e2540049c

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              3KB

              MD5

              d085cde42c14e8ee2a5e8870d08aee42

              SHA1

              c8e967f1d301f97dbcf252d7e1677e590126f994

              SHA256

              a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

              SHA512

              de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              208B

              MD5

              67a0c98a371995d5434cb9788ee1c42f

              SHA1

              7171d3dca52f038ca9d9e8b13f356462dbc8f3cc

              SHA256

              2ac5bd7466724458c6f36bbbe6be697bfbc95d3b8f8ad486b83d595bd295dbc3

              SHA512

              f5b31a9e68044db25853f9a158dd4ff1da717beb5802dd11a6d3b705b5bf065304c98df3c81c8487e922d4f94690ecfb2662077bffb50cba036bcd8e50935191

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              449B

              MD5

              c6b0028a6f5508ef564d624eda0e72bc

              SHA1

              18901c9856a9af672c2e27383c15d2da41f27b6b

              SHA256

              b41f477ecd348b1c3e12ef410d67b712627ed0696769c2c8cc2f087d02121d06

              SHA512

              5d5f6fb437767096562f2ab9aac2cb75611afcc090b0a65ea63dfbadb3c4a73a3d45bbe139e43a7beea889370c76ac2eb2aa0fdffa92b69cfe47dd1ffbf10a71

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              701B

              MD5

              e427a32326a6a806e7b7b4fdbbe0ed4c

              SHA1

              b10626953332aeb7c524f2a29f47ca8b0bee38b1

              SHA256

              b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

              SHA512

              6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              8c6aa92ac8ffdfb7a0fb3dafd14d65f1

              SHA1

              cac3992d696a99a5dec2ab1c824c816117414b16

              SHA256

              dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa

              SHA512

              f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              5da7efcc8d0fcdf2bad7890c3f8a27ca

              SHA1

              681788d5a3044eee8426d431bd786375cd32bf13

              SHA256

              7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8

              SHA512

              6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              3KB

              MD5

              1c6131354c6987300ea512b765475b82

              SHA1

              2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53

              SHA256

              3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640

              SHA512

              b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              3KB

              MD5

              872656500ddac1ddd91d10aba3a8df96

              SHA1

              ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

              SHA256

              d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

              SHA512

              e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              476B

              MD5

              a5d4cddfecf34e5391a7a3df62312327

              SHA1

              04a3c708bab0c15b6746cf9dbf41a71c917a98b9

              SHA256

              8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a

              SHA512

              48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              2KB

              MD5

              6bf876cd9994f0d41be4eca36d22c42a

              SHA1

              50cda4b940e6ba730ce59000cfc59e6c4d7fdc79

              SHA256

              ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a

              SHA512

              605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              895301bce84d6fe707b5cfd50f1f9f97

              SHA1

              50a012f59655621768f624c4571654145663c042

              SHA256

              b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

              SHA512

              a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              c1e5f93e2bee9ca33872764d8889de23

              SHA1

              167f65adfc34a0e47cb7de92cc5958ee8905796a

              SHA256

              8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a

              SHA512

              482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              1KB

              MD5

              bf7ee07851e04b2a0dbe554db62dc3aa

              SHA1

              cad155b66053cd7ce2b969a0eb20a8f4812b1f46

              SHA256

              13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9

              SHA512

              9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4

            • C:\Users\Admin\AppData\Local\Temp\1.reg
              Filesize

              3KB

              MD5

              ffbb389d817acf25cc38799c239d512c

              SHA1

              8b4854ed9e257c3da9ec11d0f145805c6ae6193f

              SHA256

              f3aec599ccf14f9ee446772c26b24628ba08698be4dc66b5b54acd37d26b8e39

              SHA512

              382e043195d74ed0e0978dcac0db8bc962bc41f2cbd1a8a80c1a5a54cb8831b5e63a74bb3f69ccd9e241a47c1a79fcc7e7dad71696bf957a349a0f7e62247931

            • C:\Windows\Temp\25565.exe
              Filesize

              250KB

              MD5

              dd18a6628a119b8695cef08da6c10b48

              SHA1

              d1f6c322aede47f1b13bdaef4a89ba4e477ef0fc

              SHA256

              cac97e2a05108c09b0387b6ce6ee5e4824a898e76aea6ae3535500eabe3bfe09

              SHA512

              fa191bb38c2de3cbc17670e1ead306a4aa1eecc015444509283c858465cf6ed8fdac39620ac8c32bfaf1878a13f3475db57e86644beb4920e2227cb2622e8f23

            • \??\c:\a.bat
              Filesize

              5KB

              MD5

              0019a0451cc6b9659762c3e274bc04fb

              SHA1

              5259e256cc0908f2846e532161b989f1295f479b

              SHA256

              ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

              SHA512

              314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904