68c6d76fecd30ed22bfc9b55424106b6b4f2f56081fafd8e0e0068e4d1b2989b

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 06:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
Size

973KB
MD5

24fe407c8fcbb99bc19e24031847694d
SHA1

05db1cb7309a2faaa64df052ab3d6128b12a28b2
SHA256

68c6d76fecd30ed22bfc9b55424106b6b4f2f56081fafd8e0e0068e4d1b2989b
SHA512

e25516eafc1ac82df7c6589ed7a4fcb89d5be807f7ef69a6a5089359b78556f887161e9d73c1c88a84a6d9fc2cfa745d876275f815749f3b23182ffc2d7ca167
SSDEEP

24576:SEFB1hukUeAlGy7drn+fDWhvzJ15gyVwdqwF:SmXhVAzd6DW9JndVwcQ

Score

8^/10

execution upx

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	1636	Wscript.exe
12	1636	Wscript.exe
14	1636	Wscript.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0031000000015cf5-3.dat	acprotect

Executes dropped EXE 27 IoCs

pid	Process
304	kw.exe
2888	SVCHOST.EXE
1204	Process not Found
1680	SVCHOST.EXE
348	SVCHOST.EXE
548	SVCHOST.EXE
1332	SVCHOST.EXE
1988	SVCHOST.EXE
1792	SVCHOST.EXE
1992	SVCHOST.EXE
1736	SVCHOST.EXE
2088	SVCHOST.EXE
2636	SVCHOST.EXE
2908	SVCHOST.EXE
3020	SVCHOST.EXE
1612	SVCHOST.EXE
960	SVCHOST.EXE
2104	SVCHOST.EXE
1708	SVCHOST.EXE
1352	SVCHOST.EXE
2260	SVCHOST.EXE
2620	SVCHOST.EXE
2152	SVCHOST.EXE
1792	SVCHOST.EXE
2844	SVCHOST.EXE
2788	SVCHOST.EXE
2044	SVCHOST.EXE

Loads dropped DLL 60 IoCs

pid	Process
2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
304	kw.exe
304	kw.exe
304	kw.exe
304	kw.exe
304	kw.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe
1636	Wscript.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0031000000015cf5-3.dat	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ytt.ico	Wscript.exe
File created	C:\Windows\SysWOW64\smss.exe:1961823321.jse	Wscript.exe
File opened for modification	C:\Windows\SysWOW64\smss.exe:1961823321.jse	Wscript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\emule23\5.txt	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
File created	C:\Program Files (x86)\emule23\81.txt	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
File created	C:\Program Files (x86)\emule23\kw.exe	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
File created	C:\Program Files (x86)\emule23\top.jse	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\explorer.exe:1961823321.jse	Wscript.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	Wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016020-24.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000d9452ed54287c833bcdcbceda06bce86ef22c633eac92df8ee6058085935343e000000000e8000000002000020000000c8f51dab4c99a19af219efe57777d245e3f054a9b84e220ad2ddbe95a660c49390000000ba52d824dbd4409293a7ed753f56da3d27b3b7dae35fee113d8e0561e8425dcba65955849e33450fa84f429bd903256a70b99cee1ba8d4dd928da2d6413ea822bf41eb57675634de9529d91b24fbc064d74a97955a94767c064ef82de885bf3842405ce7f27d1a031e00a13477945df5836d35cc0183007216e820d7c3792a63ceaf105dbe0f4f1f8ec45369b1add05c400000008d3da04c80f0e9e0a73abf200ccc3265a8c1ac3a87e52c887e14d3ed092bba093c7c71a39145d2c59853ceab4c093462032e3ced3d140f079b1a4c430af12900	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006e00000001000000a0060000a00f000005000000220400002600000002000000a1060000a00f000004000000a10000000f02000003000000a10200003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426237441"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 130000000000000000000000300000001400000016000000010000000007000080010000030000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cf5809decdda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B887AE1-39D1-11EF-9486-4AD8236FB259} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000005baa3674776f74b36218efc73b071a1283997ada68b48fdac8e8ce89292816ad000000000e800000000200002000000000414748feea2d3d621f81e13dc804485c0f9e74622c997187f97f87f81b7f792000000061a99417a8ea8b2e60521d2970d36da08b9dfeee0fe2fb60307146d5247a6481400000003a95937b8dd8d43acc3c84884b6626412ea64eef422d7cb424401fc07691130bdb39a767b46f33149b5446a89d388420dcf7585e3a075b2ca78667cdd78c156b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Windows\explorer.exe:1961823321.jse	Wscript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
304	kw.exe
304	kw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2812	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2548	IEXPLORE.EXE
2548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2360	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2360	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2360	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2360	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2360	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2360	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2360	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	28
PID 2424 wrote to memory of 2632	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	29
PID 2424 wrote to memory of 2632	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	29
PID 2424 wrote to memory of 2632	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	29
PID 2424 wrote to memory of 2632	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	29
PID 2424 wrote to memory of 2632	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	29
PID 2424 wrote to memory of 2632	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	29
PID 2424 wrote to memory of 2632	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	29
PID 2360 wrote to memory of 2812	2360	iexplore.exe	30
PID 2360 wrote to memory of 2812	2360	iexplore.exe	30
PID 2360 wrote to memory of 2812	2360	iexplore.exe	30
PID 2360 wrote to memory of 2812	2360	iexplore.exe	30
PID 2632 wrote to memory of 2960	2632	Wscript.exe	31
PID 2632 wrote to memory of 2960	2632	Wscript.exe	31
PID 2632 wrote to memory of 2960	2632	Wscript.exe	31
PID 2632 wrote to memory of 2960	2632	Wscript.exe	31
PID 2632 wrote to memory of 2960	2632	Wscript.exe	31
PID 2632 wrote to memory of 2960	2632	Wscript.exe	31
PID 2632 wrote to memory of 2960	2632	Wscript.exe	31
PID 2812 wrote to memory of 2548	2812	IEXPLORE.EXE	33
PID 2812 wrote to memory of 2548	2812	IEXPLORE.EXE	33
PID 2812 wrote to memory of 2548	2812	IEXPLORE.EXE	33
PID 2812 wrote to memory of 2548	2812	IEXPLORE.EXE	33
PID 2812 wrote to memory of 2548	2812	IEXPLORE.EXE	33
PID 2812 wrote to memory of 2548	2812	IEXPLORE.EXE	33
PID 2812 wrote to memory of 2548	2812	IEXPLORE.EXE	33
PID 2424 wrote to memory of 304	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	34
PID 2424 wrote to memory of 304	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	34
PID 2424 wrote to memory of 304	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	34
PID 2424 wrote to memory of 304	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	34
PID 2424 wrote to memory of 304	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	34
PID 2424 wrote to memory of 304	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	34
PID 2424 wrote to memory of 304	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	34
PID 2424 wrote to memory of 1636	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	35
PID 2424 wrote to memory of 1636	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	35
PID 2424 wrote to memory of 1636	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	35
PID 2424 wrote to memory of 1636	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	35
PID 2424 wrote to memory of 1636	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	35
PID 2424 wrote to memory of 1636	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	35
PID 2424 wrote to memory of 1636	2424	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	35
PID 2960 wrote to memory of 2072	2960	cmd.exe	36
PID 2960 wrote to memory of 2072	2960	cmd.exe	36
PID 2960 wrote to memory of 2072	2960	cmd.exe	36
PID 2960 wrote to memory of 2072	2960	cmd.exe	36
PID 2960 wrote to memory of 2072	2960	cmd.exe	36
PID 2960 wrote to memory of 2072	2960	cmd.exe	36
PID 2960 wrote to memory of 2072	2960	cmd.exe	36
PID 2960 wrote to memory of 2264	2960	cmd.exe	37
PID 2960 wrote to memory of 2264	2960	cmd.exe	37
PID 2960 wrote to memory of 2264	2960	cmd.exe	37
PID 2960 wrote to memory of 2264	2960	cmd.exe	37
PID 2960 wrote to memory of 2264	2960	cmd.exe	37
PID 2960 wrote to memory of 2264	2960	cmd.exe	37
PID 2960 wrote to memory of 2264	2960	cmd.exe	37
PID 304 wrote to memory of 2740	304	kw.exe	39
PID 304 wrote to memory of 2740	304	kw.exe	39
PID 304 wrote to memory of 2740	304	kw.exe	39
PID 304 wrote to memory of 2740	304	kw.exe	39

C:\Users\Admin\AppData\Local\Temp\24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "http://www.admama.cn/g/?1017"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.admama.cn/g/?1017"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2548
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\emule23\81.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\emule23\5.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" /v "ITBar7Layout" /t "REG_BINARY" /d "130000000000000000000000300000001400000016000000010000000007000080010000030000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
      4⤵
      Modifies Internet Explorer settings
      PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" /v "ITBarLayout" /t "REG_BINARY" /d "110000005c00000000000000340000001f0000006e00000001000000a0060000a00f000005000000220400002600000002000000a1060000a00f000004000000a10000000f02000003000000a10200003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
      4⤵
      Modifies Internet Explorer settings
      PID:2264
- C:\Program Files (x86)\emule23\kw.exe
  "C:\Program Files (x86)\emule23\kw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\smes\u.bat"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat"
    3⤵
    PID:1092
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\emule23\top.jse"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - NTFS ADS
  PID:1636
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1680
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:348
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:548
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1332
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1792
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1992
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1736
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2088
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2636
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:3020
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1612
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:960
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1708
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1352
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2620
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2152
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:1792
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2844
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2788
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1961823321.jse
    3⤵
    - Executes dropped EXE
    PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\emule23\5.bat

Filesize
6KB

MD5
e4b15a37363b2c78c25d1285dbf525fe

SHA1
1f13b61970790a7a6aac07af4d27e55d8b5cbfca

SHA256
3638bc42e5c2e6bc146a71b47ab36a04e61d55837a095ca1fc89bf08e89b2c14

SHA512
2dc17802adba070def32a7d007d481c77294197790689e584f9e6ed8266ee5431228619a2530191a331f5bba15b38a4eec4207086539ab1e338f3979b5e0d98e

Download Submit
C:\Program Files (x86)\emule23\81.vbs

Filesize
214B

MD5
0dad41a6d7587d680d50165fa2cb90ed

SHA1
e15507013523e0c4a44c142af3dde3af5d08b4af

SHA256
8c16278a9c751f2a162be6b09fb8bfd20668e0a321e60e27abd892f66c0172e9

SHA512
d109afed9bd5e8bc009c23af71a9b7d5d54a77a639c65a3066d6d174b5b1b28f985efe5ee952c598a0dced639c628f5daa3a6cd9c5cef472cd3997d617389d44

Download Submit
C:\Program Files (x86)\emule23\top.jse

Filesize
34KB

MD5
309a7bfd0ca4128da7a55da61ab85edb

SHA1
9c4a6aa60161da78cc8e9732e9e668c766b2f765

SHA256
5cd85e4b0ae12d00fca69642abc342e2cb4bf95ca3ea45d7ec3915dde0457637

SHA512
b4750e066eb62636824baf35caac7c1f59e60823246b8cf9d1bb14004fb6dddc132b9d4f72bc021584766160ae88e9d044a8efa23c7733478168cda84267a76f

Download Submit
C:\ProgramData\smes\u.bat

Filesize
44B

MD5
704efba1aee1454561da552dda430498

SHA1
d20fb96683f769eb9cef1b0a068bcba70aeab9c2

SHA256
80b08d35bd27636e0774ce35ab57306f76edc6a0f7058cb1f93733cdf88bf94c

SHA512
7e0c9ede686238703af4893af8842c05c48ab1681ae273b32d8085cf1a17aae946c0c823a0a418787522a551d684367259ff8203ebca6e4ec69b6ded95231bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a83e42c2280ca6505d778406c4ec9406

SHA1
29320d769014bf4f0b43e9c17822c42e5f6f5e3f

SHA256
d88119e1ea1d191da820c38524b24c4e91f0725a52f018c3cc6870f0ae5155c2

SHA512
b4a65fb0bdf0c380823cf8be1cbecb21593bd8e958a35469078672d4fb7f42df2f7d1ea26645ddbe9dfcef2227e3c5b11428c40986eaf531dfbcc1f017eaa5cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26cc2e1e1402ae0477e3879903f5ad50

SHA1
24ccd099313a66f3ababe0b3594d4079c6a4a9e7

SHA256
bd5406ed31dd455bb697dd00c5f35de214216c4155b81a95268f3c1bae6c9e24

SHA512
c73bc0182faf36afad5a4d5499c24c3800421a234bdf28b4ed4a89e68430c367b96e9535233cf38524cad9fd3201cd90087e7b2e6f54a137043ca8d6f0d8047f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6837f375d5b697fbcfe021ad858e724

SHA1
0fe5d5b0fd151e048bf76c33e05c4a3572956cd0

SHA256
cc18d8e6db52af97044d84694cc4c209725fea417af0ae8c4e66fe10b4f4fa40

SHA512
ab3e62026b9c3465f672538a1d1a1d88a7d730c89f377d118726a2eaac1aba7f95ac78f707a2e1f1c7a1d5058c1f4ce5e6bbad9314a507cdd70a62f1f6607941

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93acf5d7172ceb0a8bbce44e8ed909a3

SHA1
8d83a862e921a34faabe661a50c0764611c0c9f3

SHA256
eeb2b181f7a56b0bd6c8bc2c5832b86a1d12b836ef3cca7c6119b150dadbe3fa

SHA512
c4dc380f65f245467df200b4873180a1ae278a03ae8656a017290453b85bb6bb3b409e9c804bf59e98785ed0917023022301868b16ea38e9da7659a05b7a563a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef8708b0deb51d09f8930e586c70efeb

SHA1
c250a7b121ecb27f4d48e032090294896e4ad2af

SHA256
fa8a10b785da4f15c86b5e6ace6a69ebd1546e4d7de011ffdf942aa2a6a9cc25

SHA512
c1127e79dc81d27005aad398e0875072f70ab6d50b7cb5989dcb7152bf4d5f8041bf0bf0e6ee95814ce569aceeacdae25c0ffa21d63dd22fe9aa29eff8fa50ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
910f94ff6d947f0652286112be183c2b

SHA1
8c51215a7a012b188d03ddd0de3d10e7d8e5ef55

SHA256
4a53ce41f53fccb7f374df97b27476b5f0abf0f0388f1a357c6d44736250f734

SHA512
b8f536c3b9b2ea0cb775506da2ffe624b8216c09f110e551d663d8f5cf46d1f4827b4660f13f976d4243a8150ba671574cce4c9cc2ec888375c86079eaa1bf98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a652cf9ae6d8eef68c01082dead079e6

SHA1
d511eac056578cb7229255ac2c3c3a0806411851

SHA256
99e9e04a99ac76bf4f52daf41778358b2258dcd0f537f5ff5c73aa175af0df31

SHA512
a77e94d4762ae29737fe9eebe2c2ae0d730a68b3e84d5daf97c0f446f4f510de72acdeecfdd8acf2b1e8bc5a46f1e23ddefd3ab6a55d7c73ee57b8ba74e77fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fa48cdd2a72ad05b335220d781a439a

SHA1
8631664b51b0c5e13220998732f832a4b7c011a6

SHA256
a703ab72a0a7078c546ac45b232dd83576f3e44550d615a11e4f898fd5c21f7d

SHA512
43578e596971915a4dc1121464c9969a7aa393b5a8a7724275946af77b14761ef91ef4850051725ace467b5fc579048551e74411b7842b64f789d5075e7f4e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d03d085b552eb051597c972413edbd74

SHA1
77bb4ebc978e5b0abbb1215e4ff1b731a7d61138

SHA256
4dae43db6b0ada9990d2088d73ab857b11a7b3e32faba7fde64f690a964ac9e4

SHA512
0ed5f8156cc4859c9167e95da343a762749bd8cf8c2ce1c123ed99e82d31544bb05c8255689e373f24d9dd96fc909924ba86f921e504d47e18870787a21f7514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9eea31c009ad65655d50e6f1af57ac2

SHA1
89636324c7c768625bfeb83ac855ad5a37a9eaab

SHA256
d1b5c407b00ba520fb743dbfe95933f7afa855699ead94ffb5058a3c8bc20c26

SHA512
78ae994674ca33de073116fa94205592c24a2e1b382626375b1a9b4290d69e546cf9bb9b641c2b49dd915a43e649a9518151ab79634e1513b0987adadf27e75c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c04da1928b4379ba88d811ff66e83a3d

SHA1
594d0a155c2ad058d5b992087c8159f76863b88f

SHA256
39e05bda9d4a668b08b05b56c8ff9b09b4b8efc70129992cfbe5f566aaaf3b3a

SHA512
7e8a0d7dd26803cb4599dbde1e90f2e7723480534223a85303ed457a5475a9501ec5f3374c8707fa2ec703aae3ea127074e1ecbb9a36340643b693112885b295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67f79333cccd079dba503edd9d81bf4e

SHA1
52add55aca261682051f0a95a2c9e37fc073804d

SHA256
2c3a13c79649965428da842ed8ee6958da7fc8a2574e657b2bdca8e3477bfe7d

SHA512
7ff17de825f40321f59220101f6e5fecf529dcd4f0cd39c5baed0134b3a0f9cbfa5ea437f4c9c867578d834c07a7d0723993e69b2cade804a9f0cee72377aefa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0cae13109b9bc172666343ca603e84f

SHA1
dfc06914b6968769333bbc22834bbb6d59c6b078

SHA256
747daf16caa8a248c5d2e8af0de986a5314617a8d852dff45d27c2c7b70ea236

SHA512
a85b3f4b1e16113a0bddb165292b8c5c77b082a8c106d73c8efe24dff97aabd77ec42c41c8b8d8aa22051a5d030cabbdeef7776a838dd5957ab92e9a3beb3c8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44a180b4887e0a5103690b8081431a42

SHA1
1d4336f69e813de6c2f60e48e2d99ce08641f76c

SHA256
0688341708c8b0de24e141d2340bc60af13e1e2fb9124a818bcb82aa64991c1f

SHA512
654ecd268679de501f263df7d8d16a374f7144f36f3abe954288f9f96b6d0dc73c22617f70c4fced6a8ad0e4aac4af3d32713750d2ac44ee086a5f994afac499

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d2bedb8bea520a71e0aac71965df8a6

SHA1
e36007e37fc499ce78c51bafc133aebc7b58bab6

SHA256
2bdf3f3b6ab9b5956a631dd09485a792eda0f78a5144ce5b315760282412fd9b

SHA512
ceebecf53948e5c2402822d42f6db2e88635f01a60a435f57cf5ad5bbe4af8a09a5ca90af261a97d8289ede17c3060eaaceff7be7f570b4407a0f9a0a39097dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86ae58a0be7b2345dd09326c2292a160

SHA1
00ffcb1d2ef49866bd46a911313eb92d19d39317

SHA256
f410db19030c8755fd97ef3f9ea738cc955acb7700ae3942e9599fbc91240f46

SHA512
e5bfc8d5a2e07785f85104aeac09b5517275c01251cd21712cee5408ea01e145e78054fe75d9d29d212247cebfc38e6629d41a9817d567d9d0269ab62ad21bb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45c61a10a027b1d2b4b804bdccbe516d

SHA1
69dafda09edc209e2e644cddacbd25738d1240d7

SHA256
d3d3ac61a230c6e8471e497beafb43346e83cc25bd31c02a60831d87bdf3ae00

SHA512
06ff52eb3a1e02191fa4714637f4ac7958c6d96670b385c8b51fe4e29fc37a9cf736156d596121fe729f3d2f43b8ab299f5c0353b98ecc0aa244ca40f200474f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0813d88faa3c8bbe8ff54bf2bc466854

SHA1
692c5a1533f9a49914f171fe1c7046582c60199a

SHA256
71d075b56e018251f4ac298b2bb3487e21425e0b051f9a0e5833b965128e16b5

SHA512
6b7ce89d37feea5ac11eba62d8e5ad0c8c124d1cb99ba768f25f4bd7db780fdf5326778cb9748257dc87ce33df835150cde03ebe71c665598a9d3be35d877210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d57d2f620cb775314b621807dfc511fd

SHA1
0eb68ef5f10d1ea2873353ced877a6ffe5714501

SHA256
28bdad3d412914ce5966b8564009cc093bdd701364a1943b94f65caca18f3ad6

SHA512
72e5d4406dfc7f7943ae63aab8654e1555bb1ddfa6cec2e02dd0b2f6ac17e9cecd64b34f4272676669130d56e5c9061f5429d602c2f33694d2e7a6fa7ff49d81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb1733a2dc37a945e9b88cfb940326c5

SHA1
3a5d594680bd801c740226c5ea325a395732d92a

SHA256
4f02855467513e741592e79ce8f1502d3de9fd4edfadcc4a60a2a1230603e47b

SHA512
164c708caa7eb8cd3c3dfa5ce74479cab36c8a4141150b4203e2f86383200efa3a38eeea794f314c3fe7500e01b036b55fe5a40bba98851cb98cdb3719759345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
973edabfe6cacd7331e35e37950b8fdf

SHA1
9be2427c2ebf24e9e1c6f7c79dd58f4de5c9670a

SHA256
dbe9a0944ac349376d1b2d5a8ffbb72412b52a84a58fdadafdd1786dead46fc2

SHA512
7957d26180a2b3406eb4287d05219d5ccf22e30b7024232d3d1ffedf69862fbbbc90434caeeb622a48028ca9c6f4bd25a03a6c8fc9ec27a7ab4d7d69aac326cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2bf773a78c567ceb7705d44237bce8fa

SHA1
3e1c0c15f0b6a489ac47fd599d35f4c113e7f3bc

SHA256
fe96f3a1a99fd8385032ab1eb378de9767d6c4d454b9116c0909b35bf424e483

SHA512
77f22e4e574b139626a7c781f2882318ed7e8f111ab1a43192e6b7848a4c5fe677b9cedb2226fecc8684aa80b189b7a16d491a53d0e86b75f9baa2e0efa6c18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD96F.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD972.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDA71.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat

Filesize
131B

MD5
8f25b9779bc320c2fe597b33386fcdeb

SHA1
5bee82e61c81fa5304389646fcac2ef3891ad320

SHA256
54c45fdf9e72bf4b29f0324099e905d750d7f6f38e45229c5b984a6d06e0efc3

SHA512
9da2ef2c82f0977e9e02cae2d9981d2e0522973716dd73c65d841a44d8ab557befbf231eae66b089f28006521c98014b5631ca91a906800bd99cdafe7b80feb7

Download Submit
\Program Files (x86)\emule23\kw.exe

Filesize
912KB

MD5
0e434ae78033051350fb80040a2643eb

SHA1
1a7cdc5d12553a74991633caeddcc1318a7ad021

SHA256
2f6da9d3d5abf30789d2caa8ca82f086dfd4e14fd9b087cf1ef9942895db2b73

SHA512
06e7917a90760cde31356c752f3a087a9c2f07f8097b65d80cee8bc00e90ce45bea9ff591525c90cb3fcd3bf9d595c4edbe50c1c4abde408b826495aeecb771b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1CB5.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nso1DBF.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nso1DBF.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Windows\system\SVCHOST.EXE

Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
memory/304-42-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2424-19-0x0000000001E10000-0x0000000001E22000-memory.dmp

Filesize
72KB

Download
memory/2424-20-0x0000000001E10000-0x0000000001E22000-memory.dmp

Filesize
72KB

Download
memory/2424-21-0x0000000001E10000-0x0000000001E22000-memory.dmp

Filesize
72KB

Download