cf5263fde392d6f83e31d5f8c727611ac99c9c0b6a6b46e7afa024bc41b6f298

Analysis

max time kernel
147s
max time network
156s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 12:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe
Size

36KB
MD5

49c5a7fb400ff77555abe31a6488160d
SHA1

1853c695eea3878b1b4f15d3d3edd5c31e3d3167
SHA256

cf5263fde392d6f83e31d5f8c727611ac99c9c0b6a6b46e7afa024bc41b6f298
SHA512

45ffa5ab02692642986b1c1cd2c579876d5ce7aead9627bbc1bcc6ee9af81a3139c3131bcb92628ea390866ea9e66adaab9999d97a1ab327b5306834562b4651
SSDEEP

768:TYCRkQFrNS5BwnRTCRn7xqjY3mDNDyBy7Gq6rOuboGNw0Peoox:TYLQ3MBwRK8jbyBvsmWx

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\pcidump.sys	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\aec.SYS	rundll32.exe
File created	C:\Windows\SysWOW64\drivers\AsyncMac.sys	rundll32.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe\xcommsvr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe\Rav.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\QQDoctor.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe\livesrv.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe\RsTray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe\KavStart.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe\engineserver.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\KVSrvXP.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\ccapp.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe\AgentSvr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe\SHSTAT.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe\mcmscsvc.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\RsAgent.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe\McProxy.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe\mcupdmgr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\360tray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe\mcagent.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe\MpfSrv.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe\vsserv.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe\ccSetMgr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McTray.exe\McTray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe\mcshield.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\bdagent.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe\RavStub.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe\KISSvc.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vstskmgr.exe\vstskmgr.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\RavTask.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe\mfevtps.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe\safeboxTray.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\egui.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe\ScanFrm.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC3.exe\MPSVC3.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\mcsysmon.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe\FrameworkService.exe = "C:\\Windows\\system32\\svchost.exe"	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2128	update~.exe

Loads dropped DLL 8 IoCs

pid	Process
2652	rundll32.exe
2652	rundll32.exe
2652	rundll32.exe
2652	rundll32.exe
2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe
2128	update~.exe
2128	update~.exe
2128	update~.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a360 = "C:\\Windows\\system32\\scvhost.exe"	update~.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\killdll.dll	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2652	rundll32.exe
2652	rundll32.exe
2652	rundll32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	rundll32.exe
Token: SeDebugPrivilege	2128	update~.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2652	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2652	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2652	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2652	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2652	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2652	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2652	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2128	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2128	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2128	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2128	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2128	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2128	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	32
PID 2220 wrote to memory of 2128	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	32
PID 2128 wrote to memory of 2084	2128	update~.exe	33
PID 2128 wrote to memory of 2084	2128	update~.exe	33
PID 2128 wrote to memory of 2084	2128	update~.exe	33
PID 2128 wrote to memory of 2084	2128	update~.exe	33
PID 2128 wrote to memory of 2084	2128	update~.exe	33
PID 2128 wrote to memory of 2084	2128	update~.exe	33
PID 2128 wrote to memory of 2084	2128	update~.exe	33
PID 2128 wrote to memory of 2252	2128	update~.exe	34
PID 2128 wrote to memory of 2252	2128	update~.exe	34
PID 2128 wrote to memory of 2252	2128	update~.exe	34
PID 2128 wrote to memory of 2252	2128	update~.exe	34
PID 2128 wrote to memory of 2252	2128	update~.exe	34
PID 2128 wrote to memory of 2252	2128	update~.exe	34
PID 2128 wrote to memory of 2252	2128	update~.exe	34
PID 2084 wrote to memory of 2820	2084	cmd.exe	37
PID 2084 wrote to memory of 2820	2084	cmd.exe	37
PID 2084 wrote to memory of 2820	2084	cmd.exe	37
PID 2084 wrote to memory of 2820	2084	cmd.exe	37
PID 2084 wrote to memory of 2820	2084	cmd.exe	37
PID 2084 wrote to memory of 2820	2084	cmd.exe	37
PID 2084 wrote to memory of 2820	2084	cmd.exe	37
PID 2252 wrote to memory of 2876	2252	cmd.exe	38
PID 2252 wrote to memory of 2876	2252	cmd.exe	38
PID 2252 wrote to memory of 2876	2252	cmd.exe	38
PID 2252 wrote to memory of 2876	2252	cmd.exe	38
PID 2252 wrote to memory of 2876	2252	cmd.exe	38
PID 2252 wrote to memory of 2876	2252	cmd.exe	38
PID 2252 wrote to memory of 2876	2252	cmd.exe	38
PID 2220 wrote to memory of 2604	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	39
PID 2220 wrote to memory of 2604	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	39
PID 2220 wrote to memory of 2604	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	39
PID 2220 wrote to memory of 2604	2220	49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\49c5a7fb400ff77555abe31a6488160d_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\killdll.dll killall
  2⤵
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\update~.exe
  C:\Users\Admin\AppData\Local\Temp\update~.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls C:\Windows\system32 /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\cacls.exe
      cacls C:\Windows\system32 /e /p everyone:f
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Users\Admin\AppData\Local\Temp\" /e /p everyone:f
      4⤵
      PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\_uok.bat
  2⤵
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uok.bat

Filesize
300B

MD5
f364f7399a2674ae6d8cf6d22fa513c0

SHA1
f741106e43f9a4d14c8f7e385eee43889aad2891

SHA256
3b69dfa4dfa695787d5ca60eecffb2b9c2dfa53cc911d780eb8ba09adf40bf51

SHA512
15fdbddc651bf9bf9dde78e9a20f7f8be546af9580a24a9305b60836ea47afd2eb69b13d3fe7ed5e8985cd3aa16ded20653ebdc56ca3d7d4ae4da4555b52afc5

Download Submit
C:\Windows\SysWOW64\killdll.dll

Filesize
56KB

MD5
622c82fe356f19b2800e51db3490d8d5

SHA1
eb62a2e329668c6bf70efaa0647f1bf683a7311a

SHA256
4d79c7d5ec4030e60fab6a5001b79bf71bd73bf08223c4a1875b990a2fe3cd81

SHA512
3384d19790e0680570c33ad8bede977c6466e3b14e40ec603efe2063d51e206f5327be9a692c3d0a4ba1b2f5e8f9ac4ec390fefbed709d1239aa17bcb93c97c8

Download Submit
\Users\Admin\AppData\Local\Temp\update~.exe

Filesize
9KB

MD5
1e01566b55739bbc91befa73dee5827b

SHA1
52f1959305352fb9a7ccddb0261ea0e69f8c0629

SHA256
99be705551bb1eea39ff313d8e8b6b35489dbf93b409d3110bf2c6460c01eccc

SHA512
9ac5c002a781e64e5ce5caae8b523af1c9c7f513fc478b37b9df87a83e228761ae1b2c774c61b0c4deacbae669f0d2001a57a748564b1c98d3d31eedcb916fa3

Download Submit
memory/2128-20-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2220-0-0x0000000004000000-0x0000000004028000-memory.dmp

Filesize
160KB

Download
memory/2220-30-0x0000000004000000-0x0000000004028000-memory.dmp

Filesize
160KB

Download