7bd306dfdcb4cc28169e9c4fdd92cfbdb62e439f65c6d64941dfdfa9dd9baf12

Analysis

max time kernel
147s
max time network
97s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 01:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe
Size

5.0MB
MD5

8cda56310ffc153207b55cd8485cfdab
SHA1

12af8be52713c9e79a62cc2f08013cd6cf78514d
SHA256

7bd306dfdcb4cc28169e9c4fdd92cfbdb62e439f65c6d64941dfdfa9dd9baf12
SHA512

ea7fd9f53b3abba944c3d7a32ae1493554eb17f96ee902daf086211a0bee165f2cf857af5682d6de651ce03a392a0eba31190ee4260600fc915a682986325b47
SSDEEP

98304:9TVy+XK3Z6+8zkyoAyi69ICLbPKUTvFZw6KcclUTewC:9rkZT3w6GOewC

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1820	SetupMeMeBlack.exe
664	MeMe.exe
2088	MeMe.exe
2280	CDE.exe
2992	MeMe.exe
1140	CDE.exe

Loads dropped DLL 46 IoCs

pid	Process
448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe
448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe
448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe
448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
1820	SetupMeMeBlack.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
1820	SetupMeMeBlack.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
2088	MeMe.exe
2088	MeMe.exe
2088	MeMe.exe
1820	SetupMeMeBlack.exe
2280	CDE.exe
2280	CDE.exe
2280	CDE.exe
2280	CDE.exe
2992	MeMe.exe
2992	MeMe.exe
2992	MeMe.exe
664	MeMe.exe
664	MeMe.exe
1140	CDE.exe
1140	CDE.exe
1140	CDE.exe
1140	CDE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\MeMe = "\"C:\\Program Files (x86)\\MeMe\\MeMe.exe\""	SetupMeMeBlack.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Feedback\Feedback.htm	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\_anim\SET29.tmp	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\_anim\SET3A.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SET3D.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SET24.tmp	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\_anim\SET52.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\vdbk.jpg	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\TR.dll	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\can.png	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFFD3.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\SETFFD6.tmp	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\_anim\SET13.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFEC5.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\CAE.exe	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\_anim\SETFFCE.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\interesttitle.png	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\SETFF7C.tmp	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\SETFFA3.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\SETFFD0.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\global.css	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\_anim\SETFFB5.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFFD5.tmp	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\_anim\SET25.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\Save.exe.acm.dll.mdmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\MeMe.exe.tr.dll.mdmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFF67.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETE.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFDD7.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\SETFFD4.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\fb_ui_logo.gif	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\SETFF16.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFF57.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFEC3.tmp	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\_anim\SET56.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\initial_user.html	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFFB6.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFFB8.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFFCF.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\SET69.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFD57.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\CDE.exe	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\help.html	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\SET11.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\searchtitle.png	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\ffext.mod	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFF68.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_ngs.b_	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\feedback_logo.png	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\gamestitle.png	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\_pro.dat	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\privacy.html	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\audiotitle.png	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFEC4.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\FB3.exe	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\_anim\search.png	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SET66.tmp	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\SETFF8F.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFF91.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SET68.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\Feedback\feedbackupdate.exe	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\SETFF91.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFFBA.tmp	SetupMeMeBlack.exe
File created	C:\Program Files (x86)\MeMe\_anim\SETFFEC.tmp	SetupMeMeBlack.exe
File opened for modification	C:\Program Files (x86)\MeMe\SETFFFC.tmp	SetupMeMeBlack.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	SetupMeMeBlack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupMeMeBlack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeMe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeMe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeMe.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	MeMe.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	CDE.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDE.EvtTrigger\CurVer\ = "CDE.EvtTrigger.1"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E5AC58F-251B-4525-8273-DA3FD7DB4482}\ProgID	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD9CBF70-D5B2-4AB5-9397-650F5610339A}\ = "IEvtTrigger"	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A84E302-6BD7-4B66-8140-EC4972B86C6A}\ = "IIntrWindow"	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDE.Interest\ = "Interest Class"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7FB0EA6-9A9A-4A17-8654-946331ACD77F}\TypeLib	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4A84E302-6BD7-4B66-8140-EC4972B86C6A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDE.InterestCollection.1\CLSID\ = "{9E5AC58F-251B-4525-8273-DA3FD7DB4482}"	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B36D7032-AA9C-4DBC-8411-A62C32CF3202}\TypeLib\ = "{A675138B-7E78-4618-BE19-85F993ACB987}"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD9CBF70-D5B2-4AB5-9397-650F5610339A}\ProxyStubClsid32	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB999AF2-D800-4E93-BF9C-6110DBB18CBE}\ProxyStubClsid32	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB999AF2-D800-4E93-BF9C-6110DBB18CBE}\TypeLib\Version = "1.0"	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3776A01-7DE0-498D-8987-8B9BB4BB2F5C}\TypeLib\ = "{A675138B-7E78-4618-BE19-85F993ACB987}"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}	SetupMeMeBlack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\ProxyStubClsid32	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDE.Interest\CLSID\ = "{F4C110AC-2C97-4C7A-B02A-C8F5F7499DDD}"	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B36D7032-AA9C-4DBC-8411-A62C32CF3202}\TypeLib\ = "{A675138B-7E78-4618-BE19-85F993ACB987}"	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB999AF2-D800-4E93-BF9C-6110DBB18CBE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB999AF2-D800-4E93-BF9C-6110DBB18CBE}\TypeLib\Version = "1.0"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}\TypeLib	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}\TypeLib\ = "{DABF362D-D442-4402-9208-CA9ED70DD01E}"	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\ = "IFetchData"	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5946ADC0-2BFD-4356-A29B-B56880D280DB}\LocalServer32\ = "\"C:\\Program Files (x86)\\MeMe\\CDE.exe\""	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}\1.0\0	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\ = "IFetchData"	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4C110AC-2C97-4C7A-B02A-C8F5F7499DDD}\TypeLib\ = "{}"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B36D7032-AA9C-4DBC-8411-A62C32CF3202}\TypeLib	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B36D7032-AA9C-4DBC-8411-A62C32CF3202}\TypeLib\Version = "1.0"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3776A01-7DE0-498D-8987-8B9BB4BB2F5C}	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TR.TRFactory	SetupMeMeBlack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDE.InterestCollection\CurVer	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB999AF2-D800-4E93-BF9C-6110DBB18CBE}	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7FB0EA6-9A9A-4A17-8654-946331ACD77F}\TypeLib\ = "{A675138B-7E78-4618-BE19-85F993ACB987}"	CDE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MEME.1\MEME_Id = e4d294c2ffb2e7429295637fb6441798	MeMe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4C110AC-2C97-4C7A-B02A-C8F5F7499DDD}\ProgID	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B36D7032-AA9C-4DBC-8411-A62C32CF3202}	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B36D7032-AA9C-4DBC-8411-A62C32CF3202}\ProxyStubClsid32	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3776A01-7DE0-498D-8987-8B9BB4BB2F5C}\ = "IInterest"	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDE.EvtTrigger\CLSID\ = "{5946ADC0-2BFD-4356-A29B-B56880D280DB}"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B36D7032-AA9C-4DBC-8411-A62C32CF3202}	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\ = "TRFactory Class"	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F6E4845D-1D13-4BC0-942D-B9191524CC48}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5946ADC0-2BFD-4356-A29B-B56880D280DB}\VersionIndependentProgID\ = "CDE.EvtTrigger"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4C110AC-2C97-4C7A-B02A-C8F5F7499DDD}\TypeLib	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDE.InterestCollection.1\CLSID	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E5AC58F-251B-4525-8273-DA3FD7DB4482}\TypeLib\ = "{}"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5946ADC0-2BFD-4356-A29B-B56880D280DB}\TypeLib	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D3776A01-7DE0-498D-8987-8B9BB4BB2F5C}\ProxyStubClsid32	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TR.TRFactory.1\CLSID	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TR.TRFactory\CurVer\ = "TR.TRFactory.1"	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{602D9049-B4AC-4A25-BF75-A9B54D747CBA}\ProgID\ = "TR.TRFactory.1"	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CDE.EvtTrigger\ = "EvtTrigger Class"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CDE.InterestCollection.1	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{69E0089F-28BC-4BB5-862B-E2B07C3B83C6}	SetupMeMeBlack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TR.TRFactory\CurVer	SetupMeMeBlack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DABF362D-D442-4402-9208-CA9ED70DD01E}	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5AC3A9EF-C0F8-41D4-B4E2-B7CEBB794151}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SetupMeMeBlack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5946ADC0-2BFD-4356-A29B-B56880D280DB}\Programmable	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TR.TRFactory\CLSID	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{862DEF42-89AA-49FA-AE1F-8A84B1B08A17}\ = "ITRFactory"	SetupMeMeBlack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4C110AC-2C97-4C7A-B02A-C8F5F7499DDD}\AppID = "{C246F100-ADD0-47C0-8720-9D5A7C0385EA}"	CDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD9CBF70-D5B2-4AB5-9397-650F5610339A}\ = "IEvtTrigger"	CDE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3776A01-7DE0-498D-8987-8B9BB4BB2F5C}	CDE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1820	SetupMeMeBlack.exe
Token: SeRestorePrivilege	1820	SetupMeMeBlack.exe
Token: SeRestorePrivilege	1820	SetupMeMeBlack.exe
Token: SeRestorePrivilege	1820	SetupMeMeBlack.exe
Token: SeRestorePrivilege	1820	SetupMeMeBlack.exe
Token: SeRestorePrivilege	1820	SetupMeMeBlack.exe
Token: SeRestorePrivilege	1820	SetupMeMeBlack.exe
Token: SeRestorePrivilege	1820	SetupMeMeBlack.exe
Token: SeBackupPrivilege	1820	SetupMeMeBlack.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe
664	MeMe.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2280	CDE.exe
2280	CDE.exe
664	MeMe.exe
664	MeMe.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1820	448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe	29
PID 448 wrote to memory of 1820	448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe	29
PID 448 wrote to memory of 1820	448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe	29
PID 448 wrote to memory of 1820	448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe	29
PID 448 wrote to memory of 1820	448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe	29
PID 448 wrote to memory of 1820	448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe	29
PID 448 wrote to memory of 1820	448	8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe	29
PID 1820 wrote to memory of 664	1820	SetupMeMeBlack.exe	30
PID 1820 wrote to memory of 664	1820	SetupMeMeBlack.exe	30
PID 1820 wrote to memory of 664	1820	SetupMeMeBlack.exe	30
PID 1820 wrote to memory of 664	1820	SetupMeMeBlack.exe	30
PID 1820 wrote to memory of 664	1820	SetupMeMeBlack.exe	30
PID 1820 wrote to memory of 664	1820	SetupMeMeBlack.exe	30
PID 1820 wrote to memory of 664	1820	SetupMeMeBlack.exe	30
PID 1820 wrote to memory of 2088	1820	SetupMeMeBlack.exe	31
PID 1820 wrote to memory of 2088	1820	SetupMeMeBlack.exe	31
PID 1820 wrote to memory of 2088	1820	SetupMeMeBlack.exe	31
PID 1820 wrote to memory of 2088	1820	SetupMeMeBlack.exe	31
PID 1820 wrote to memory of 2088	1820	SetupMeMeBlack.exe	31
PID 1820 wrote to memory of 2088	1820	SetupMeMeBlack.exe	31
PID 1820 wrote to memory of 2088	1820	SetupMeMeBlack.exe	31
PID 664 wrote to memory of 2280	664	MeMe.exe	33
PID 664 wrote to memory of 2280	664	MeMe.exe	33
PID 664 wrote to memory of 2280	664	MeMe.exe	33
PID 664 wrote to memory of 2280	664	MeMe.exe	33
PID 664 wrote to memory of 2280	664	MeMe.exe	33
PID 664 wrote to memory of 2280	664	MeMe.exe	33
PID 664 wrote to memory of 2280	664	MeMe.exe	33
PID 1820 wrote to memory of 2992	1820	SetupMeMeBlack.exe	32
PID 1820 wrote to memory of 2992	1820	SetupMeMeBlack.exe	32
PID 1820 wrote to memory of 2992	1820	SetupMeMeBlack.exe	32
PID 1820 wrote to memory of 2992	1820	SetupMeMeBlack.exe	32
PID 1820 wrote to memory of 2992	1820	SetupMeMeBlack.exe	32
PID 1820 wrote to memory of 2992	1820	SetupMeMeBlack.exe	32
PID 1820 wrote to memory of 2992	1820	SetupMeMeBlack.exe	32
PID 664 wrote to memory of 1140	664	MeMe.exe	35
PID 664 wrote to memory of 1140	664	MeMe.exe	35
PID 664 wrote to memory of 1140	664	MeMe.exe	35
PID 664 wrote to memory of 1140	664	MeMe.exe	35
PID 664 wrote to memory of 1140	664	MeMe.exe	35
PID 664 wrote to memory of 1140	664	MeMe.exe	35
PID 664 wrote to memory of 1140	664	MeMe.exe	35

C:\Users\Admin\AppData\Local\Temp\8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8cda56310ffc153207b55cd8485cfdab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\7zSF69E.tmp\SetupMeMeBlack.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSF69E.tmp\SetupMeMeBlack.exe" /i"pop;Britney Spears Isaac Cohen;Isaiah Washington;oscars"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Program Files (x86)\MeMe\MeMe.exe
    "C:\Program Files (x86)\MeMe\MeMe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Program Files (x86)\MeMe\CDE.exe
      "C:\Program Files (x86)\MeMe\CDE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:2280
  - - C:\Program Files (x86)\MeMe\CDE.exe
      "C:\Program Files (x86)\MeMe\CDE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1140
- - C:\Program Files (x86)\MeMe\MeMe.exe
    "C:\Program Files (x86)\MeMe\MeMe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Program Files (x86)\MeMe\MeMe.exe
    "C:\Program Files (x86)\MeMe\MeMe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MeMe\SETFB5F.tmp

Filesize
905KB

MD5
438a203c0d997959ac7f156a7c737a73

SHA1
37db4bf189944cecc64ca823b8d94a6bd5f8fc19

SHA256
9cd6252d70917ab75ef983b58efb47649dd49702213b3d005fd6dc9c6162a28c

SHA512
34134cd18c20e5dbd913945badb10194be7f663b119aa436d9d78be724f724dc278a3751525c3273423fe56d697d2f4d79d71ccac99a161730a08eee5638ed6d

Download Submit
C:\Program Files (x86)\MeMe\SETFB72.tmp

Filesize
136KB

MD5
74c94a69d6eafcd52e76c06a69f3d958

SHA1
a46bf7a956747dc603a6ddbf9740f15bec6f172b

SHA256
c1aa8716b2c77ca89b066511e81c2e65f383e6b04463e2182751bcc7bcbc52a8

SHA512
757a3963b940a417ddc1432b65f5b3ce2f909b14db5711f5f6aa4955cdef0e375560fd4d6341e3e6f53249799add1de284218e4c555903ff481ebb1187e976a3

Download Submit
C:\Program Files (x86)\MeMe\SETFD57.tmp

Filesize
263KB

MD5
422b25df8a31a149a07fe83516dbffc4

SHA1
b1af919d0a7213a3c29f3cf10bfd1ca19df2b094

SHA256
2844c4cfcb2c4f620faef97b1daaca03768cff578e9cd4cc3bbbe944b4ce4e30

SHA512
78a17e14a70e3e3d0d7cdabee2d73c7f75aee4668d675a4bd1c47c4a67b1a8d43a53eae4b5312a06b370440a49ae69a07bfe3ca56d0afb549c13397bfa8cf05b

Download Submit
C:\Program Files (x86)\MeMe\SETFD59.tmp

Filesize
12KB

MD5
a6001d9514edea530f3ff2084b1a4dd2

SHA1
adb708d83238ada451471a6dfd73e20243bd116e

SHA256
4fe78a4870282c5d7ad6777623ae82135788c670801865c8dcf934a5792768c4

SHA512
d8c96ad3cd9928a9117bd7e199c44d16bb3d81ae901b1e589db01865b2c976d6b551c7ad19cd20675c2ba2009be69779cf45879e75f91f529dc04390e4d74eb6

Download Submit
C:\Program Files (x86)\MeMe\SETFE45.tmp

Filesize
505KB

MD5
c3d98dac60f6f8a6ae60bafa9e6745e6

SHA1
ca366f3d14e1b6dc9658ec5fe8a34899e59d6f4f

SHA256
436a0dc3b237db6d8307c7f67d6f4b1f236bfa99a9939c8cdc25afc84d236b9f

SHA512
cea86ed341295c1bf7776a7ffd22bfc7e1cbc979a5c652556bfa71ec4cea6f8e873db664e9338238868db1fdfe107d2d9016a46b590b441e96597709680e1171

Download Submit
C:\Program Files (x86)\MeMe\SETFEC4.tmp

Filesize
2KB

MD5
0b90b26ed1085a6caf07186f5bf744d2

SHA1
c7374ef6aa6f52dfcbe0db28ec6188594c9eeec7

SHA256
eeb484cb2b6e9f3b4e597395fbe6f638e956e6610d570d97e5371871b5810c95

SHA512
8acc2565a9ab3f12332e0cc4acb82b9ec7e8cf3b11557c74d0781c94f8216f7b593b26fa09dd809ed8002f182dac866519fff49e2d0d9940d0757c51dc00ad84

Download Submit
C:\Program Files (x86)\MeMe\SETFEC6.tmp

Filesize
297KB

MD5
77d5bf42c135b3a7c521a8392669edca

SHA1
387a9022334b908321b3d79c5d9d5cfefd5b864a

SHA256
ce79a131cb4266b309a816a551fc3bf889b97af7e28115dd8bbbc1f6bd75eb90

SHA512
d6ce2e1fd7858db5a9a3639863daf175c00604bf22ae8a06026f9dba74603a5718c5b7602df4092c0fde42420d8ddbbcbde0aab41560a83c56e1ef332ad85f68

Download Submit
C:\Program Files (x86)\MeMe\SETFF16.tmp

Filesize
3.4MB

MD5
4a8b5cb8cd4df660f5198c66788825db

SHA1
68feccb2a7acb4b5cb774592dcabd98ab7886c3f

SHA256
033d463d3bcee72e2a5fb0a62f978e127115f60bb3f43f7143f846acbb910f4b

SHA512
6f35763003b2bad241cdec115cf4bdaad81da4c90b4f394aed5252c2edec7aca091377d52b8c0f1cd0b7d6381b8fa77d56996028804c57be3c0baf5bb313e28b

Download Submit
C:\Program Files (x86)\MeMe\SETFF57.tmp

Filesize
15KB

MD5
d4b2d9878ded851a435663ac3db1249b

SHA1
ae918d1b25a047174aafdf577a0f9d31302e1349

SHA256
3a2e7e13042ada25a544ca5453654b5af6ecd527e2a3da39743d7e2440a06f4a

SHA512
f129b8f9d45faffff2337b647e9f61b639b2fc55f48d7a36bc6587cb9139ca9807cc147ce4cd0788de0c292871b3713ac2305e243f0d93d75b8c431c6cdf3eef

Download Submit
C:\Program Files (x86)\MeMe\SETFF68.tmp

Filesize
3KB

MD5
f5c24960681badb6b6231705810203ec

SHA1
93307e722f6c7fbaef8d65a78b919f6007525f8b

SHA256
017555647d03ff949ec459411654a87fae1c27a649f80b3bd5f222c1d8517a94

SHA512
4d4f688abec04adcfdf4bf46fb893a77d5da7af04e6097e6e92d94259a1cad66f0436e5c867d8481eaec69107557039da2ed6a99a9409a6c8dde66220475fc00

Download Submit
C:\Program Files (x86)\MeMe\SETFF6A.tmp

Filesize
1KB

MD5
f265b3f466968523723dd4b847a510f2

SHA1
64967e14c7ad07513706d28a74b839cf0dff165d

SHA256
91960dac48ea61744b99fba2c4001f2d7b562aa1ca30d1b5c8e6235e3a7e5309

SHA512
d17f35e17abfcd86f7111c79cde99990e6844e41f07732689e0745971f7d7b9c421891ffa86f329f99bf747fb6c7f80348c915a012780abb7f0877b93fe2e31f

Download Submit
C:\Program Files (x86)\MeMe\SETFF7C.tmp

Filesize
412KB

MD5
d9338efeb7f0513dd226479ea4050188

SHA1
60db01552d14fabf6f0821d563e7b87a3141de15

SHA256
d06d878aabb27ae09261b4e111ba7fb2049374e20f2a9a28120828b1e3daa14b

SHA512
50d6d3ef484e2818fce38794d973b571f3be0af13a02db2a2cb77b7a7cb142ad426d51db9696d5e4cf3638489cfd82978c276fa26c0e0301f7559beee5ff5c24

Download Submit
C:\Program Files (x86)\MeMe\SETFF8D.tmp

Filesize
12KB

MD5
921ca94952f685ff5f95effe6b0a2880

SHA1
40eed2fad9df80c1823b67978575f27f26fdf467

SHA256
857a02a18332d679c789fee623983a28796c3318cbdbdf98c85e10edac48098d

SHA512
f64c275e40dad491009dccec5042379d6c6dd39419f36ba4e58ce366ed5ead9c1fdad2b973cdd837dbd8fe00deda5d9c1d20e1e821bd6af067725f712f8e4514

Download Submit
C:\Program Files (x86)\MeMe\SETFF8F.tmp

Filesize
13KB

MD5
e300d27179e77ad81a56f2076fa972ed

SHA1
c67aced5cfeecb307286b8cec0f11ae6849c8cef

SHA256
9397884d4f5c1f4a5ac5b12efd4f25bf2e2aeb1cb651d38c90f725c24eb4ac92

SHA512
48992ad5497da2388494ad52cfcc4d6c0b22dc09081cd5a166d6eb4533dc0a29b09835cf2e7ac6deaab490221b2dfd6664d8dac4af191cb55aff46f22c563f05

Download Submit
C:\Program Files (x86)\MeMe\SETFF91.tmp

Filesize
6KB

MD5
0e87bb6ccad5d0383526395d95e56b9c

SHA1
e2b1eb16fe6dbe54318c6d2e1e851189ce2e498b

SHA256
3b53bc471905f83e75650c5cff694224dd423be4101cd87489fdacdfedad1882

SHA512
a040496fc103fd7a3ea3680a6d6ebf86c8d89e9bde9e04617067c6062d8cadf720ca2e16027a0eba2d1552cf31d680f4254777bf37d3e3202657de0057793c91

Download Submit
C:\Program Files (x86)\MeMe\SETFFA3.tmp

Filesize
375KB

MD5
a834b5a428f53ef44706f81208c820cb

SHA1
4874e0e1547dd0ed8394e9d90b0d243487fffe37

SHA256
01438704767b3af519e46886ae7e0a88e32de6f611d18d886539dd900ecbffab

SHA512
a49bb5bec1fb1d054b5b49f117c7c6d32da4faf2cf7742d7899a97bec27ac6a5eaa5f8fc14468d22babbfe15a44f40b496f26ddaecff884a5a8fa532ab800d35

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET11.tmp

Filesize
33KB

MD5
deedf55205d3c52dbc0fceaaa8435744

SHA1
3ae0e429132ec17ff8258468fa3cd5b747fefc2a

SHA256
17954d64a23b7ee8cbce12fcb8b9ca68db979a942ec76b709516c0d294cb2c73

SHA512
c1ce104d20dd1162076f74e3a51815d8be074094137215f7dedabbabc7e0f26e941ba3e059151072c70d2d55b8edae77a055dcfe5cc4bb3efae93d6bd9c86bb2

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET13.tmp

Filesize
50KB

MD5
b8b01e944329c574927ba2e3357d0a33

SHA1
db94487e604070b576b1919439f112213c5a1aae

SHA256
a46bfa7a79848bde2a5ee6e3ea92793108d32dcf9e056d164cd4c27d4d2100cf

SHA512
c6032a020de1b1289ca84e2a2316b5b2716536139f8f17e8c6b77ebc722081e42a537700e711387799b56c0b5280bf7ed8a138af819e103861aad952e48fe326

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET25.tmp

Filesize
6KB

MD5
cd657e7af77a6e808d56473ccb6419e5

SHA1
7ff4c737ecd94a229c0116d0108df3c1f2a03608

SHA256
0dcdea6cc9e6a154d09a3a212b92c784c7c946822e00e6afeb2d6391d84875ba

SHA512
7ecdb84e7bd482a09add7328ce72d93fb30d563b3dc27f0738ba64908574a8a8bd4204e4481503778e3fa9e8bd56ac64b9b0dd9572777e784d42da3734ed50b2

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET27.tmp

Filesize
62KB

MD5
21edcebbf4b384099e288d5bf3a2b5c5

SHA1
83f08fb483fdd59ed7ea66e4e49f5096c9bc215a

SHA256
b4f6f46a4bd3b96f1dbeb83e7258b220c90337e3761bed98dea1edb590a10e03

SHA512
fb8a1f47d2c25126334a6d622228241f5b70d0ed61522529df5e1952a28fb7d776d4f4f82a9eacae5bb4b1afd3934de97946c9802a4672e1224a060fa0bfc803

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET29.tmp

Filesize
2KB

MD5
6744824b34493bc2fff5c6214e80cb3a

SHA1
e730292efc6168f37185782da390bdec322dadfa

SHA256
bc673f8c6b76d2e4097fdfb8bbfd9347a7e83a882e84a65e5d8651d70d9c3f45

SHA512
dd011905068518876fd7ee807c18a31d0029fef455db7ab9eb64842baf5d9f111a2a765d2f0d57b48a239c2ccca2664ff2395b5d1e546e23ce5a1e6cb3cd8844

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET3A.tmp

Filesize
34KB

MD5
d987f993facd6e98b700dc51457ca81f

SHA1
bb991d37fea0036b4183106c768d0141e4752b4c

SHA256
7ed4eabb236a083adcf1af2c9cd2239945d35a3135adbbe4c5820d10800d5bef

SHA512
2c10bb469292a42477776972ad0f707bcdfc33807d1e696f186ea070477b2a5d796696648ad170abf5c95a55dc83ad6192ed7e1e16791a4e2ecea74b2deb2fec

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET3C.tmp

Filesize
52KB

MD5
097061cfe75c079d9f8744ea6abb159e

SHA1
172933f514ebfd428f717c6a799e45a1fed029a3

SHA256
9ff762cdc43e6da60287fef51db0a77f41fc7ca0078822d6be581f9b704c39b4

SHA512
9a6f3322d6aaca9aaa5d70e087d13f05a154a28a69c0c2481cb08cc8ad1b5b7a118d6a2162c32396681ef7121513f1b4e6bf63266312087cf350abc4e82f1fe9

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET3E.tmp

Filesize
2KB

MD5
9b3c4cf8325e04e8d428ce7b030e1861

SHA1
8612c7a79845b012be260bc10c7f524cd35cae1f

SHA256
ec485e76ba2e6f78e3029680f77590eb84956692d2c8db5f936c5fdabf124911

SHA512
ab77e84e11b34922dec8fdabd98bf01d1ad80d1b8f21a9538b09bfbcedf45fea0bc12676f6a9e99b978a4a1205c92fd0f4364a832a88761bc83828f42b07c0c3

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET50.tmp

Filesize
15KB

MD5
6a491f76e01bc9928c5cee4a82ac34f2

SHA1
0dba61e265af7617138ef3f04e53e4c318d384ae

SHA256
b1e5060fbd9006564c836e6a55516d5df300e5ccc0d1c6bb11a2de8e000db5ac

SHA512
345164a1060fcf81f0df9f5c96536d578ad10ed39cc9f8ca690563e7545842a52a7d67993ec0bf32d7a75eba8bd8407362494c816ff0cb891411e9386193afd0

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET52.tmp

Filesize
2KB

MD5
c6a31ce89b810fef02f4b6b79926d3a0

SHA1
039e44589e05dbf667f27e757024ec9353eaad24

SHA256
4b19c408cfff3339c32aa444e97330a8623fd564a8c6fa0565b73596d0938256

SHA512
5d55029d04a0f0d58a7c7b2d908d9d504e78c2ff26f62f03bb3fa3a3157db43e242ca72d8949f625470d5c9f1f2db087aa0cc777b8c21537ff1e41d385b94fd3

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET54.tmp

Filesize
32KB

MD5
c10889869bdcf9d8a0da33576bf33831

SHA1
ab2ff47ca7c44ffe73aad99a0e17ac2c3ad8e9ba

SHA256
f58cdfd3ee8d60ab130ae5d2954a81244428bfafaff8b66513d4c2d87785586e

SHA512
7a220add7d8441375d2a42f8bd83b46eb2a1d27bc0e373ce7839de6750aa2f0c324cbfcf60ff1b9175975c24a3b8cf39f302bdadf207f74b1e4e99cd283478c0

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET56.tmp

Filesize
58KB

MD5
44ea15fc261a47af2e532c83c6114ea7

SHA1
68a7aa8772a0d9f375868c67c9dc74a798bd90b8

SHA256
16b1c26d6b39483203cd0bbb107934589251d95ebf69a9a7ee925bdfc9175de8

SHA512
d3930ca0223a91028c09e35871d37386610ac1f8b6ae025dcbdee58896334ff9c9fdc9c3937ac6514502ca575185f122d2a1e8a91afb7be1dd8e8be3a2446b69

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET67.tmp

Filesize
1KB

MD5
610f6665e3f7930cfe69cd2515d4e95d

SHA1
52cfdc49c5867b899985d60e98adce136b78396f

SHA256
58b669ea51e581c14c458ff5e2c37d42e03f45f6ebb2df57491319a194cdfc70

SHA512
b2e4a3b7a385b98656a036ffadeb39f1af3567cc94a76a8134000e288b11ecc1888dba2694a9978ff9832131a3b7d50615f6b43add45273b159e7fa54c47c294

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET69.tmp

Filesize
53KB

MD5
44067d7490b2f8c859ed2796990ef66b

SHA1
dfe2cd62a05fd314a6ca66fa56e355c16963572e

SHA256
e5ce7f48d8cf536ddd7e99bf239f9f48b601441fec617b4db56e02243c63a54e

SHA512
cc45e67c1e60095bd5cfc9230a1209535c9145f47cd317fb1acffdb55c148943be6b51144beeb5bda36781214e5ec2e59faff805beaa8b680fda59c32b299fb3

Download Submit
C:\Program Files (x86)\MeMe\_anim\SET7B.tmp

Filesize
1KB

MD5
7111bd8f50c9399712af3e85890008c2

SHA1
30e00537315f717593dc92dfec01e7cab5f4f3dc

SHA256
660856417552cd9ac755d0f0937ed848c010db80caa3b4ec6ae1fc69baf6695d

SHA512
6fe91fb747a3d2696b4272954eeab58bff659bfc2eca5ec20478f050f4a259ff5f106c714181dc901e0166282e344a7e939415e01f5c600cd4923ccf5ce8fa03

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETF.tmp

Filesize
1KB

MD5
22d7d2d3b76bc9497d60f81681ad5bdd

SHA1
62e678c8c1105f39812b7df898d87a2721e8e9f0

SHA256
ec79ccbd7a625878003b80850d8993a2067dc9dd224120796474ebd6c8362cd1

SHA512
29d512628fa9863b075b5d6870ee4d35434f2c091ac4aa8eb34855c3858e7a0c76ed0ef9a3446dd881306366a1cf66414ac4b1e9f70d29bf3b91426807621c61

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFB5.tmp

Filesize
57KB

MD5
9140f749450ceb2007d5ba794d276513

SHA1
418d2dff17265ba01ccfbf45e797668a05a29a50

SHA256
c152fcdce144112e50d4629be45c7b1c80431712eadffa173d4afe8d0670f890

SHA512
739599d807d6b5fd1faa0664953d70925724c4a1c8cc205fbb2ba65214dfe133c3c7b2bb81691dc0a55104286fb710f5e77e41bff3c54cf5510a7c77af9a6f6b

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFB7.tmp

Filesize
1KB

MD5
738b47658c5de3b07cf616713ca1df40

SHA1
c17ba84f10816a7c4f6143f02c5279ed40bdbcc4

SHA256
645dc4032948f01611cb3bf51f255d51c3a18cb34c49e614fded6ab6894e7637

SHA512
1d6d1a38839556c275dbcb940e0a9a23713be6d9c275e52801c6b553a323937ee54d572b7959f28584dfc0c394a533fe908d63291c106eeec18b5106a3c845d9

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFB9.tmp

Filesize
52KB

MD5
4bd1b3f64e393e6e494c7030d0585a80

SHA1
6d1246df0eba101f3c76294bbff33740b5c90dd5

SHA256
2a5527a2497b86c4421e320837ccea7522e7ed2dbb228fd8474d3fc3bbe260b7

SHA512
cd230ecb88e44428a155efeab9e5caceecc3cc7d22a8c80930ebcaa507748a84cb5f6157b8f36f8a09404295a8d77dfbb770e77620cd07055e80717ebd7b66a7

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFBB.tmp

Filesize
1KB

MD5
0b03783d1d988dac0c26fa4811e031ff

SHA1
ad3f7092ff430a494c9a7ef24c8ac0fab561314a

SHA256
edb0d4e5f6488908d33caec33c0c3b6198ed5e6ed7849edf0e407624f1e84ba4

SHA512
04f3ca76250179c24a4d56d3fadc1d06f9d76f3ad48052cc0dcd4ee74a787856ee64f2a22ae8752ba93704a587bccfdf8cac2a20827c6f8fc6613ef26e79aa73

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFBD.tmp

Filesize
14KB

MD5
c257f737a73602a88de212d7f2d61cbb

SHA1
cd3b8f2a4c6921a611033dbe79085a15c305119b

SHA256
ecf4b85ceb6e3ec2f4b52587204239c68e186459871799cffda09660e524cfa8

SHA512
e8ca6e00f9d0c6cdf95dcbf738fa66d0e1b5792fb90a1e80d644d5aafe90ee7dfaa1d140a6c9e05605318ed5ae180c199c3affbcd1f046fa525cd00812eb17ec

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFCE.tmp

Filesize
548B

MD5
2099e639da86bc2d395517b9b3ed77eb

SHA1
b29d193634a028dd42965ce289122683c1ca32f8

SHA256
5d42b0edc0d6a6a9b78bd8f633520fdc99aa3ece867e7e96fd2fe7828372933d

SHA512
7e36c7099818298941d30750f3ff4f64685e5d4735e396d9c3136fc295d88c7cba99e92d538ff452c471991d517502656a99fcd5ea2fa0f7fe913fda8ddf0e5e

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFD0.tmp

Filesize
13KB

MD5
7d43a5a360842ce56b7a619b5b613230

SHA1
01a73255bdf79af6267a02cce1ea66ffa860f14b

SHA256
83a662855d5e9fb484706e8e3d6380ea85a590045b3a40c2660d7e01637afcb3

SHA512
aade87a8e98c17dffccd635d482746564b082eebac937458255969cf91c3aecc58ef4df55e73723b9b295249e5a2d32f15dba4745d0e772055d443e9485d3b0b

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFD2.tmp

Filesize
24KB

MD5
c92642918f3600bc4bf0cf098bdb7de4

SHA1
78f7a0b09cab8533955f0b5585e0315a82f0bd05

SHA256
5617ed4759bad8181a52dd55ebad730ce605de1cfcc464ade966c50dd752197d

SHA512
4c809e9c10cf6c15a35fd8e0c90cbb672720df55ca329085e934de3351fabe7463a4ce895d4ae410e2d279d7150a539172f05d6911934ce78d1d36aad227799d

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFD4.tmp

Filesize
10KB

MD5
1f843b42b2eacdd574e7fc89e74323e6

SHA1
0d64f02c0e8a1581d38ae2334c29cf377c08b62c

SHA256
ad703b0baa99c02778dd3d7a745003e5c091e8b0e520b025de6ee2da0af66c08

SHA512
bd69b5b68a2cf4d73fab141ab05aef728a99d83094fdb1b378c2c192f32866fe8b36cfd00129c94acf2fa883d490b6d2127547f08431ac89ee33ddbaf9d34f01

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFD6.tmp

Filesize
3KB

MD5
b5bca94b1629c1bc59603e86ea2071ac

SHA1
806f6dbee100fb3799b962cdd3a6ea3a38bc58ac

SHA256
a3957dbe6ce9163adb5c925b06aa95790985c40b4912cea671b4f8b406b63da4

SHA512
d795e377af45854e4307a1cb670535521be8f2e18908a6db2b30f8464aaa7225ac21720fa74052bc44969d6419758123ced8a7060f920caddf216aa0256c3d37

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFE8.tmp

Filesize
56KB

MD5
5d3c51433be76784a5ed10165e654b94

SHA1
e92ae697cdf029448e43458ff0670ce1bcf0a2e4

SHA256
0a47d309edb982ac03305b36764d6ac18dd72802f01a274aa8616f54143a1620

SHA512
563d6945f0813e9be195d78d1a4f435713bafef54f3a59673c9b6e1a1c16ad3382214dca9d857cba6477a51cf22ccc66d0090b4cf97588f8f98ccae5058d8317

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFEA.tmp

Filesize
1KB

MD5
4750760231eb904ac4f3a702defb7b59

SHA1
1ed5b99171716fbaf418fd69d3f36ea2fb13dd28

SHA256
d4e028e457370e53087322783ea90b818f41d5b547a3efe6c90ac7fadd5c5579

SHA512
d62ef0a0608e37939ba78b584121b6a597e9caf1031730e7777f8b3addff9eb87c52a7e119d9ff8fffc7483a558f78882af4ab5a83cdf319fb7bc13ea5e95647

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFEC.tmp

Filesize
13KB

MD5
9b48c4a2d165398bce702803b8313948

SHA1
a7aff8f7dd956463799ba894bb8ccbd3bd9e64f3

SHA256
684fc152085626ce12458e4bad9b006c89743dcf963d800f14646b907c99b326

SHA512
04c5c6040b0b66ea9901898e33c6db2fde71314f3252acf91a9676559450602f1e40f239a940d45db9a728a40eadd4bc5602803a8e59f0d1b249347c5620c479

Download Submit
C:\Program Files (x86)\MeMe\_anim\SETFFFD.tmp

Filesize
1KB

MD5
8f44bbd047b5fcd90b5e5db0e51f98db

SHA1
99955cabc7ca4efb4605186409e30e24488aad16

SHA256
905e94a362de1848b2568f7fa262206397ef804d4f04bcd8e74af625021f4fc3

SHA512
fea44104b649e5a51e696d0e33452f3afef23139d40edd984e910fba15128a95eeb842b602d2f1c3b4a545af91d415070b90adc4dc9dfd36b3fd6811dbd9ffe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\btn[2]

Filesize
3KB

MD5
6679dec6de3aec53f35b5be3b2eb0394

SHA1
0f7a68eb0a3eaee01166b6a869c0db220bc01bba

SHA256
18f477352d0cb274b3d6ce70ef7d6ee57754c0f9effe5e60d27b26a9afbbd42d

SHA512
f98b1237aa0064654002b34158314041ec05c8c678c39dabd6ed237cd0e63c4e1019176e498303ccc508043ec3fc41abc4de410a553f87a05b2e0e4dd818e71f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\no[1]

Filesize
766B

MD5
a55335875a53fee6319098743a0f3457

SHA1
7cf5214ae378aa631a0e8f4f4f26d7c2a49c76ef

SHA256
5f97b6938d18185cfd9a0723756da616ed4e10e5e97726227c563168a65aa7fd

SHA512
2bb92b6c5a8cf185b708ded9823b6467bcf8b9250880a2acecaf17082b8556ff605bab10d29e244cd0ca36e96c3fb4c71e0459a12ad30c4200c3273e6ac3571a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\video-bk[2]

Filesize
5KB

MD5
e777a305305232abaa82cd0926a7d316

SHA1
1022439c8d3ce04b387ef049c782d75e91a8afd0

SHA256
7c0c54d346327b6dac337ad55ff3e44b390f5f502a8699ce29d0ea594d90d52c

SHA512
6955da2f5c34396f62671fea08f89187ffb327cf97f056cedaaf084aa1b1fc4e0b859a20eba01d289a664e0b627e6913ac72920b4d08274b8317e86434f2e16c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\yes[1]

Filesize
766B

MD5
f272e9d04753a1f9eaf08be00ed0156a

SHA1
f0f282461ad66f0a1b58bec8ad0efe1b90979b3d

SHA256
cad018fae9de70e96424c1cd23c222bdfebd7b44b8ed3739cc67782b40f95812

SHA512
9bff84343c46b0a5f09551279d117acddc1b2b560321171c77601a8f56274207974f647a7e03dd28a8ba947712b33ac9b78076d2c59fdb7948ed61855f40da0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GE5J41S2\circle[1]

Filesize
1KB

MD5
ff0b19073d2b2b069be6f18bb1fa1690

SHA1
4cc6c6a6d1e72fde10ff666598f5b7f75b3d8e96

SHA256
e5ec774add5afa81aa7c37b00dd356dfeaf38c69964e4839e63e7f7dd0fba351

SHA512
5091e4adf4a5373e1edcc2fe00cb41696130dab43f949b3e86f330f2c6ba90ebfd4bcbe1c0d63b085b6b2e039b5d4d13f3f51b1de4b9d9dee961886109495e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GE5J41S2\news[1]

Filesize
4KB

MD5
142478cfc83a5d8cfee30b76b40cedc4

SHA1
c484550c222c175b1d878448388f3c969596f67b

SHA256
2eab3fb93941b30a8a99d2d57135707ef70cc0e1ddf620199d0738e10b5ae371

SHA512
f4eaef870a772336efed112d8df62fb694ba07c9818e3fbc592986bf474f3bb1fb972095460ec8c58f84c47e53196d40820396c4960342e715de37c33f8ea1f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GE5J41S2\searching[1]

Filesize
2KB

MD5
ceabe8714ed2d1cd36e5387f64ae7cd8

SHA1
0bd5c8f13176094f865fe415684c5f30537c9802

SHA256
a2bdc2990850b1b58455fcf1c06a26b807cba6f5e6cb94e527511ef9e3f6c2ae

SHA512
c50de2dfee34e1fbec31c59403945bd482614bee85e0e8057c18df809bc17154a453768ab22989ade776359ec992d7a60971c94a8229819b6966dc20c47e97f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GE5J41S2\video[1]

Filesize
4KB

MD5
b4c4562d21c698d678e90a6c81c61c08

SHA1
c3f540ab49863ce6b8671dcc5f8a1448ced6e9b9

SHA256
64e4e35c3fb47d8576c3b1efdcd0acaabc88431793b376f6ca5bbd3d86ff1863

SHA512
3778ca2ceb2af45821bdb2aea158b9c256087060b21c576609f8d29d464665397d6504822af7b7839194170bd313a8a80fc620a7d2deaa3a5c4d60baa62427e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLOK2QLQ\news-bk[1]

Filesize
15KB

MD5
059381e302730df35ac2534a426d1a03

SHA1
bcf128e409ea217824b9a9c70fccf613b6c152fc

SHA256
3d7d93f215557f1c0a4e7ac27652b96ef869a1348e1a10e8d5c432086c503572

SHA512
88e36c077e8e712f8773aa4b07c840f3041001c9599c514b679e0302aee875c1eb994f5bddbdbc2b152c0412ab9b8ee8a55f628524728c262b0760c41c953472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8I3CVQY\failed[2]

Filesize
5KB

MD5
78072cd5bfdf6a6f268515fffd2810d1

SHA1
9a754e6a3829f09d26683bc9a15c3d19e37a951a

SHA256
6945302cee4b8accd2ca2bf1a2d3bc0ab2e56822a51dfdff32fa2104033b8978

SHA512
224a5223247b78448a33cd19452018fd60477b4722bf0fe4c0fceaf7edf86d0d88d2fa49c1165decdc70e9b950a4e1b864ce9f60e810833c51068a7b7239b12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\71C.WUT\MeMe.cab

Filesize
804KB

MD5
59c82b6101bf4274b4c04eec5fa26509

SHA1
07143685f250cf0cff95efb2d068001c10878e59

SHA256
98a10c6f00ee08cfdf94840397b8098865f62b42af60ca4aabecc2f43aa9db43

SHA512
7d7eb50016ea50c21e140cd29107ccc10268574e6d0cf057087b5c0c22f281d3fa7976290404d9f1a079af5007757bb456f90f181bb61ae26f8216281de5d010

Download Submit
\Users\Admin\AppData\Local\Temp\71C.WUT\MeMeInstHlp.dll

Filesize
16KB

MD5
1804e5e69f370611c429d7f47bea8606

SHA1
fea2597d865659926fac53c9e5a48d499211511e

SHA256
815ba8b38d4a9ff067989445a5e9be2dfc6c939c5371469706a2140064c921d7

SHA512
653c1ee69dffb7166fded4d756a21b0aafb1acd981c59f9f0ada183d47640aa513d7901f65ece5ae3c40df4b398a8eda20cb246600990ebc9a11c54ace4855ea

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF69E.tmp\SetupMeMeBlack.exe

Filesize
4.9MB

MD5
a148cad2fb750a7e033488fa1061317a

SHA1
d4b461a429a694f4c20c637bc20f2bb424422b09

SHA256
2e07f66128041c0f21118604ead81fcd0e7a9a51ccb5e985fdfb96302c563d46

SHA512
e28a0895aabb90ff613a889fb6166be2c56ef17ad23863199e7f97de12b7e267ec0f3c7d019f5bc7b8fefbf0f0e27fa337fa7d149fcc8dbf0345ba93d9434183

Download Submit