079f4448507e2236bf53cc9f3f23f0e773c74c6f6f77ca459bbab16d0f27102a

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
Size

252KB
MD5

95ca811952cd61f9d46c46383d98143c
SHA1

b60fb03e9886e946400ac2f203bfd326617d99d5
SHA256

079f4448507e2236bf53cc9f3f23f0e773c74c6f6f77ca459bbab16d0f27102a
SHA512

1b9b1d0baf4812b6daa9ae91e30bea9cb691ae06a07693a3b3ee3bed881f40c89c7a074b79510b93dd5ef29ea443fd1f137f5ecb7dea6e917d0da886d815f1a4
SSDEEP

3072:2tybd59fYRw/BoDWfwpsjrSc3XzfMHX7/RzviC0RsOspWqgzGB:gyxKgayg8Sc3DUHr/RzviC0Ibgm

Score

8^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2660	attrib.exe
1272	attrib.exe

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2928	sampe.tmp
2104	smap.tmp

Loads dropped DLL 5 IoCs

pid	Process
2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
2692	cmd.exe
2692	cmd.exe
1140	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\PROGRA~1\\FREERA~1\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\FreeRapid\resd.bin	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
File created	C:\Program Files\FreeRapid\2.bat	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\FREERA~1\├└┼«└╓╘░.url	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\tmp	attrib.exe
File opened for modification	C:\PROGRA~1\FREERA~1\2.inf	cmd.exe
File opened for modification	C:\Program Files (x86)\TheWorld 3\TheWorld.ini	rundll32.exe
File opened for modification	C:\PROGRA~1\FREERA~1\┐┤┐┤╡τ╙░.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\╟º═┼═┼╣║.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\░╦╪╘╔½═╝.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\╠╘▒ª╣║╬∩.url	cmd.exe
File opened for modification	C:\PROGRA~1\FREERA~1\1.inf	cmd.exe
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File created	C:\Program Files\FreeRapid\1.bat	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
File created	C:\Program Files\FreeRapid\4.bat	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
File opened for modification	C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}	attrib.exe
File opened for modification	C:\PROGRA~1\FREERA~1\3.bat	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\Comres.dll	sampe.tmp
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sampe.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smap.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429794637"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57A2E6D1-5A2B-11EF-B5D6-E21FB89EE600} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?r"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?r"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\PROGRA~1\\FREERA~1\\3.bat\""	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A	sampe.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967	sampe.tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2928	sampe.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2068	rundll32.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	2928	sampe.tmp
Token: SeRestorePrivilege	2928	sampe.tmp
Token: SeIncBasePriorityPrivilege	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
Token: SeRestorePrivilege	2068	rundll32.exe
Token: SeRestorePrivilege	2068	rundll32.exe
Token: SeRestorePrivilege	2068	rundll32.exe
Token: SeRestorePrivilege	2068	rundll32.exe
Token: SeRestorePrivilege	2068	rundll32.exe
Token: SeRestorePrivilege	2068	rundll32.exe
Token: SeRestorePrivilege	2068	rundll32.exe
Token: SeRestorePrivilege	496	rundll32.exe
Token: SeRestorePrivilege	496	rundll32.exe
Token: SeRestorePrivilege	496	rundll32.exe
Token: SeRestorePrivilege	496	rundll32.exe
Token: SeRestorePrivilege	496	rundll32.exe
Token: SeRestorePrivilege	496	rundll32.exe
Token: SeRestorePrivilege	496	rundll32.exe
Token: SeIncBasePriorityPrivilege	2104	smap.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2868	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2868	iexplore.exe
2868	iexplore.exe
2456	IEXPLORE.EXE
2456	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2928	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2928	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2928	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2928	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	32
PID 2928 wrote to memory of 2696	2928	sampe.tmp	34
PID 2928 wrote to memory of 2696	2928	sampe.tmp	34
PID 2928 wrote to memory of 2696	2928	sampe.tmp	34
PID 2928 wrote to memory of 2696	2928	sampe.tmp	34
PID 2704 wrote to memory of 2692	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	36
PID 2704 wrote to memory of 2692	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	36
PID 2704 wrote to memory of 2692	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	36
PID 2704 wrote to memory of 2692	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	36
PID 2704 wrote to memory of 2712	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	38
PID 2704 wrote to memory of 2712	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	38
PID 2704 wrote to memory of 2712	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	38
PID 2704 wrote to memory of 2712	2704	95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe	38
PID 2692 wrote to memory of 468	2692	cmd.exe	40
PID 2692 wrote to memory of 468	2692	cmd.exe	40
PID 2692 wrote to memory of 468	2692	cmd.exe	40
PID 2692 wrote to memory of 468	2692	cmd.exe	40
PID 468 wrote to memory of 2868	468	cmd.exe	42
PID 468 wrote to memory of 2868	468	cmd.exe	42
PID 468 wrote to memory of 2868	468	cmd.exe	42
PID 468 wrote to memory of 2868	468	cmd.exe	42
PID 468 wrote to memory of 2068	468	cmd.exe	43
PID 468 wrote to memory of 2068	468	cmd.exe	43
PID 468 wrote to memory of 2068	468	cmd.exe	43
PID 468 wrote to memory of 2068	468	cmd.exe	43
PID 468 wrote to memory of 2068	468	cmd.exe	43
PID 468 wrote to memory of 2068	468	cmd.exe	43
PID 468 wrote to memory of 2068	468	cmd.exe	43
PID 468 wrote to memory of 2168	468	cmd.exe	44
PID 468 wrote to memory of 2168	468	cmd.exe	44
PID 468 wrote to memory of 2168	468	cmd.exe	44
PID 468 wrote to memory of 2168	468	cmd.exe	44
PID 2868 wrote to memory of 2456	2868	iexplore.exe	46
PID 2868 wrote to memory of 2456	2868	iexplore.exe	46
PID 2868 wrote to memory of 2456	2868	iexplore.exe	46
PID 2868 wrote to memory of 2456	2868	iexplore.exe	46
PID 2168 wrote to memory of 2108	2168	cmd.exe	47
PID 2168 wrote to memory of 2108	2168	cmd.exe	47
PID 2168 wrote to memory of 2108	2168	cmd.exe	47
PID 2168 wrote to memory of 2108	2168	cmd.exe	47
PID 2168 wrote to memory of 856	2168	cmd.exe	48
PID 2168 wrote to memory of 856	2168	cmd.exe	48
PID 2168 wrote to memory of 856	2168	cmd.exe	48
PID 2168 wrote to memory of 856	2168	cmd.exe	48
PID 2168 wrote to memory of 996	2168	cmd.exe	49
PID 2168 wrote to memory of 996	2168	cmd.exe	49
PID 2168 wrote to memory of 996	2168	cmd.exe	49
PID 2168 wrote to memory of 996	2168	cmd.exe	49
PID 2692 wrote to memory of 2104	2692	cmd.exe	50
PID 2692 wrote to memory of 2104	2692	cmd.exe	50
PID 2692 wrote to memory of 2104	2692	cmd.exe	50
PID 2692 wrote to memory of 2104	2692	cmd.exe	50
PID 2168 wrote to memory of 844	2168	cmd.exe	51
PID 2168 wrote to memory of 844	2168	cmd.exe	51
PID 2168 wrote to memory of 844	2168	cmd.exe	51
PID 2168 wrote to memory of 844	2168	cmd.exe	51
PID 2168 wrote to memory of 1308	2168	cmd.exe	52
PID 2168 wrote to memory of 1308	2168	cmd.exe	52
PID 2168 wrote to memory of 1308	2168	cmd.exe	52
PID 2168 wrote to memory of 1308	2168	cmd.exe	52
PID 2168 wrote to memory of 1272	2168	cmd.exe	53

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1272	attrib.exe
2660	attrib.exe

C:\Users\Admin\AppData\Local\Temp\95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95ca811952cd61f9d46c46383d98143c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Users\Admin\AppData\Roaming\sampe.tmp
  C:\Users\Admin\AppData\Roaming\sampe.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c afc9fe2f418b00a0.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zmzzmzwbd12.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
    3⤵
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2456
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:2108
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:856
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?r"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:844
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1272
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\PROGRA~1\FREERA~1\tmp
        5⤵
        Sets file to hidden
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2660
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:280
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
- - C:\Users\Admin\AppData\Roaming\smap.tmp
    C:\Users\Admin\AppData\Roaming\smap.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\smap.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\PROGRA~1\FreeRapid\resd.bin,MainLoad
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\95CA81~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\FREERA~1\1.bat

Filesize
3KB

MD5
2b99b7f66b8ebba3071330bcbaccc022

SHA1
1a79cdcdd4dd3c9e22b45acdbc20a51da5f23e52

SHA256
3ed44f8ec4dd76cadb989353a1ed4a578d93fbba2eb0997443000384e2fb7f09

SHA512
03671ec8fbe45df652bddf47141fd017cfd86b25c034608be23eb82035b3e7504765d4fdc9c42e1bbb3de4b132476a5e7156d83fe1982be283c9ea51e9cc8671

Download Submit
C:\PROGRA~1\FREERA~1\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\PROGRA~1\FREERA~1\2.bat

Filesize
3KB

MD5
66255a9ad2f8d7deaa5577ca57942871

SHA1
8003fcd6cf3edd5b053b2765c7178ae90832f370

SHA256
553e76f0372969152c699aa8f02d0610114492cf1a0386cd425a6b6e861aa197

SHA512
895951abacd29c28e2970096db9e694626952791f4ff84a77c4f584baae80eb9ef7206fa501d671c6983c9c08cce9016a6a572b65d79fc9f5da39cea9e2d4a04

Download Submit
C:\PROGRA~1\FREERA~1\2.inf

Filesize
230B

MD5
f6dcb2862f6e7f9e69fb7d18668c59f1

SHA1
bb23dbba95d8af94ecc36a7d2dd4888af2856737

SHA256
c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c

SHA512
eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75

Download Submit
C:\PROGRA~1\FREERA~1\4.bat

Filesize
12.3MB

MD5
77ff1a5a05d0ffb2ed34e6ea281f1412

SHA1
386b1dfa37275c15a90dd9871cca514bdaeb58c7

SHA256
efc356727537bcc61af0f1d8b9b24d9c41db7691db330e90a85e9d2ad51e816e

SHA512
a86a3bd7baac6557af1cd37756f3e8aa95c74a40c99cd01ce02b935c74c2e2a14eac6816d17f922a2e93bd6e848e4c60d4090fd6b714e95037358d3c46f55c3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
def157420b3ea0e94d54be45f30ce7e7

SHA1
62d1e945d034a5b7ac77e94ff5ffd452dc63504c

SHA256
a064ad9f372dd5ee627bf8a44c492e7acc5fc2c01b0cebd66af31d6e02ff4852

SHA512
f6c35249b4c9f10737cd0cf9461449f826e8d1649f67c586e9be0f22ac8b42f0fb55fa2644dd8d082e6e94364f2299de858f44f86f1d7076f3a1527e33b90410

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a31010605e7dc543e903678bd527601

SHA1
d688005fedfe473a9da2c161bf1685081c5da704

SHA256
99e6967bbe1498252766b5f850c3e982146ed54d4a127d617a3f92159ea61aa0

SHA512
11c64d0173186d572bad3dee61405ff62a42912c248cd39bf2158358a5be0492f9f4ceab0a973f4fcf2654ddb9bbb0df22109beb44e3b2d5d8da9c73a90f4387

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae5f5b40f4e8e182ea283b21851db638

SHA1
bb65d10e9557d2458db5ba1338fd8e2e3f799959

SHA256
8160c06c1a3111cd816b53c2b26e15ffa991eba00799bff55bea28e0316b5537

SHA512
dd1d4c79e98477e11987f57fe5a5e6e142b3e55d822fa9dc7296d4949cdd7f7a8d6d79a84123ba8f571e141a5945d97b35e3edba21aeeed423f2d5dd526074c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f403c43193899535405c03f705c5fc8

SHA1
eb1ce7602989c333cf0704971143ea8d30fd8a1f

SHA256
c3881a5a8224a546bbf3af8d97127b6dcaa1dc4cf4806f5d1796c912af206b59

SHA512
944c9b8531a66129bb4e86c5111a50c31dfdb65a85d0646fb617a6bcc2c50c49c0291efdd70b3396649712b23576be8d569a9e726f6ed92ee9c623b15fe83548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51168724592ad82fec172e18d39554ea

SHA1
17ce455c7ab7778634af4d1e9deaa164e256c351

SHA256
825f49aa437f4f8827e54cc1f13ed07ca375dbbfc826366acbcf086a971dadcf

SHA512
45320b2cc83f34f1d40e48dd8b50585096b86bcd5c55035e2b02698d6d21fb3fb35d9cc9b1800ed75d4f309ff5cceb59f586e381b681594e2fb49417119ae0fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
931b94c105e425e634d4172b246e80ab

SHA1
1d94ac415d2f051dbaed6b8cb19e85d0e45eba96

SHA256
d9d2412d6c4357221591741f9e3d7847183eeb3d42aa58d7fc388a3af851d466

SHA512
34e4408477736de72618c3e505e7a26f94daa52c7dd756082016de039ca0f879b249876bad0d31e2980ca55f64a928eda243e43d2b95fd250360a7ea8da41b51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60c326eb496759d9876504e250ed07bc

SHA1
3c5da1576eb308ff6d3d463ff03e8749fdb1e324

SHA256
b1565dd81525ab17fc42cffe8eec48034f33e58de54f4a730466b54c2fdaac65

SHA512
1cece522d8816db87bed789797168c81f45f2cd857453c8caf422261bcea78d752888ddb082acfee7e738a203602d33fe33fd70344df76ac90daba3d335bc637

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3256bf6b60fdaf396f88a409d19811a7

SHA1
bfa8d15a119491bbff4e35293d69763167f58a98

SHA256
f02f901eb9d3594a90314ee98eda2910bc001c15a5cf96ebc304e405ce8cd34f

SHA512
b3638423b3d89a902035074d461b2ae631aacef0da947f665ab20d816494a4c5137ad50b3c689e65f1017dc226bd305efae5f021912fd4db68283821ffdfb75e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0de216a3e3b9cf19529c6a0233f59274

SHA1
2ee4fc198f19a5ab4c6cf1a5954a91d341f2ed5e

SHA256
9cd6c2c5e2f4c7e76eaa0b401837ddbee1947f6746882db3ef4ddc1d585ddf08

SHA512
ded76f1da68dde76fbc4ec5566b6a601a347207700edf71428953bb79750973faf305a4e3df9cc9ab99eb1497acde449ee496e48ce24bfead3e8d326c2d17788

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eb0d3d9e75da4674ce92c716602031d

SHA1
d65b352f972b5f11e82409a8bbc54529971a34f8

SHA256
f91739e1dedb0d944c7df2f495f1c0c91659521ee3f6af9b524df9150cb625e7

SHA512
8fc49c283200ca3456df808d84f6eac81799a8e529c6c6bebfbf54ba22099c7b376d1c3fb651a4e611cdd7ee5afa66513cd07d48aca19a64abadb4fbf88c0358

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7d35713af69679dca1a565d2e46732f

SHA1
e1069e578a2963f60c93dd591fdfe713fdab901d

SHA256
d4f38f577dcf67209d109fcc0c8387e682c85d98275412fbebaafa4d661879fb

SHA512
a4ee98b7dc7c5c0191633fe41444fe15523e185d202fa77897a2bca838a6c31e8b663b3ed36d65a1ac8751ecaa613a49ec94da3c1bc3000b13421a23f612e655

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccbeb1c76acb6674ad1c66467a0cf93e

SHA1
799a698b01cc1e3159e22d90a9632f37002cd431

SHA256
242a5865a2614a20405e42049fec11db63388cfa165df964524d66a7d068f5ac

SHA512
19f688460b7c8afaea025f19fc0b51439679ad3c87d097792e27a3a5c8234f8b1a671937c0cc6c7fe28af1385aa1f3720e2da0165311f72f0cef1a2f82fa200e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f647f5828339a1bd16a4dc5fa41cb6f4

SHA1
b919fe439e7e1953abb49a14d15489da953a06a1

SHA256
a0baf347ed8e1b20c9b38f37142dc1f98ed50ccb61e3d46e8408c593eb480caa

SHA512
35c7bd9a5d31ff8d68886f75f7ce8d8b03a31cd6b78e3bab45ee201e43905258992e4e8a4245e9086aa8fb619a19c8db49e7563f9b4d255e164d6fda6a95e35c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4befaf93c959256bf26f9da244d9dfe

SHA1
fad3e61a3c889e4d4479fea3a500ab3437658160

SHA256
eb5b9c79e6ce8917cd5b6c3ba32462bbb64614eb6ff11be559e5245b8d338709

SHA512
27468e16c9ff181d1df2dc540d5930c9046be3c519b307ce45d8325fe292c2e680ea904517b15ddb69bd88dbfc5e6118aa697d7935e3bf918f634d137aa8eebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z2D3H3V6\favicon[1].htm

Filesize
802B

MD5
b4f7d6a0d3f6605440a1f5574f90a30c

SHA1
9d91801562174d73d77f1f10a049c594f969172a

SHA256
e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

SHA512
c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab48C5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48D8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
0540cd83dcfe13fc8873e80ee631218c

SHA1
bd7f0d1bd11dc2f4f579f0c8c728e609d3df7126

SHA256
3e2d56e382961a72e8f0ec73f9cd914d46baba5d70fbb753a911c73900731f26

SHA512
bd4eee174e4abe8097920c548a8dbeb37c02d0b4550ad72b2f4e70dd2d30504ef7f741a6db05161bdfd12d42f7ab620c8215acaf31bde6e44e1ddf6d5300f25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
631B

MD5
0b92bb1f3b9141d221dfedfcc5a59527

SHA1
8d0a11d39776442b53436490284dc460137d3e7a

SHA256
5ad1f9cc4cff9a7d07bf72edc9ce2ccb0e75a6bb8038ab92a27a54914d560a99

SHA512
e3472c917c7ac2657f4ceb3bf8d1cdabca72bc0090ce2d33b3c334d86ad4cb8b68e109d936f6d99b38dd8d44bcd2e2e152d3292c10c77461e79bb13b2db04205

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmzzmzwbd12.bat

Filesize
150B

MD5
3d7ee8e51d09d54e8efe7b4699f8dde4

SHA1
4d397727078e6e1dcf190730a6ccca2e0317cdec

SHA256
3e5ea12a32fd172f1fb119b3b59a6e589765903f45191dc99aa1b37b42b184f9

SHA512
7653dbb3b4b8fa2e3307519fac16eaf1a592400ff1657bd2b7734fe3ef8b07ab28f385acfb5eb0fcd0a270d22141e96b67c728c180ebe6dde1fc66bf7766c40c

Download Submit
\Users\Admin\AppData\Roaming\sampe.tmp

Filesize
89KB

MD5
b5b4b1321360fbceac935d215a0db480

SHA1
dc54405e1506d866ef1ff2e0617f3618fedb257b

SHA256
787585a9ec9cabc69b459f44b6bc583ea41534a471e9926e03af354360e8eec4

SHA512
067ca0b4e4d7981073a5a40268658b651d2ab03da41b609eb48cae55e8d2fd3d957c58e868b04dcf835ee186168a924a1bde5ce66ece56a4e4c2809c8382df06

Download Submit
memory/1140-592-0x00000000741E0000-0x00000000741EA000-memory.dmp

Filesize
40KB

Download
memory/2104-110-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/2692-109-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2692-104-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2704-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2704-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2868-99-0x0000000003140000-0x0000000003150000-memory.dmp

Filesize
64KB

Download