ddd3f56b7d57c1178c4684027b326c3df10787d6f90baff3d3237b429334f6cb

Analysis

max time kernel
146s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
Size

957KB
MD5

a0105c6ab812844353e357c9ecbc105d
SHA1

ef5f4bab7171161fc6f23fe22bfa9e97c31f3aa8
SHA256

ddd3f56b7d57c1178c4684027b326c3df10787d6f90baff3d3237b429334f6cb
SHA512

ddf656580edb879643cba739c655647a3d8fd2ebe73c3e603300007087618cd2242517a1617d50993aaca9a19a8712a9084b7b639054873d02071d540c8b24fe
SSDEEP

24576:66P9dgXF1lz4HqrqCEpsKe7XO2JFUc7w81qdZwC:66VeFujXGKe7XO2JicUx

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe jsphelp.exe"	Regedit.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\jspshow.sys	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\jspshow.sys	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\jsphelp.sys	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\jspplay.sys	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
964	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2596	jspplay.exe
1140	jsphelp.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-0-0x0000000000400000-0x00000000006AC000-memory.dmp	upx
behavioral1/memory/2200-457-0x0000000000400000-0x00000000006AC000-memory.dmp	upx
behavioral1/memory/2200-471-0x0000000000400000-0x00000000006AC000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jspplay.exe	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\jspshow.dll	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\jsphelp.exe	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\arun.reg	jspplay.exe
File created	C:\Windows\SysWOW64\DelSelf.bat	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sPD87g17.dll	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsphelp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jspplay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regedit.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000002e3b8f4490f3208ec1a5819933160489b1b56e6e7441ae9677c98a62fa3e9378000000000e80000000020000200000008c6fb5f3c2bda9467e281df4018d7d094ec15e490ad7bb06ba159803990d0fb3200000004fe055994fdf28bfc23e8c4aa477976e3e3c8e87441c2d665c16569c0455ecf640000000ec3d50007bf992c112ffec118c7725c6f716c43c6bc37c7de11d4f47b6d9d359902ad7918285f1e7288f035fc2bbd3fd0ed605af232e31eaf47558ee97e3a472	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{42FDAE51-5C19-11EF-A7E7-6EB28AAB65BF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 000fa01726f0da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000007847440eb5b3d1aaebc53617becb7b4cbf080ae9f98caf0999b039d7cf1516fb000000000e80000000020000200000007459543278e19b405837f7ff58aefc676b633f825d6c292e71a74883aa76f0d990000000287f2c4f6c55cf8e33038f7ec14d5dbc71c8c29eace54f116096d803f58440504eb6495296a247b6a0a5750d98f40e82d474c91e7226982790ead5b31600761075a3c1d28257bffe0cfdd17ff3bbc48fed0c26b9bcf38626d7f43cbf0280150c6f26d9dd67a2ac6657cdd7b90cae0174b0fbdeba5bc895220ba016983f5bc04c0ce014c71e7163fb0dacf843e5e59be940000000859838ac1c4c0fe316047b90812ccae23fbb115f5ee9f7a8fa5c6fbb9b7fd2b5e0584e7cc8b430c61f706bfdb698e5de0c98b003069ffaa21c0261eb54576de8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1340	Regedit.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1140	jsphelp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	jsphelp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2676	iexplore.exe
2676	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2676	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2676	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2676	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	30
PID 2200 wrote to memory of 2676	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	30
PID 2676 wrote to memory of 2652	2676	iexplore.exe	31
PID 2676 wrote to memory of 2652	2676	iexplore.exe	31
PID 2676 wrote to memory of 2652	2676	iexplore.exe	31
PID 2676 wrote to memory of 2652	2676	iexplore.exe	31
PID 2596 wrote to memory of 1340	2596	jspplay.exe	34
PID 2596 wrote to memory of 1340	2596	jspplay.exe	34
PID 2596 wrote to memory of 1340	2596	jspplay.exe	34
PID 2596 wrote to memory of 1340	2596	jspplay.exe	34
PID 2200 wrote to memory of 1140	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	35
PID 2200 wrote to memory of 1140	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	35
PID 2200 wrote to memory of 1140	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	35
PID 2200 wrote to memory of 1140	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	35
PID 1140 wrote to memory of 1204	1140	jsphelp.exe	21
PID 2200 wrote to memory of 964	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	36
PID 2200 wrote to memory of 964	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	36
PID 2200 wrote to memory of 964	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	36
PID 2200 wrote to memory of 964	2200	a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe	36
PID 2676 wrote to memory of 2336	2676	iexplore.exe	38
PID 2676 wrote to memory of 2336	2676	iexplore.exe	38
PID 2676 wrote to memory of 2336	2676	iexplore.exe	38
PID 2676 wrote to memory of 2336	2676	iexplore.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a0105c6ab812844353e357c9ecbc105d_JaffaCakes118.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.soft-show.cn/setup/setup.asp?id=CCBAE3F0598FA5C68CCA5315EF9169777F4FB1ECA4F678B2&pcid=AB05D3964EEE3D3184268335E9BBEF7BC7901ACF10B0624019C5A491EB4F846F8026F71A84FEEF721573432560CE6197&ver=1001&taday=1
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2652
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:1061895 /prefetch:2
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\jsphelp.exe
    C:\Windows\system32\jsphelp.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\DelSelf.bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:964

C:\Windows\SysWOW64\jspplay.exe
C:\Windows\SysWOW64\jspplay.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\Regedit.exe
  Regedit.exe /s "C:\Windows\SysWOW64\arun.reg"
  2⤵
  - Modifies WinLogon for persistence
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9544ffa103208568b66994c3fea91fa4

SHA1
ab4ed09f854310050ad6b720ca05de689211ccf1

SHA256
54d5ea64fa8217b3d767f856317ce051eefb1fbe69ea71898e8167f4bedb5113

SHA512
870ec7c2325f75bf1e1672d06e86a6dda3064c3d1e9339cfa70dede7442cadceab610c507bd6f9662d133ce941f51245f6f58d67e61813c84b64a6e53913afae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e1a5dde31c41897eab7f7e5e4cdb4fd

SHA1
87d8f365aa77e1d611dd0608d0b5fd8873cad286

SHA256
49772a78c68f507296d1de8113deb73d6013aa489d142b2a62a98aa8710024e5

SHA512
26fc3fee9836df63b56fd7cd59ae156f52c38695596e3a56b820e6c510bbf9279397ec83d621c9dc99bd9faf365808bfe935c61829d66eefd5176c0de0a225bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7930e8885f26465e9d903ea39e09742b

SHA1
04c820fd605ecaefe553c5079cb4bc7359b94921

SHA256
7b366388943a79bac1588d37f7463831f43cbc5d60cc720a81c4769100ba2b8c

SHA512
25898f4f99294588b813530d7c9576f43ddb89a43af01273325d9bfc712720aba600b4c816ce3b1bfe141f24cbb35d1831c998b4b3b32d039d5219a867e63dfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77b59da59cae970b059337fe6a224837

SHA1
c917dd3f03a3f06e1a2c74db155281f94b0c8c7a

SHA256
2d4ee03440fc1d6076c445f976164a64f884a365b9fde88ebf58ccfe4d87fc4f

SHA512
a86df019552c2b25d89d12eba34a396da4b2a0692aff3a7c4be737fc3aca996cdfa75ea6bd3b10fc420e7ebf688e4b95c8c69dc4b6df6c9f9d4dcb7c5fb7bc8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2889844729e8001a1d169e89887bdd94

SHA1
19c2c05369c1767fe5dcd0d0e675ac182ab18355

SHA256
a359a5546e4b3847ee28007888a42ac87a82139a35055e1a94bc83553cf7a37d

SHA512
5658553a2150ab2e59210a9dd8e0de48f4fc0a31d632bbc5ac4607df336c835ebd30a47e17e7b4f6e6fe67f6bc9fa53cc2da7268ce5523bff95bda893d5c66f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dfcb70213836e56ddbee4ec7512f670

SHA1
b3cb8fcdf38b54c5bbde0c9c6b8ea6673ea76894

SHA256
32c2892893a728f3e9ff86f30772f20308ac8bd91849fdf685189570bf32c5c3

SHA512
0bf5528179ea27b1bb40f0250fb89a04efe8f156a3f6f32aa6fd79c30ecddc11942a6799419df9771a76cb87c8b0517433ae2b229ba881e2d4a352ca85a6a97f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b06a2ad7d6049c31d0c5939bbc99511b

SHA1
f79d0ad8698b60c2c732ef4a51aaefb7cf4f7975

SHA256
08dd1e9d0b4dec94c9472c8cddff9296624581afd6dcc8628fff2019732e5219

SHA512
1a5810be97ac5be84b4de3fd26b140b01e49849c64ffd88f591c1a103bd6444b822556ebb2e1e27f2f73e2ee1350a796ddd1e9a231d55b174d4711bb2c4b4d71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07f5cdb85394bd9fdded6fea9a895372

SHA1
fc028190e2d9f4534fb1c3e1ca9b8a2e23fd4d75

SHA256
e024dd40d5ad2065ba641187e5b042b43fe9c2a5a50ddc76c9e90cc9ccfc223f

SHA512
9e8a00676fbe9662bc7ae3268eaacd492b586d463fd9a8a05df2347addc93257fac5dfd278eef6ff5536affbf4c58cd30cd0b683f189c56e1d5cf679387a9a48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
868b3bf4b5a7d54143d511b26a9a3321

SHA1
e60e8a15580ace90fe6bf7a1b301019be73e3e31

SHA256
4c9f576d28625f5735d2f7ccf5af51ab28b436d36641bd63179b5a9a8e9c5ec1

SHA512
90e08cbc9e535e0b3ba13bbd1a8353e5bbc3810da121d33993666863cdc3d3350fdba40e7f5c16dd15016ab586f45b739a963adb342397256322a57902d0a90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5ED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar65D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\DelSelf.bat

Filesize
228B

MD5
a0a2332b7c3daf1f55673aa1132d1652

SHA1
b10ea57ba60e4f7e23292963e83073a152954643

SHA256
2c3c0833f3f1e649d2a7d2d46c82f5883e5185712d8bb766574835174499aece

SHA512
5c02890791ddc22a3088cce8e174390fc166c274ae64546498212d67d3ae5d29787291cb1bef0cc2d968b966b0e48444eb037123406a14e9158f1e34a0f15149

Download Submit
C:\Windows\SysWOW64\arun.reg

Filesize
150B

MD5
ed7b7db6f213df4e24b1b7f1821644e0

SHA1
31fece6abef02fc21b80fc0d525a4c681d0ef412

SHA256
2e0b3b6154fe67421a61f6c8b1d94901f25601efc0f80d627fc87eac38c3cfdb

SHA512
c654b62a61b606b65c4fdf6f5664708485ab0c52896100e6569d4d14fcc09fb7126be843ac4f91006eaee97cd7ad5b9fb83461a2e31cfec8d6c8e37d857421d7

Download Submit
C:\Windows\SysWOW64\jsphelp.exe

Filesize
367KB

MD5
d72c4f4ee11cd376407794569f0ecce4

SHA1
5e3d4b3d7a33bac8d4f0e003912836527f61ca91

SHA256
056d6b97cb4285a1e36697b19e86f8fa5d7d090a71e1fcc4903f7e0d69a3304c

SHA512
41825c189672d316f0e58909f0dd3cf25069ba2a3611b336157a167a0f38fc0b0ace26c77f6ee5ae5c22c6c10a55778b43eabb8dae8aba0eff1159cfd29607a0

Download Submit
C:\Windows\SysWOW64\jspplay.exe

Filesize
408KB

MD5
7624208d3eba7ff91943a426ee892a87

SHA1
b46703dc3c685b7b20ddc961c1fbe4dfc8dfdcdf

SHA256
7dfc785d59c14e407e6b54fae4305dddd5af639225368f76a87fd15df8fbd76d

SHA512
bbfc6cd1a4e6865b08d48992cc20ecc7395dbc4dc44fab6fe314dd6d1cad54a33d214436be3817fc096dcd0442493d0c98a53d1886457c39f6bda4fd79bb95c6

Download Submit
memory/1140-458-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1140-456-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1204-455-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/2200-0-0x0000000000400000-0x00000000006AC000-memory.dmp

Filesize
2.7MB

Download
memory/2200-457-0x0000000000400000-0x00000000006AC000-memory.dmp

Filesize
2.7MB

Download
memory/2200-471-0x0000000000400000-0x00000000006AC000-memory.dmp

Filesize
2.7MB

Download
memory/2596-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2596-475-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download