59fb9642404b919528481fa867ff11c55b145521375ba163c9f1742bdb913ce0

Analysis

max time kernel
142s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 05:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe
Size

522KB
MD5

fdd9249c6515cbcf37b6a78312f6dbf3
SHA1

4f6899e0135e4f3b20c0e31c88b0b82dd85b1fe4
SHA256

59fb9642404b919528481fa867ff11c55b145521375ba163c9f1742bdb913ce0
SHA512

64ad3ce3a9346bd50267da6db8fc792cf9ae1f51ce6a87eb442d9c62547c8a11281fb915def60c8815ddfdb3122f158a286f4214a834ec1fc738e131df37d9ec
SSDEEP

12288:7q6my5cKp64B4JuQnNfIRoe2f8c26nV+V9y+eqo2SUzYr2aqR9tG:7ey55p64BAuQNgRobkc2c+fNoRUI2FPG

Score

10^/10

defense_evasion discovery evasion execution persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	E4U.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	EuroP.exe

Executes dropped EXE 8 IoCs

pid	Process
5100	svchost.exe
1440	7za.exe
4532	ic9.exe
2084	E4U.exe
1120	EuroP.exe
1916	Gi.exe
3416	tbp.exe
1936	geurge.exe

Loads dropped DLL 3 IoCs

pid	Process
4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe
1428	rundll32.exe
2696	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Otohubayave = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\BDCLoph.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ewrgetuj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\geurge.exe"	Gi.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\x:	geurge.exe
File opened (read-only)	\??\y:	geurge.exe
File opened (read-only)	\??\a:	geurge.exe
File opened (read-only)	\??\m:	geurge.exe
File opened (read-only)	\??\n:	geurge.exe
File opened (read-only)	\??\o:	geurge.exe
File opened (read-only)	\??\t:	geurge.exe
File opened (read-only)	\??\w:	geurge.exe
File opened (read-only)	\??\s:	geurge.exe
File opened (read-only)	\??\b:	geurge.exe
File opened (read-only)	\??\e:	geurge.exe
File opened (read-only)	\??\h:	geurge.exe
File opened (read-only)	\??\i:	geurge.exe
File opened (read-only)	\??\j:	geurge.exe
File opened (read-only)	\??\r:	geurge.exe
File opened (read-only)	\??\v:	geurge.exe
File opened (read-only)	\??\z:	geurge.exe
File opened (read-only)	\??\g:	geurge.exe
File opened (read-only)	\??\k:	geurge.exe
File opened (read-only)	\??\l:	geurge.exe
File opened (read-only)	\??\p:	geurge.exe
File opened (read-only)	\??\q:	geurge.exe
File opened (read-only)	\??\u:	geurge.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00080000000234e3-38.dat	upx
behavioral2/memory/1916-45-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1916-76-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1936-80-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4444	sc.exe
796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2644	4532	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E4U.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EuroP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ic9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geurge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe
1428	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2084	E4U.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1916	Gi.exe
1916	Gi.exe
1916	Gi.exe
1916	Gi.exe
1936	geurge.exe
1936	geurge.exe
1936	geurge.exe
1936	geurge.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 5100	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	82
PID 4028 wrote to memory of 5100	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	82
PID 4028 wrote to memory of 5100	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	82
PID 4028 wrote to memory of 1440	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	92
PID 4028 wrote to memory of 1440	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	92
PID 4028 wrote to memory of 1440	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	92
PID 4028 wrote to memory of 4532	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	94
PID 4028 wrote to memory of 4532	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	94
PID 4028 wrote to memory of 4532	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	94
PID 4028 wrote to memory of 2084	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	95
PID 4028 wrote to memory of 2084	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	95
PID 4028 wrote to memory of 2084	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	95
PID 4028 wrote to memory of 1120	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	97
PID 4028 wrote to memory of 1120	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	97
PID 4028 wrote to memory of 1120	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	97
PID 4028 wrote to memory of 1916	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	98
PID 4028 wrote to memory of 1916	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	98
PID 4028 wrote to memory of 1916	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	98
PID 4028 wrote to memory of 3416	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	100
PID 4028 wrote to memory of 3416	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	100
PID 4028 wrote to memory of 3416	4028	fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe	100
PID 3416 wrote to memory of 1428	3416	tbp.exe	101
PID 3416 wrote to memory of 1428	3416	tbp.exe	101
PID 3416 wrote to memory of 1428	3416	tbp.exe	101
PID 1120 wrote to memory of 512	1120	EuroP.exe	103
PID 1120 wrote to memory of 512	1120	EuroP.exe	103
PID 1120 wrote to memory of 512	1120	EuroP.exe	103
PID 2084 wrote to memory of 5004	2084	E4U.exe	105
PID 2084 wrote to memory of 5004	2084	E4U.exe	105
PID 2084 wrote to memory of 5004	2084	E4U.exe	105
PID 1916 wrote to memory of 1936	1916	Gi.exe	107
PID 1916 wrote to memory of 1936	1916	Gi.exe	107
PID 1916 wrote to memory of 1936	1916	Gi.exe	107
PID 1916 wrote to memory of 2624	1916	Gi.exe	108
PID 1916 wrote to memory of 2624	1916	Gi.exe	108
PID 1916 wrote to memory of 2624	1916	Gi.exe	108
PID 1916 wrote to memory of 4444	1916	Gi.exe	109
PID 1916 wrote to memory of 4444	1916	Gi.exe	109
PID 1916 wrote to memory of 4444	1916	Gi.exe	109
PID 1916 wrote to memory of 4640	1916	Gi.exe	110
PID 1916 wrote to memory of 4640	1916	Gi.exe	110
PID 1916 wrote to memory of 4640	1916	Gi.exe	110
PID 1916 wrote to memory of 796	1916	Gi.exe	111
PID 1916 wrote to memory of 796	1916	Gi.exe	111
PID 1916 wrote to memory of 796	1916	Gi.exe	111
PID 1916 wrote to memory of 3104	1916	Gi.exe	112
PID 1916 wrote to memory of 3104	1916	Gi.exe	112
PID 1916 wrote to memory of 3104	1916	Gi.exe	112
PID 2624 wrote to memory of 3804	2624	net.exe	118
PID 2624 wrote to memory of 3804	2624	net.exe	118
PID 2624 wrote to memory of 3804	2624	net.exe	118
PID 4640 wrote to memory of 1884	4640	net.exe	119
PID 4640 wrote to memory of 1884	4640	net.exe	119
PID 4640 wrote to memory of 1884	4640	net.exe	119
PID 1428 wrote to memory of 2696	1428	rundll32.exe	120
PID 1428 wrote to memory of 2696	1428	rundll32.exe	120
PID 1428 wrote to memory of 2696	1428	rundll32.exe	120

C:\Users\Admin\AppData\Local\Temp\fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdd9249c6515cbcf37b6a78312f6dbf3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  C:\Users\Admin\AppData\Local\Temp\7za.exe x C:\Users\Admin\AppData\Local\Temp\a1.7z -aoa -oC:\Users\Admin\AppData\Local\Temp -plolmilf
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1440
- C:\Users\Admin\AppData\Local\Temp\ic9.exe
  "C:\Users\Admin\AppData\Local\Temp\ic9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 272
    3⤵
    - Program crash
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\E4U.exe
  "C:\Users\Admin\AppData\Local\Temp\E4U.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E4U.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5004
- C:\Users\Admin\AppData\Local\Temp\EuroP.exe
  "C:\Users\Admin\AppData\Local\Temp\EuroP.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /q /c "C:\Users\Admin\AppData\Local\Temp\Uxz..bat" > nul 2> nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:512
- C:\Users\Admin\AppData\Local\Temp\Gi.exe
  "C:\Users\Admin\AppData\Local\Temp\Gi.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\geurge.exe
    C:\Users\Admin\AppData\Local\Temp\geurge.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1936
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3804
- - C:\Windows\SysWOW64\sc.exe
    sc config wscsvc start= DISABLED
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4444
- - C:\Windows\SysWOW64\net.exe
    net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1884
- - C:\Windows\SysWOW64\sc.exe
    sc config SharedAccess start= DISABLED
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\tujserrew.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3104
- C:\Users\Admin\AppData\Local\Temp\tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\tbp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\BDCLoph.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\BDCLoph.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4532 -ip 4532
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BDCLoph.dll

Filesize
59KB

MD5
3007639996c51ee004616559afd17713

SHA1
5e3a5666b03ad0ef6b142022e98df371e52fbbc9

SHA256
f59196325f82ebda80cf0c8efefd0c1345afcd835f47219e484f3b95995cb3f0

SHA512
af758ef925b61e7ee82004ff3d3fe6884cda25afb7683139a92bf0ee4565e8628c777792d10889af1b016a6afd1fdf7836b3da6c92a91e1e955b52b0737d8d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4U.exe

Filesize
17KB

MD5
7e6e73e7fc425de45afd9fe2b752dc63

SHA1
662d4cda9dc247f570d2d3cb68d2f9a52ac65519

SHA256
98bea02a7fb98e4c3c3ec916d31c145d667660c477421391c96118f1f9348a8a

SHA512
ff82204793b6bf10415d5b08da1d137c2d27d4d0a1d18d7ca31604fbb372df5b3e54fcb369d2a28dd29ba7229af79b5fb3e5a288db37831d645471aaa632e0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EuroP.exe

Filesize
115KB

MD5
33cdcbd7a92d6ad28402996c2dbbddee

SHA1
0236321eadc076ddc4c3c5680e165b93acbed43c

SHA256
0e895d8e3b17000a61add0242a803f5e374fa005253c0f401f1e8ff6e5839547

SHA512
deea9548e5bdfeac0fe95ef0f8f9697eced2ffd07a36733f6fc9a0e9e4fd3e6f561076b3f2f6cc3c6c5b692ccc092c8cb404121215882adc686d155ad7f42b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gi.exe

Filesize
72KB

MD5
eef34ac2017f57554229ff9fe485bb73

SHA1
f7d23a4e9d561b69c1f2102cfce93936ed63a9bb

SHA256
1d3a38047829167637de9948c60f76047962f3b312c740ef1ea57b2b624c8b32

SHA512
8ee04d0c7215dab898e28e3ba3659029be382b45c8543c405fb05daf9a1df300970343e9690665114b690c9ee94bf4ff40efdc5a845203e0b87bbfd8a53f1185

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uxz..bat

Filesize
156B

MD5
0409d83b63abd89f94078ee412973aa2

SHA1
6a502a5acc8598437a742d5a0f84056ed25d5d15

SHA256
67bc9e3c95cfe47f4a94225e27b161d8d70dbea5c0a37c4e8a2b98cd4490151c

SHA512
268590394d0d84da0f83b4b51a96af50fe06dfe12c32976cb400815e44b94f1550e015b5bdd2addc30ded88a729ea5f17416ba7b5ddef3c237f846768e53b5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1.7z

Filesize
250KB

MD5
7d8de13c7aff86cf5c788b76904dddc0

SHA1
33588ca84170f60e8d905ea0da424c707c326b96

SHA256
2309bf3fcb08a0e87856d6ce5210aa7ed1d03f06df3b637b95d97b3240832bee

SHA512
b869b676d40a0bc210f4c3d57abe8f5effb9bee2c418bd843a1416df7ffd956c14377bf5f8a7e577da13487c9e688c710729d4e96b5dc4be16a74f3cf2ebc390

Download Submit
C:\Users\Admin\AppData\Local\Temp\ic9.exe

Filesize
80KB

MD5
e7231bb1bd728f85bc2f181c9f1491c5

SHA1
313b76ef8d91d67d99f6a1359c243a5b45d84d55

SHA256
919f9c0ac573f4313a50cf2ec32c1e24172d6f8f9b6f3082e5d3509b19552848

SHA512
73618baa39a8b899a803d1c079e5a44a3535a900bb3c5b6d25c43d9a43620151ce371a24102317579d88e7172c340d3620e58fdd7bb68b415d132ddd107c4897

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA209.tmp\ExecDos.dll

Filesize
5KB

MD5
a7cd6206240484c8436c66afb12bdfbf

SHA1
0bb3e24a7eb0a9e5a8eae06b1c6e7551a7ec9919

SHA256
69ac56d2fdf3c71b766d3cc49b33b36f1287cc2503310811017467dfcb455926

SHA512
b9ee7803301e50a8ec20ab3f87eb9e509ea24d11a69e90005f30c1666acc4ed0a208bd56e372e2e5c6a6d901d45f04a12427303d74761983593d10b344c79904

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
3KB

MD5
46e07fd3a40760fda18cf6b4fc691742

SHA1
53ee1a754bf5e94fa88a6ab8bb6120b4011afcfa

SHA256
bd7ca609d2fb63e14d08acab1091579c23e298b4fa2ac1e8d2daaff94fc107be

SHA512
ce13f6527cbd13002dca00b71ab38ab12e3f3f7138ada0780ad3f40e7c49946c018a00782ec957b1fd123fb439aabc0d9b3660829dabf10ddcebba08d6e2fbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbp.exe

Filesize
59KB

MD5
4c6afd1229f3b51008786b8c2cef3729

SHA1
d7ea831e4936dcd7e4816a617cfaa3b8b94fc631

SHA256
3ec2c3e848ff3ae552d5253e5d7df45e9c61ca3108a4af158456adb0e8248b14

SHA512
9c4d1b1f9c16bf99b9be5202a114bffacadf9c01a7266174f5594f722646175e6f41c8ec7755d59f899188c3dc5f6e79cf4799819a7bdfefb68cd411ccbb930c

Download Submit
C:\tujserrew.bat

Filesize
130B

MD5
d08cb97e3b90ca2dac463f834008b9b9

SHA1
3db0d4da98d144669284f50d9e8ea87a988ac93a

SHA256
033632928b0c1a737728bb51db824f5fc92c84cbebae99553e8a1f40bd05b8f9

SHA512
d843a43695c808bf3ee6088e5213f5b97f225412c36a41778a41a950c7459e4e9c4332b98bc9007544863e4d39b5f11bf15308ceeaceff7320847d301febe97d

Download Submit
memory/1120-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1120-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1428-93-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1428-88-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1428-60-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1428-58-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1428-90-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1428-79-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1428-96-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1916-45-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1916-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1936-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2084-40-0x0000000001ED0000-0x0000000001ED3000-memory.dmp

Filesize
12KB

Download
memory/2084-64-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2084-44-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2084-37-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2696-92-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3416-78-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3416-52-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3416-51-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download