1545645f6c5ecc9f14ee924de8ad3dea051e24a8fca9b34beedf958cae0c1b90

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe
Size

3.6MB
MD5

fe196add855b16dc1b8e80729610a4e0
SHA1

f44efb48cda5958e5603b36d1a59709a847fc0e7
SHA256

1545645f6c5ecc9f14ee924de8ad3dea051e24a8fca9b34beedf958cae0c1b90
SHA512

78285eb98cefe794720d198509e4ccacfead6546dd0d70594bc137a41c99b6db2d8f5db1a5b674283396165b5fda7a970d34dff376dead59ba67c5e583e2075a
SSDEEP

98304:qGk6+Wzyy2Js1c8YlQvtGSpQVYQahXSj68h761:DtZz9msbEbvVY06CQ

Score

9^/10

discovery evasion execution

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Executes dropped EXE 3 IoCs

pid	Process
1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp
1260	gentlemjmp_irow.exe
3036	gentlemjmp_irow.tmp

Loads dropped DLL 10 IoCs

pid	Process
2420	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe
1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp
1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp
1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp
1260	gentlemjmp_irow.exe
3036	gentlemjmp_irow.tmp
3036	gentlemjmp_irow.tmp
3036	gentlemjmp_irow.tmp
3036	gentlemjmp_irow.tmp
3036	gentlemjmp_irow.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp

Enumerates processes with tasklist 1 TTPs 21 IoCs

discovery

Process Discovery

T1057

pid	Process
2748	tasklist.exe
1928	tasklist.exe
2472	tasklist.exe
700	tasklist.exe
1100	tasklist.exe
1284	tasklist.exe
1704	tasklist.exe
1124	tasklist.exe
2212	tasklist.exe
2624	tasklist.exe
2700	tasklist.exe
1552	tasklist.exe
2256	tasklist.exe
2680	tasklist.exe
1148	tasklist.exe
1004	tasklist.exe
2356	tasklist.exe
1620	tasklist.exe
2412	tasklist.exe
1576	tasklist.exe
1056	tasklist.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2484	powershell.exe
2108	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gentlemjmp_irow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NETSTAT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2636	NETSTAT.EXE
2988	NETSTAT.EXE
2068	NETSTAT.EXE
2824	NETSTAT.EXE
2728	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2484	powershell.exe
2108	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2748	tasklist.exe
Token: SeDebugPrivilege	1928	tasklist.exe
Token: SeDebugPrivilege	1148	tasklist.exe
Token: SeDebugPrivilege	1004	tasklist.exe
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	2356	tasklist.exe
Token: SeDebugPrivilege	1552	tasklist.exe
Token: SeDebugPrivilege	1620	tasklist.exe
Token: SeDebugPrivilege	2412	tasklist.exe
Token: SeDebugPrivilege	1100	tasklist.exe
Token: SeDebugPrivilege	1284	tasklist.exe
Token: SeDebugPrivilege	1704	tasklist.exe
Token: SeDebugPrivilege	2472	tasklist.exe
Token: SeDebugPrivilege	1124	tasklist.exe
Token: SeDebugPrivilege	700	tasklist.exe
Token: SeDebugPrivilege	2212	tasklist.exe
Token: SeDebugPrivilege	2256	tasklist.exe
Token: SeDebugPrivilege	2068	NETSTAT.EXE
Token: SeDebugPrivilege	2824	NETSTAT.EXE
Token: SeDebugPrivilege	2728	NETSTAT.EXE
Token: SeDebugPrivilege	2636	NETSTAT.EXE
Token: SeDebugPrivilege	2988	NETSTAT.EXE
Token: SeDebugPrivilege	2624	tasklist.exe
Token: SeDebugPrivilege	1576	tasklist.exe
Token: SeDebugPrivilege	1056	tasklist.exe
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeDebugPrivilege	2108	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1644	2420	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1644	2420	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1644	2420	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1644	2420	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1644	2420	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1644	2420	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe	30
PID 2420 wrote to memory of 1644	2420	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe	30
PID 1644 wrote to memory of 2792	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	31
PID 1644 wrote to memory of 2792	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	31
PID 1644 wrote to memory of 2792	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	31
PID 1644 wrote to memory of 2792	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	31
PID 2792 wrote to memory of 2484	2792	cmd.exe	33
PID 2792 wrote to memory of 2484	2792	cmd.exe	33
PID 2792 wrote to memory of 2484	2792	cmd.exe	33
PID 2792 wrote to memory of 2484	2792	cmd.exe	33
PID 1644 wrote to memory of 2884	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	35
PID 1644 wrote to memory of 2884	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	35
PID 1644 wrote to memory of 2884	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	35
PID 1644 wrote to memory of 2884	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	35
PID 2884 wrote to memory of 2036	2884	cmd.exe	37
PID 2884 wrote to memory of 2036	2884	cmd.exe	37
PID 2884 wrote to memory of 2036	2884	cmd.exe	37
PID 2884 wrote to memory of 2036	2884	cmd.exe	37
PID 2036 wrote to memory of 2748	2036	cmd.exe	38
PID 2036 wrote to memory of 2748	2036	cmd.exe	38
PID 2036 wrote to memory of 2748	2036	cmd.exe	38
PID 2036 wrote to memory of 2748	2036	cmd.exe	38
PID 1644 wrote to memory of 2892	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	39
PID 1644 wrote to memory of 2892	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	39
PID 1644 wrote to memory of 2892	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	39
PID 1644 wrote to memory of 2892	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	39
PID 2892 wrote to memory of 2632	2892	cmd.exe	41
PID 2892 wrote to memory of 2632	2892	cmd.exe	41
PID 2892 wrote to memory of 2632	2892	cmd.exe	41
PID 2892 wrote to memory of 2632	2892	cmd.exe	41
PID 2632 wrote to memory of 1928	2632	cmd.exe	42
PID 2632 wrote to memory of 1928	2632	cmd.exe	42
PID 2632 wrote to memory of 1928	2632	cmd.exe	42
PID 2632 wrote to memory of 1928	2632	cmd.exe	42
PID 1644 wrote to memory of 1508	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	43
PID 1644 wrote to memory of 1508	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	43
PID 1644 wrote to memory of 1508	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	43
PID 1644 wrote to memory of 1508	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	43
PID 1508 wrote to memory of 2656	1508	cmd.exe	45
PID 1508 wrote to memory of 2656	1508	cmd.exe	45
PID 1508 wrote to memory of 2656	1508	cmd.exe	45
PID 1508 wrote to memory of 2656	1508	cmd.exe	45
PID 2656 wrote to memory of 1148	2656	cmd.exe	46
PID 2656 wrote to memory of 1148	2656	cmd.exe	46
PID 2656 wrote to memory of 1148	2656	cmd.exe	46
PID 2656 wrote to memory of 1148	2656	cmd.exe	46
PID 1644 wrote to memory of 2936	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	47
PID 1644 wrote to memory of 2936	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	47
PID 1644 wrote to memory of 2936	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	47
PID 1644 wrote to memory of 2936	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	47
PID 2936 wrote to memory of 1948	2936	cmd.exe	49
PID 2936 wrote to memory of 1948	2936	cmd.exe	49
PID 2936 wrote to memory of 1948	2936	cmd.exe	49
PID 2936 wrote to memory of 1948	2936	cmd.exe	49
PID 1948 wrote to memory of 1004	1948	cmd.exe	50
PID 1948 wrote to memory of 1004	1948	cmd.exe	50
PID 1948 wrote to memory of 1004	1948	cmd.exe	50
PID 1948 wrote to memory of 1004	1948	cmd.exe	50
PID 1644 wrote to memory of 2788	1644	fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp	51

C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\is-HSI9Q.tmp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HSI9Q.tmp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp" /SL5="$400EC,3326047,56832,C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\ex.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq newversion.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq newversion.tmp" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Setup.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Setup (1).exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Setup (2).exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:896
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:2652
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Fiddler.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:2408
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Wireshark.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
      4⤵
      PID:2404
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Capsa.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:408
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq ipscan.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
      4⤵
      PID:944
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Procmon.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c tasklist /FI "WINDOWTITLE eq Process Monitor*" |find "PID"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "WINDOWTITLE eq Process Monitor*"
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\SysWOW64\find.exe
      find "PID"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:792
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq regedit.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:3032
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Taskmgr.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
      4⤵
      PID:1668
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq OLLYDBG.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:2492
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Regshot-x64-Unicode.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
      4⤵
      PID:1752
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq Regshot-Unicode.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\cmd.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5900 " | findstr /C:"ESTABLISHED"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1748
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5900 "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5901 " | findstr /C:"ESTABLISHED"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2824
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5901 "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5902 " | findstr /C:"ESTABLISHED"
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5902 "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2324
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5903 " | findstr /C:"ESTABLISHED"
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2636
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5903 "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C netstat -na | findstr /C:":5904 " | findstr /C:"ESTABLISHED"
    3⤵
    PID:2748
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      netstat -na
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:2988
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:":5904 "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2668
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /C:"ESTABLISHED"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:476
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq TeamViewer_Desktop.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:2656
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq DFServ.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:1948
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq unchecky_svc.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C ""CheckProc.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
      4⤵
      System Location Discovery: System Language Discovery
      PID:2960
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq unchecky_gb.exe" /FO CSV
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
- - C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\gentlemjmp_irow.exe
    "C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\is-JVE35.tmp\gentlemjmp_irow.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JVE35.tmp\gentlemjmp_irow.tmp" /SL5="$1F01EE,2930134,56832,C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\gentlemjmp_irow.exe" go=ofcourse product_id=UPD xmlsource=C:\Users\Admin\AppData\Local\Temp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\ex.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -NoProfile -NoLogo -Command "& {$avlist = @(); $os = Get-WmiObject Win32_OperatingSystem; if ($os.ProductType -eq 3) {Write-Host \"ServerOS|0\";} elseif ($os.Version -like \"5.*\") {Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct | ForEach-Object {Write-Host \"$($_.displayName)|$(if ($_.onAccessScanningEnabled) {\"4096\"} else {\"0\"})\"};} else {Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiSpywareProduct | ForEach-Object {$avlist += \"$($_.displayName)|$($_.productState)\"};} Write-Host ($avlist -join \"*\")}"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Process Discovery

Query Registry

Software Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\ex.bat

Filesize
786B

MD5
36cd538e59563dd6dfaaf744a718612e

SHA1
6c02de74a7ff4db0b3c5cacb5443211147c5427f

SHA256
3b72290ba3027448f40e3c64d19be827366731ae2369c87989a60269415fcf54

SHA512
caf38e1ed469201e35e2623d48bde8cad5eae8d6a983fa8afbc42cd3dfa6791e34b48f6eb5a50d730b7fb71749b5fdd621e3f5ad291c82395c3d78347e1cb607

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
128B

MD5
dae8768bbb8a4fddc4dca8eae7c4d65f

SHA1
385ffb932fcff489392536d62e291ed9e0beea98

SHA256
ca1bf4fe8a59a31f06a4f2d975671fbb2eeca33d40b0c35318f2131a118754cf

SHA512
492feada84b7064547bd6d22ed13cf6949156eb3daa9af5aa9c3da44dd6ac7e540904c494de14a7858d498944ab51c7525caac3c9aa933d1e55ca35442c075b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
118B

MD5
f0315949ccc3d22d958503f5735cfbcc

SHA1
883bf4e366046eb1ef6e2d81fd74fe75ae73b2c0

SHA256
201c4e665ce446e067cb152d1c3834e416f6a09a9e6d7c45c20f1bc1cc74534d

SHA512
aa1faa44ba8f47052bf236d5135dc70f1293028663f4abbc7cc043277428217b047b25d6e6691c1685db52bd2065f0d5c4306d9db590696773c3becf2481a251

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
144B

MD5
e902b4bcf5b531d057d091d00be3daee

SHA1
0cd058fcfab51dbfe91b139dc52245d5a4326f55

SHA256
9daadc1e6c019a712e5236eafc29e687ea79efd4de1310dc2eeb1ed165ea26c3

SHA512
5f7a84040b4bbf46173ff5404d970af5cb3e54c0dfc0d6ab6b161c2f417b6b1a023abe7b9f2b723b2985511894649c54c045204de01b2a52a51d7143e8f82c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
128B

MD5
6a745081c62a706c014a876f45b5a56b

SHA1
25f17fcc50dd202d2381c00970e2dc04c2ad9707

SHA256
e9f9690b327cf24e6c260f93232dd4b961d82a709c16589ba72aabcdba0c039c

SHA512
a420efa894ef6fedad4fafd5e15042f947ff96a169031b7299afeba797bcaefa675508f72f57bfa8452a35d61314a544e26bc535ddb61a0cdfdca03c07ae372f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
126B

MD5
110d64c0e450ff59542f81690a2d53b7

SHA1
7f2e989deb095a0530792989e5fa9d7279d5f3e7

SHA256
735ca381b6d3cbb675e698aa92222566d5174c0fbdf7807605f105c512c9fa1e

SHA512
00b86a1fd4db9e8861d3973a395c34b41a5a277901552b66ac671ced492638174f256785f563bfad263bc93315544bce87c91d26bd48a39fbab7daccceae0d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
120B

MD5
c842d438cebab4b876572a8bc032aabe

SHA1
e95c7d4e2f6246daba6f0baec8e1b94c91384c4d

SHA256
ef7d9a0d456e1901b0bdebdce961d480bcf8270a7d7646591bdc2886c8716218

SHA512
aa8a28a1b0a0b9b65db195863fec9b903ffa335ccee7d50dc514f5d9c63f2ca51b2bf52694879adf43021cedfc4c5f8e7c3c90bb6dc493114a700cd79cce183c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
126B

MD5
8fec1ab28e8ee7394915990458fb85dc

SHA1
c70e183a783a9621cd64584de99f8163deb40872

SHA256
b96251154ddbfd11d36e74eae84537229912a54dcb86f1277deab084322ce4dd

SHA512
c33223c094764b9704ced1ab6256aa227873c2be81acce328d12113504e55716563ad561641b726dcd2939c6237b4a4dad522512a4f59e3f805f91ffaf3a3be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
132B

MD5
410515fbd7d2a2b4fab0fb80c76c2a74

SHA1
f32bd4fc7ade9efdc92b99e79a0b2f95edfc5893

SHA256
6b398a1053c39530e13afb3bad98900d9a5a6d27523a0c5d44c746afb539fe99

SHA512
f301aaeb96aa848eb6823830397c9fb12086db558663235c8b0882cefe2ae105cc75e2cc70315ce2fdfa17d3538427f4afa6a9cf24834a884a10cb4cb87652aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
132B

MD5
97cc4c6dda23b9631b8c9185859ad061

SHA1
5f912a6c094bd918afe5e9f0c70cd45b36dff722

SHA256
55b728e4cc0974b19641d1dc77df0f381f244b254d39e2566dcf525b9d106cd8

SHA512
cf82517f44425d402305129821cff7668c5db27d5427b8a8886e99146a1a56ef43b8055e6c62929fbfdf293a88664a760e49443ac89453fa3163ed1ebfb8469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
130B

MD5
0cbb771b9f9523adb96d5bae77154a05

SHA1
528330a335047039ab012b01bb7a3f585e6f5a8d

SHA256
4b6e256fc13fdb04ac97e583dda99f6ade2356f9c692f5150b262d3e464bd71e

SHA512
41f44acafb84b24e15ebee4a18c2ae39c06ad401db2272939ad1d650c27e1a219d7c05df63a7ec2ab0676c7ed34ca5c7ed1d4cfaa143998e90ce12f13875f0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
122B

MD5
b921f2f9f97a642d513e1307f7685e0f

SHA1
3489b63a484a6114f1828100908bbbc622b07ed1

SHA256
953998031a5ac3582232545f923b32f02587fb233791a0326b889f28af4cfabc

SHA512
1da42e0ed2dca9f2a559739c6a0c6b28a54e0d8d0617bec542729a362dd0f36f9287bcd4433c9cabd7db7430e7295f6879c7777a86035c4f3c86b3b05847ae0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
126B

MD5
b35e8ab65e7f8a4edb3663885f775681

SHA1
49b66b2e3cff64dd7d8315c53d852c19a46e8609

SHA256
9b78165c2b44ba6675654f776e34815c19482a84c87e6a7dc9d1a68d3d5a5e53

SHA512
3ec1fad817117f00f620103666b1caa2ece51b9cc1a9b3fb2142d57aedc745e9bc69608e0cb2a2eff1879c7ad6741b66751049020620bac8659598080404adcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
118B

MD5
f1b6aae3dcd94b94aee326517e3dc583

SHA1
3418fdda1ad30df64d7bac068e1a0c4e305cfd75

SHA256
a02aa2b143a8e126b1a044e1f036a912a0ac134e8e1f56836805b15819e43f6b

SHA512
dae27c24d2ef685e4f968dcd91cda18bfa605fd924b1bf928307107630bd671d6623e78451d3f397dfc93cc4e1c0f74c25e962b5669e2350a79b72ec061ec1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
120B

MD5
d93cc818d32f755945cddfc02b29fb89

SHA1
fc564e791326d269d005c894cfca674352dae814

SHA256
c3fabcab01d67640320ce0a5354e4fc6a7832beebe2e9a7610f43614eefce32c

SHA512
62c20691da188a45b59c468826706ed47ad285d9e23996b714c03b4c639d87d93b57e22f9e4504be42a742ee4c64657d87565f9ce65b677d05f66d0bbef0e0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
122B

MD5
660d266764b1952b43431d6c7dc0dfa9

SHA1
809794738d6ca580d6ec14e77a717e831b0d0e5c

SHA256
e3c86ead8667eac8c9ea88e2ee5f5f14f0f0be59a54864f99cbee17d554f74e5

SHA512
6fc27ec6f453c2791aa9d0c38817128ed8e2fff26748fbe0cfee6411d8a120970494b3504078a3079c90d409434f22b35974efd5cbbaf14ce3657715fc18f4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
122B

MD5
59a8010aab7eb203cd9fda8f6be1beca

SHA1
b9a07636b921183c88880320294e279c935cddd7

SHA256
2a5b80a6a1522b75fda6e7f99ceb912bc7db1bd6be11995fdcbde1ab7d836dba

SHA512
26ae700f89e827f9d5f8d29c7f393eb3e5885d32266591d61b20ffd7ba1d08dfbc0e6e9368c94288185a01960cbd0a8ce96b063187396465e640e963e9b3666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
122B

MD5
a59dd0f9883ea39c5119831b0eed46cc

SHA1
8c9354051f7d92310636f0f17e5770aede9d1ad3

SHA256
ff1f1293c860b0709d0244a8c6a29294543efdc698a70469e1cd388c0db84493

SHA512
4a07eac5507fc174879eb960becf19b3a20b224232f74dfeb28d393bed3f181a0d4020efb9b656000d4ce756491c44f4f5a86dec184feca593c9bf6bd8700dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
122B

MD5
32b997a9d994996a4369a580e6541b7d

SHA1
d61b48404dd6f6dd43d90858ffb7ddb967ecb1f1

SHA256
39863141871b63880b4282066451321a902a7e6b97264c9ffdfd8128ac8293b8

SHA512
f3ff262b5986436671b4cf970d2ab4eb0dfd3d70651e7e84c8ae38788ef12032db825b81e6e1d8c4f20f0aa5a8067e6e7943b7e3e3c9817e97f0ab227f3fbe1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
146B

MD5
f0b99c1273d3787f7769feb4d56e6803

SHA1
6105232df9585072be8ca04712f8760812943cbf

SHA256
176a95493ca3bbfc9a68b4283b53a291faef0f9a7c413b43e1bdad86834a820d

SHA512
73b313c0046f6fcec974f2af64859c0af122e9f86503c7427519b7d2aaaf67e2f8cc68de17b93f24604aff815b843fce9a01571c1db48d3c12867e49daab0133

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\CheckProc.cmd

Filesize
138B

MD5
755c6764b8ecbb83798450705f51510f

SHA1
deb141c4fc3220f0ff5c16eabf1adf850bf55610

SHA256
cfe680c9896cade2f5163ee0a463a7f7dbae7ee4aadf8de15c6c119a1d582016

SHA512
a6292b9416cbbc4a407d143acd502b6a726abb5411309e292f6696a7e55ecb5b78b4bdc764dc3484e85a5a40f21d410018172544b00882759b251aa9dce5df89

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\av.txt

Filesize
24B

MD5
f8f8258012893e0a2c957d226bdd7587

SHA1
ed482b5f912ef2d31e2b231df6b6e3b64967390c

SHA256
c341965a331692b4f79eed856a7da98c550d74fdef27d1241893284f1b51c3d2

SHA512
6e563814e4347ffa1da1d4d26ab45430987d5224c22278e1ee41b207700eb263aaab1e69088a5eeb267fdd385f36a61c0c66415f5df0887162eefbcbec9d19d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\cmd.bat

Filesize
81B

MD5
c1a281bc192d835fb5039af1444e4495

SHA1
41986e235e2004d634ecac3690876cf0bda7083f

SHA256
97762769b307aaa4f23972f0a9cbb3f143195a868158c7981b58bbe80bf01cd9

SHA512
0872a60c2d5f9351e88485fb55e51171923c5f3a6af851f04334a849275aa395b5382e6351d6c096d99850b71fc60bad681db35cf4780ab81f54b63abca1121c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\ex.bat

Filesize
786B

MD5
ee9522d27f49ed7147090bf8df0e2523

SHA1
efde2595427165f15ec21db1cff9855ec4233204

SHA256
0e00f23568eec284372ef9dfc6b426f903b7d436e71037ef12cae76313c5a350

SHA512
bc206f483396674fd4973ae5b85c72bf3abc01d7ca639d52255e0464f75f2caf5386710f5d0fd1c2fdb21d5d13c583324e980c4946764156cc9461e95c892595

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\favicon.ico

Filesize
10B

MD5
f0b81e3ecd1b5d144558da07bece8803

SHA1
9ee5bf12a207859d89dc893b8d02bd5c739edb52

SHA256
dd7aaa38192189cbf2adfc9416289be6ea3c2e10f2ca08bae453cb1df66babc1

SHA512
774a7485d316be62ca6a2303cf0e8f59611b804eb2d518dd76bcdbf755544818032be367d9c2d5ad778059b0c2da2d5a0e46e2a5420d6fd2da3cc0b2bcbe34a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8b6af927c2382693c72a0cdfada13697

SHA1
1e1475132b56e71d45e108f28fff39d8d73233c6

SHA256
8fc3646aa6d6aec5874004005a7e6e2c423517f46662a0e6a0aa15f0052415a8

SHA512
af17135e38537dc71e4a4ca11e87e68d7c6da2313d83feec7f695f37b0e41319c0ed8baada5c5ecf0cb58b404f0ffb622fdb995822d671eb767c90edec67ba5e

Download Submit
\Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\isskin.dll

Filesize
385KB

MD5
92c2e247392e0e02261dea67e1bb1a5e

SHA1
db72fed8771364bf8039b2bc83ed01dda2908554

SHA256
25fdb94e386f8a41f10aba00ed092a91b878339f8e256a7252b11169122b0a68

SHA512
e938d2a1870ccb437d818b5301e6ecffaa6efbf4f0122e1a1ae0981057d7d0376039ea927c6fd326456da2d6904803fca26b87245367a4c5de2aebc47bdcd4b5

Download Submit
\Users\Admin\AppData\Local\Temp\is-BH6H4.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-HSI9Q.tmp\fe196add855b16dc1b8e80729610a4e0_JaffaCakes118.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-JDNI7.tmp\gentlemjmp_irow.exe

Filesize
3.1MB

MD5
73c268bbbcf0210b4d1934f7825cac9e

SHA1
3fda7eaf519a812cff0dd096237791a54287ba57

SHA256
5ccf34bc8359ab18d938a4deada58b03138849340e9f30424d578b2b2bdc2e54

SHA512
ecb28b96b032581a69b7738b1a9531a2a0409d35f39a422bfcbb62912cb30538372bc698c3603889a6bf884e3c63d021db896d60b7e2fc12abd2b362b1a6bc37

Download Submit
memory/1260-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1260-108-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1644-109-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1644-10-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2420-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2420-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2420-111-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3036-106-0x0000000001ED0000-0x0000000001EE5000-memory.dmp

Filesize
84KB

Download
memory/3036-105-0x0000000003940000-0x000000000397C000-memory.dmp

Filesize
240KB

Download
memory/3036-104-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3036-93-0x0000000001ED0000-0x0000000001EE5000-memory.dmp

Filesize
84KB

Download
memory/3036-89-0x0000000003940000-0x000000000397C000-memory.dmp

Filesize
240KB

Download