Overview

overview

9

Static

static

3

2ffb2dc194...18.exe

windows7-x64

9

2ffb2dc194...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2024 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ffb2dc1947e351eebcafb5388b1b78d_JaffaCakes118.exe

  • Size

    130KB

  • MD5

    2ffb2dc1947e351eebcafb5388b1b78d

  • SHA1

    0694563b61bfa96f7b51e78ae62ee8fe4d3b7b1e

  • SHA256

    46264d841dc40c44d71e1973216c431c9786396aa9f368318c74a4b518cd14e0

  • SHA512

    78139cd9536ce9a0eb0718962aa0b03fe1624629f5ee841d2e4b7cc5eeecc21bca09df9083fbf09b1b3a30da41c6d980963b8567064fd7a99fe05f7be1e08e0e

  • SSDEEP

    1536:DmsuQJc7vZ1bZIgf8pC++5B3ZOk4EEJtlY463Q8asf74pIpJJR7EJTZ:DmQc7fbZh0pb+5L/3EJtlYdA8aS74goZ

Score
9/10
credential_accessdefense_evasiondiscoverypersistencespywarestealer

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 5 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

    discovery
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

    discovery
  • Discovers systems in the same network 1 TTPs 4 IoCs
    discovery
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ffb2dc1947e351eebcafb5388b1b78d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ffb2dc1947e351eebcafb5388b1b78d_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\ProgramData\Application Data\wmimgmt.exe
      "C:\ProgramData\Application Data\wmimgmt.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Users\Admin\AppData\Local\Temp\avp.exe
        C:\Users\Admin\AppData\Local\Temp\avp.exe
        3⤵
        • Server Software Component: Terminal Services DLL
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2092
        • C:\Windows\SysWOW64\NotePAD.exe
          NotePAD.exe "C:\Users\Admin\AppData\Local\Temp\VMvareDnd.log"
          4⤵
          • System Location Discovery: System Language Discovery
          • Opens file in notepad (likely ransom note)
          PID:1816
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\system32\EventSystem.dll",TStartUp 0x11
          4⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2036
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\avp.exe" /A /F /Q> nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1432
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\SysWOW64\findstr.exe
          findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2608
        • C:\Windows\SysWOW64\chcp.com
          chcp
          4⤵
          • System Location Discovery: System Language Discovery
          PID:600
        • C:\Windows\SysWOW64\net.exe
          net user
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:536
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user
            5⤵
            • System Location Discovery: System Language Discovery
            PID:712
        • C:\Windows\SysWOW64\net.exe
          net localgroup administrators
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:264
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1316
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2152
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:1212
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1108
        • C:\Windows\SysWOW64\find.exe
          find "REG_"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1132
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1208
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2492
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1060
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1804
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1548
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:716
        • C:\Windows\SysWOW64\reg.exe
          reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1752
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /all
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:1308
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -ano
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Connections Discovery
          • Gathers network information
          • Suspicious use of AdjustPrivilegeToken
          PID:2504
        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
          • Network Service Discovery
          • System Location Discovery: System Language Discovery
          PID:1732
        • C:\Windows\SysWOW64\NETSTAT.EXE
          netstat -r
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:920
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2508
            • C:\Windows\SysWOW64\ROUTE.EXE
              C:\Windows\system32\route.exe print
              6⤵
              • System Location Discovery: System Language Discovery
              PID:552
        • C:\Windows\SysWOW64\net.exe
          net start
          4⤵
          • System Location Discovery: System Language Discovery
          PID:964
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3056
        • C:\Windows\SysWOW64\net.exe
          net use
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo n"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1796
        • C:\Windows\SysWOW64\net.exe
          net share
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1780
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 share
            5⤵
            • System Location Discovery: System Language Discovery
            PID:780
        • C:\Windows\SysWOW64\net.exe
          net view /domain
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:1996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1952
        • C:\Windows\SysWOW64\find.exe
          find /i /v "------"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2272
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2212
        • C:\Windows\SysWOW64\find.exe
          find /i /v "domain"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2316
        • C:\Windows\SysWOW64\find.exe
          find /i /v "¬A╛╣"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1820
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2424
        • C:\Windows\SysWOW64\find.exe
          find /i /v "░⌡ªµª¿"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2236
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1872
        • C:\Windows\SysWOW64\find.exe
          find /i /v "├ⁿ┴ε"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1668
        • C:\Windows\SysWOW64\find.exe
          find /i /v "completed successfully"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1008
        • C:\Windows\SysWOW64\net.exe
          net view /domain:"WORKGROUP"
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:3052
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1016
        • C:\Windows\SysWOW64\find.exe
          find "\\"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2228
        • C:\Windows\SysWOW64\net.exe
          net view \\MUYDDIIS
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:2132
        • C:\Windows\SysWOW64\net.exe
          net view \\MUYDDIIS
          4⤵
          • System Location Discovery: System Language Discovery
          • Discovers systems in the same network
          PID:2688
        • C:\Windows\SysWOW64\find.exe
          find "Disk"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1608
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 1 MUYDDIIS
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2724
        • C:\Windows\SysWOW64\findstr.exe
          findstr /i "Pinging Reply Request Unknown"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Account Manipulation

1
T1098

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Account Manipulation

1
T1098

Defense Evasion

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

Query Registry

1
T1012

Remote System Discovery

2
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT
    Filesize

    43B

    MD5

    ca637e7477447b4e4c0716ebed1ac913

    SHA1

    104a46119a6660f5a9b7fdd5343e4912210f2769

    SHA256

    0fc5a5db4d3c561dacad7d8809fd81eef73fe89f4a12b499e0ccd01e7c0719ad

    SHA512

    b19fb6e7934319bbd07cb78da87b7122adbcf60d9e7f8c8190dfb55beb06ea13d1f1d2614d3ab5b3041d901a1e98655e74735d318bd02880fcae62dfa312fdc4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT
    Filesize

    7KB

    MD5

    cb1eb2d63f2fa9719ffc9a181b276a22

    SHA1

    bfa7bcf1300892aeaa70bb3803103a0f359cad7e

    SHA256

    a7d990d44a9782f65e62b8f8e777a32a45d6c7629e706021b0471135c71dc26b

    SHA512

    1bfd988d45cf0e40a0e0bf5bb36fa0f4b6f9c227d8e1c18dd29ac70abb96c0fe2563fc20a5f2a472a4edfccb50f184cd98680c00a0f1d82213a0373267873f99

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT
    Filesize

    15KB

    MD5

    d3ca12463c2df887766d9d6d211abb9a

    SHA1

    580e4c9949b77d3fd3f348cef8241813ed59bd42

    SHA256

    31d591909d5e33850a88f25e3019da00d59cd240289106fab7d6894875ed5c01

    SHA512

    6c6aec75050129b82ca050dec7a484b01dd47b2550908ba5746f95588b5efaedc4686f1862e1a547b65befa2337dc31454c284276877360db3f8f6d36660e98c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\INFO.TXT
    Filesize

    24.9MB

    MD5

    1c8a34757bd202387080fbd162349887

    SHA1

    93dda7d897afa563896fd46d50b0d4011b3299d7

    SHA256

    8afee45e321b14244aa5f0c2a9dd124c4f79dd3f66b88bb8e56cdf88a40a501d

    SHA512

    b07de3db74932db4cdb88d4f14e9253e2846a5dedfb3f0d5c4f56eb1e488ef992f17f3ea22586a093f55ac88795e36c81963c57dfb89178359ae87b5603c9586

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\drivers.p
    Filesize

    15B

    MD5

    4ff8e80638f36abd8fb131c19425317b

    SHA1

    358665afaf5f88dfebcdb7c56e963693c520c136

    SHA256

    6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

    SHA512

    d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ghi.bat
    Filesize

    3KB

    MD5

    b98e8fcde49a1caee295a6bd3d264e56

    SHA1

    71c82391a8617212ad48c8d79755e71be2e20be9

    SHA256

    e369c7e2e7ac0280882693038b213be0309c910df62f35a5159a125ecd18fb9a

    SHA512

    fb5fa414449e7dd4ce1fedcb92487f59ed18d7fbd3146eb59ec8f7256d68551adebb7d35e859fe7b6bce5a0b042b0de1e9ee56369a8686976dd121b44ff46742

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\s.log
    Filesize

    153B

    MD5

    b256c8a481b065860c2812e742f50250

    SHA1

    51ddf02764fb12d88822450e8a27f9deac85fe54

    SHA256

    b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12

    SHA512

    f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\s.log
    Filesize

    64B

    MD5

    e29f80bf6f6a756e0bc6d7f5189a9bb2

    SHA1

    acdd1032b7dc189f8e68b390fe6fd964618acd72

    SHA256

    8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7

    SHA512

    f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\t.log
    Filesize

    72B

    MD5

    59f2768506355d8bc50979f6d64ded26

    SHA1

    b2d315b3857bec8335c526a08d08d6a1b5f5c151

    SHA256

    7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569

    SHA512

    e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\workgrp.tmp
    Filesize

    234B

    MD5

    9849feb6ad812a7e1ac909738b31da9a

    SHA1

    cf01ec9aece21ffdd610f9c6e29bd9fcc9466114

    SHA256

    d547e4e9b3633d74b9c05f4d394955fa691739bcaa6f80ca9854e3d296555612

    SHA512

    a19058ecfb5e37473f7cef9c0958de2c83ac48c810d57473bd106801101bd24a04f1702cbcde9a64db5a22e9b70f23c68748f601d954e0dde2692e915221ce7e

    Download Submit

  • C:\Windows\SysWOW64\EventSystem.dll
    Filesize

    60KB

    MD5

    66619fc139964fa43428cf904f62cf32

    SHA1

    b91a5969f241e73476595f52d5b976026ef32edf

    SHA256

    c5344560b0add73121b5d082f972781408e029a24924ca8d4afbb02e7a5e4119

    SHA512

    984a021438c8f236b2e0c267b89953a541897b1e53c09b03982eef83030d5370f19e05d2163fc364e5b5745562946a935fd9eea0c488529cc038b32174c3dfe0

    Download Submit

  • \ProgramData\wmimgmt.exe
    Filesize

    130KB

    MD5

    2ffb2dc1947e351eebcafb5388b1b78d

    SHA1

    0694563b61bfa96f7b51e78ae62ee8fe4d3b7b1e

    SHA256

    46264d841dc40c44d71e1973216c431c9786396aa9f368318c74a4b518cd14e0

    SHA512

    78139cd9536ce9a0eb0718962aa0b03fe1624629f5ee841d2e4b7cc5eeecc21bca09df9083fbf09b1b3a30da41c6d980963b8567064fd7a99fe05f7be1e08e0e

    Download Submit

  • \Users\Admin\AppData\Local\Temp\avp.exe
    Filesize

    72KB

    MD5

    ec888fb39c475f42e61b646e0b072ad4

    SHA1

    5b66e53fe6eb11f7ab98f8a3e3ba7476b40438c4

    SHA256

    e766d53429ae9a4898f2f74edcce2b7c9e34bbf4aed7091f591c246eaf0af844

    SHA512

    9801940c2641109674cce96a7de6573ef18e28b695d9b8a6433c538c3efb4a11921f9d53c235bb22c844c49baad0f3544c425d1840f3dc416b06a07dfeedd2ff

    Download Submit

  • memory/2076-22-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2668-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2668-5-0x0000000000270000-0x000000000029A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2668-10-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download