Overview

overview

10

Static

static

3

3678809488...18.exe

windows7-x64

10

3678809488...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    367880948831b247358728239d1c18ee_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    367880948831b247358728239d1c18ee

  • SHA1

    9c75b5d6ce4857511aeef26a2705f11cc75942ab

  • SHA256

    0ec21ae549555594cf9d4876cf39f955fb298c52a85a88c99c5c91f20a799b10

  • SHA512

    11642f0cbd19c47e3edeb5c3d2cb1c9e84d39e7eddbdb563996c80e5ad5410b42e949c55a969e65fdbf67cf902e514aeb08f15e21a9fc559d19a56e38fe623e6

  • SSDEEP

    24576:QJORhY9rll/P+K9FMVhgoQ2W1VqCREEAU4t75foAo4j6JnmAqm6kQXi8nV:1hM7Pl9FMVKoU1VFIt75f1ooCUQQX

Score
10/10
ardamaxdiscoveryevasionexecutionkeyloggerpersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Disables service(s) 3 TTPs
    evasionexecution
  • Modifies Windows Firewall 2 TTPs 4 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 53 IoCs
    evasion
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\367880948831b247358728239d1c18ee_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\367880948831b247358728239d1c18ee_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4108
    • C:\Windows\install.exe
      "C:\Windows\install.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:592
      • C:\Windows\SysWOW64\28463\EJTJ.exe
        "C:\Windows\system32\28463\EJTJ.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        PID:1124
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\avkiller.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Windows\SysWOW64\net.exe
        net stop wscsvc
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3220
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop wscsvc
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2392
      • C:\Windows\SysWOW64\sc.exe
        sc config wscsvc start= disabled
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:2352
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall set opmode mode=disable
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4756
      • C:\Windows\SysWOW64\net.exe
        net stop SharedAccess
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop SharedAccess
          4⤵
            PID:1312
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgcc.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3996
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgcc.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2868
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgamsvr.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4636
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgupsvc.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3440
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgw.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3028
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgcc32.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4580
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgctrl.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1100
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgserv.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4092
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgserv9.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3848
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgserv9schedapp.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:408
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgw.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2848
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgemc.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4188
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashwebsv.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3960
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashdisp.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2760
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashmaisv.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4344
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashserv.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5044
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im aswUpdSv.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:640
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ashwebsv.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3176
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im nod32krn.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3908
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im nod32kui.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3224
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avcenter.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3468
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avcmd.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4564
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avconfig.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4516
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avguard.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1620
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avgnt.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4332
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avnotify.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4336
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im avscan.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3920
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im guardgui.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4768
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im licmgr.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1000
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im sched.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2128
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im preupd.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4372
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set opmode mode=disable
          3⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:772
        • C:\Windows\SysWOW64\net.exe
          net stop SharedAccess
          3⤵
            PID:1708
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop SharedAccess
              4⤵
              • System Location Discovery: System Language Discovery
              PID:5004
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im clamscan.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:852
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im clamTray.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:592
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im clamWin.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:5108
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im freshclam.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4844
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im oladdin.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1392
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im sigtool.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3568
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im w9xpopen.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im Wclose.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4896
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall set opmode mode=disable
            3⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2888
          • C:\Windows\SysWOW64\net.exe
            net stop SharedAccess
            3⤵
            • System Location Discovery: System Language Discovery
            PID:4708
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop SharedAccess
              4⤵
              • System Location Discovery: System Language Discovery
              PID:4156
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im cmgrdian.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1048
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im alogserv.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3472
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im mcshield.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4088
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im vshwin32.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1524
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im avconsol.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1532
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im vsstat.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1420
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im avsynmgr.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2484
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall set opmode mode=disable
            3⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:3160
          • C:\Windows\SysWOW64\net.exe
            net stop SharedAccess
            3⤵
            • System Location Discovery: System Language Discovery
            PID:1196
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop SharedAccess
              4⤵
              • System Location Discovery: System Language Discovery
              PID:912
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im avadmin.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3228
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im avcenter.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4408
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im avgnt.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2572
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im avguard.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2912
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im avnotify.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2696
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im avscan.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2036
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im guardgui.exe
            3⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1824

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      System Services

      1
      T1569

      Service Execution

      1
      T1569.002

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Defense Evasion

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Network Share Discovery

      1
      T1135

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Service Stop

      1
      T1489

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\@7FAF.tmp
        Filesize

        4KB

        MD5

        c3679c3ff636d1a6b8c65323540da371

        SHA1

        d184758721a426467b687bec2a4acc80fe44c6f8

        SHA256

        d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

        SHA512

        494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

        Download Submit

      • C:\Windows\SysWOW64\28463\AKV.exe
        Filesize

        395KB

        MD5

        b8fa30233794772b8b76b4b1d91c7321

        SHA1

        0cf9561be2528944285e536f41d502be24c3aa87

        SHA256

        14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

        SHA512

        10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

        Download Submit

      • C:\Windows\SysWOW64\28463\EJTJ.001
        Filesize

        504B

        MD5

        86d2e4a71854895574ede8d194a395de

        SHA1

        31a219bdd135539d7a1c2207ca4d0f1842b1fa73

        SHA256

        7839e00aedf6bf3ca811d7745a84919c5289f602b90544d2e36a78b08504c052

        SHA512

        93a95163b31cee98f9b352b7b3b0edc6927086d2f22a62608b0e650d246e41f15a786ead5aa7c9d72a21ffd640829fc3ac376e698b4affbc4d86197e480d32f9

        Download Submit

      • C:\Windows\SysWOW64\28463\EJTJ.006
        Filesize

        8KB

        MD5

        43f02e9974b1477c1e6388882f233db0

        SHA1

        f3e27b231193f8d5b2e1b09d05ae3a62795cf339

        SHA256

        3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

        SHA512

        e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

        Download Submit

      • C:\Windows\SysWOW64\28463\EJTJ.007
        Filesize

        5KB

        MD5

        b5a87d630436f958c6e1d82d15f98f96

        SHA1

        d3ff5e92198d4df0f98a918071aca53550bf1cff

        SHA256

        a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

        SHA512

        fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

        Download Submit

      • C:\Windows\SysWOW64\28463\EJTJ.exe
        Filesize

        473KB

        MD5

        17535dddecf8cb1efdba1f1952126547

        SHA1

        a862a9a3eb6c201751be1038537522a5281ea6cb

        SHA256

        1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

        SHA512

        b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

        Download Submit

      • C:\Windows\avkiller.bat
        Filesize

        2KB

        MD5

        12f353124b1b8ca1f2ee819225eea695

        SHA1

        dcbad7089dd8feab3ec174e1abefbe9cdb1e80b3

        SHA256

        a8e07b45f252eee1867178042d5eafad184839e653061e57feceadca9dc5ac3f

        SHA512

        1687074ffe3ca9cc827fd6a2d9fd3187a7d3168b8d2d69638e2fe316a31cd45c5984a0a3d207462a7d162d74989518e6cc0b5bbdae763ff06c21015bf301aca0

        Download Submit

      • C:\Windows\install.exe
        Filesize

        1021KB

        MD5

        f5251f451889e8e2f1a3f32e2f1306a6

        SHA1

        60fb6487538240f54baa8188dedb7df2c069970d

        SHA256

        3975c8da657856cdc07d368c9940bb819bce5f6cb9bb61ea682742d69b855959

        SHA512

        ed6c1a9946960a7c7bcb5bb47c572f28a82089a5ee27e83ac481b561384e46f80bd65910c386a1b50393df0eaf3d14fa8515c2f1384f2fd4b1a1a71081b14e1a

        Download Submit

      • memory/4108-14-0x0000000000400000-0x0000000000594000-memory.dmp

        Filesize

        1.6MB

        Download