865e33fcc9b37a6996eafba738453bf597e8c981288cc00607a64de222cce501

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 18:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

438b904a47606eb7014625cafce93402_JaffaCakes118.exe
Size

941KB
MD5

438b904a47606eb7014625cafce93402
SHA1

064b7d60d5599d11a2594bf375722b0eb928810c
SHA256

865e33fcc9b37a6996eafba738453bf597e8c981288cc00607a64de222cce501
SHA512

4fcdce0301dde956c96d0f6b2034d75c00bae15e542384282ebad379039a7d7edf79563ea76b2f3c0ab6340cb45976730344226daa30283fead5e438aecdf4ca
SSDEEP

24576:KoCO4OOw/MZSu9hGJFo9IyaDnGSFJ/nUmqUta5ct9nmU4:KDO4Od/k4bdyaievTZt9m

Score

7^/10

adware bootkit discovery persistence stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	438b904a47606eb7014625cafce93402_JaffaCakes118.exe

Executes dropped EXE 12 IoCs

pid	Process
2972	spools.exe
2092	lqbzse.exe
2200	syseter.exe
2992	svehost.exe
3500	selvice.exe
1416	explor.exe
5020	llly99.exe
4156	setup.exe
820	zwtpm.exe
3012	adgkn.exe
4940	adgkn.exe
1536	zwtpm.exe

Loads dropped DLL 3 IoCs

pid	Process
2812	regsvr32.exe
4972	regsvr32.exe
1864	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Messenger = "c:\\windows\\messenger\\messenger.exe"	syseter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JSsetup = "c:\\windows\\system\\jssetup\\JSsetup.exe"	syseter.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{451B9F14-A525-45BB-A6EE-4B5A61323B35}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{451B9F14-A525-45BB-A6EE-4B5A61323B35}\ = "WebSafeCenter Class"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	zwtpm.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kimjup.bat	selvice.exe
File opened for modification	C:\Windows\SysWOW64\s3d332.dat	explor.exe
File opened for modification	C:\Windows\SysWOW64\mssrcid.ini	adgkn.exe
File created	C:\Windows\SysWOW64\mavbglmhd.bat	selvice.exe
File created	C:\Windows\SysWOW64\dllcache\try5831.dll	spools.exe
File created	C:\Windows\SysWOW64\ffcifile.dll	spools.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	adgkn.exe
File opened for modification	C:\Windows\SysWOW64\mssrcid.ini	setup.exe
File opened for modification	C:\Windows\SysWOW64\mssrcid.ini	zwtpm.exe
File created	C:\Windows\SysWOW64\Windows.ime	explor.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	adgkn.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	adgkn.exe
File opened for modification	\??\c:\windows\SysWOW64\temp.dll	syseter.exe
File created	C:\Windows\SysWOW64\try5831.dll	spools.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	adgkn.exe
File opened for modification	C:\Windows\SysWOW64\Web.ini	rundll32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c96-11.dat	upx
behavioral2/memory/2972-20-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-46.dat	upx
behavioral2/memory/3500-56-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3500-87-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2972-118-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/2972-131-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\messenger\messenger.exe	syseter.exe
File created	\??\c:\windows\messenger\messenger.exe	syseter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2436	2992	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adgkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svehost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	selvice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwtpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lqbzse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syseter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	llly99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adgkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwtpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	438b904a47606eb7014625cafce93402_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3820	cmd.exe
5048	PING.EXE
4784	PING.EXE

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	adgkn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	adgkn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	adgkn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	adgkn.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	adgkn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	adgkn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	adgkn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	adgkn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderSif.WebSafeCenter\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451B9F14-A525-45BB-A6EE-4B5A61323B35}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Messenger\\ThunderSafe.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C3433B1-83EB-4941-998B-06C918733770}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderSif.WebSafeCenter.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderSif.WebSafeCenter\CurVer\ = "ThunderSif.WebSafeCenter.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C3433B1-83EB-4941-998B-06C918733770}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A5AC234-9C15-4A34-919B-28D58785F7D8}\1.0\HELPDIR	adgkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A5AC234-9C15-4A34-919B-28D58785F7D8}\1.0	adgkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A5AC234-9C15-4A34-919B-28D58785F7D8}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\adgkn.exe"	adgkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\CLSID\ = "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ = "C:\\Windows\\SysWow64\\ffcifile.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A5AC234-9C15-4A34-919B-28D58785F7D8}\1.0\FLAGS\ = "0"	adgkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7F45A535-2293-46A2-99A8-C8EA8DD22BC2}\ServiceParameters = "-Service"	adgkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\ = "testAtl 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID\ = "TestAtl.ATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451B9F14-A525-45BB-A6EE-4B5A61323B35}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C3433B1-83EB-4941-998B-06C918733770}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\ = "IWebSafeCenter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy.1\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderSif.WebSafeCenter\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7F45A535-2293-46A2-99A8-C8EA8DD22BC2}	adgkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A5AC234-9C15-4A34-919B-28D58785F7D8}\1.0\ = "wssvr 1.0 Type Library"	adgkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A5AC234-9C15-4A34-919B-28D58785F7D8}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\"	adgkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\ = "IWebSafeCenter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A5AC234-9C15-4A34-919B-28D58785F7D8}\1.0\FLAGS	adgkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C3433B1-83EB-4941-998B-06C918733770}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\ = "ATlMy Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451B9F14-A525-45BB-A6EE-4B5A61323B35}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TestAtl.ATlMy\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451B9F14-A525-45BB-A6EE-4B5A61323B35}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ = "IATlMy"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5CC5892-346B-4F19-B304-307DD1EF1A45}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451B9F14-A525-45BB-A6EE-4B5A61323B35}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8A5AC234-9C15-4A34-919B-28D58785F7D8}	adgkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C3433B1-83EB-4941-998B-06C918733770}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21BC973C-66FC-4B79-B00E-51D69E7DBF8E}\TypeLib\ = "{6C3433B1-83EB-4941-998B-06C918733770}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451B9F14-A525-45BB-A6EE-4B5A61323B35}\TypeLib\ = "{6C3433B1-83EB-4941-998B-06C918733770}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\wssvr.EXE\AppID = "{7F45A535-2293-46A2-99A8-C8EA8DD22BC2}"	adgkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6C3433B1-83EB-4941-998B-06C918733770}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Messenger\\ThunderSafe.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE673B02-973C-4268-A819-DA005C782B5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7F45A535-2293-46A2-99A8-C8EA8DD22BC2}\ = "wssvr"	adgkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{451B9F14-A525-45BB-A6EE-4B5A61323B35}\VersionIndependentProgID	regsvr32.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5048	PING.EXE
4784	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2200	syseter.exe
2200	syseter.exe
2200	syseter.exe
2200	syseter.exe
1416	explor.exe
1416	explor.exe
4940	adgkn.exe
4940	adgkn.exe
4940	adgkn.exe
4940	adgkn.exe
1864	rundll32.exe
1864	rundll32.exe
4940	adgkn.exe
4940	adgkn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe
Token: 33	820	zwtpm.exe
Token: SeIncBasePriorityPrivilege	820	zwtpm.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2972	spools.exe
2200	syseter.exe
2200	syseter.exe
820	zwtpm.exe
820	zwtpm.exe
820	zwtpm.exe
1536	zwtpm.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2972	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	87
PID 1544 wrote to memory of 2972	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	87
PID 1544 wrote to memory of 2972	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	87
PID 1544 wrote to memory of 2092	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	88
PID 1544 wrote to memory of 2092	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	88
PID 1544 wrote to memory of 2092	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	88
PID 1544 wrote to memory of 2200	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	89
PID 1544 wrote to memory of 2200	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	89
PID 1544 wrote to memory of 2200	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	89
PID 2092 wrote to memory of 3820	2092	lqbzse.exe	90
PID 2092 wrote to memory of 3820	2092	lqbzse.exe	90
PID 2092 wrote to memory of 3820	2092	lqbzse.exe	90
PID 1544 wrote to memory of 2992	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	92
PID 1544 wrote to memory of 2992	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	92
PID 1544 wrote to memory of 2992	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	92
PID 1544 wrote to memory of 3500	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	94
PID 1544 wrote to memory of 3500	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	94
PID 1544 wrote to memory of 3500	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	94
PID 1544 wrote to memory of 1416	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	95
PID 1544 wrote to memory of 1416	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	95
PID 1544 wrote to memory of 1416	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	95
PID 1544 wrote to memory of 5020	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	97
PID 1544 wrote to memory of 5020	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	97
PID 1544 wrote to memory of 5020	1544	438b904a47606eb7014625cafce93402_JaffaCakes118.exe	97
PID 3820 wrote to memory of 5048	3820	cmd.exe	98
PID 3820 wrote to memory of 5048	3820	cmd.exe	98
PID 3820 wrote to memory of 5048	3820	cmd.exe	98
PID 5020 wrote to memory of 4156	5020	llly99.exe	99
PID 5020 wrote to memory of 4156	5020	llly99.exe	99
PID 5020 wrote to memory of 4156	5020	llly99.exe	99
PID 5020 wrote to memory of 2812	5020	llly99.exe	101
PID 5020 wrote to memory of 2812	5020	llly99.exe	101
PID 5020 wrote to memory of 2812	5020	llly99.exe	101
PID 3500 wrote to memory of 1388	3500	selvice.exe	102
PID 3500 wrote to memory of 1388	3500	selvice.exe	102
PID 3500 wrote to memory of 1388	3500	selvice.exe	102
PID 1388 wrote to memory of 4784	1388	cmd.exe	104
PID 1388 wrote to memory of 4784	1388	cmd.exe	104
PID 1388 wrote to memory of 4784	1388	cmd.exe	104
PID 2972 wrote to memory of 4972	2972	spools.exe	105
PID 2972 wrote to memory of 4972	2972	spools.exe	105
PID 2972 wrote to memory of 4972	2972	spools.exe	105
PID 2972 wrote to memory of 1864	2972	spools.exe	106
PID 2972 wrote to memory of 1864	2972	spools.exe	106
PID 2972 wrote to memory of 1864	2972	spools.exe	106
PID 4156 wrote to memory of 820	4156	setup.exe	107
PID 4156 wrote to memory of 820	4156	setup.exe	107
PID 4156 wrote to memory of 820	4156	setup.exe	107
PID 4156 wrote to memory of 3012	4156	setup.exe	118
PID 4156 wrote to memory of 3012	4156	setup.exe	118
PID 4156 wrote to memory of 3012	4156	setup.exe	118
PID 4156 wrote to memory of 4776	4156	setup.exe	119
PID 4156 wrote to memory of 4776	4156	setup.exe	119
PID 4156 wrote to memory of 4776	4156	setup.exe	119
PID 4776 wrote to memory of 4424	4776	net.exe	121
PID 4776 wrote to memory of 4424	4776	net.exe	121
PID 4776 wrote to memory of 4424	4776	net.exe	121
PID 2972 wrote to memory of 3600	2972	spools.exe	124
PID 2972 wrote to memory of 3600	2972	spools.exe	124
PID 2972 wrote to memory of 3600	2972	spools.exe	124
PID 4940 wrote to memory of 1536	4940	adgkn.exe	126
PID 4940 wrote to memory of 1536	4940	adgkn.exe	126
PID 4940 wrote to memory of 1536	4940	adgkn.exe	126

C:\Users\Admin\AppData\Local\Temp\438b904a47606eb7014625cafce93402_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\438b904a47606eb7014625cafce93402_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\spools.exe
  "C:\Users\Admin\AppData\Local\Temp\spools.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\System32\ffcifile.dll
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4972
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 try5831.dll , InstallMyDll
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 375519961O57540.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3600
- C:\Users\Admin\AppData\Local\Temp\lqbzse.exe
  "C:\Users\Admin\AppData\Local\Temp\lqbzse.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping.exe 127.0.0.1 & del "C:\Users\Admin\AppData\Local\Temp\lqbzse.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Windows\SysWOW64\PING.EXE
      ping.exe 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5048
- C:\Users\Admin\AppData\Local\Temp\syseter.exe
  "C:\Users\Admin\AppData\Local\Temp\syseter.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\svehost.exe
  "C:\Users\Admin\AppData\Local\Temp\svehost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 384
    3⤵
    - Program crash
    PID:2436
- C:\Users\Admin\AppData\Local\Temp\selvice.exe
  "C:\Users\Admin\AppData\Local\Temp\selvice.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\mavbglmhd.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 3 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4784
- C:\Users\Admin\AppData\Local\Temp\explor.exe
  "C:\Users\Admin\AppData\Local\Temp\explor.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Users\Admin\AppData\Local\Temp\llly99.exe
  "C:\Users\Admin\AppData\Local\Temp\llly99.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\Messenger\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Messenger\setup.exe" llly
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\zwtpm.exe
      C:\Windows\system32\zwtpm.exe
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:820
  - - C:\Windows\SysWOW64\adgkn.exe
      "C:\Windows\system32\adgkn.exe" /service
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3012
  - - C:\Windows\SysWOW64\net.exe
      net start Comeventps
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Comeventps
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 "C:\Users\Admin\AppData\Local\Temp\Messenger\ThunderSafe.dll" /s
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2992 -ip 2992
1⤵
PID:3224

C:\Windows\SysWOW64\adgkn.exe
C:\Windows\SysWOW64\adgkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\zwtpm.exe
  "C:\Windows\SysWOW64\zwtpm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\375519961O57540.bat

Filesize
2KB

MD5
940ca2e852210dd0872ab75bec1addd0

SHA1
0dbe38290db000c0a8b799d76757b08d93dd1a20

SHA256
a5b770b308595e60dc9d1bef309f7644a588acbbe58757ab1b0093f3cbd6b5fb

SHA512
ca1880398c17ae9208e98663a8a143035624700b57482b419e995526ace1d497f25383e75e3d2730d2a05d8ed0c3dbd2fc128df79266152f4d1d53f344295eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Messenger\ThunderSafe.dll

Filesize
64KB

MD5
d81f3cbf6c783710fd329acaeb62c11e

SHA1
6c234055592ea63431b51a96d2604800b9a659a1

SHA256
9d5c34bda05603f6e283b76c0a55179ea548349117363ba719a10d19d930b819

SHA512
8a034efe5601e4c48000c2ff2ff14db95b0a1c748cb2ed2e2f06adcb21b5d43af92f613379da803c226c7ed2e15d9c6300f1b42f76ab041d12f8ed8b38d879fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Messenger\nvsys.ini

Filesize
36B

MD5
743cf214d78d889b694f6bee027b20f3

SHA1
3af8f2b33a1a5b7e6c09177dd901ae6208a136cf

SHA256
39d79336dc15a9788b3a940d73373a3cc3365ad0e2b30173ff1b7cd3ae6479ee

SHA512
f665f56a7596ceecbe2cae3658f7f073035d836b9792fa9d3ba04863fac8d2c3807fc2895240382f3982d4d8b98d9f60b40293a5564fe954a4dd71bb56aeb5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Messenger\setup.exe

Filesize
20KB

MD5
c12683fd67e76a66d1ba39ac22168925

SHA1
71f94e7f54d81fba8ce6ca9b3a6a6522cf16509e

SHA256
bfbb15e180aea39014a0d272ebedb5d5a6d9c69d9984918a8c786de53c4b06f6

SHA512
f4369e9206c1a14fa804f62e8c072cc7c9ba4c3da7341d7b7da559175da314d8f0a60931cd7587cf5a83d5b67b66ef15022a400e0280dd8d861900318f5104b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Messenger\sysmain.dat

Filesize
60KB

MD5
345c2b0ff686aca4a35fde212662d9ee

SHA1
b13e6c840502d8c10f61048b7da0cbb3f97a1b36

SHA256
7e114395087f3874b101817ff83f77ede86440d4c4d3e7caf8fa0e89957f6356

SHA512
ee415745093b35c5f7a3e4a0a69f16f002339541816e65295d1902ed8ab3e6ea7b348d57f5fff97946870167bded201cafd92d32fe5abdab817348598f04cd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Messenger\sysvc.dat

Filesize
44KB

MD5
3e7be80b52dcb8e7992b7e04255ded9e

SHA1
a5b585e1e78af6b01b1ea004f463b17d6653b788

SHA256
44e24179180c45444df06296561932c07d9fda9f756fffca58b3d42d14559a0d

SHA512
10db0e572c49bb1e831a329303d3c9414848f41c354aca43ced8bdda56d1e4f2d980dd1820efaa919e9110fe8ce8bab89f592e6ea2097a45a297a6076a94e0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\explor.exe

Filesize
132KB

MD5
cde45741b07efa0306ed1bfe449e4ef8

SHA1
0fa6a767e9e7a702597505e9c3df3704969f1147

SHA256
7b90a225985d188ff8592828b688580609f0107d39d5225b7111606d8226da1c

SHA512
ad98c6328f5d8d406090208a31483bd2a529aa4259a577d980a283d88868a0200060bc24d45a458a6d1a521e60504e782d7a37f101fda93a3fc9af5b144d76f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\llly99.exe

Filesize
132KB

MD5
a328e8d509296cf76a99ccf1034ed0ee

SHA1
7cb55bc2580fb0801e279134982c8ee8ed13df90

SHA256
7a69c78e0778963e59760a4b48ee87ebc7d70d2de528d0afa283b0123897b283

SHA512
20bba80316e4fd0bd300baa0d329bed4bb6ef75925a845c3309a73ed980ea3bf93ced57bcb111d6ae81edd548ded4a56ed1bdbb89f998939b690ee9fd21ed5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqbzse.exe

Filesize
68KB

MD5
12cf4395bf1f403eac6ee869a4ef2986

SHA1
3ff5e92318a07e7fadf2353034425fefcbdd1159

SHA256
1dc2d790e98851a12d32d6133beff8ec087d3cbc07b0671b4c1012a29632a294

SHA512
f61a798fd6325ab964d671dec7cf665aa84cc0798429abd1940888c34a045705ebfa572ec1b14a67f4bd5d3054d24ea1325e75601a02be46b8b59b9538325ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\selvice.exe

Filesize
30KB

MD5
ecc341f2bf4f88c8fbf60ea10b5e4fed

SHA1
21a19153f5efa049ff24595dd296d718d7b93710

SHA256
99692573fdff86d6eb11ab4f9062b5b35be53dd74d2937a9faf12ce53d26acc1

SHA512
f82adbd04826941c741ee76f1b83425bda5edb9ad46de6d0950ce68a6dc166cfdc11b035547227dc1ee80eb0147450b9b3857cfc9471ea17b50767e10e8e3614

Download Submit
C:\Users\Admin\AppData\Local\Temp\spools.exe

Filesize
60KB

MD5
6dfd42c8451da8aa8d62dc052e962cf3

SHA1
976629d685068130c649dc2292d62c76a3cb15e4

SHA256
f8d7c5e80202dd022ce4e1cf4a7e6eb9e68411c1b362c733ac9ba61d8d4a7cdf

SHA512
894d2a0b8d16dfc51c9d11121e334975a600fdfa0e4813aee13ee8d12fa2c05a0cd71c3dc4fd1dab38a4c6eb37f0270f34f3ca5bffd02ed00f2ec8427ed0cdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\svehost.exe

Filesize
162KB

MD5
05a44e8ed157637048677b18431b8e3d

SHA1
fd9793991710bb548b5f6b6f1346474334cdd69a

SHA256
f5cc755162c2ee5f2cb887b8dd3c0b0f316e7830932c1047b082e884c99c0252

SHA512
9af0ba8933b6365d366221c9a0b93c9a5fd7d530db61152220a651dfe97f527518d7e357b4049b441dba1fd3bf710a4165db9ba5fc9ee705b180e3c782bb4f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\syseter.exe

Filesize
312KB

MD5
3ad35857a12ece3594ffd2ccd2c078eb

SHA1
e65ba6692482a5d4119f22a22e671b8763fc801e

SHA256
9a643d34f71e6d78428361aa8ba7c4cca2393b65ce6bb3b278388512d11e8331

SHA512
cc6ab0e7e06b9ddb79d95cfd7d14bd3703cf8c47c8d6831dadfc4ce8df9ce68045282207cc50d9259e3a62ce9c719212108c3bccda9dfdf872022c9eae99a34a

Download Submit
C:\Windows\SysWOW64\Web.ini

Filesize
1KB

MD5
dd1193ed070b14680e2e33df532fc683

SHA1
3631de58b145df00e674a64d476ad24c1fcf69d6

SHA256
c5aed44344a12db305877b28f0543cd7e937c4b8678a852fb0a7512c4f6b8850

SHA512
d7dab7a1970fb986892e0d77268d5a81e07936f788060cbb2e1c7af6aee07294c2992c0415c8c8b7987247a37580c621b7332fcb119efe130c334f76b5384575

Download Submit
C:\Windows\SysWOW64\Web.ini

Filesize
1KB

MD5
218606333dfe9abd5da97ee50f82f9ab

SHA1
1bc98b020935679f5db774c33496c68fa2c8529e

SHA256
bac353ad3a72a4e7b591efcd4c923ef301c9b76183dca259c918d488d5b0d0e0

SHA512
2dcf7dd4b1d9b0638f8859bf2b238ccee35c7a754e2c59509eff6eecf2d87b7cf2e35f96d564eeba1afe643aae862578f0bf9b4f460e5fda7114f6eefac14120

Download Submit
C:\Windows\SysWOW64\Web.ini

Filesize
2KB

MD5
7ceafa7fc04e50a450a4541ad41f54c6

SHA1
c40fa60396aea7d101cab997bb0f457662553cda

SHA256
0c4b57a38b9c2944af47ce11a6e0fac75f015df5efc0d3e369109bb62dc73405

SHA512
05ebab1105a576925790f455ca07c35d522c9cb9718d65be6584eb747377f60399b1fb18a51dbb17c8248c7764b7a195869b88eff70b5e3fcc12f759af79a208

Download Submit
C:\Windows\SysWOW64\Windows.ime

Filesize
76KB

MD5
03eed954eb652553833bc37789eb7ea8

SHA1
81902061f69267aeaed071e6350d4175cc09efb2

SHA256
d431163e1e279add41454e1775224522bfc504ae8f48713d8ce339485b0418e3

SHA512
eee85107ee564b390f7532e17081e3ff41c59d3cdead5c3d7a276e509df4d7c81365727ac75ca637f14a3a63d048b6dcd3bcd1763fec4b1ff306e0b256e119b3

Download Submit
C:\Windows\SysWOW64\ffcifile.dll

Filesize
64KB

MD5
cc04edaa32516285bcf38748de8178d7

SHA1
ad6a0a6a3b2474f2a2e112c1cd1e6e423b89063d

SHA256
6b831bc318f65ad40e1167168b911eb287e54688ea490f2787cbcb2a37468aa2

SHA512
82b5e21c7d8f42231264c06d318913f51f742c2f9344aa4405b6d5880a379fe58e9828f6bebdf5fe014b9fac9ee6359f57c385a2e2e214a07d91ca398b9fd52b

Download Submit
C:\Windows\SysWOW64\kimjup.bat

Filesize
92B

MD5
5fdba6f872d7061d5211fedc9df3bb4f

SHA1
ea031c13ac9494225c4fa5c931e8897aa2b5af7a

SHA256
fc11c9c6599c5326b54ffd8f898035abd9d1dfe8ca86aafc0537448489ab141a

SHA512
01d4afca3a7fdc9082f649499a86f87c49bb33c08e1f9c5f344d6da52407db09f8f31bbb1e5ba48862fc5ab555db00bbc852eee67ec3652848bd18e5186d5aed

Download Submit
C:\Windows\SysWOW64\mavbglmhd.bat

Filesize
100B

MD5
c812c8a40a11c97e7faffa231c1a47c1

SHA1
b1f64e41e36e44ae8c0fa84b855830212c1d2594

SHA256
68df6389100e26066dfd25ded379f8a9197227829d5bba1d56f96673b83eb7b1

SHA512
49775123408dba758918aa774bc7bbe9bae29c3f3ad12065b17ee4745e1bdd716d6864419b7b6c4bd9a8ec05dd93e50a44448f806f452a6614407c1c9b9c858d

Download Submit
C:\Windows\SysWOW64\mssrcid.ini

Filesize
18B

MD5
bb31484ac2a1de0d851e28149dcc43d9

SHA1
8124d57bdeaf5a3d745951db7c9fa03af428c0d8

SHA256
46c57be25c2d7fe99877b0dce5e4649f5f28b816f208fe97bc93c58748e817d2

SHA512
719318dae24dc5d54ced6d8a700dd59b2433f848ccbf620955e9f70cf29e2a5150d0b4a3f1e57738788a4a07bd57e6e147247abbb180dac2dc673b1203ac374d

Download Submit
C:\Windows\SysWOW64\mssrcid.ini

Filesize
32B

MD5
22afe89b83332ff7f8e1422f59501ae2

SHA1
c49172ef5a3c370fafdfb1c9ec9313ba2c2640ca

SHA256
82b442c178af0035c3c1b70a6642ab430f1ee57192b587cbd3f97ca81fcf388b

SHA512
ddaae850cd87c865276768aa3da908ccd62b5bdd6e1926dbd5e7d0d50065c3783528bcae30c4e98d1705307d41b3fe696f17dda43892c91345ce3810e13b1394

Download Submit
C:\Windows\SysWOW64\s3d332.dat

Filesize
124B

MD5
601084dcd00cf19cda4c028fd05f893e

SHA1
f8bf40b53f13102e3b967cedc8bfa317833719c2

SHA256
3ad0dc663672f4855528fafe372b612d0e3287025ede534bfb2587ccc0fa26a1

SHA512
71c588ab1e00f5aa2c57fd15a9af2edc42f9c7ea07c01a4c0552103befd7519973ec356e64651f7b30741046b3a3a854d0bcdb81faf62eb1c53abf433db81d51

Download Submit
C:\Windows\SysWOW64\try5831.dll

Filesize
144KB

MD5
b52ef0c6f17c927ea91e238b5721a779

SHA1
6ce265c8f14028ff4bf37ddae7d618c4950c9d69

SHA256
ef1762a8391128692ce0b4f55104b3a733bbb9a0cedb59c210bed8dea85f8f6f

SHA512
17eeec9f8fb040fb3d6f04b09f288d5cedb188cdd48a35a10a398964d856b5a1b8d1563c278a16c87a9e6e487e75442afd1fcfe07c7bff76835ec0098ca58b94

Download Submit
memory/1416-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1416-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-118-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2972-131-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2972-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-87-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3500-56-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download