neshta | 8e952b9b081951b91be45d32e7b3c9ce3539d84f0f05b74e9733475c0c84627f

Analysis

max time kernel
149s
max time network
27s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
Size

1.8MB
MD5

33755670455badf5c6826866db99c9ef
SHA1

3fe0d62b164a5cf3bcd3d9fb971172a1599d7205
SHA256

8e952b9b081951b91be45d32e7b3c9ce3539d84f0f05b74e9733475c0c84627f
SHA512

aa76df546525fbf52cc6f0e498437bc8edb6171641201ed42d339ca6009989c14eeaf7d14e076543caff42dc20b0ca808b8608c8b70f6a66b5e6a47cd9db2dfe
SSDEEP

49152:YA7zo44O1fJwS7x3LN7PdwZ20VXv7NwLKjXMh2QbaSxdTTtay3BXhv:YAwdO/N3BlwZ20VjNwLKjXMIQbaSxdFd

Score

10^/10

neshta credential_access discovery persistence spyware stealer

Malware Config

Signatures

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Neshta family
neshta

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe

Executes dropped EXE 3 IoCs

pid	Process
1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
2816	svchost.com
2796	WallHack.exe

Loads dropped DLL 5 IoCs

pid	Process
2440	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
2440	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
2816	svchost.com
2440	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
2816	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WallHack.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe
2796	WallHack.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2796	WallHack.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1620	2440	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe	30
PID 2440 wrote to memory of 1620	2440	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe	30
PID 2440 wrote to memory of 1620	2440	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe	30
PID 2440 wrote to memory of 1620	2440	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe	30
PID 1620 wrote to memory of 2816	1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe	31
PID 1620 wrote to memory of 2816	1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe	31
PID 1620 wrote to memory of 2816	1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe	31
PID 1620 wrote to memory of 2816	1620	JaffaCakes118_33755670455badf5c6826866db99c9ef.exe	31
PID 2816 wrote to memory of 2796	2816	svchost.com	32
PID 2816 wrote to memory of 2796	2816	svchost.com	32
PID 2816 wrote to memory of 2796	2816	svchost.com	32
PID 2816 wrote to memory of 2796	2816	svchost.com	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_33755670455badf5c6826866db99c9ef.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_33755670455badf5c6826866db99c9ef.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_33755670455badf5c6826866db99c9ef.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WallHack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\WallHack.exe
      C:\Users\Admin\AppData\Local\Temp\WallHack.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
754309b7b83050a50768236ee966224f

SHA1
10ed7efc2e594417ddeb00a42deb8fd9f804ed53

SHA256
acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6

SHA512
e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
ad98b20199243808cde0b5f0fd14b98f

SHA1
f95ce4c4c1bb507da8ed379503b7f597ee2016cd

SHA256
214f478e94658fa2bd7f0bc17022831baee707756798addb41d9c5bee050e70b

SHA512
ee1251c62530b3027e2cd5669533c633577ffbcf854e137a551148fc0de3ee6cc34253a0bdefdbd4843929843b0790f1de893aa6fbae1c969f057b9f8486afef

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
248a8df8e662dfca1db4f7160e1a972b

SHA1
dca22df5bca069f90d84d59988abe73a24704304

SHA256
6c7abeebd50487ca33315f5e507c9a5346e6e7a4b732103b35b8006ed58d7bb2

SHA512
0042e806d50c938fb1f08506327c87cd99e4f5f9520636b20695d94a696bb8b3f500f6d9507cb46fdba27c60cc0cb9e3c1e7c35dcfb7fcf4dadac3270e654f75

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
dc6114cf663ccdb1e55d37e6501c54cc

SHA1
8007df78476f6e723ddcb3ad6d515e558dcb97c9

SHA256
d566164c874ef66149b493e3220616cdb9090a8cebb4a1325c48c705aea5c348

SHA512
677464e6dab367f9158655533cade6e1ec4b39c4e64b05395e72e4099ca7f8fa82b8e49846932956da5fef760cc109a348e1c599d986166998e4d2623022a28c

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe

Filesize
381KB

MD5
2352318f01171370a31048e3ef80a4a9

SHA1
aeca009b93c80a3a51eaefa035b09f8a5aa6d252

SHA256
88b241c269c0b657ed4a2b09b0835f15f4dee77d0bb8fec3240bb14d93ba0b62

SHA512
7783abcc2a0e448ea476c53d70b8d04f4c90c3b30b72a1b89310fb6f9f05efcc7e511276cc045c3e3f476e932874c3aef30366872b408fa257561aba2d907b3b

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
503KB

MD5
fdf02b51e6dd28873c21c55e22d276a0

SHA1
435ee11bd78ab2946ba1da65fa0e478135d87ce3

SHA256
7232825710bfe15014cbc196ccbbfe69c1a649fb00abcf16104dfd071dfc510f

SHA512
cdf5e8d55f07c3c9410f698604e3fb8f5cd9462319a936a5be29aa7e439e6dcdfbcd2174eb268d23927996074b0f574d4a4b52c47ad6259743c0741ee9683a12

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

Filesize
155KB

MD5
156aa268fa5236c9f16110863dc383d1

SHA1
4d1a29a4a5b74716cb9a4a0c945aee511ef3cbf5

SHA256
0537d77d6e447a2ec34321c61828e9f3690a9b846995b6da5de6729692f7a31f

SHA512
2c7f5d2465f483a0cdfc01bc3962c6a31f46b04c91f3db6164e3a24504c76dba035fbbd0a6b0c959af505872395c77f9db614df2cf898850a3663ec97b2e06ad

Download Submit
C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
305a058b877a365b75083d6cea874702

SHA1
20f9dc6d97a1abdf4b80e78befa3b64891235e17

SHA256
bffa5127f52bb966b109a07dfeb1bb40a76d606e96837c80ac5ff276447fe181

SHA512
23b1540d4dc1c062579ee9a3231140ae250f2df7b28c376f34effd255ae1115e875a5fcdafc8d15b5b39ff977ebfb7cd03dbf6ce91a83b94ea235eadce8e12b4

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
485KB

MD5
048da0aced67fe14cbc1801a057b8cef

SHA1
9ddac6ad86b54d0b7e1d22fbc1ff75ccfa9c17ea

SHA256
2f37cac4a1dbf7944d43f1154ce293311c3f9d44317276a06b49cd41123d9d96

SHA512
1d2b23dc25ea03002a3ccbcdf08a7ebf47ee2158bf9211b71830a92dfa4bef584529c1804148ebe2cb662e579cc97e9f702a6a42071f2600a129c642a6b92c16

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
6686e6b195120668e21177aff058e81e

SHA1
a56f0d0e942b2b657e0dd7848e78d53c6740880e

SHA256
ca99df46bb3b85ee7be086eaf3b10eee8abc4c8dbeef690ca8c0bfc9eec845d9

SHA512
de1b827b645740f6d7895e6333fa73b2b0b4af500a5457740d810580a67f327e5bdd98ccf1e1cce44a64869b0ef3c52b224dd148fe37976d58f66e0823215559

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
715KB

MD5
cae0de78406fc6f338b31e2ac61855bb

SHA1
61d3298793b62b79b451737d84e4d9ec75552004

SHA256
f5026860d382f9b005ff6cb2f3c9d8ccb8ec1c71cfcc593292387e87654d9c77

SHA512
f7265d07427a91b809199916eda2e29fee485943f6ee4e9851540d16e72d392d00f0de40ed0f8568441d08f9babb052b11d7fee2be7febafe396cf8b453dba47

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
495KB

MD5
96c338591ac8ea4483337c8371cfbab9

SHA1
21bed3f86db1c33912390db397678631c876f431

SHA256
7237de120dcf61936d33394b8e211d4af88a7e4c6ee53cf053a54b8b60c23a1e

SHA512
44e44c466ca812a1ce21f5ba8e3e57434ae7ff1549b0315d3887cd467da40e1604ec9a69f07d7e3c834aa1d96c8206628ce173ae8a8a59a9d713b516f58e9455

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
485KB

MD5
f8090e8496b322fd6dd512c484f10b3c

SHA1
4ca215ba4ffe3dc657081da15e66f1494378e1bc

SHA256
9625759a71f257480d6c5956adaf86eb178ecbe62521ed91d2ad2a45813d1e00

SHA512
9c2eae3b34504dc2e4fafc3e08cce8ed240de871a6d47d57ac84da2e0fb7a4d445a9f2bbb4f2844eb4112a8e9b4ac9c226daeadfc14fe568bafe2d7659560a2b

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
e2b4d2c7b6fa09e5bd3f6df9fc6e8655

SHA1
eca5d5cc3475a9628b504102f61e0bd9dac9ad02

SHA256
b00ec004498d598e10f285bb322b859cd57b640c500c804e7b15a212aaded5fa

SHA512
db02329122f67bb2241bbe91d5b0c2570782d643ba382e691cfa6ee306eb257b2f92c0920a34f2b56d656d8fb2c02e22cb933faa03884848d7b66028de05b1ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_26-01-2025_07-09-01-NCFK.bin

Filesize
1KB

MD5
93e4987c8ffb82879f3f1071f64131a8

SHA1
d7bdc7b888260d7eb6403bb2d0b491f2cf74e016

SHA256
1f8569eda7d670afa6b0d45ecd60624fd6e5fc19be2da3dc3e39aa35661dd111

SHA512
0d96b4bec5470ac0fe32021c54d8b45cef1b28ae7f1d7de1dd33072c63edca95cc58a13efa6a6f17fb6edf7e934d10d09ee5cc3caaf60f4b2ed0536323ee5b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\WallHack.exe

Filesize
2.3MB

MD5
0c7583a6ac1a1786d20b213479ae64c9

SHA1
921a00207c628161bd301ff098ddbcdc0eba68da

SHA256
933ce01b04ceee8714eb8eb28f0956763b6462279d5107dfda8d0f8e2dbcf503

SHA512
bcfa4fdafb30bc456dd81cf15aaff5687004616dc05c9cd5f021910ea8444bbd700ab1c5417e02f73a040c4bed4b21cababdf78e34ddee3fb9b0b10b7a2e7e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
8c339f64170596f8be18db9ddec4915d

SHA1
0093e8e2f5f0b532074e6bac0e5035ae3ce7110d

SHA256
577fc0bba2b2e4efa54394b768a8d2e4531fe57b6fe39216a5c8d2f3a3385c19

SHA512
6e9c67d87186de8b8868808ca1456fcc44af03390328e9e26c4d5ecd95ad0f751873698da5b6b8fa7ce043c68414c7fbcdd72ccaab88d67606b463696940798d

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
5d4055913ad7a6f20ec46695a41569c2

SHA1
ee9d1ad871394b6c11e81974c100aa7cf5deee4f

SHA256
82f2bfb27f7612f9febe39f90d5aa8756a3aded9bc795fd406e911b0b388637b

SHA512
e941b749fc477f11ec3a289e628a21bc9cbdb021ea4ddd07bcb19809df7f17156302c01893e14ccba15c43de4c9b097b695941d5ff588aba324e84c86e72527c

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_33755670455badf5c6826866db99c9ef.exe

Filesize
1.7MB

MD5
d9e8de6cc6e5012a8e500822f82654d4

SHA1
2daf54ae75aeb3ecedd70121ecfdd850f626012f

SHA256
583a3305f7407e78a80240c33ce545033ead5d6b010753695e6be54b0c88262a

SHA512
39ddc1287b1876cbeb118263f5ec10a02cb7426c0132a61406c4a0e36cc5d67b5d666d774337a7078b13c0e50ad9dbd725096e4ca7bb110d32fc9dd20b373cf2

Download Submit
memory/1620-134-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/1620-149-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/1620-17-0x0000000000400000-0x00000000006B4000-memory.dmp

Filesize
2.7MB

Download
memory/2440-132-0x0000000002D40000-0x0000000002FF4000-memory.dmp

Filesize
2.7MB

Download
memory/2440-133-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2440-131-0x0000000002D40000-0x0000000002FF4000-memory.dmp

Filesize
2.7MB

Download
memory/2440-138-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2440-15-0x0000000002D40000-0x0000000002FF4000-memory.dmp

Filesize
2.7MB

Download
memory/2440-12-0x0000000002D40000-0x0000000002FF4000-memory.dmp

Filesize
2.7MB

Download
memory/2796-136-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2816-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2816-141-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download