Analysis

  • max time kernel
    123s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/01/2025, 07:59 UTC

General

  • Target

    JaffaCakes118_68288c29d8546aadc301eda4436def32.exe

  • Size

    2.4MB

  • MD5

    68288c29d8546aadc301eda4436def32

  • SHA1

    b2f25aa72549ab250213e20850aa3e5beab1928f

  • SHA256

    a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325

  • SHA512

    d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369

  • SSDEEP

    49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Darkcomet family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
      "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
        3⤵
        • Modifies WinLogon for persistence
        • Drops file in Drivers directory
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3160
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4660
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:3688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5036
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:4936
        • C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
          "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5096
          • C:\Windows\SysWOW64\JHPMIJ\FQO.exe
            "C:\Windows\system32\JHPMIJ\FQO.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:540
        • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
          "C:\Windows\system32\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:380
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3884
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=58DAAB7F001085031BBD043AE4147EDD --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3668
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F56128D45C28008B65F6EADA717F43F8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F56128D45C28008B65F6EADA717F43F8 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1868
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B4322355B4FF7939B3DAA50488E53E8 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4076
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B4BE7F4DF333B7EF39FDDA2DD680B37B --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:264
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D8AB7A5A5591F67CBF8764CD4D78AC6A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D8AB7A5A5591F67CBF8764CD4D78AC6A --renderer-client-id=6 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job /prefetch:1
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2788
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1024CB97477349511771CA06A48E26D2 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1116
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
      PID:3768

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      13.153.16.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.153.16.2.in-addr.arpa
      IN PTR
      Response
      13.153.16.2.in-addr.arpa
      IN PTR
      a2-16-153-13deploystaticakamaitechnologiescom
    • flag-us
      DNS
      65.160.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      65.160.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      43.58.199.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.58.199.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      135.244.100.95.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      135.244.100.95.in-addr.arpa
      IN PTR
      Response
      135.244.100.95.in-addr.arpa
      IN PTR
      a95-100-244-135deploystaticakamaitechnologiescom
    • flag-us
      DNS
      179.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      179.190.18.2.in-addr.arpa
      IN PTR
      Response
      179.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-179deploystaticakamaitechnologiescom
    • flag-us
      DNS
      200.163.202.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.163.202.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      30.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      30.243.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      13.153.16.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      13.153.16.2.in-addr.arpa

    • 8.8.8.8:53
      65.160.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      65.160.190.20.in-addr.arpa

    • 8.8.8.8:53
      43.58.199.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      43.58.199.20.in-addr.arpa

    • 8.8.8.8:53
      135.244.100.95.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      135.244.100.95.in-addr.arpa

    • 8.8.8.8:53
      179.190.18.2.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      179.190.18.2.in-addr.arpa

    • 8.8.8.8:53
      200.163.202.172.in-addr.arpa
      dns
      74 B
      160 B
      1
      1

      DNS Request

      200.163.202.172.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      30.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      30.243.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

      Filesize

      36KB

      MD5

      b30d3becc8731792523d599d949e63f5

      SHA1

      19350257e42d7aee17fb3bf139a9d3adb330fad4

      SHA256

      b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

      SHA512

      523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

      Filesize

      56KB

      MD5

      752a1f26b18748311b691c7d8fc20633

      SHA1

      c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

      SHA256

      111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

      SHA512

      a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

      Filesize

      64KB

      MD5

      e2953ed0cafd081ae7a33508a97c7468

      SHA1

      e7a8b9d42ffc5e7e54fbe9f28c2abcac18cfadd7

      SHA256

      3bf8ab2f77eb02278c107e9b5d4223f1a9bbc40e133155cd7a1ba0d8dc95d06e

      SHA512

      36680a23df341b6332d9b13d78036a6c74638f1842d7a4fec7743dc06406e9fee601f1b72bab5410129f7cc3348a53361aa9746734aec277d9435b1a421a52f0

    • C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE

      Filesize

      1.1MB

      MD5

      4766452f3b2d1952a671143d9b813585

      SHA1

      169ba313c0ccc234e2a227a97c05976f968ad3e6

      SHA256

      064a538b07c4722cdcec11bc6d04b8fecc44061c8d6472d9bb39d1a1848a0160

      SHA512

      0a1e5d3841e3cadaefae31653069b8add53d096bb938b83c6a4fc9c50815ac65fcefe5e2218ee6297440ca09f52d72394a2956fe5990387408d39ca3dbfbc2c8

    • C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

      Filesize

      2.2MB

      MD5

      9a540f97fb137ff20426f30e8db62dc8

      SHA1

      1cd77f98dc2797cceb083e6b949261e2ea49fe4e

      SHA256

      d19447e7601934db1ce2038f15ad1a57835df5330d1f8780941b127fbde7cc59

      SHA512

      467bdac8408f6e1b66b7075f5b9ff09ba141782209d90ff6570187e41f52e38bfb0c1dfd08b8b5366f9a25257090cd28f187506b6d2e823afcde74539fe6ba0d

    • C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf

      Filesize

      194KB

      MD5

      8764991d86c925a5f8bbe847cd0f3cb3

      SHA1

      19e3f30d0baabc7c457fd61fecee8d1e8ab28d0e

      SHA256

      5e75cc26bca0932a6685e42e07d32b9e55c3eb3a4b4af5e2b80f0a48a4116f79

      SHA512

      f3f6f31f21935be78af1a792f45c481563a9653e624194588ff99e378cf7b0633fce7042e0b6dc01f04c14b4fa285964915e1b7ede8f29ae094b97cc15d11bdc

    • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

      Filesize

      62B

      MD5

      c6abd7a109bb37ab773b9e79b91b7741

      SHA1

      7933b8795914b27483d2afed35b3830e8bf5bdb6

      SHA256

      8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629

      SHA512

      35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc

    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe

      Filesize

      1.1MB

      MD5

      d881de17aa8f2e2c08cbb7b265f928f9

      SHA1

      08936aebc87decf0af6e8eada191062b5e65ac2a

      SHA256

      b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

      SHA512

      5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

    • C:\Windows\SysWOW64\JHPMIJ\AKV.exe

      Filesize

      456KB

      MD5

      51507d91d43683b9c4b8fafeb4d888f8

      SHA1

      ead2f68338da7af4720378cd46133589fc9405ba

      SHA256

      71b3aecefd36e4855a369019ac5871c544d39f8889d23cd455466a24cdecce6b

      SHA512

      a5a7ff3f8ffb72719b7e2c9dc2719c99ea32bd68994918ea027c0d7d54cfe0c80bfd34486dd8d3cdd390376bc4c8d1f7d97de4b98b7d39a3e10c3e2682c07d1c

    • C:\Windows\SysWOW64\JHPMIJ\FQO.001

      Filesize

      61KB

      MD5

      383d5f5d4240d590e7dec3f7312a4ac7

      SHA1

      f6bcade8d37afb80cf52a89b3e84683f4643fbce

      SHA256

      7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

      SHA512

      e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

    • C:\Windows\SysWOW64\JHPMIJ\FQO.002

      Filesize

      43KB

      MD5

      93df156c4bd9d7341f4c4a4847616a69

      SHA1

      c7663b32c3c8e247bc16b51aff87b45484652dc1

      SHA256

      e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

      SHA512

      ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

    • C:\Windows\SysWOW64\JHPMIJ\FQO.004

      Filesize

      1KB

      MD5

      c419eadafd70c55f88b6235ccf3d14a0

      SHA1

      e04856391e275bfe54fdc6dfabdfe798f80d2afb

      SHA256

      76f3de81ac5a57b368786feffd51e82c49527298bd6ed554ae2cdac118043968

      SHA512

      4b3e1e8d94f7e8bd9a32758fab27b2fed6299882a092fea578e1107655e9d5a7d9480eca2c205b3a85e897a1ae3ffd92587b7c4b9ccd3722bb84bfb45a30f683

    • C:\Windows\SysWOW64\JHPMIJ\FQO.exe

      Filesize

      1.7MB

      MD5

      3cd29c0df98a7aeb69a9692843ca3edb

      SHA1

      7c86aea093f1979d18901bd1b89a2b02a60ac3e2

      SHA256

      5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

      SHA512

      e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

    • C:\Windows\system32\drivers\etc\hosts

      Filesize

      1KB

      MD5

      ea1a1fb9ccfd94175ac7949b7c0937fd

      SHA1

      19f49e082f0bfbe697a30a283a8d96e5f2c96f97

      SHA256

      2f741dca98c6bb003b57a004523cd3ed6fc1d9c629ba27bb9ae065da2691e904

      SHA512

      b79bc17c026c5bb9804252fd09ef05f3c1400b5a81c3776c812de832e13d251adfa5ba9b301c9fb1126d9e55fb348f69978e2397cb9dcfc29bdfda89ba2461c8

    • memory/1116-24-0x0000000073D90000-0x0000000074341000-memory.dmp

      Filesize

      5.7MB

    • memory/1116-15-0x0000000073D90000-0x0000000074341000-memory.dmp

      Filesize

      5.7MB

    • memory/1116-14-0x0000000073D90000-0x0000000074341000-memory.dmp

      Filesize

      5.7MB

    • memory/1116-13-0x0000000073D92000-0x0000000073D93000-memory.dmp

      Filesize

      4KB

    • memory/2832-111-0x0000000007C30000-0x0000000007C45000-memory.dmp

      Filesize

      84KB

    • memory/3160-22-0x0000000000400000-0x000000000062F000-memory.dmp

      Filesize

      2.2MB

    • memory/3160-18-0x0000000000400000-0x000000000062F000-memory.dmp

      Filesize

      2.2MB

    • memory/3160-121-0x0000000000400000-0x000000000062F000-memory.dmp

      Filesize

      2.2MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.