sality | cffe9ce252b2852f54dc5de2f6e929ae684021155d769e0583dd775c8c5ad587

Analysis

max time kernel
21s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Size

1.0MB
MD5

739114d339905349c6d01a7ae168df53
SHA1

a719fc985ad1a2f96410150fef8103a0b3650dba
SHA256

cffe9ce252b2852f54dc5de2f6e929ae684021155d769e0583dd775c8c5ad587
SHA512

c99e31950314c6b8357abbe0d51ffe9f8ae46552c75e1a46254cb179f3a735ab9d4f1f60446c1741e46c29d333bfe47d91f04b4b11dc05c22874b125b3630550
SSDEEP

6144:zkGnIEXdMUwNmSUwhwCydxs7Q2RMfHHgIIF:rN6Uw5Uwyfdxs7Q2RrvF

Score

10^/10

sality backdoor defense_evasion discovery trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 2 IoCs

pid	Process
2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
4788	Au_.exe

Loads dropped DLL 5 IoCs

pid	Process
4788	Au_.exe
4788	Au_.exe
4788	Au_.exe
4788	Au_.exe
4788	Au_.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2620-7-0x00000000023D0000-0x0000000003400000-memory.dmp	upx
behavioral2/memory/2620-10-0x00000000023D0000-0x0000000003400000-memory.dmp	upx
behavioral2/memory/2620-5-0x00000000023D0000-0x0000000003400000-memory.dmp	upx
behavioral2/memory/2116-128-0x0000000002770000-0x00000000037A0000-memory.dmp	upx
behavioral2/memory/2116-132-0x0000000002770000-0x00000000037A0000-memory.dmp	upx
behavioral2/memory/2116-139-0x0000000002770000-0x00000000037A0000-memory.dmp	upx
behavioral2/memory/2116-142-0x0000000002770000-0x00000000037A0000-memory.dmp	upx
behavioral2/memory/2116-144-0x0000000002770000-0x00000000037A0000-memory.dmp	upx
behavioral2/memory/2116-148-0x0000000002770000-0x00000000037A0000-memory.dmp	upx
behavioral2/memory/2116-289-0x0000000002770000-0x00000000037A0000-memory.dmp	upx
behavioral2/memory/2116-295-0x0000000002770000-0x00000000037A0000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\~7z.exe	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
File opened for modification	C:\Program Files\7-Zip\~7z.exe	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
File created	C:\Program Files\7-Zip\~7zFM.exe	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
File opened for modification	C:\Program Files\7-Zip\~7zFM.exe	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000c000000023afd-2.dat	nsis_installer_1
behavioral2/files/0x000c000000023afd-2.dat	nsis_installer_2
behavioral2/files/0x000a000000023b63-42.dat	nsis_installer_1
behavioral2/files/0x000a000000023b63-42.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\inet.	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\inet.\Day = "1"	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\inet.\Month = "2"	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Token: SeDebugPrivilege	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	84
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	84
PID 2116 wrote to memory of 2620	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	84
PID 2620 wrote to memory of 760	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	8
PID 2620 wrote to memory of 764	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	9
PID 2620 wrote to memory of 1016	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	13
PID 2620 wrote to memory of 2956	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	50
PID 2620 wrote to memory of 684	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	51
PID 2620 wrote to memory of 3160	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	53
PID 2620 wrote to memory of 3448	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	56
PID 2620 wrote to memory of 3576	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	57
PID 2620 wrote to memory of 3772	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	58
PID 2620 wrote to memory of 3860	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	59
PID 2620 wrote to memory of 3948	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	60
PID 2620 wrote to memory of 4068	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	61
PID 2620 wrote to memory of 4108	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	62
PID 2620 wrote to memory of 3960	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	74
PID 2620 wrote to memory of 2000	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	76
PID 2620 wrote to memory of 1432	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	80
PID 2620 wrote to memory of 5012	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	81
PID 2620 wrote to memory of 2116	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	82
PID 2620 wrote to memory of 2116	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	82
PID 2620 wrote to memory of 4800	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	83
PID 2620 wrote to memory of 4788	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	85
PID 2620 wrote to memory of 4788	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	85
PID 2620 wrote to memory of 4788	2620	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	85
PID 2116 wrote to memory of 760	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	8
PID 2116 wrote to memory of 764	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	9
PID 2116 wrote to memory of 1016	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	13
PID 2116 wrote to memory of 2956	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	50
PID 2116 wrote to memory of 684	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	51
PID 2116 wrote to memory of 3160	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	53
PID 2116 wrote to memory of 3448	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	56
PID 2116 wrote to memory of 3576	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	57
PID 2116 wrote to memory of 3772	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	58
PID 2116 wrote to memory of 3860	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	59
PID 2116 wrote to memory of 3948	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	60
PID 2116 wrote to memory of 4068	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	61
PID 2116 wrote to memory of 4108	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	62
PID 2116 wrote to memory of 3960	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	74
PID 2116 wrote to memory of 2000	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	76
PID 2116 wrote to memory of 1432	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	80
PID 2116 wrote to memory of 4788	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	85
PID 2116 wrote to memory of 4788	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	85
PID 2116 wrote to memory of 4048	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	86
PID 2116 wrote to memory of 1832	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	87
PID 2116 wrote to memory of 760	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	8
PID 2116 wrote to memory of 764	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	9
PID 2116 wrote to memory of 1016	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	13
PID 2116 wrote to memory of 2956	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	50
PID 2116 wrote to memory of 684	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	51
PID 2116 wrote to memory of 3160	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	53
PID 2116 wrote to memory of 3448	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	56
PID 2116 wrote to memory of 3576	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	57
PID 2116 wrote to memory of 3772	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	58
PID 2116 wrote to memory of 3860	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	59
PID 2116 wrote to memory of 3948	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	60
PID 2116 wrote to memory of 4068	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	61
PID 2116 wrote to memory of 4108	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	62
PID 2116 wrote to memory of 3960	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	74
PID 2116 wrote to memory of 2000	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	76
PID 2116 wrote to memory of 1432	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	80
PID 2116 wrote to memory of 4048	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	86
PID 2116 wrote to memory of 1832	2116	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe	87

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_739114d339905349c6d01a7ae168df53.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:764

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:684

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_739114d339905349c6d01a7ae168df53.exe"
  2⤵
  - UAC bypass
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_739114d339905349c6d01a7ae168df53.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_739114d339905349c6d01a7ae168df53.exe "
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4788
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:796
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE"
    3⤵
    PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3772

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2000

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1432

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5012

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4048

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\~7z.exe

Filesize
1.4MB

MD5
035f8fd87fae5f799a60b400a012ec2a

SHA1
f1eab0bf3ee3659beaf13672ebc850faf6aafb74

SHA256
4fb3791ce7159b5e81dedabcf394bb53a0881a0fc765c33834c6887e79359795

SHA512
aff97f7b1a648d5b36c52c9c6185c530714bae9f4e4031f24581f87ab735beaebe485ed234baea911a9ee04d2167a1b893747e4f7ebea9528dded2f5e0bd30d0

Download Submit
C:\RCX6F7D.tmp

Filesize
73KB

MD5
de43d6556df9536da1f9fa5d5e6e9ea3

SHA1
c54ba841e6c0ce515426af9df58207bac9256412

SHA256
7267f462fa5286295feba40dca1206e41a3149f5d9a8a3014792a198d9b9041b

SHA512
590b34f5adab333b01c1eec3820ba3e21ac0a8ec74bb96e307cfb44d5a69fd1f48c3ffe1995af2b081eb54c7702a301c3a20f7d8c580fe40b49fb47605fbb14d

Download Submit
C:\RCX789.tmp

Filesize
74KB

MD5
8b373859da71f0347bfdf8c01cd3b2bb

SHA1
890cbce7de250d72ae6a2ec7e12c87fca03420a2

SHA256
d392e4fae2d3d5ca8a085051f121a70a8ec6dd14e628ec6fc56db2f34076cc17

SHA512
6cd065760f5f45091eb64e0ec6c27254583b6855db150c2424569f87c2a429a4d940e584d627b030557e35cf6d8c7814be0ff627af18f9f8922a73d63d82a5f2

Download Submit
C:\RCX78A.tmp

Filesize
79KB

MD5
16e12f3fd6aa4b4bf3afe94f4c43229c

SHA1
0babd6d384a120af5ef64271daf714335817d6d0

SHA256
5a1d60ca8a899f61124ca012fe1ab6f8946cc4efec951e99247800ec9798fd91

SHA512
1ed24a3c894aa19595a075ddd42c0606e73d65bb3859235070c8a1e626795fbaa0f7caa9a45db787a59f380b49136ffdd6f9a5d91ac7adaa824a837148dd1ee3

Download Submit
C:\RCX801B.tmp

Filesize
83KB

MD5
19b5332707268155806ea56128b0e55c

SHA1
6428d6d4419b5492e108de43e83df362f5212cbe

SHA256
a5b050eb416b00f50236bf2168a1af60c7add35d7c7cc6e81a8fc3aea65497d3

SHA512
4e95434b9df60de11aba9aac84041c6690ca0d943232353d2e43b79edb005ea347d30c141ba42f422db2fa7b7cd185058f00580b649d13334068a082dff11e13

Download Submit
C:\RCX8043.tmp

Filesize
84KB

MD5
91597ea4829b6f5a8f54805b3eb1dcd0

SHA1
5c24345e1144685d39d01b7b704f0cb7560d46b9

SHA256
688c3e72555d4586ff0baa8243a571b0ce6d34e8caa07d5bab1d4765ca25f73c

SHA512
cab986ebb8fdb6e829ba9be2883dc0a1639e953d27686f45293af458c5293c15b666abe1fb0f683406b28f23d2caaff64fbbd2bb6c80a8871fdde71929aa0768

Download Submit
C:\RCX8069.tmp

Filesize
83KB

MD5
dd672f7754b67d993071eefd9895bd36

SHA1
789517f3aafa94d1948bf7bb661edf6b81502812

SHA256
f886eaa6efec4a1be549a8910c73fa4cee6b33764bc113e80199126eaf078c94

SHA512
d4a54d71c0fd69f15c408caa957755f5fb606847825ba3a101c3068ef00cb6975b2567ad1bc947e1d6ed15fc7ac84547e745356d82771704e89b9a69d222a1af

Download Submit
C:\RCX80B6.tmp

Filesize
84KB

MD5
96227ed4002010a50cc4dca6cf72bded

SHA1
5da1ec18d750db4b16e92772ae578ea6d73b38c1

SHA256
5730197d47e59464827edc25283fcb01adefb9a38efd9013be525f4f09412c4d

SHA512
f2055eb3979f97f4d034f80fa5fbd296c1855f4c70cabad40c77e45de4e2ac1236c2f9d33b17bd43349f91686f373e94907a0ec32463ae6c72acf6a8e99cdefc

Download Submit
C:\RCX80B7.tmp

Filesize
87KB

MD5
4efa078ce64e55a32bf5397f51a2b087

SHA1
8e7e8b691a4e583b09e14622e9621faf3e56b675

SHA256
27615f9ff2e591b0d68f5185fb9371097cbb4108b5e6c9345e13d5753321de4b

SHA512
5459149a2b91b8219f6a1c33b4638e3b29e16b573c2fad040213079ff8bad3f3f42c3c1c6ba05f4eba916677b499bb723a8b03a31b1c0e40cca0e7c6e08acd12

Download Submit
C:\RCX80B8.tmp

Filesize
85KB

MD5
897b3a0fdd186f5fdb64b5b1f6492ac8

SHA1
46eeeb40c6b89fda39bd314ffca367c73fd11e93

SHA256
417f15e7bfa79a3bc022c95b47851526c6d747e453ec6a2d891411a7a47107de

SHA512
78a3d0581cfd07e762c2b1b892ff7475a53d87a3c9f353837d28cf7881ad8f38456e2fbe914ba01b96204aa708d9a2b711397f35405b6c0bc545a39166707886

Download Submit
C:\RCX80B9.tmp

Filesize
84KB

MD5
9264443cbfb3f19f1e3c893e7ffdbad2

SHA1
a2a39ea74a7b45d93f56ad3898cd7667a1bc2603

SHA256
954c2202ac05290fc6be43bb2ec3a1aee00e073277db0bb0ce1d8bec80267e9f

SHA512
710a604d45831324c060d4191b295df4a6f016e4a34f9cb765699839194e0287bdf50f1f7bb72ffc2a39bf7b37d319f93c6508373cf11014bc43c7fa9e02b0f8

Download Submit
C:\RCX80BB.tmp

Filesize
92KB

MD5
0a953a2be1756d6cf895bf80de9fe8fd

SHA1
f2ce1131fd5e05da80a53ac404db2b1456e17c75

SHA256
0685afd63979bfba49ab754c463615b0428a7ab7b993593c680b699a882e7caa

SHA512
3f6befebc784073d9d9756701e7cd01ed19212ee107e0a97ee971618af75f2e9b3cd45b99c53327a6ad5d4f6ca3b20cb024621f5dcfa62880eb7e517c07fb703

Download Submit
C:\RCX80CB.tmp

Filesize
87KB

MD5
0b0a6c893101724b3dbda656df339ffb

SHA1
a96633e0593f0fbc5c2ed7b739ae32d6f6d7a65c

SHA256
d2380bc858e2973fffa8f71fe0694ab8abdc2dc37c06003ae986ec4abc902d17

SHA512
c09ee2a19f82258db653061beccf81c6b1c2e04a8f3b74489e372219be57ceb0ba9c50916ac78ee6ceb00fd29d30cc2906224d2495744b80a059b917788feb06

Download Submit
C:\RCXA4DF.tmp

Filesize
85KB

MD5
936516f97be086e7d0f84e36bbd9d65c

SHA1
da3dd220e35840e8241694b787231179ab27b082

SHA256
39d2f53881fd331b600915168516536a1898f08b3ed8cf1177d63867c3a29731

SHA512
0e4cae4c88e732385229ce5fa095137e5871d68cda2c4afd5fd63cbd3798864a3655928722fc8a1064d77df1181880ece0ae8e170b66d7727b60e7d513dda728

Download Submit
C:\RCXA640.tmp

Filesize
85KB

MD5
1814f3c06f98dbe10137459093ef37ea

SHA1
00487e631401e5bb4bded894410afdfd5adce620

SHA256
b0f0091838637f8b085f7954bf92b14f2cc1b3911bf565521564060b9feb0ac9

SHA512
11ed6b691e72b2eaa1629cf4934bd97fd94ff3f9059d79d52ce175bd646deefe23fa03c1d66fccf95e9d87e22abafdf1c4e52431a7932bc04764fae22120d125

Download Submit
C:\RCXA642.tmp

Filesize
134KB

MD5
1aa5a6e76f925344d04647574cda881f

SHA1
df81683a331b3ae79392a2f709ee49bb692d9adf

SHA256
5320404455dd9f84fba3be7f226b1e0af0459a8db5cf554bd41b3a4d0c3035cf

SHA512
e9608ba4e37974bd389eee6e218bbc323498bb3b1ce7e70759b1164a704a3b2ef762fd5a51460fdcea6c2306afd7ada2bd85766f919d8215163caee8000b2cb5

Download Submit
C:\RCXA653.tmp

Filesize
149KB

MD5
e14b19693f40c1e80de80a8ce21b45cd

SHA1
6a036e9969d1f9313f7753c6c79b486496ee1e3f

SHA256
1559dbd2f33ec1116159eb53baeb95b425bc6b5558441a7c6f7aa671e8cd1f85

SHA512
5f3b46932ebbb6c150c5748d6da493f8ff6de74a459172c41396e4fce6771227d1a3a431e78348cae60db9c87c00792c716c73d144a28e4db5f95fcb0aa40c74

Download Submit
C:\RCXA654.tmp

Filesize
120KB

MD5
f1a26d069ff9e7f2760b7a26b941a08b

SHA1
ba3b310d266fc81b8b50cf6ee3bd33eee48c902b

SHA256
ec456b86205ce9e6f2422f2764bf2614df1198e6ff8e0687db7be286dee1fb0e

SHA512
d5f89e414d241868a5cf69df09d01bea2b786918bcfd67b9459ec039f41bece08f9620614a8c2a80ca9fb9ecc15e553c5d5d6ade217c8b978af3d5144a41732c

Download Submit
C:\RCXA655.tmp

Filesize
99KB

MD5
2e7b0dbdc5ca7385b21636d2db4b6da0

SHA1
7b0a3b41898917c7de6b29c592cd056d1f1debce

SHA256
e1ea16b309edae62bc41e86a8b2f2bbec0defa34b8fb61004510596185c22d80

SHA512
ba7e064652af1dcdb5f9863cf966728417a39540a311336b8ef489aecb9b96cca104a8887e227c17b5b28f9e862eefa5bf965ff32272c7e187b3672bf2fac881

Download Submit
C:\RCXA747.tmp

Filesize
83KB

MD5
23261d8922670430b25c354f21fb2f3e

SHA1
aa86b3742adedccd31905c6dc0624b470f7bbba8

SHA256
0eb26af57bd56f5fa4a82bc6dba9377e449d2fdd4ad4770a1d8699418316ee0a

SHA512
a57c92e37134d2a1b5a412b3df36c1fc5e79efe33d99bac30dcaa93e822d409200e7d92137131d28703e0db09d5610275091ef59054761fc92e0cd7b2ef93215

Download Submit
C:\RCXA77E.tmp

Filesize
83KB

MD5
551d22380c36bedbf39174873a64f274

SHA1
4be6a810d61d88573fa7aa6832f02d1c2a7b0b82

SHA256
67aa095c086957d5efeddf58123be6f1bc70e6cd454ba425ce2710fe06f5cd4c

SHA512
9f752c3d7b312935569373ca35ee74c89ed3a3729aa5d9856367de3818e436551d5776cc1e6dff774b63cab3e76ed7e36fc3e0e226c0707bc4826b9ee686ea89

Download Submit
C:\RCXA780.tmp

Filesize
83KB

MD5
8672621cea9bc3eeedf821d561235929

SHA1
fa95c62436b3b2f2ae00fc09a6b0221297199aec

SHA256
abf35a42f20b39e48c1b4fff6c86f1ee0b49dc07efdcc681a6274e1916c56e85

SHA512
af5b2a44d6f8eddbb224b94f2686940887b65f94081e20522ea825cdc0516ab99a6e20a902980aaa0a6e36b49f70bc2a7556bd4ed905aa1f8c3b28b0b04a8bd2

Download Submit
C:\RCXA795.tmp

Filesize
83KB

MD5
8b15598b75365f7cbe4386c5be127216

SHA1
acfaba27e919e391ceae9ce53fefd5ec6bf3e8bf

SHA256
418e1e07adc61e67cef327883bb473300eb08cb410ad16eb0073d8aaf6072725

SHA512
411428996eb1d76f310ef3c7eb9aceca25a0ffe6263f874d38d9dc2936d6726ce8f1f9917f63e85d17ac26dfdc1c0e5993e4413e1d747c8ebc58d3b7cca4bba1

Download Submit
C:\RCXA7AD.tmp

Filesize
75KB

MD5
d8b1e6473fa7a74978cfe3c885a69445

SHA1
e6eafd5b38994ff6f4db1a39dca461cb19cbc0c4

SHA256
ab3856e23fed6f4a78d506a9891db3b0ffd2ff87c5077162e99ece194c387750

SHA512
ef2e01285f3ba15b673dce416d638465fa0240dbe7f852b4d31aa3e113d9977f258cff8155fd41505c7061c0b7afca71a059515b32d555823df3bab15b043dc5

Download Submit
C:\RCXA7AE.tmp

Filesize
79KB

MD5
904c0c4e086b53444366154962e8da93

SHA1
9c7a0e973223473f617c3c432fd1f65d802a2faa

SHA256
525cc3855de65c7c3e51a193563661d52aad820c9b2ed763c1db1da0c788f6bd

SHA512
93d9da5eb18b0ab85a81341a0041efa5eb94e096476880cdc3aa300fd36fb9b6ab6441a5951b89bee7446139d42604fbe7bf396c290ddba40c4b4a7848b78f17

Download Submit
C:\RCXA7AF.tmp

Filesize
81KB

MD5
804ffbef6e6cd3f9419ddd1a13fe8ca1

SHA1
acf3ffc0d0ab47e4e9016716f57bacb51bc54d46

SHA256
adbb24cac1cbc54dae9c1c1fa09866da7356e9b9636247ab90305b6392998ef3

SHA512
9d8dcbfc59b95c4bd03a2c64738e50f0d13005d092025bdf0e55e619cf63ea7419855f795976740cab9d448b22cd6d38aad8b23066b4cc2d3d77ec5ac68e2b65

Download Submit
C:\RCXA7CF.tmp

Filesize
82KB

MD5
d9da7f380532965cba6b389e159d3bfe

SHA1
74d3503284eefb3302d653db9e34612adc8d66e8

SHA256
c2c69747f2d6a234d26de6f48c5ad1420bf473b05e67ea4e0dab781f9663ca7e

SHA512
badab6f40002f5798dbcc6d48ae4e60bee012da957f7822d033a56065cdfd39ebe80d533dd85fc2c4a5563d4b463ca732277b8fb695ca9e14b30faf44e426fed

Download Submit
C:\RCXA7D0.tmp

Filesize
85KB

MD5
65a942ed57e81a85bde5adbcf9e0de19

SHA1
2735c495a2563ced42f12a5b3f4b705479635f26

SHA256
c536e193b171ec9bf21d965b5c0ba2ad9b1eaf3cb4811b8e6f9a150ef53ce4bf

SHA512
8e45baa908b7c7a459b975c17cfc2044b68d372aa0140c0d6a2d1173a0a828c55588661a7a3da5ab3818978a8cc65d48c79c8b6141a0eaa0cf6735550bad8f83

Download Submit
C:\RCXA7D1.tmp

Filesize
84KB

MD5
4ca4b2a05ff965aec55c5aa1fa517244

SHA1
aa0809c8ebe968b745ce9a744b071b5e3d3ae130

SHA256
2bba429ea8019286b881a77e026c64183c6e59d0f10cb1a3b90b077e0d58ecde

SHA512
a982cf3d963d0f78fc36838e35543f85500dd7b9f8a26d3ca1f3a2571c82f1c26fcc31f64c3ece44b30d54cce2e1e54a8eb8af2dcae4908ad7b536136fe0a5ae

Download Submit
C:\RCXA854.tmp

Filesize
84KB

MD5
f29034772a0358e447239a385a97ea4a

SHA1
cafc7f8e6cd4b64dc650804a41cc99f00a544ba1

SHA256
91d3d445a7a4517843fbf288e9d8445a5b9edeeb82b15e3ff2c91ef5a60a5c36

SHA512
0ebef7b7d70923782b032b8aebbc729bbdab030bd9345a3da4bb0433976eb11f1bdf617ac07b30dd42aabaf6e873ad251ab06486c2120ddff51f4705cab6177a

Download Submit
C:\RCXA868.tmp

Filesize
83KB

MD5
dbfeeab2b8588043bd8ce81899aea9e3

SHA1
2b896a2adf6cc87a3b430783793320ad07576648

SHA256
e2e98e158e33b0751529d21b50f862544ebc1503bd59ccd5b30552418df7ddb4

SHA512
9a033e5f42658d743567a1391ec9ce860523035b2dc3f1db10f941a3e248a7bb390f1b65680a6c56633728f2b60ba8f32448581234e8bd9b477453445b90ea98

Download Submit
C:\RCXA917.tmp

Filesize
85KB

MD5
d93a1bac8e1768ca28a1464a682497d1

SHA1
220401d0d8cdaaf460ec9f92b99e825ff45b84fc

SHA256
fc9b6c53f9accd7b11bb6ca27e97f22376498e3fdf584d8bcfdd8c852859f2b3

SHA512
57747dcfd7fd085f5627a6e2cc96d4a8183c4159acb0085f60d8ceeb0076a6eab57bed2a26da8fb8b66515a6f0da74bf9447d0dc875bc0a2436379e622d6def3

Download Submit
C:\RCXAA60.tmp

Filesize
83KB

MD5
14b5cfe991866463e47e303d19cefc5c

SHA1
385cfd46746047a848a084cac2c8b7b87710c91d

SHA256
603d6b722a85240a535231dc2b29ffdfe371fc4e31c3edb1b81017f474f9abbb

SHA512
6b0b4671d5a3baca493e5282ce0c7dcccdbd7af63d016608970b847055131366d51513efe10be9713ae4a873f8bde75938bb166408f57ed325bbd0f717604e40

Download Submit
C:\RCXAB4B.tmp

Filesize
134KB

MD5
d24cf33ce95c916afa8c09d21bbd37cf

SHA1
b96317d954aca8db6b4ca3a9b8f9b3646879aa55

SHA256
448fe32d4a2849431b617d24c0dcd9d488c3b34a0e73ecf5b1ede9d19951a995

SHA512
cbe50d399afd75e7c97527055df82ef66bef6aa61b3e7879066ffe6a9eee7def517e2f1f9c1c7cac5570e0ff8142b25f541f623e4e543b8762fa3b0b28fc96fe

Download Submit
C:\RCXABA6.tmp

Filesize
121KB

MD5
d82865f6f127f3b8ca8b56947b16ec2e

SHA1
dea380ebec457ef2fa54af1d9bfcc55dde254ade

SHA256
b40ba493c30c6d2354512d6b384c3f2fb9d87e498ec5a0641d67e1570254d01f

SHA512
e13327ffe3e056116188c7d37a1743720db48fb8bf3a10924969b509a4f8938afa531ad0d61d8024d03538ca9094edafb3bc94d4ea9250ab3a65cf65f281bb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E579EB1_Rar\Au_.exe

Filesize
111KB

MD5
859602c0ddabeaeb8c15d92feddef16a

SHA1
6ed62e4a6eb46ed24f3b05c7a1acce06de5ac906

SHA256
9c02a8bcc2b99e31a951eb5efd9068ed06d54ead46c317469cb6e8c2045ef0d4

SHA512
186c81a7de2d3b0501aaf0daadc6af5e3f953760077b13965edf4afbf2679a6ca62a7eb8f6ecc0a68a3ac1213e79819ee7e26bd677b5515e7cd38dea3b5d17d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_739114d339905349c6d01a7ae168df53.exe

Filesize
187KB

MD5
bb4a7e8c53b2def54ed27fd75857ca56

SHA1
ecca241da636c16ec3e89807bc1d049ca0939476

SHA256
fae4f2c24ce613debe937f4ac92096d62bff06b0435244bda95b290403205e97

SHA512
4c7de3f943154c462c8014b09807a0f26f1e1cdb35f6321d1d3aebb4c0fd4a799ae62a3b152aa88fd25b7c6316c9d864beec2b1950191f19a7a5ac0d259eb98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9EC2.tmp\InstallOptions.dll

Filesize
14KB

MD5
d7b3f05ff44116b9080b5e69b2e86efd

SHA1
2535ecfa122041edb901ac667944e0f6814c4cd0

SHA256
40d66e085409445202dce1b5419449cc302d91be17614b521e3ccce473205db7

SHA512
414c6b410b35a8bb5a2c9fdd46dad63704484e1535155219b29a5bb886ded73f4b7ca3bafa726ce751e1c711a764938c9256106a90098263d6ff88bc017ec140

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9EC2.tmp\LangDLL.dll

Filesize
5KB

MD5
ddcf920168ecc52e70fd330ed8f28662

SHA1
9f38b8184d475d3a21dcc6c28c63e53d26a897d0

SHA256
60d2c0915c99aa83fc758a044511bfed3829ac81ace682a06ea21853acb78160

SHA512
69c92809f09aba03006b0b19908c394f473e67c6cc4aef56ab8656de3a5dee93a8ca0c5af220e9fbe18b5e3002830a2ef5f80fa1fb1a230abdb768efec357c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9EC2.tmp\System.dll

Filesize
10KB

MD5
4fbb4a2cd711fc1fe84f3dc30c491dc9

SHA1
888e01ae6e64e7326f88df9a30587f699eab154a

SHA256
c3b05f4faf5e8903d5b4cb4a8ce4bbf2e8144725b98d8787d51c117b6efa9bc2

SHA512
92dcf99672a5935065df6492e27abb653679f1db6dcddfde87cd14260c94a870327826b23cc2f338381b3eb53d07c1a3867806f6ff94533db5195b895a856847

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9EC2.tmp\ioSpecial.ini

Filesize
567B

MD5
f046a77b67208cf5c54a02f8a4e5ec18

SHA1
1ceb3aff2ddec54d5804dfe0337d78a8d2b33989

SHA256
09fefe47201a0501328f661f74b5704b3d927b5d28ede2a53abcf515ba205d41

SHA512
fa0984fa8e85ee05ac8397b1f043bd2a19d45f76edc9119e0fe13e261ec0355c3f93ae95e9dac5d7e19a285293aba70c86a76f3b963ea8d3cb9373813e7a2a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9EC2.tmp\ioSpecial.ini

Filesize
566B

MD5
99945b27bbd0a25cc47ef54a56f630a0

SHA1
598cdb60ace38b62a71002f3ec571da8dcbf6035

SHA256
5bf007790eb6e930d00abb65e6c45831c2a391456158888f52649cd6becda2cb

SHA512
8a7bdfd4f474328fdda2df1de9cf78f7563420daba727b730f1609cd49cdfa8e83fb4d6b9be46bdd27d36a97e8e2367fe8050c89c4c46227f28a6b7adc12cb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9EC2.tmp\ioSpecial.ini

Filesize
601B

MD5
5036984308bff0f98eaa3d8792c00ce8

SHA1
28f0fd06ca275791a91653cecaf0aa62c71a210c

SHA256
1c5bc44855e35fed828d0bee623ff269e088c2e63a91891f380d5fadca5dd7fd

SHA512
ba6c0b808b4a61b40d965c7cfa177f99da7470c5ab91a5f5f6210110af9c9fcf08168c35b761508ce4cd5917df089217b810d644bb781f4cfd52d13a86dcfab0

Download Submit
C:\Windows\SYSTEM.INI

Filesize
258B

MD5
af40923e0e416b2ae65bd4a31cfd787e

SHA1
8f5695e56cf6884ab40c6cb5298e3383fe622ce9

SHA256
e45efba6d31cf0a5dfc95479be4cb38e0db96260943b07940070f1d24f592a28

SHA512
ecc0925a605085a789bdb339d38d1277ff1b455b59c5cd2ddc7e095e73bf76ab3ba665fea09c63c6c7f6930781d3236691189d20b4d9d2a77fbc0fe7465197e1

Download Submit
memory/2116-128-0x0000000002770000-0x00000000037A0000-memory.dmp

Filesize
16.2MB

Download
memory/2116-289-0x0000000002770000-0x00000000037A0000-memory.dmp

Filesize
16.2MB

Download
memory/2116-126-0x0000000002320000-0x0000000002322000-memory.dmp

Filesize
8KB

Download
memory/2116-283-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2116-148-0x0000000002770000-0x00000000037A0000-memory.dmp

Filesize
16.2MB

Download
memory/2116-144-0x0000000002770000-0x00000000037A0000-memory.dmp

Filesize
16.2MB

Download
memory/2116-142-0x0000000002770000-0x00000000037A0000-memory.dmp

Filesize
16.2MB

Download
memory/2116-17-0x0000000002320000-0x0000000002322000-memory.dmp

Filesize
8KB

Download
memory/2116-139-0x0000000002770000-0x00000000037A0000-memory.dmp

Filesize
16.2MB

Download
memory/2116-19-0x0000000002320000-0x0000000002322000-memory.dmp

Filesize
8KB

Download
memory/2116-13-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2116-132-0x0000000002770000-0x00000000037A0000-memory.dmp

Filesize
16.2MB

Download
memory/2116-127-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2116-12-0x0000000002320000-0x0000000002322000-memory.dmp

Filesize
8KB

Download
memory/2116-295-0x0000000002770000-0x00000000037A0000-memory.dmp

Filesize
16.2MB

Download
memory/2620-18-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2620-7-0x00000000023D0000-0x0000000003400000-memory.dmp

Filesize
16.2MB

Download
memory/2620-40-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2620-10-0x00000000023D0000-0x0000000003400000-memory.dmp

Filesize
16.2MB

Download
memory/2620-5-0x00000000023D0000-0x0000000003400000-memory.dmp

Filesize
16.2MB

Download
memory/2620-4-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2620-15-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2620-30-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2620-20-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/4788-338-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4788-138-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/4788-141-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/4788-140-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4788-39-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4788-334-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download