Malware Analysis Report

2024-11-30 02:46

Sample ID 240407-vprhbshe5v
Target e57024a5cb2053db8f31d62380714bc4_JaffaCakes118
SHA256 c3c180c20d40cbdb9402ac0616719ccdac01268776058e16883d5acd0784ad64
Tags: spyware stealer upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: c3c180c20d40cbdb9402ac0616719ccdac01268776058e16883d5acd0784ad64

Threat Level: Shows suspicious behavior

The file e57024a5cb2053db8f31d62380714bc4_JaffaCakes118 was found to show suspicious behavior: it drops and runs helper binaries from the user's Temp directory, gathers system information through batch scripts, runs a scripted ftp.exe session to 62.166.34.66:21 and deletes itself.

Malicious Activity Summary

spyware stealer upx

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Runs ping.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:10

Reported

2024-04-07 17:12

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\cpucool9.exe N/A 3
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 38

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (24 identical rows)

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\sysinfo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\sysinfo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 1712 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cpucool9.exe 7
PID 1712 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2652 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HideRun.exe 4
PID 2900 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\HideRun.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2736 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 4
PID 2736 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 4
PID 2736 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gsar.exe 4
PID 2736 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sysinfo.exe 4
PID 2736 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2736 wrote to memory of 772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe 4
PID 2736 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gsar.exe 4
PID 2736 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2736 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe 4
PID 2736 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2736 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe 4
PID 2736 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gsar.exe 1

Each row is one WriteProcessMemory call. The repeated rows for a parent/child pair are the writes a parent performs into a child it is creating (process parameters and environment), so this table records the process tree rather than injection into an already running process; every target reappears with its own command line under Processes. The table stops after 64 rows, which is why the later launches of sed.exe, ftp.exe and attrib.exe appear only in the Processes list.
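The repeated rows above are easier to read as a process tree. The Python below is an added example, not part of the sandbox report or the sample, that parses rows in exactly this table's four-column layout, collapses the duplicates into a per-pair write count, and renders the tree. The input is a constructed subset of the table's rows, so the counts are smaller than in the full table.

```python
import re
from collections import OrderedDict

# Constructed sample input: a subset of the rows from the report's
# "Suspicious use of WriteProcessMemory" table, in the same four-column layout
# (Description, Indicator, Process, Target). The sandbox emits one row per
# WriteProcessMemory call, so a single process launch produces several
# identical rows.
SAMPLE_ROWS = r"""
PID 1712 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cpucool9.exe
PID 1712 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cpucool9.exe
PID 1712 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cpucool9.exe
PID 1712 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HideRun.exe
PID 2652 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HideRun.exe
PID 2900 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\HideRun.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\HideRun.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2736 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2736 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gsar.exe
PID 2736 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sysinfo.exe
"""

# Paths in this report contain no spaces, so a whitespace split is enough.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Parse table rows into (parent_pid, child_pid, parent_image, child_image) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unrecognised row: %s" % line)
        ppid, cpid, pimg, cimg = m.groups()
        events.append((int(ppid), int(cpid), pimg, cimg))
    return events


def build_tree(events):
    """Collapse repeated rows and return (children, images, write_counts).

    children:     parent pid -> child pids in first-seen order
    images:       pid -> image path
    write_counts: (parent pid, child pid) -> number of rows observed
    """
    children = OrderedDict()
    images = {}
    write_counts = {}
    for ppid, cpid, pimg, cimg in events:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        kids = children.setdefault(ppid, [])
        if cpid not in kids:
            kids.append(cpid)
        write_counts[(ppid, cpid)] = write_counts.get((ppid, cpid), 0) + 1
    return children, images, write_counts


def roots(children):
    """PIDs that write to others but are never written to: the tree's root(s)."""
    all_children = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in all_children]


def render_tree(children, images, write_counts, pid=None, depth=0):
    """Return the tree as a list of indented lines, one process per line, each
    child annotated with the number of WriteProcessMemory rows its creation produced."""
    lines = []
    for p in (roots(children) if pid is None else [pid]):
        name = images[p].rsplit("\\", 1)[-1]
        parent = next((pp for pp, kids in children.items() if p in kids), None)
        suffix = "" if parent is None else " rows=%d" % write_counts[(parent, p)]
        lines.append("%s%s [%d]%s" % ("  " * depth, name, p, suffix))
        for c in children.get(p, []):
            lines.extend(render_tree(children, images, write_counts, c, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(*build_tree(parse_rows(SAMPLE_ROWS)))))
```

Run it and the output is the chain main exe, cpucool9.exe and cmd.exe (startit.bat), HideRun.exe, cmd.exe (start.bat), then the ping, gsar and sysinfo children of the second cmd.exe; the rows= figure is the per-launch write count that the table repeats verbatim.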

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\cpucool9.exe

"C:\Users\Admin\AppData\Local\Temp\cpucool9.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\startit.bat"

C:\Users\Admin\AppData\Local\Temp\HideRun.exe

C:\Users\Admin\AppData\Local\Temp\hiderun.exe "C:\Users\Admin\AppData\Local\Temp\start.bat"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\start.bat""

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\gsar.exe

C:\Users\Admin\AppData\Local\Temp\gsar -s:x3a -r:x0d:x0a C:\Users\Admin\AppData\Local\Temp\tempa.txt -o

C:\Users\Admin\AppData\Local\Temp\sysinfo.exe

sysinfo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sysinf.txt "

C:\Windows\SysWOW64\find.exe

find "FIXED"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s:x3a -r:x0d:x0a -o sysinf2.txt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sysinf2.txt "

C:\Windows\SysWOW64\find.exe

find "Drive"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type current.txt "

C:\Windows\SysWOW64\find.exe

find "Drive"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"Drive " -r"" -o current.txt

C:\Users\Admin\AppData\Local\Temp\sed.exe

sed 1d sysinf3.txt

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type site.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sate.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"C":x3a -r"999999999C":x3a -o site2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"C":x3a -r"999999999C":x3a -o sate2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"999999999" -r:x0d:x0a -o site2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"999999999" -r:x0d:x0a -o sate2.txt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type site2.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sate2.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type current.txt "

C:\Windows\SysWOW64\find.exe

find "Drive"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"Drive " -r"" -o current.txt

C:\Users\Admin\AppData\Local\Temp\sed.exe

sed 1d sysinf3.txt

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type site.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sate.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"F":x3a -r"999999999F":x3a -o site2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"F":x3a -r"999999999F":x3a -o sate2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"999999999" -r:x0d:x0a -o site2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"999999999" -r:x0d:x0a -o sate2.txt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type site2.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sate2.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type current.txt "

C:\Windows\SysWOW64\find.exe

find "Drive"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type maps.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type meps.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sysinf.txt "

C:\Windows\SysWOW64\find.exe

find "Mac Address"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s" " -r"" -o mac.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s:x3a -r"" -o mac.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"MacAddress" -r"" -o mac.txt

C:\Windows\SysWOW64\ftp.exe

ftp -s:todo.txt -n

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\ftp.exe

ftp -s:todo.txt -n

C:\Windows\SysWOW64\attrib.exe

attrib -h *.*

Network

Country Destination Domain Proto
NL 62.166.34.66:21 - tcp
NL 62.166.34.66:21 - tcp

Two TCP connections to port 21 (FTP) on 62.166.34.66, a literal IP with no domain recorded, one for each of the two "ftp -s:todo.txt -n" launches in the process list above. The command line names no host, so the open command and any login are inside todo.txt, which the report does not capture.
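The Processes list and the Network table together show the whole chain: cmd.exe running batch files from Temp, "ping 127.0.0.1" as a delay between stages, dropped text tools (gsar.exe, sed.exe, sysinfo.exe) executed from Temp, two scripted, unattended FTP sessions ("ftp -s:todo.txt -n") to 62.166.34.66:21, and "attrib -h" at the end. The Python below is an added example, not part of the sandbox report or the sample, of turning those observations into detection rules over process-creation events and scoring the chain as a whole. The events are constructed from the report's image paths and command lines; the PIDs 4001 and 4002 for ftp.exe and attrib.exe are placeholders because the report does not record them, and the rule names and verdict logic are this example's own.

```python
import re
from collections import Counter

# Constructed process-creation events modelled on the behavioral1 process list.
# Image paths and command lines are copied from the report and the parent links
# follow its WriteProcessMemory table. PIDs 4001 and 4002 are placeholders: the
# report does not record the PIDs of ftp.exe and attrib.exe.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\SysWOW64"
MAIN = TEMP + r"\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe"

def _ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

SAMPLE_EVENTS = [
    _ev(1712, None, MAIN, '"%s"' % MAIN),
    _ev(2372, 1712, TEMP + r"\cpucool9.exe", '"%s\\cpucool9.exe"' % TEMP),
    _ev(2652, 1712, SYS + r"\cmd.exe", 'cmd /c "%s\\startit.bat"' % TEMP),
    _ev(2900, 2652, TEMP + r"\HideRun.exe", '%s\\hiderun.exe "%s\\start.bat"' % (TEMP, TEMP)),
    _ev(2736, 2900, SYS + r"\cmd.exe", 'cmd /c ""%s\\start.bat""' % TEMP),
    _ev(3000, 2736, SYS + r"\PING.EXE", "ping 127.0.0.1"),
    _ev(2432, 2736, TEMP + r"\gsar.exe", "%s\\gsar -s:x3a -r:x0d:x0a %s\\tempa.txt -o" % (TEMP, TEMP)),
    _ev(2980, 2736, TEMP + r"\sysinfo.exe", "sysinfo"),
    _ev(4001, 2736, SYS + r"\ftp.exe", "ftp -s:todo.txt -n"),  # placeholder PID
    _ev(4002, 2736, SYS + r"\attrib.exe", "attrib -h *.*"),    # placeholder PID
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Each rule receives the event and its parent event (or None) and returns a tag or None.

def rule_exec_from_temp(ev, parent):
    # Every dropped tool in the report (cpucool9, HideRun, gsar, sysinfo, sed) runs from %TEMP%.
    return "exec-from-temp" if re.search(r"(?i)\\AppData\\Local\\Temp\\", ev["image"]) else None

def rule_batch_from_temp(ev, parent):
    # cmd.exe interpreting a .bat that lives in %TEMP% (startit.bat, start.bat).
    if basename(ev["image"]) != "cmd.exe":
        return None
    return "batch-from-temp" if re.search(r'(?i)\\AppData\\Local\\Temp\\[^"\s]+\.bat', ev["cmdline"]) else None

def rule_scripted_ftp(ev, parent):
    # ftp.exe fed a script file (-s:) runs unattended; with -n the login comes from
    # the script as well. In this report it is the transfer to 62.166.34.66:21.
    if basename(ev["image"]) != "ftp.exe":
        return None
    return "scripted-ftp" if re.search(r"(?i)(^|\s)-s:\S+", ev["cmdline"]) else None

def rule_ping_delay(ev, parent):
    # "ping 127.0.0.1" spawned by cmd.exe is the batch-file idiom for sleep; noise on
    # its own, but in a chain like this one it marks the pauses between stages.
    if basename(ev["image"]) != "ping.exe" or parent is None or basename(parent["image"]) != "cmd.exe":
        return None
    return "ping-delay" if re.search(r"\b(127\.0\.0\.1|localhost)\b", ev["cmdline"]) else None

def rule_attrib_hidden(ev, parent):
    # attrib toggling the hidden attribute (the report shows "attrib -h *.*").
    if basename(ev["image"]) != "attrib.exe":
        return None
    return "attrib-hidden-flag" if re.search(r"(?i)(^|\s)[-+]h\b", ev["cmdline"]) else None

RULES = [rule_exec_from_temp, rule_batch_from_temp, rule_scripted_ftp, rule_ping_delay, rule_attrib_hidden]

def evaluate(events):
    """Return {pid: [tags]} for every event that triggers at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        tags = [t for t in (rule(ev, by_pid.get(ev["ppid"])) for rule in RULES) if t]
        if tags:
            hits[ev["pid"]] = tags
    return hits

def ancestry(by_pid, pid):
    """pid followed by its parents, stopping at a process outside the event set."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain

def score_tree(events):
    """Aggregate hits over each top-level process's whole descendant tree, so the
    verdict is made on the chain rather than on one harmless-looking child."""
    by_pid = {e["pid"]: e for e in events}
    hits = evaluate(events)
    scores = {}
    for root in [e["pid"] for e in events if e["ppid"] not in by_pid]:
        tally = Counter()
        for pid, tags in hits.items():
            if root in ancestry(by_pid, pid):
                tally.update(tags)
        scores[root] = tally
    return scores

def verdict(tally):
    """Tools run from Temp plus a scripted ftp session is the pairing this report
    shows; the remaining tags only add confidence."""
    if tally.get("scripted-ftp") and tally.get("exec-from-temp"):
        return "suspicious"
    return "inconclusive" if sum(tally.values()) else "clean"

if __name__ == "__main__":
    for root, tally in score_tree(SAMPLE_EVENTS).items():
        print(root, verdict(tally), dict(tally))
```

The design point is the aggregation: individually, ping to loopback, attrib, and even a scripted ftp.exe all occur in legitimate administration, so each rule emits a tag rather than an alert and the verdict is taken on the tally for the whole tree rooted at the first process. On real telemetry the same functions apply to Sysmon event 1 or EDR process-start records once they are mapped to the pid/ppid/image/cmdline fields used here.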

Files

memory/1712-2-0x0000000000400000-0x00000000005EB000-memory.dmp

\Users\Admin\AppData\Local\Temp\cpucool9.exe

MD5 c16fdb3f1c066d64fd5b04feabcf0565
SHA1 28099f6524a2160347459f4c2868aeb954056754
SHA256 c2250d8aba676419af654a20be5b28c16c65a7bb610b518079bdbbfc154ee20b
SHA512 98b056328588d258c5561a8806928f4545debc27b01b8c6c875c1ac9c527aaf17b5ce83481527da4804a2bb675dffc33878cb45b29bf69b6e9969328f5274935

C:\Users\Admin\AppData\Local\Temp\startit.bat

MD5 d9769f8b383d44982904a1a3f66bdc3d
SHA1 bdc960644dad62f7b976dc6e2e9c1a2645404eaa
SHA256 4fbaab072d56e5e1c26c4b6ddaf28f3f44c82ca5d3e3bb1d5bad2449b989f5d4
SHA512 43b5dd9fe84deede1b23094b9cf35bee17309fcb3b8669c717cadd50c11f03ace0f8593a9195cb030d8d81816dc7ea68a0e9932dc0f94f4b0df0b018b5ac0299

memory/1712-34-0x0000000000400000-0x00000000005EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HideRun.exe

MD5 2c97fdad8806303dab753addc2cf00cb
SHA1 b5e2b4b5ef84781525b89074f27d185266846115
SHA256 f22803b8c72f6406ed10dab5b0ad5a21ba82d340b6ac2e1e0f33824016e8edf5
SHA512 cf4539dcfdd17fc4dfaa725b532cd3cd0148305d70c24afad82de0df34b231bd760a424459f01fea85c16a08220f7248c9b2eabd2ba60377719438548df5da4c

memory/2652-41-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2652-38-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2900-42-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\start.bat

MD5 684a9d1a49c650dd53a4a85380f0461f
SHA1 1eb88b03839aa332baee308fc932a90eae907b9f
SHA256 68f155e8524400527352ceb19749ab7e2b5d9c2f32700bcb803ef206e98290b1
SHA512 95f48bbcd3e6e3ca41d28762190fc0f2d539fd038a2fe80b72b47906d3163f40ba3fd7a88057035e332945b12a7fc05035583d98bbd18d4751cae13208db2619

memory/2900-45-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2900-43-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gsar.exe

MD5 5f874eb116bcd1d1e4731f021a53bebb
SHA1 a580bc4108a087fd3370e50cea413deb637f1313
SHA256 c00be5bc6e4730693b476df4644b1e7b6f6896194f62c549e4012950fb191584
SHA512 a6d6d7cc387b1eb1b966d0db43cb691c9cbea0836f76c2eb57c3d07ddc0e28dff53991a16163f44c8aa95a7f5c325c27875bc082fe9943d7a8687e4d99613fb2

memory/2736-51-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2736-52-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2432-53-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tempa.txt

MD5 f0d77ff34694f66fa41eab0f98efa362
SHA1 2ecc80e3560b66e79b6653b0652a9f05bee30d9b
SHA256 99bf1d0e1aff0d01d67b974154d05f07b2829c9ccd625105d6678301947d3c3d
SHA512 7e6f22fcb88f86e0c99bee650d6ab600540ddeca3301ac7c6594246a3a495edaedc7f850013f69d818f521dcf9d733ea97aaec1549be11b1abe3ee6719ec6dea

memory/2432-57-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tempa.txt

MD5 76711914cbc0b5fc2da8e55412ae4cb1
SHA1 94b1523fd794225eefb2ee8897832e90e6d9dff1
SHA256 af4322a2d9072634ebaf7d0dcd1acfdd26ceba31c6c27bcca701cd75ddeba134
SHA512 020de938b595b47fe0db436b18db37171fb18e7615c9f02ff70754f966128b777f5f50f6151ea0db7120a04ff1b2f06d2daef9781264e1cbf632cced72e0f160

\Users\Admin\AppData\Local\Temp\sysinfo.exe

MD5 c8c81fb000d5970432c6f8f06c339b3f
SHA1 3f1a864740c4f6f0f72df4c39a6ae85aa8cdddd1
SHA256 7dee20c0ae8bc6871b76a538301a4adafda679896d5efc01fc7bacc26113844e
SHA512 2707c35836d945c5d30e6e704bdbaf51c79fa905e13ad38cd47dd4e43589f0ecaa8705df8902580088bb123d5441ce05cb0a2f77a8e354b1ed8272f206187cd2

memory/2736-61-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2736-64-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2980-65-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinf.txt

MD5 9c7a81fae4f6c7a1a3b21d60a7d020cb
SHA1 a66ad0b6c43668d37c54622ec1c9f83fc336d38a
SHA256 c88b7e4c739314ebc6bbd809edb6bf11f05f5dc7c593c8bd892e1387e28b9a7b
SHA512 4ab8addca57695386d2570f24875e426d25d05b1cc3c7737a8a9e985f4b6067c0669f6b710d088c00ee4d5ba4cb7dbac8c2f973c40882450078ccbcd53d24bde

C:\Users\Admin\AppData\Local\Temp\sysinf2.txt

MD5 5652f05e14211947348db973bc00f1c3
SHA1 4eace00daddae6638ddb3d4a2a4bbcd2ee761067
SHA256 aa67455f4c5a45ee995e893234e8280e885d0aa0812a7c0a7baf0a687817b6ea
SHA512 2efb6dac2efd66091af7f395ad78ebd027e4526a5403f8be81ed86e4e142949ba2de7433ed2b49e4f8807e9c3f525435cc9b3a07338ab9c97d0bdb49e05e13fd

memory/2736-69-0x0000000000170000-0x000000000017B000-memory.dmp

memory/1648-76-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2736-77-0x0000000000170000-0x000000000017B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinf2.txt

MD5 054ddbc3ec84d6c0e162ff8bbaa521c1
SHA1 2636f33b87d62204e6e0056c1dbe1774c028940a
SHA256 0d8c657b144c3f0fcdc0b00e2e871b475e779ac673a89b489d3af5e53007e2b8
SHA512 7fb5c969497d2ae92950e0ef6567c7964418494f16c2411f13fdb89d511c8d0a3d36aa4407489caa988b60ff255fbf5909841762b2f71bf3503e2348772bad51

C:\Users\Admin\AppData\Local\Temp\current.txt

MD5 60f72d39bce80a6690156455b4f7417d
SHA1 c9364748b41c2f492c554a1dc6d1564ff4d41789
SHA256 9ffb302a3407e11703df247885639ebf9ffc723b89c1ce0e5c03d0b1ba80a268
SHA512 bb40ab7f590b5bcba2c12d4fcd7d2368dd205c104fc125a38ffa3875edd0eb99a8f11910f19cfed3a0ce01e848d8be748012f8971b073388e0d4a8b5aa4d4733

memory/2736-85-0x0000000000170000-0x000000000017B000-memory.dmp

memory/1620-88-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2736-89-0x0000000000170000-0x000000000017B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\current.txt

MD5 c1dd9039da472b93f1293e09878a9500
SHA1 cf26dacd601b93590985524a34dbf2652761d415
SHA256 f75932f229e0053bba95001b349211efe87dee071dbe2098a87550f9278a4c03
SHA512 6a72952aa39ac6f140a96e4f763e3f00dc221e11e38bb4b16ef227a22e72f5ec23041434045c4dde4f3d89a69f065f231227ecb71b7f58850bdadc8e2b049ad5

C:\Users\Admin\AppData\Local\Temp\sed.exe

MD5 3a34d017aa4e5c11f2a329ab04da17f4
SHA1 c9b6d3da1c296d6827345367f866fcdf2154bb95
SHA256 21a9d5eee6ca1b6d3aa1fc64b3b53d0846edf8a698ad7924d1321857f708001f
SHA512 1c9a2639bbb334a4cc9085d81f85fe580ea165784fb6add5b3397502afe42f48308b5c80f2ad32a1e1a17d5fd252e284112537e2cd1bb624ad75fec6c7427f9f

C:\Users\Admin\AppData\Local\Temp\sysinf3.txt

MD5 d103cc5b3cc7382d62ecb37ed826797b
SHA1 88d9aee06035d5b2b693fc2afdf96b12fc8c338f
SHA256 700c83e37f732e25140c95ff7f7b35cfc836c0d5c7b4468b52077ea30570d1b8
SHA512 bf6319ffeaf84fcc5f4b2b1903564c4a4b60ec37a83f988a89d41f917d84d88aed42e8eccdc94e9d2cdd9e55627f0038938e1a83b452704d4c908850bc371ca9

memory/2164-97-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sysinf3.txt

MD5 46ff5b704fe4e17fc9b9094f48c6e4d9
SHA1 66628f5f2cecdcae0c887eb8c1a32d5e0f18e725
SHA256 cdb76368120f7bbb9555f87e0edbbdad316f1013b49ebe82e0656be0a2164604
SHA512 c7bc7f4e91f5fda7768e32f475d385a5d8a4d13ada53209c8a16bf3a96fe409f44dd2e3896cac530c254021e1a7130271ec5a7c640b980abf5cefc512b3fe00e

memory/2736-106-0x0000000000170000-0x000000000017B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\site.txt

MD5 1a4f7a2440d28127e3b5a2ef68baa9c1
SHA1 db0124797c9bd96c37f3f8735aaf061615990ac0
SHA256 2d6de67b2fd3409d000fc4e1f980c93ff7368590d62a74e68a742f9158056ee2
SHA512 f41f8c2a62d6e6757814a74c0b16a5ed550125bd05d6fd98ced1f4786d0ff01e668a2fd22c5c0125dfad01f2e962c55a76d132ae8a8fc6d60bee5614cd1baeb6

memory/2736-112-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2176-115-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2736-119-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2460-121-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2868-125-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1128-130-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2736-129-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2736-139-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2736-138-0x0000000000170000-0x000000000017B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\current.txt

MD5 687b8f60257cb7859feefeeddc6168b4
SHA1 e2ea669265c7d040591a6bcff1549c545d6575b1
SHA256 44f37de39ad466d51e9752ded4c42fd0212be3ed470335f278ad9944671b41fe
SHA512 1ac70dc72db99e364359d594cb1a239714ffc595e22be183203b4be134777dcffa1a13bee263256c99cf8dbc839255645c33c8bb74f6bbf3c60abeeacb62f744

memory/1728-142-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1080-149-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\site.txt

MD5 14a5dcbb8c1209c5898de1c02a0ce3e6
SHA1 8d30ee19411564565da59fa793ba256c7b6049ee
SHA256 7ad000b0e3ec02cc018a75be79572c8df3322001ab8756fae43a9fe99092bb0c
SHA512 5c294d3c60caa92900373b52889060c113168c30c9020c229ab93c75253bb7d3773d89005faae37ad3cc726351cc44675fc6789005345083d2dee24a7add8413

memory/2736-162-0x0000000000170000-0x000000000017B000-memory.dmp

memory/1828-161-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2736-160-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2132-164-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2132-163-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2736-165-0x0000000000170000-0x000000000017B000-memory.dmp

memory/1588-166-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2944-167-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2736-168-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2736-169-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2736-172-0x0000000000170000-0x000000000017B000-memory.dmp

memory/1712-173-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1712-176-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2548-184-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2736-185-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2736-186-0x0000000000170000-0x000000000017B000-memory.dmp

memory/3060-181-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2736-177-0x0000000000170000-0x000000000017B000-memory.dmp

memory/2736-196-0x0000000000170000-0x000000000017B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:10

Reported

2024-04-07 17:12

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows)

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\sysinfo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\sysinfo.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 3948 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cpucool9.exe 3
PID 3948 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2348 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\HideRun.exe 3
PID 1704 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\HideRun.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3104 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 3104 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 3104 wrote to memory of 4376 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gsar.exe 3
PID 3104 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sysinfo.exe 3
PID 3104 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3104 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe 3
PID 3104 wrote to memory of 964 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gsar.exe 3
PID 3104 wrote to memory of 1800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3104 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe 3
PID 3104 wrote to memory of 4812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3104 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe 3
PID 3104 wrote to memory of 4620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\gsar.exe 3
PID 3104 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sed.exe 3
PID 3104 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 3
PID 3104 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE 1

As in behavioral1, each row is one WriteProcessMemory call made by a parent while creating its child (three per launch on this platform), so the table is the same process tree on Windows 10 with different PIDs.
PID 3104 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3104 wrote to memory of 208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3104 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3104 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3104 wrote to memory of 2436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 3104 wrote to memory of 3528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e57024a5cb2053db8f31d62380714bc4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\cpucool9.exe

"C:\Users\Admin\AppData\Local\Temp\cpucool9.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\startit.bat"

C:\Users\Admin\AppData\Local\Temp\HideRun.exe

C:\Users\Admin\AppData\Local\Temp\hiderun.exe "C:\Users\Admin\AppData\Local\Temp\start.bat"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.bat""

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\gsar.exe

C:\Users\Admin\AppData\Local\Temp\gsar -s:x3a -r:x0d:x0a C:\Users\Admin\AppData\Local\Temp\tempa.txt -o

C:\Users\Admin\AppData\Local\Temp\sysinfo.exe

sysinfo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sysinf.txt "

C:\Windows\SysWOW64\find.exe

find "FIXED"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s:x3a -r:x0d:x0a -o sysinf2.txt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sysinf2.txt "

C:\Windows\SysWOW64\find.exe

find "Drive"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type current.txt "

C:\Windows\SysWOW64\find.exe

find "Drive"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"Drive " -r"" -o current.txt

C:\Users\Admin\AppData\Local\Temp\sed.exe

sed 1d sysinf3.txt

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type site.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sate.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"C":x3a -r"999999999C":x3a -o site2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"C":x3a -r"999999999C":x3a -o sate2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"999999999" -r:x0d:x0a -o site2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"999999999" -r:x0d:x0a -o sate2.txt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type site2.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sate2.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type current.txt "

C:\Windows\SysWOW64\find.exe

find "Drive"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"Drive " -r"" -o current.txt

C:\Users\Admin\AppData\Local\Temp\sed.exe

sed 1d sysinf3.txt

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type site.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sate.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"F":x3a -r"999999999F":x3a -o site2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"F":x3a -r"999999999F":x3a -o sate2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"999999999" -r:x0d:x0a -o site2.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"999999999" -r:x0d:x0a -o sate2.txt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type site2.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sate2.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type current.txt "

C:\Windows\SysWOW64\find.exe

find "Drive"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type maps.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type meps.txt "

C:\Windows\SysWOW64\find.exe

find "\"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type sysinf.txt "

C:\Windows\SysWOW64\find.exe

find "Mac Address"

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s" " -r"" -o mac.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s:x3a -r"" -o mac.txt

C:\Users\Admin\AppData\Local\Temp\gsar.exe

gsar -s"MacAddress" -r"" -o mac.txt

C:\Windows\SysWOW64\ftp.exe

ftp -s:todo.txt -n

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\ftp.exe

ftp -s:todo.txt -n

C:\Windows\SysWOW64\attrib.exe

attrib -h *.*

Network


Files

C:\Users\Admin\AppData\Local\Temp\cpucool9.exe

C:\Users\Admin\AppData\Local\Temp\HideRun.exe

C:\Users\Admin\AppData\Local\Temp\startit.bat

C:\Users\Admin\AppData\Local\Temp\start.bat

C:\Users\Admin\AppData\Local\Temp\gsar.exe

C:\Users\Admin\AppData\Local\Temp\tempa.txt

C:\Users\Admin\AppData\Local\Temp\sysinfo.exe

C:\Users\Admin\AppData\Local\Temp\sysinf2.txt

C:\Users\Admin\AppData\Local\Temp\sysinf.txt

C:\Users\Admin\AppData\Local\Temp\current.txt

C:\Users\Admin\AppData\Local\Temp\sed.exe

C:\Users\Admin\AppData\Local\Temp\sysinf3.txt

C:\Users\Admin\AppData\Local\Temp\site.txt

C:\Users\Admin\AppData\Local\Temp\mac.txt

C:\Users\Admin\AppData\Local\Temp\todo.txt

C:\Users\Admin\AppData\Local\Temp\nst3FE7.tmp

C:\Users\Admin\AppData\Local\Temp\cal.exe

C:\Users\Admin\AppData\Local\Temp\sysinf4.txt

C:\Users\Admin\AppData\Local\Temp\CHOP31.EXE