Analysis Overview
SHA256
00c5f3b50be79e60bb88d8af3524b857beea53a9567c94da4296a00bab39e80b
Threat Level: Likely malicious
The file e5872e5bf47851558249b2528e39129b_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Nirsoft
NirSoft WebBrowserPassView
UPX packed file
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Deletes itself
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies system certificate store
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:01
Reported
2024-04-07 18:04
Platform
win7-20240221-en
Max time kernel
118s
Max time network
133s
Command Line
Signatures
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5872e5bf47851558249b2528e39129b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5872e5bf47851558249b2528e39129b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4pGYXemLpwzcWX2iHpTKjlHSAQe9B27wSMdXd5VCHT/GUQMVPTKvaui3gAg/DbjaX1c4/pSDZmHdQ7aaYavB+X0c1UR+YqLQeCXAIMUAVEhHCLMyGXsu0TFVZ1iTE9jYE=
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e5872e5bf47851558249b2528e39129b_JaffaCakes118.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | itroublvehacker.gq | udp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
memory/1724-0-0x0000000001090000-0x0000000001372000-memory.dmp
memory/1724-1-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
| MD5 | 88ab0bb59b0b20816a833ba91c1606d3 |
| SHA1 | 72c09b7789a4bac8fee41227d101daed8437edeb |
| SHA256 | f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312 |
| SHA512 | 05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857 |
memory/2684-9-0x0000000000B60000-0x0000000000E3A000-memory.dmp
memory/2684-10-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
memory/2684-11-0x000000001B390000-0x000000001B6D2000-memory.dmp
memory/2684-12-0x0000000000340000-0x0000000000346000-memory.dmp
memory/2684-13-0x000000001B140000-0x000000001B1C0000-memory.dmp
memory/2684-14-0x000000001B030000-0x000000001B0E0000-memory.dmp
memory/1724-45-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\config
| MD5 | 5cf0b95f68c3304427f858db1cdde895 |
| SHA1 | a0c5c3872307e9497f8868b9b8b956b9736a9cdf |
| SHA256 | 353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa |
| SHA512 | 5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b |
memory/2684-47-0x00000000004B0000-0x00000000004E0000-memory.dmp
memory/2684-48-0x00000000004E0000-0x00000000004EC000-memory.dmp
memory/2684-49-0x0000000000B10000-0x0000000000B2A000-memory.dmp
memory/2684-50-0x0000000000B30000-0x0000000000B62000-memory.dmp
memory/2684-51-0x000000001BD90000-0x000000001BE32000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarF2EE.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
memory/2684-92-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\compile.vbs
| MD5 | ca906422a558f4bc9e471709f62ec1a9 |
| SHA1 | e3da070007fdeae52779964df6f71fcb697ffb06 |
| SHA256 | abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee |
| SHA512 | 661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b |
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | d90accebb3f79fe65cd938425c07b0ae |
| SHA1 | 9df3812a88d87dd419cd9e89afa5fb1d71be0dc9 |
| SHA256 | aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e |
| SHA512 | 44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560 |
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
| MD5 | 899d3ed011eb58459b8a4fc2b81f0924 |
| SHA1 | 80361f1e0b93143ec1ddfee156760f5938c85791 |
| SHA256 | 5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954 |
| SHA512 | 802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05 |
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg
| MD5 | 5242530a2b65089696f3cf8e5ee02ff7 |
| SHA1 | d604293148cdd953b3368c54920c043cffe9e1c1 |
| SHA256 | 239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781 |
| SHA512 | 7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a |
memory/2684-102-0x000000001B140000-0x000000001B1C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | 808099bfbd62ec04f0ed44959bbc6160 |
| SHA1 | f4b6853d958c2c4416f6e4a5be8a11d86f64c023 |
| SHA256 | f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8 |
| SHA512 | e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0 |
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
| MD5 | 053778713819beab3df309df472787cd |
| SHA1 | 99c7b5827df89b4fafc2b565abed97c58a3c65b8 |
| SHA256 | f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe |
| SHA512 | 35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb |
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | eb51755b637423154d1341c6ee505f50 |
| SHA1 | d71d27e283b26e75e58c0d02f91d91a2e914c959 |
| SHA256 | db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9 |
| SHA512 | e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5 |
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
| MD5 | a776e68f497c996788b406a3dc5089eb |
| SHA1 | 45bf5e512752389fe71f20b64aa344f6ca0cad50 |
| SHA256 | 071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1 |
| SHA512 | 02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073 |
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
| MD5 | 0d8360781e488e250587a17fbefa646c |
| SHA1 | 29bc9b438efd70defa8fc45a6f8ee524143f6d04 |
| SHA256 | ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64 |
| SHA512 | 940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e |
C:\Users\Admin\AppData\Local\Temp\hh.exe
| MD5 | 4d4c98eca32b14aeb074db34cd0881e4 |
| SHA1 | 92f213d609bba05d41d6941652a88c44936663a4 |
| SHA256 | 4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f |
| SHA512 | 959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf |
memory/2068-124-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2068-122-0x0000000000400000-0x000000000045B000-memory.dmp
memory/2108-129-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2108-126-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | 91128da441ad667b8c54ebeadeca7525 |
| SHA1 | 24b5c77fb68db64cba27c338e4373a455111a8cc |
| SHA256 | 50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873 |
| SHA512 | bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd |
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
| MD5 | df991217f1cfadd9acfa56f878da5ee7 |
| SHA1 | 0b03b34cfb2985a840db279778ca828e69813116 |
| SHA256 | deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112 |
| SHA512 | 175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316 |
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg
| MD5 | ae8eed5a6b1470aec0e7fece8b0669ef |
| SHA1 | ca0e896f90c38f3a8bc679ea14c808726d8ef730 |
| SHA256 | 3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e |
| SHA512 | e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6 |
C:\Users\Admin\AppData\Local\Temp\whysosad
| MD5 | fc3c88c2080884d6c995d48e172fbc4f |
| SHA1 | cb1dcc479ad2533f390786b0480f66296b847ad3 |
| SHA256 | 1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664 |
| SHA512 | 4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1 |
memory/2684-172-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp
memory/2108-173-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:01
Reported
2024-04-07 18:04
Platform
win10v2004-20231215-en
Max time kernel
91s
Max time network
149s
Command Line
Signatures
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e5872e5bf47851558249b2528e39129b_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e5872e5bf47851558249b2528e39129b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5872e5bf47851558249b2528e39129b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4pGYXemLpwzcWX2iHpTKjlHSAQe9B27wSMdXd5VCHT/GUQMVPTKvaui3gAg/DbjaX1c4/pSDZmHdQ7aaYavB+X0c1UR+YqLQeCXAIMUAVEhHCLMyGXsu0TFVZ1iTE9jYE=
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e5872e5bf47851558249b2528e39129b_JaffaCakes118.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | itroublvehacker.gq | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 173.231.16.77:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 77.16.231.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4832-0-0x00000249D8550000-0x00000249D8832000-memory.dmp
memory/4832-1-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
| MD5 | 88ab0bb59b0b20816a833ba91c1606d3 |
| SHA1 | 72c09b7789a4bac8fee41227d101daed8437edeb |
| SHA256 | f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312 |
| SHA512 | 05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857 |
memory/3772-16-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp
memory/3772-15-0x00000168371D0000-0x00000168374AA000-memory.dmp
memory/3772-17-0x00000168519D0000-0x0000016851D12000-memory.dmp
memory/3772-18-0x0000016839000000-0x0000016839006000-memory.dmp
memory/3772-20-0x00000168519C0000-0x00000168519D0000-memory.dmp
memory/3772-19-0x0000016851D10000-0x0000016851D86000-memory.dmp
memory/3772-21-0x0000016851D90000-0x0000016851E40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\config
| MD5 | 5cf0b95f68c3304427f858db1cdde895 |
| SHA1 | a0c5c3872307e9497f8868b9b8b956b9736a9cdf |
| SHA256 | 353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa |
| SHA512 | 5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b |
memory/3772-53-0x0000016851990000-0x00000168519B2000-memory.dmp
memory/3772-54-0x0000016851940000-0x0000016851970000-memory.dmp
memory/3772-55-0x0000016851970000-0x000001685197C000-memory.dmp
memory/3772-56-0x00000168520A0000-0x00000168520BA000-memory.dmp
memory/3772-57-0x00000168520C0000-0x00000168520F2000-memory.dmp
memory/3772-58-0x00000168520F0000-0x0000016852192000-memory.dmp
memory/3772-59-0x0000016852090000-0x0000016852098000-memory.dmp
memory/3772-63-0x00000168524C0000-0x00000168524DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\compile.vbs
| MD5 | ca906422a558f4bc9e471709f62ec1a9 |
| SHA1 | e3da070007fdeae52779964df6f71fcb697ffb06 |
| SHA256 | abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee |
| SHA512 | 661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b |
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | d90accebb3f79fe65cd938425c07b0ae |
| SHA1 | 9df3812a88d87dd419cd9e89afa5fb1d71be0dc9 |
| SHA256 | aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e |
| SHA512 | 44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560 |
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
| MD5 | 899d3ed011eb58459b8a4fc2b81f0924 |
| SHA1 | 80361f1e0b93143ec1ddfee156760f5938c85791 |
| SHA256 | 5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954 |
| SHA512 | 802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05 |
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg
| MD5 | 5242530a2b65089696f3cf8e5ee02ff7 |
| SHA1 | d604293148cdd953b3368c54920c043cffe9e1c1 |
| SHA256 | 239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781 |
| SHA512 | 7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a |
memory/4832-75-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | 808099bfbd62ec04f0ed44959bbc6160 |
| SHA1 | f4b6853d958c2c4416f6e4a5be8a11d86f64c023 |
| SHA256 | f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8 |
| SHA512 | e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0 |
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
| MD5 | 053778713819beab3df309df472787cd |
| SHA1 | 99c7b5827df89b4fafc2b565abed97c58a3c65b8 |
| SHA256 | f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe |
| SHA512 | 35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb |
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
| MD5 | 636c8230de66506aa2bdb3deee259503 |
| SHA1 | 244299ce9ed66e9bed0c458c28fa3c417eeabdee |
| SHA256 | 98e7ebb0441c43ba079892f7fd1e9c1360d9d0e6d37575e452944fa0b08638d4 |
| SHA512 | fb5756dc8c9726be7b7629230ca5cf12c59f7d01225b9b73f08953bd02087bef10e1d2cdb6ed717776d683bd5ce523a069a6ab081992839a238056d57fc4eb6e |
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | eb51755b637423154d1341c6ee505f50 |
| SHA1 | d71d27e283b26e75e58c0d02f91d91a2e914c959 |
| SHA256 | db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9 |
| SHA512 | e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5 |
memory/4912-105-0x0000000000400000-0x000000000045B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hh.exe
| MD5 | 4d4c98eca32b14aeb074db34cd0881e4 |
| SHA1 | 92f213d609bba05d41d6941652a88c44936663a4 |
| SHA256 | 4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f |
| SHA512 | 959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf |
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
| MD5 | 0d8360781e488e250587a17fbefa646c |
| SHA1 | 29bc9b438efd70defa8fc45a6f8ee524143f6d04 |
| SHA256 | ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64 |
| SHA512 | 940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e |
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
| MD5 | a776e68f497c996788b406a3dc5089eb |
| SHA1 | 45bf5e512752389fe71f20b64aa344f6ca0cad50 |
| SHA256 | 071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1 |
| SHA512 | 02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073 |
memory/5112-110-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cookies3
| MD5 | b4147c71ac35a2a3f53962c45c9fc559 |
| SHA1 | 8196ec8b01dc53a18dcb7f407a18e7f14e51d399 |
| SHA256 | 6e640b8979317fe5fce22dcf962f2131e6e86f14d6e3f56c8fa018cff25142a8 |
| SHA512 | 3a0b092c9eaf03157897670fc74e4880439c4353e19816261da9f91db97aa84b317594121f9c1ac46c0313af10a7b95216c3be030f771435545eba2163e70e41 |
C:\Users\Admin\AppData\Local\Temp\Cookies1
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | 91128da441ad667b8c54ebeadeca7525 |
| SHA1 | 24b5c77fb68db64cba27c338e4373a455111a8cc |
| SHA256 | 50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873 |
| SHA512 | bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd |
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
| MD5 | df991217f1cfadd9acfa56f878da5ee7 |
| SHA1 | 0b03b34cfb2985a840db279778ca828e69813116 |
| SHA256 | deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112 |
| SHA512 | 175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316 |
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg
| MD5 | ae8eed5a6b1470aec0e7fece8b0669ef |
| SHA1 | ca0e896f90c38f3a8bc679ea14c808726d8ef730 |
| SHA256 | 3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e |
| SHA512 | e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6 |
C:\Users\Admin\AppData\Local\Temp\bhv6503.tmp
| MD5 | d21a8f2d58ee425b2705f454efb79aaf |
| SHA1 | b31b7a31989506d5652ce4b5ba63d5ae78fba2fc |
| SHA256 | fcda07982f371a5eb602ab0820e7a978020e9a03d7b73667e3010b97fa936de1 |
| SHA512 | f10e049104b311407a4f7da1edab5b4038fbcd6d0e69f68204ea9563c7607863aa174283ca1c92e0dad012e62f2149bf831151960657026e83b9a842319fc260 |
C:\Users\Admin\AppData\Local\Temp\whysosad
| MD5 | fc3c88c2080884d6c995d48e172fbc4f |
| SHA1 | cb1dcc479ad2533f390786b0480f66296b847ad3 |
| SHA256 | 1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664 |
| SHA512 | 4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1 |
memory/3772-164-0x00007FFCB7800000-0x00007FFCB82C1000-memory.dmp
memory/5112-165-0x0000000000400000-0x000000000041B000-memory.dmp