cryptbot | 57fd9194f07f05c74a6cc39978fbcc9e68eac67779d047de5df8afa19e567064

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Size

4.4MB
MD5

e8dc2f1287e54db1661563f05ebd1535
SHA1

14d2a586dab1c48197d3298f648d82d507ebe28a
SHA256

57fd9194f07f05c74a6cc39978fbcc9e68eac67779d047de5df8afa19e567064
SHA512

c59d33501a5f65066a22d38a3133a530e17d765c32b1487eaba605b275d480b72a870b80ef1ac2a83a8fca71a70a6ae549497f9e796034a4e26947ade6417693
SSDEEP

98304:5v/TdEIfWt/9rGvP3Ia5BTT+mky9RK7NIOCttTYZ9:5DdEH1rGvPpBGu944Q9

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

otteppp11.top

doorres03.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1820-132-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-377-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-380-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-382-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-449-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-476-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-481-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-483-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-486-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-488-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-490-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-493-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-495-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-498-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-500-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot
behavioral1/memory/1820-502-0x0000000000F90000-0x00000000014B4000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exeepqntpjwxn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	epqntpjwxn.exe

Blocklisted process makes network request 5 IoCs

Processes:

WScript.exe

flow pid process

4 2676 WScript.exe
6 2676 WScript.exe
8 2676 WScript.exe
11 2676 WScript.exe
13 2676 WScript.exe

flow	pid	process
4	2676	WScript.exe
6	2676	WScript.exe
8	2676	WScript.exe
11	2676	WScript.exe
13	2676	WScript.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exeepqntpjwxn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	epqntpjwxn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	epqntpjwxn.exe

Executes dropped EXE 1 IoCs

Processes:

epqntpjwxn.exe

pid process

1820 epqntpjwxn.exe

pid	process
1820	epqntpjwxn.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exeepqntpjwxn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	epqntpjwxn.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1112 cmd.exe
1112 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

21 bitbucket.org
26 bitbucket.org
3 iplogger.org
4 iplogger.org
20 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exeepqntpjwxn.exe

pid process

2240 e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
1820 epqntpjwxn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1112	cmd.exe
1112	cmd.exe

flow	ioc
21	bitbucket.org
26	bitbucket.org
3	iplogger.org
4	iplogger.org
20	bitbucket.org

flow	ioc
18	ip-api.com

pid	process
2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
1820	epqntpjwxn.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exeepqntpjwxn.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	epqntpjwxn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	epqntpjwxn.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

WScript.exee8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exeepqntpjwxn.exe

pid process

2240 e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
1820 epqntpjwxn.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

epqntpjwxn.exe

pid process

1820 epqntpjwxn.exe
1820 epqntpjwxn.exe

pid	process
2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
1820	epqntpjwxn.exe

pid	process
1820	epqntpjwxn.exe
1820	epqntpjwxn.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.execmd.execmd.exe

description	pid	process	target process
PID 2240 wrote to memory of 2728	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 2728	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 2728	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 2728	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2728 wrote to memory of 2676	2728	cmd.exe	WScript.exe
PID 2728 wrote to memory of 2676	2728	cmd.exe	WScript.exe
PID 2728 wrote to memory of 2676	2728	cmd.exe	WScript.exe
PID 2728 wrote to memory of 2676	2728	cmd.exe	WScript.exe
PID 2240 wrote to memory of 1112	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1112	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1112	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1112	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 1112 wrote to memory of 1820	1112	cmd.exe	epqntpjwxn.exe
PID 1112 wrote to memory of 1820	1112	cmd.exe	epqntpjwxn.exe
PID 1112 wrote to memory of 1820	1112	cmd.exe	epqntpjwxn.exe
PID 1112 wrote to memory of 1820	1112	cmd.exe	epqntpjwxn.exe
PID 2240 wrote to memory of 1536	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1536	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1536	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1536	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1036	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1036	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1036	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe
PID 2240 wrote to memory of 1036	2240	e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8dc2f1287e54db1661563f05ebd1535_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\bhlkvsjpne.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bhlkvsjpne.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:2676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\epqntpjwxn.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\epqntpjwxn.exe
"C:\Users\Admin\AppData\Local\Temp\epqntpjwxn.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\vmwnvcpa.exe"
2⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\gjkfoattxll.exe"
2⤵
PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9592fc7f10e6011bd47b63c38b4e2741

SHA1
646cd30e53054683c728b712fcb6738045979e83

SHA256
acd84eef8ff86d1a2c6f290b9689fbb5445588dcd81d569007bcbe78b48b6b15

SHA512
63e7034103051995d757fdc8fa82f0c1463eb0854a58be5ce7816dd33561988df7f567da0396f1cb4a134c1d1f79ba1e21010be6260b4ddc6a799ad881199dca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ba8a7e659e3d585c88f7cfb73bc9b8b2

SHA1
2d1906bb2d1f8fa1e4f809325b48f982114d9d98

SHA256
c329898650e28c4db68799d67e29d685cc6b1529eda7e47c894883f72fbca5aa

SHA512
19d7cbd23ce2daf80042dd1de444b9665f2b11ddf9bc69fc86f22170d1962cd3aa458259e2f8c4d918e75f3f69d9bbeee75a2a5181da8e77ebedd876a4a9774c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1CA7.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUcag4S\_Files\_Information.txt
Filesize
8KB

MD5
1d7fce754b29e1f833270a0c4b72c73a

SHA1
2bc74a43a0c3efb4ce942390435b0d6c4f601a53

SHA256
b11f9453437e39583b3c3f726c9cf36c130fc53ee2f6b31d677d322df0780422

SHA512
c6d9277cab1be845a9f7db01bbf293c15b536366d8fd2f89578872d8995bdb4d628bc8cfd7c9f514fda79c18c38a56c6cee189755b3b0ecf66f4b9884dd89262

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUcag4S\_Files\_Screen_Desktop.jpeg
Filesize
41KB

MD5
1808bca4f34300b18ed5c7b975cdfef6

SHA1
88784b3f662943a9917d6bb86daf5f08d95e992c

SHA256
b5fcdef7175255f5fbb40cc291364efed83f2a8995d600cd72a3cad10220d8e3

SHA512
2e330839eed988ab8d195af713c22af9a086519946c0d204a0c5d48999633b681ef3368c21550b8f1bed5e42c259a6c34c160d70024a55aded1ec8f05671a3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUcag4S\files_\system_info.txt
Filesize
1KB

MD5
01a37905ca4988c60face19046af1c8f

SHA1
06ff400b5bc303cbcde0d0863f752c96fc5b2c50

SHA256
65e3344789534687963da3c21b38e1d6d541a7c90c60a9efc0957bb8af8044b7

SHA512
a5be7031a3ef94c4a37d84b8ae11e8840c900158be53b7a77e4e7fb185914ee5d6a31cfd4f52dbc198d96bf078c5a09d72623ae08bab87adaa41beccc8439b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUcag4S\files_\system_info.txt
Filesize
3KB

MD5
06beca1e6ade6253fce9749e9975376c

SHA1
54cb90ba076c3c7b1ba4fe8938d1a0495e137928

SHA256
b38014290c3135ea641f447cc7f05c0bd080ed393cd527a1a8e009f82a68c544

SHA512
71cfddf4bbf1865a298410e4a0889eea6846eb03a48f9f52225be57e091a943af212a679f96feffdfb4152ea86210cc42ea56eda9ae92eb121c7fe34b26acd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUcag4S\files_\system_info.txt
Filesize
3KB

MD5
1cc350c0d322e935eca1d97d3948d2a3

SHA1
c103b255015fff119b1ea9b2b1d12bf2f9a1b1ce

SHA256
fc4d8f06975a133b9eebf47df87ca42cd61d1c91321212c89fc553dd6c260b97

SHA512
9e0f7204eec59698591adee392f6f408adaccee132fc0c31863bdf112ba00a35005029518ad8baaba28a37b1f1c1c06aac51f666ba8b25ffb6a69e99ac3a9f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUcag4S\files_\system_info.txt
Filesize
3KB

MD5
4e4b83f092545a8bce084599f8e1f432

SHA1
76fe37ec5096fcac431100c07d3c2e782fb83c6d

SHA256
91ab45d3934a983f95cfad74278cbced15f69bb9f5702479a1f80b8af1b94ce0

SHA512
6752961381cb15acfae7dfa7f8bd790b122497e6361d1454326165284a4cf39d02c903337675e772e84c032aedde4c15ca0a5d3198cddcb3be75d291a9de7f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUcag4S\files_\system_info.txt
Filesize
4KB

MD5
8a821edfbecef92ae4e9d692850edf37

SHA1
875af48645289494f52805ec82e99c37b9adc84a

SHA256
c05d09e0dfe9a2438126fdf9476e1b57acf62317826ddf3e9a0447bbb4a03c01

SHA512
1d9366ca9fd2cf201a047ab2593f08d3e9da423aa2d12324dfaf814d76409258dd611d290c11a5b94924e47de829548d6775d5cb7349c5545de322e3cbab0d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\HkUcag4S\tfqfuofWfH0nU.zip
Filesize
34KB

MD5
ccd836995530b7e1bcb44c5a4c9ace2f

SHA1
10c1fa2055ec0366b29383ed000023dfb0cfde24

SHA256
e9bb88b4a9cf3751c36547dc58c59c238fdadf07aee5b094c15f800915a8a7d5

SHA512
2062d14d40a8946c80d72f55501efae26f25bb62aeefddd6165bd9799a09f53efb3962c50c8c315ea63a61872b16f45f3467ff1255a1d934b643b67b261ccf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DA7.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhlkvsjpne.vbs
Filesize
148B

MD5
5e4218c4de9614cb7eac4c871065f497

SHA1
1bfbad022bf64a2f446c31a65a54c809e862fb47

SHA256
f82f7970b4913d3e089d920af81fa93bbd060a77f9111d9946416a88c810e06e

SHA512
512ec3195a68e17161d247f06d3823fc7184c06751b1e08f25994bf730a07d0d8b6633f4458b4f3100a19067201d82a1f5092ff93e8889f6470b265b3958fa23

Download Submit
C:\Users\Admin\AppData\Local\Temp\epqntpjwxn.exe
Filesize
2.2MB

MD5
5328b7379d636a677406363321cf566a

SHA1
ad8a0ec5442ed0e607cf95bc163be3e9b9a0fb4c

SHA256
560e45cf3ad6e3e922aa5509f52717a605fe65867222b3c878e49e2fff78fcf7

SHA512
9d73183e9e18c4c39531b37f9a810da60d40b61524ef2afdbaf3feed55d2a7ed626d6d69d42e0f9e4bc2f5bd167481b32d6bb5b8811972be2a546f26a188daab

Download Submit
memory/1036-467-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1112-90-0x0000000001FF0000-0x0000000002514000-memory.dmp

Filesize
5.1MB

Download
memory/1536-453-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1820-155-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/1820-500-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-129-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1820-128-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1820-127-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1820-126-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1820-148-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1820-151-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1820-147-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1820-146-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1820-136-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1820-132-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-153-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1820-152-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1820-154-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1820-502-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-131-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1820-449-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-265-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1820-266-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1820-102-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-498-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-495-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-493-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-490-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-130-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1820-488-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-486-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-377-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-483-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-380-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-382-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-383-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/1820-481-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/1820-476-0x0000000000F90000-0x00000000014B4000-memory.dmp

Filesize
5.1MB

Download
memory/2240-5-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2240-2-0x0000000000EA0000-0x000000000162D000-memory.dmp

Filesize
7.6MB

Download
memory/2240-7-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2240-455-0x0000000000EA0000-0x000000000162D000-memory.dmp

Filesize
7.6MB

Download
memory/2240-456-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x0000000077150000-0x0000000077152000-memory.dmp

Filesize
8KB

Download
memory/2240-385-0x0000000000EA0000-0x000000000162D000-memory.dmp

Filesize
7.6MB

Download
memory/2240-6-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2240-379-0x0000000000EA0000-0x000000000162D000-memory.dmp

Filesize
7.6MB

Download
memory/2240-376-0x0000000000EA0000-0x000000000162D000-memory.dmp

Filesize
7.6MB

Download
memory/2240-375-0x0000000000EA0000-0x000000000162D000-memory.dmp

Filesize
7.6MB

Download
memory/2240-8-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2240-4-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2240-3-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2240-10-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2240-264-0x0000000000EA0000-0x000000000162D000-memory.dmp

Filesize
7.6MB

Download
memory/2240-0-0x0000000000EA0000-0x000000000162D000-memory.dmp

Filesize
7.6MB

Download