Malware Analysis Report

2024-10-23 22:21

Sample ID 240508-y1p1esdd8z
Target 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118
SHA256 5eec2983e5ade0317c7380df23c6e70e4cdae38bfd39c27668b982b787b1c40c
Tags
formbook pony to collection discovery rat spyware stealer trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5eec2983e5ade0317c7380df23c6e70e4cdae38bfd39c27668b982b787b1c40c

Threat Level: Known bad

The file 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

formbook pony to collection discovery rat spyware stealer trojan persistence

Formbook

Pony,Fareit

Formbook payload

Deletes itself

Executes dropped EXE

Reads data files stored by FTP clients

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Accesses Microsoft Outlook accounts

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 20:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 20:15

Reported

2024-05-08 20:17

Platform

win7-20240215-en

Max time kernel

147s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Pony,Fareit

rat spyware stealer pony

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe N/A (×3)
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A (×28)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×4)
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×4)
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×4)
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×4)
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×4)
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×4)
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×4)
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×4)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe (×4)
PID 2320 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe (×10)
PID 1156 wrote to memory of 2388 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe (×4)
PID 2672 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe (×4)
PID 2388 wrote to memory of 1560 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe (×4)

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe

"C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe"

C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\259407838.bat" "C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe" "

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe"
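The WriteProcessMemory table and the Processes list above are enough to reconstruct the execution chain of this detonation, but the sandbox prints one row per call, so the shape is easy to miss. The script below is an added example, not part of the report or of any sandbox tooling: it collapses the repeated rows into an edge list with counts, prints the chain as a tree, and flags the two command lines that remove executables launched in this run (the "Deletes itself" signature). It assumes the row layout is exactly `PID <src> wrote to memory of <dst> N/A <src image> <dst image>` as rendered above, and the process list is transcribed from the Processes section; both inputs are constructed copies embedded in the script. Note that the hop from TOLAbin.exe into Explorer.EXE produces no WriteProcessMemory row here (the Malicious Activity Summary lists MapViewOfSection, SetThreadContext and UnmapMainImage instead), so the graph has two roots. The same parser applies unchanged to the behavioral2 table, where the chain runs through rundll32.exe.

```python
import re
from collections import Counter, defaultdict

# Image paths as they appear in the behavioral1 tables of this report.
MAIN = r"C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"
TOLA = r"C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe"
SHELL = r"C:\Windows\Explorer.EXE"
WOW_EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\259407838.bat"

# Constructed copy of the "Suspicious use of WriteProcessMemory" table: the sandbox
# prints one row per call, so each distinct row is repeated by its row count.
WPM_ROWS = (
    [f"PID 2320 wrote to memory of 2548 N/A {MAIN} {TOLA}"] * 4
    + [f"PID 2320 wrote to memory of 2672 N/A {MAIN} {MAIN}"] * 10
    + [f"PID 1156 wrote to memory of 2388 N/A {SHELL} {WOW_EXPLORER}"] * 4
    + [f"PID 2672 wrote to memory of 2876 N/A {MAIN} {CMD}"] * 4
    + [f"PID 2388 wrote to memory of 1560 N/A {WOW_EXPLORER} {CMD}"] * 4
)

# Constructed copy of the "Processes" section as (image, command line) pairs.
PROCESSES = [
    (SHELL, SHELL),
    (MAIN, f'"{MAIN}"'),
    (TOLA, f'"{TOLA}"'),
    (MAIN, f'"{MAIN}"'),
    (WOW_EXPLORER, f'"{WOW_EXPLORER}"'),
    (CMD, f'cmd /c ""{BAT}" "{MAIN}" "'),
    (CMD, f'/c del "{TOLA}"'),
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+\.exe) (.+\.exe)$", re.I)
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"]+?\.exe)"?', re.I)
BAT_RE = re.compile(r'"([^"]+\.bat)"\s+"([^"]+\.exe)"', re.I)


def parse_rows(rows):
    """Collapse the per-call rows into {(src_pid, dst_pid): count} plus {pid: image}."""
    edges, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # skip anything that is not a table row
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        images[src], images[dst] = m.group(3), m.group(4)
    return dict(edges), images


def roots(edges):
    """PIDs that write into other processes but are never written into."""
    return {s for s, _ in edges} - {d for _, d in edges}


def render_tree(edges, images):
    """Indented chain; each child is annotated with how many rows its parent wrote."""
    children = defaultdict(list)
    for (s, d), n in edges.items():
        children[s].append((d, n))
    lines = []

    def walk(pid, depth, n):
        note = f"  <- {n} WriteProcessMemory rows from parent" if n else ""
        lines.append("  " * depth + f"[{pid}] {images[pid]}{note}")
        for child, count in sorted(children[pid]):
            walk(child, depth + 1, count)

    for root in sorted(roots(edges)):
        walk(root, 0, 0)
    return "\n".join(lines)


def flag_cleanup(processes):
    """Return (kind, path) for command lines that delete an image launched in this run."""
    launched = {image.lower() for image, _ in processes}
    hits = []
    for _, cmdline in processes:
        m = DEL_RE.search(cmdline)
        if m and m.group(1).lower() in launched:
            hits.append(("del", m.group(1)))
        m = BAT_RE.search(cmdline)
        if m and m.group(2).lower() in launched:
            hits.append(("batch-stub", m.group(2)))
    return hits


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    print(render_tree(edges, images))
    for kind, path in flag_cleanup(PROCESSES):
        print(f"cleanup via {kind}: {path}")
```

Run as-is, the tree has two roots: Explorer.EXE (PID 1156) writing into the SysWOW64 explorer.exe, which then writes into a cmd.exe, and the sample (PID 2320) writing into TOLAbin.exe and ten times into a second copy of itself (PID 2672), which writes into the other cmd.exe. The report does not record which cmd.exe PID runs which command line, so `flag_cleanup` only establishes that both command lines remove an image launched in this detonation: the .bat stub is handed the sample's own path, and the `del` targets TOLAbin.exe.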

Network

Country Destination Domain Proto
US 8.8.8.8:53 myp0nysite.ru udp

Files

memory/2320-4-0x0000000000290000-0x0000000000390000-memory.dmp

memory/2320-5-0x0000000002E50000-0x0000000002F50000-memory.dmp

memory/2320-7-0x0000000077741000-0x0000000077842000-memory.dmp

memory/2320-8-0x0000000077740000-0x00000000778E9000-memory.dmp

\Users\Admin\AppData\Local\Temp\TOLAbin.exe

MD5 3903702822dd3f972ad6f23c855ebaea
SHA1 677a7b1e5a5b71f6f492c57a21dd1149cff95302
SHA256 e6c547ff98f9f695304185cc6b39567ae0bc64c63be6a21d1c97dbb941b378c3
SHA512 2f5844301a43176f5607dbf9406b97c9ad2220631499b3644b95faa5a2d9b3dc3ab4d18bcbaf01c37aea9defc5e067a71d0bf11d865c121a6c955d0d1df740b0

memory/2672-17-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2672-20-0x0000000077740000-0x00000000778E9000-memory.dmp

memory/2672-19-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2548-21-0x0000000077740000-0x00000000778E9000-memory.dmp

memory/1156-23-0x0000000004400000-0x00000000044B9000-memory.dmp

memory/1156-22-0x0000000003B70000-0x0000000003C70000-memory.dmp

C:\Windows\win.ini

MD5 8e6100faa270f8b935ebba91ae814491
SHA1 1b5d16ec7d3f2ed289fc4c079fed992275578257
SHA256 293b109535400cdd3eb36c8a47dcdda245e8f48200aa59bfddb21d105923e93b
SHA512 78b36ef3fd77d991d7ef9aa4f900f653edb1df5ab6ddbc369e0b3b3430fba9074673bf67d208cbb885b41afd3a9cd26ae9c2b392c70df7d08f055a41318469e7

memory/2548-26-0x0000000000D70000-0x0000000000D9A000-memory.dmp

memory/1156-27-0x0000000008C50000-0x0000000008DD9000-memory.dmp

memory/2548-25-0x0000000000D8B000-0x0000000000D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\259407838.bat

MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

memory/2672-36-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2388-39-0x00000000000F0000-0x0000000000371000-memory.dmp

memory/1156-43-0x0000000004400000-0x00000000044B9000-memory.dmp

memory/1156-45-0x0000000008C50000-0x0000000008DD9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 20:15

Reported

2024-05-08 20:17

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Pony,Fareit

rat spyware stealer pony

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×2)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\V6A8FTBPKH = "C:\\Program Files (x86)\\Pc6ql\\autochk_zq4.exe" C:\Windows\SysWOW64\rundll32.exe N/A
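The Run value above is the persistence artifact worth hunting for on other hosts: a random uppercase value name in the WOW6432Node Run key, pointing at a copy of the payload under Program Files (x86) in a directory with a random name, written by the rundll32.exe stage. The script below is an added example, not from the report or from any vendor tool. It scores Run values with three heuristics derived from this single entry (random value name, `<systembinaryname>_<3 random chars>.exe` filename, random directory directly under Program Files), reads both the 64-bit and the WOW6432Node view of HKLM\...\Run when run on Windows, and otherwise runs against a constructed sample set in which only the report's entry should score. The weights, the threshold and the three benign entries are assumptions for illustration, not part of the report.

```python
import re
import sys
from pathlib import PureWindowsPath

# Constructed sample: the first entry is the Run value from this report, the other
# three are made-up benign entries for contrast.
SAMPLE_RUN_VALUES = [
    ("V6A8FTBPKH", r"C:\Program Files (x86)\Pc6ql\autochk_zq4.exe"),
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Greenshot", r"C:\Program Files\Greenshot\Greenshot.exe"),
]

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Heuristics taken from the single entry in this report; weights are assumptions.
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,12}$")      # V6A8FTBPKH
SUFFIXED_EXE_RE = re.compile(r"^[a-z]+_[a-z0-9]{3}\.exe$", re.I)         # autochk_zq4.exe
RANDOM_DIR_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{4,8}$")  # Pc6ql


def image_path(data):
    """Extract the executable path from a Run value (quoted, or unquoted with arguments)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", data, re.I)
    return m.group(1) if m else data


def score_run_entry(name, data):
    """Score one Run value; returns (score, reasons). 0 means nothing matched."""
    path = PureWindowsPath(image_path(data))
    score, reasons = 0, []
    if RANDOM_NAME_RE.match(name):
        score += 2
        reasons.append("random-looking uppercase value name")
    if SUFFIXED_EXE_RE.match(path.name):
        score += 2
        reasons.append("system-binary-like filename with random 3-char suffix")
    under_program_files = any(p.lower().startswith("program files") for p in path.parts)
    if under_program_files and RANDOM_DIR_RE.match(path.parent.name):
        score += 1
        reasons.append("random directory name directly under Program Files")
    return score, reasons


def suspicious_run_entries(values, threshold=3):
    """Filter (name, data) pairs to those scoring at or above the threshold."""
    flagged = []
    for name, data in values:
        score, reasons = score_run_entry(name, data)
        if score >= threshold:
            flagged.append((name, score, reasons))
    return flagged


def collect_run_values():
    """Read HKLM Run from the 64-bit and the WOW6432Node view; empty list off Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    values = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                values.append((name, str(data)))
                index += 1
    return values


if __name__ == "__main__":
    values = collect_run_values() or SAMPLE_RUN_VALUES
    for name, score, reasons in suspicious_run_entries(values):
        print(f"{name}: score {score}: {'; '.join(reasons)}")
```

The WOW6432Node view is read explicitly because a 64-bit collector that only opens the native key never sees the entry this sample wrote; the key path in the table above is the 32-bit redirected one. Treat a hit as a lead to pull the referenced file and compare its hash with the dropped executables listed in this report, not as a verdict on its own.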

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Pc6ql\autochk_zq4.exe C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\win.ini C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe N/A (×4)
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A (×54)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×6)
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×6)
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×6)
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×6)
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×6)
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×6)
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×6)
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A (×6)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A (×3)
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A (×3)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe
PID 3532 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe
PID 3532 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe
PID 3532 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
PID 3532 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
PID 3532 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
PID 3532 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
PID 3532 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
PID 3532 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
PID 3532 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
PID 3532 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
PID 3532 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
PID 3500 wrote to memory of 4720 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 3500 wrote to memory of 4720 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 3500 wrote to memory of 4720 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\rundll32.exe
PID 3800 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 5744 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 5848 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\cmd.exe

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe

"C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe"

C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240605343.bat" "C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe" "

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 myp0nysite.ru udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 112.27.33.23.in-addr.arpa udp
US 8.8.8.8:53 www.mudscript.com udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.1212dl.com udp
US 8.8.8.8:53 www.cravastudios.com udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.160:443 www.bing.com tcp
US 8.8.8.8:53 160.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.bf1tdesign.com udp
US 8.8.8.8:53 www.servejam.com udp
US 54.209.32.212:80 www.servejam.com tcp
US 8.8.8.8:53 212.32.209.54.in-addr.arpa udp
US 8.8.8.8:53 www.mortgagebrokerservice.com udp
GB 85.233.160.215:80 www.mortgagebrokerservice.com tcp
US 8.8.8.8:53 N/A udp
GB 85.233.160.215:80 N/A tcp

Files

memory/3532-5-0x0000000002C10000-0x0000000002D10000-memory.dmp

memory/3532-4-0x00000000005E0000-0x00000000006E0000-memory.dmp

memory/3532-7-0x0000000077671000-0x0000000077791000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe

MD5 3903702822dd3f972ad6f23c855ebaea
SHA1 677a7b1e5a5b71f6f492c57a21dd1149cff95302
SHA256 e6c547ff98f9f695304185cc6b39567ae0bc64c63be6a21d1c97dbb941b378c3
SHA512 2f5844301a43176f5607dbf9406b97c9ad2220631499b3644b95faa5a2d9b3dc3ab4d18bcbaf01c37aea9defc5e067a71d0bf11d865c121a6c955d0d1df740b0

memory/3800-15-0x0000000000400000-0x0000000000419000-memory.dmp

memory/3800-17-0x0000000000400000-0x0000000000419000-memory.dmp

memory/3800-18-0x0000000000400000-0x0000000000419000-memory.dmp

memory/3256-19-0x0000000000EC0000-0x000000000120A000-memory.dmp

memory/3500-22-0x0000000002480000-0x0000000002541000-memory.dmp

memory/3256-21-0x0000000000E90000-0x0000000000EBA000-memory.dmp

C:\Windows\win.ini

MD5 fe0c4d84684551dc6429860c8e769578
SHA1 f181d3731695af4873cb9ccd41098b0bd7e7a98d
SHA256 e5aeb321c075f20134653784a42065464384b29690205bb2333446ade115f690
SHA512 74781dbc7d17392e43679b3f138885fa38bd040d9abbe676994df785877011d7dc75a9066f00c06d5020cdae461b76fa562888484fc53ef79414c54e035971c2

memory/3256-20-0x0000000000EAB000-0x0000000000EAC000-memory.dmp

memory/3800-27-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240605343.bat

MD5 3880eeb1c736d853eb13b44898b718ab
SHA1 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
SHA256 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
SHA512 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

memory/4720-30-0x0000000000D70000-0x0000000000D84000-memory.dmp

memory/4720-32-0x0000000000D70000-0x0000000000D84000-memory.dmp

memory/3500-35-0x0000000002480000-0x0000000002541000-memory.dmp

memory/3500-37-0x0000000003C20000-0x0000000003CDD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

C:\Users\Admin\AppData\Roaming\K0PPRPEE\K0Plogrv.ini

MD5 bbc41c78bae6c71e63cb544a6a284d94
SHA1 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256 ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

C:\Users\Admin\AppData\Roaming\K0PPRPEE\K0Plogrg.ini

MD5 4aadf49fed30e4c9b3fe4a3dd6445ebe
SHA1 1e332822167c6f351b99615eada2c30a538ff037
SHA256 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512 eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

C:\Users\Admin\AppData\Roaming\K0PPRPEE\K0Plogri.ini

MD5 d63a82e5d81e02e399090af26db0b9cb
SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\K0PPRPEE\K0Plogim.jpeg

MD5 a54265dac9c2d2a994bbbec561f09dbb
SHA1 2b895be1d3af4c52bb9b22bcd8b3b662c7b8a783
SHA256 2b71f295f1792bc34d278e3de6c66a4673353cb7ef81fe16b5d640927618c85d
SHA512 7831ff9ffa79e1a3f2f994ca0c2a689654266c14f1fcc69c81ade341bd0931dbe39d633fa67c70afe059ff23c05ba076fb0f2e33bc4abdcca8447ca40da4fc19