Analysis Overview
SHA256
eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab
Threat Level: Likely malicious
The file 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
VMProtect packed file
Loads dropped DLL
Checks computer location settings
Deletes itself
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-11 09:10
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 09:10
Reported
2024-05-11 09:13
Platform
win7-20240508-en
Max time kernel
144s
Max time network
145s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate data omitted) | C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate data omitted) | C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate data omitted) | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate data omitted) | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
C:\Users\Admin\AppData\Local\Temp//Browser//Mozillla.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
C:\Windows\SysWOW64\timeout.exe
TIMEOUT 3
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| AU | 104.192.141.1:80 | bitbucket.org | tcp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/1676-0-0x0000000000230000-0x0000000000BAA000-memory.dmp
memory/1676-11-0x0000000000230000-0x0000000000BAA000-memory.dmp
memory/1676-10-0x0000000000100000-0x0000000000101000-memory.dmp
memory/1676-8-0x0000000000100000-0x0000000000101000-memory.dmp
memory/1676-14-0x0000000000230000-0x0000000000BAA000-memory.dmp
memory/1676-6-0x0000000000100000-0x0000000000101000-memory.dmp
memory/1676-5-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/1676-3-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/1676-1-0x00000000000F0000-0x00000000000F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat
| MD5 | f87c56e8469034c3fdbac19e4828ef8f |
| SHA1 | 956d17bca9d30b60c852f4b52b2054457fa94403 |
| SHA256 | 20acbf4d96b5fc518ebb265aca79254a7c0685d5efc4ef3ccacb595620bfb368 |
| SHA512 | f00f56a4ddd250f08284304f5d0aa8c57eb5d88ab3d1ce4611d4bf83b9721209f274d5aa4ce8d8e54a38b5dff1f29d6105231acb9d9138848bc77c8ee523e927 |
\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
| MD5 | 33d509d70645f62cd3dee6ff59d52a91 |
| SHA1 | 162276e5905f99d2c31268c67b9b06b578203cdf |
| SHA256 | eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab |
| SHA512 | 60222959003b2b9a96433042f5bcf71a1039a6a7a839e8f4a640c475193f1d4bedb937cb9fa166c570cd29dc61d9ae149da4ebc7af0760223316d060fcd74e1c |
memory/1676-27-0x0000000000230000-0x0000000000BAA000-memory.dmp
memory/2548-39-0x0000000001350000-0x0000000001CCA000-memory.dmp
memory/2548-38-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2548-36-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2548-33-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2548-31-0x0000000000080000-0x0000000000081000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2C40.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar2C53.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
| MD5 | 21670cc3ebd12408f4e28eb15e238eec |
| SHA1 | cef1b5bb121fd851d1711b7fe68a7822d9d1c5d4 |
| SHA256 | 10c5422be39fe19e7d5d5ccade4280236b26aef63247223a50ab5f3b34e01799 |
| SHA512 | 80e60c5e62b57c4823e4a775c85ac67804306a7e67c8c79c8986822d04ae660f94a0816f5c9204f7b1a992dc6d9107452bacd9e72c7508a451fe24e36a19700a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 847e8b2becaa66eb72cacabd458fa552 |
| SHA1 | 1403d136d21bd3c8d04dcf2af472c9b0fa69fb50 |
| SHA256 | 692dc2f395753805710130b0c9e5c40770c7533281db259e68070cfed186d117 |
| SHA512 | 89fd33cf18d93be213356c6f50eaeb12a4c257aaa60b6366f35c311450f92d51ec4c2c980b94f0feeb210aaf5d479999a990ade887a2568def273b4b0a6a955f |
\Users\Admin\AppData\Local\Temp\Browser\mozglue.dll
| MD5 | f5e0950aff26d65cf9e1789b7a013a94 |
| SHA1 | 6d305e3da92afa3a188e9b63a55ff99b2a82e425 |
| SHA256 | 55ab9f9667e5bdee16613fcb972cc89516b85ceaa4184a65da54deaf51b42de9 |
| SHA512 | 7d752921900ca41b1ecc0e199f905d145d90a3068485b05f2fad351f457fc7b20957bfff738d082c64f92c276a55fad2863d1c2f365ca3307e7e1d7f01c70cec |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login1
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\Browser\sqlite3.dll
| MD5 | c80f07348f1dad1044b18069d516b9b8 |
| SHA1 | ba6cff5f84219b0a64bfe8d25f7709708a881271 |
| SHA256 | 62cab66de46e429c833a2fbeb8e3b97b4dcfb912a0e0d67f3c04c1bfd5a7146c |
| SHA512 | f3151d15add4bc887c721366f178b3ee05dbdb612eb5be581ad4393389332cdcf6c58e5aa2dd530b7658946faf63f6a0c1ac94825e88c3b57e487e088073afc0 |
C:\Users\Admin\AppData\Local\Temp\archive77.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
C:\Users\Admin\AppData\Local\Temp\Browser\Log\Browsers\Passwords.txt
| MD5 | 82b688a7b1ec263bbaa6cf1453c61ccd |
| SHA1 | cbaf77f4d302ef5952df9ea056f103a8397d38cd |
| SHA256 | 7ff88f3df4a401ac9c57f3e1418d4225f933e107e5d19f4a8cca9cc3200244f2 |
| SHA512 | f7502830709cf1afdf41b08f433199dbacb15dd8eb60a127476993bb050762820058e80d334269c8ba7993f6663d452532c7f31fa6b1c17180e62d0d2deef412 |
C:\Users\Admin\AppData\Local\Temp\archive77.zip
| MD5 | 23e746ed80c005ce32987bbcaadf6e0e |
| SHA1 | 2ca61e8244a9c30a321012c8ae1d6f32071dc46e |
| SHA256 | 9fd3924c19447444c11388df8665c58b9846223a81dd9df8e22b7bdd67fc1a37 |
| SHA512 | 937c2c15552e5cdc6bfda9e9b24949437a4ac58f0087044e249207bb49db551450d742707140b9bc0d25acb04404ffdf508845256b8ed4b59cf4061bc4d4c1ea |
C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat
| MD5 | a2994a53852aade4eab4692c48c0dc8b |
| SHA1 | 22dc78669238e064967fc843866c9797c41d5be1 |
| SHA256 | d0dc12322b5f629a3b17dc79102beb57aa67c0a414f537a01b53da0dc9efdd5f |
| SHA512 | b976cae09f0d287557f87c5eec3f69671551b64d3bf2c52c46a7c0ad4d41d0a3cd5440c4300943647979280cd14827c3d1c263c0d5399d59c7916298de934fb5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 09:10
Reported
2024-05-11 09:13
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
133s
Command Line
Signatures
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
C:\Users\Admin\AppData\Local\Temp//Browser//Mozillla.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "
C:\Windows\SysWOW64\timeout.exe
TIMEOUT 3
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| AU | 104.192.141.1:80 | bitbucket.org | tcp |
| AU | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:80 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4416-0-0x000000000087F000-0x0000000000BB8000-memory.dmp
memory/4416-1-0x00000000007E0000-0x000000000115A000-memory.dmp
memory/4416-3-0x00000000014D0000-0x00000000014D1000-memory.dmp
memory/4416-2-0x00000000011F0000-0x00000000011F1000-memory.dmp
memory/4416-7-0x00000000007E0000-0x000000000115A000-memory.dmp
memory/4416-12-0x000000000087F000-0x0000000000BB8000-memory.dmp
memory/4416-13-0x00000000007E0000-0x000000000115A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat
| MD5 | f87c56e8469034c3fdbac19e4828ef8f |
| SHA1 | 956d17bca9d30b60c852f4b52b2054457fa94403 |
| SHA256 | 20acbf4d96b5fc518ebb265aca79254a7c0685d5efc4ef3ccacb595620bfb368 |
| SHA512 | f00f56a4ddd250f08284304f5d0aa8c57eb5d88ab3d1ce4611d4bf83b9721209f274d5aa4ce8d8e54a38b5dff1f29d6105231acb9d9138848bc77c8ee523e927 |
C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
| MD5 | 33d509d70645f62cd3dee6ff59d52a91 |
| SHA1 | 162276e5905f99d2c31268c67b9b06b578203cdf |
| SHA256 | eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab |
| SHA512 | 60222959003b2b9a96433042f5bcf71a1039a6a7a839e8f4a640c475193f1d4bedb937cb9fa166c570cd29dc61d9ae149da4ebc7af0760223316d060fcd74e1c |
memory/4544-18-0x0000000000EDF000-0x0000000001218000-memory.dmp
memory/4544-19-0x0000000000E40000-0x00000000017BA000-memory.dmp
memory/4544-21-0x0000000000610000-0x0000000000611000-memory.dmp
memory/4544-25-0x0000000000E40000-0x00000000017BA000-memory.dmp
memory/4544-20-0x00000000001F0000-0x00000000001F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
| MD5 | 21670cc3ebd12408f4e28eb15e238eec |
| SHA1 | cef1b5bb121fd851d1711b7fe68a7822d9d1c5d4 |
| SHA256 | 10c5422be39fe19e7d5d5ccade4280236b26aef63247223a50ab5f3b34e01799 |
| SHA512 | 80e60c5e62b57c4823e4a775c85ac67804306a7e67c8c79c8986822d04ae660f94a0816f5c9204f7b1a992dc6d9107452bacd9e72c7508a451fe24e36a19700a |
C:\Users\Admin\AppData\Local\Temp\Browser\sqlite3x64.dll
| MD5 | 2230cab0b28edf3d91418d6d89ab25a7 |
| SHA1 | 6e61ca405a5025889f27c5968547cd35a2c846d9 |
| SHA256 | e988d9dea747c96c615a132b53038b1c2f088ce47bd94b971fe95d37290ac14d |
| SHA512 | 578f67465fd262a74149cbef1989148117eb6c8e7a98add74810bb60530a68e51528eb58f59a2a47f1061e6c4c026510c5c5364bbfd98139151851471b967fcf |
C:\Users\Admin\AppData\Local\Temp\Browser\Log\Browsers\Cookies.txt
| MD5 | aef8a2d7cf247798b52afc55fd34056f |
| SHA1 | 7ffbc153ff09077a51cbcfa6fa48d7881cf697f1 |
| SHA256 | 78f35f126954284d4f8dfe2832d34c2577e6cdc9426012565bcd6297c25607ba |
| SHA512 | 1f2e4da54efd4da3f0ab673f49610c3d2d4f282ce4c75402b2249db20b75b072f354264ece293082f9ac9bc06c72362ab9b3ed6ce08c9b4cc639666be7d66e13 |
C:\Users\Admin\AppData\Local\Temp\Browser\mozglue.dll
| MD5 | 6657e7eabb71db0e926bf07d797a976a |
| SHA1 | 88589af17bf1ccff9cbed59985a99aee430d0e16 |
| SHA256 | 53a6b58da55137f9dacd8215c7f2314e34b7a5fdf9fb79b88d170c7bd123fd31 |
| SHA512 | bedd5f0830f1d3f090f2e40f78fae44fe61d1296f63c126bb8f8f7ff326c93c4de97aaccb39149ad3d60caadca45609c829484f482aa0ba984bd61235c6357de |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login1
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
memory/4544-64-0x0000000000EDF000-0x0000000001218000-memory.dmp
memory/4544-65-0x0000000000E40000-0x00000000017BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Browser\sqlite3.dll
| MD5 | 79b7f44f6be4ab86a802e91f4abe43e7 |
| SHA1 | 2d8af3481533ba11f113705dc8bf077141d70d67 |
| SHA256 | d81a0117edc18ff8215ee4f7a844f954a7275be9727d560f8464befe3359818e |
| SHA512 | bcb0b6e1e0ab465a9c7ed87526c397fcd605f48c46ae0038dd4bc4b80972b468a8a215a79b4cc86b6afa17bd2ebed4c2273f841f9eb9679d9146ab69dce9abd2 |
C:\Users\Admin\AppData\Local\Temp\archive77.zip
| MD5 | 76cdb2bad9582d23c1f6f4d868218d6c |
| SHA1 | b04f3ee8f5e43fa3b162981b50bb72fe1acabb33 |
| SHA256 | 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85 |
| SHA512 | 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f |
C:\Users\Admin\AppData\Local\Temp\archive77.zip
| MD5 | dd1a41b5e8d5fedf735de21c5a514f58 |
| SHA1 | b5786255c6e90057cb356e1b98e20db34c7de9fe |
| SHA256 | 5c282e6010b64a7b0bd5f5401bb388cd4926d05721ca407d8f2a4785a50ff303 |
| SHA512 | 77eef40ed689954cd945e222847ac6d793e1a92097187c83d2d1e9ec134cf2d0aeee44c4a5c0395a174508760ca7c5b1bc4522f6ee6c2a7d041ac5db33f52af2 |
memory/4544-142-0x0000000000EDF000-0x0000000001218000-memory.dmp
memory/4544-143-0x0000000000E40000-0x00000000017BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat
| MD5 | a2994a53852aade4eab4692c48c0dc8b |
| SHA1 | 22dc78669238e064967fc843866c9797c41d5be1 |
| SHA256 | d0dc12322b5f629a3b17dc79102beb57aa67c0a414f537a01b53da0dc9efdd5f |
| SHA512 | b976cae09f0d287557f87c5eec3f69671551b64d3bf2c52c46a7c0ad4d41d0a3cd5440c4300943647979280cd14827c3d1c263c0d5399d59c7916298de934fb5 |