Malware Analysis Report

2025-03-15 06:03

Sample ID 240511-k5dajaaf3s
Target 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118
SHA256 eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab
Tags
vmprotect spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab

Threat Level: Likely malicious

The file 33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

vmprotect spyware stealer

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

VMProtect packed file

Loads dropped DLL

Checks computer location settings

Deletes itself

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 09:10

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 09:10

Reported

2024-05-11 09:13

Platform

win7-20240508-en

Max time kernel

144s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a
4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d4982
61a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
PID 2584 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
PID 2584 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
PID 2584 wrote to memory of 2548 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
PID 2636 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2636 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2636 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2636 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2548 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
PID 2548 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
PID 2548 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
PID 2548 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
PID 2548 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "

C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe

C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe

C:\Users\Admin\AppData\Local\Temp//Browser//Mozillla.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "

C:\Windows\SysWOW64\timeout.exe

TIMEOUT 3

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:80 bitbucket.org tcp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/1676-0-0x0000000000230000-0x0000000000BAA000-memory.dmp

memory/1676-11-0x0000000000230000-0x0000000000BAA000-memory.dmp

memory/1676-10-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1676-8-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1676-14-0x0000000000230000-0x0000000000BAA000-memory.dmp

memory/1676-6-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1676-5-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1676-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1676-1-0x00000000000F0000-0x00000000000F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat

MD5 f87c56e8469034c3fdbac19e4828ef8f
SHA1 956d17bca9d30b60c852f4b52b2054457fa94403
SHA256 20acbf4d96b5fc518ebb265aca79254a7c0685d5efc4ef3ccacb595620bfb368
SHA512 f00f56a4ddd250f08284304f5d0aa8c57eb5d88ab3d1ce4611d4bf83b9721209f274d5aa4ce8d8e54a38b5dff1f29d6105231acb9d9138848bc77c8ee523e927

\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe

MD5 33d509d70645f62cd3dee6ff59d52a91
SHA1 162276e5905f99d2c31268c67b9b06b578203cdf
SHA256 eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab
SHA512 60222959003b2b9a96433042f5bcf71a1039a6a7a839e8f4a640c475193f1d4bedb937cb9fa166c570cd29dc61d9ae149da4ebc7af0760223316d060fcd74e1c

memory/1676-27-0x0000000000230000-0x0000000000BAA000-memory.dmp

memory/2548-39-0x0000000001350000-0x0000000001CCA000-memory.dmp

memory/2548-38-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2548-36-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2548-33-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2548-31-0x0000000000080000-0x0000000000081000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2C40.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar2C53.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe

MD5 21670cc3ebd12408f4e28eb15e238eec
SHA1 cef1b5bb121fd851d1711b7fe68a7822d9d1c5d4
SHA256 10c5422be39fe19e7d5d5ccade4280236b26aef63247223a50ab5f3b34e01799
SHA512 80e60c5e62b57c4823e4a775c85ac67804306a7e67c8c79c8986822d04ae660f94a0816f5c9204f7b1a992dc6d9107452bacd9e72c7508a451fe24e36a19700a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 847e8b2becaa66eb72cacabd458fa552
SHA1 1403d136d21bd3c8d04dcf2af472c9b0fa69fb50
SHA256 692dc2f395753805710130b0c9e5c40770c7533281db259e68070cfed186d117
SHA512 89fd33cf18d93be213356c6f50eaeb12a4c257aaa60b6366f35c311450f92d51ec4c2c980b94f0feeb210aaf5d479999a990ade887a2568def273b4b0a6a955f

\Users\Admin\AppData\Local\Temp\Browser\mozglue.dll

MD5 f5e0950aff26d65cf9e1789b7a013a94
SHA1 6d305e3da92afa3a188e9b63a55ff99b2a82e425
SHA256 55ab9f9667e5bdee16613fcb972cc89516b85ceaa4184a65da54deaf51b42de9
SHA512 7d752921900ca41b1ecc0e199f905d145d90a3068485b05f2fad351f457fc7b20957bfff738d082c64f92c276a55fad2863d1c2f365ca3307e7e1d7f01c70cec

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login1

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\Browser\sqlite3.dll

MD5 c80f07348f1dad1044b18069d516b9b8
SHA1 ba6cff5f84219b0a64bfe8d25f7709708a881271
SHA256 62cab66de46e429c833a2fbeb8e3b97b4dcfb912a0e0d67f3c04c1bfd5a7146c
SHA512 f3151d15add4bc887c721366f178b3ee05dbdb612eb5be581ad4393389332cdcf6c58e5aa2dd530b7658946faf63f6a0c1ac94825e88c3b57e487e088073afc0

C:\Users\Admin\AppData\Local\Temp\archive77.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\Users\Admin\AppData\Local\Temp\Browser\Log\Browsers\Passwords.txt

MD5 82b688a7b1ec263bbaa6cf1453c61ccd
SHA1 cbaf77f4d302ef5952df9ea056f103a8397d38cd
SHA256 7ff88f3df4a401ac9c57f3e1418d4225f933e107e5d19f4a8cca9cc3200244f2
SHA512 f7502830709cf1afdf41b08f433199dbacb15dd8eb60a127476993bb050762820058e80d334269c8ba7993f6663d452532c7f31fa6b1c17180e62d0d2deef412

C:\Users\Admin\AppData\Local\Temp\archive77.zip

MD5 23e746ed80c005ce32987bbcaadf6e0e
SHA1 2ca61e8244a9c30a321012c8ae1d6f32071dc46e
SHA256 9fd3924c19447444c11388df8665c58b9846223a81dd9df8e22b7bdd67fc1a37
SHA512 937c2c15552e5cdc6bfda9e9b24949437a4ac58f0087044e249207bb49db551450d742707140b9bc0d25acb04404ffdf508845256b8ed4b59cf4061bc4d4c1ea

C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat

MD5 a2994a53852aade4eab4692c48c0dc8b
SHA1 22dc78669238e064967fc843866c9797c41d5be1
SHA256 d0dc12322b5f629a3b17dc79102beb57aa67c0a414f537a01b53da0dc9efdd5f
SHA512 b976cae09f0d287557f87c5eec3f69671551b64d3bf2c52c46a7c0ad4d41d0a3cd5440c4300943647979280cd14827c3d1c263c0d5399d59c7916298de934fb5

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 09:10

Reported

2024-05-11 09:13

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A bitbucket.org N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Calls
PID 4416 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4416 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4024 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe 3
PID 2892 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe 3
PID 4544 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe 2
PID 4544 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4544 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe 3
PID 628 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe 3
PID 628 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe 2

Each distinct writer/target pair is listed once; Calls is the number of times the sandbox logged it. The writes are the normal parent-to-child WriteProcessMemory calls made at process creation, so the table doubles as the process tree: sample -> cmd.exe -> BrowserWorker.exe -> fifteen cmd.exe children plus Mozillla.exe. PID 768 occurs with two images (a cmd.exe child of 4544, then the attrib.exe child of 628): the PID was recycled after the first process exited, so do not key on PID alone when reconstructing the tree.
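Rebuilding the tree from those rows, as an added example that is not part of the sandbox report: ROWS holds one copy of each distinct row from the table above (PIDs and image paths copied verbatim); the parser, the tree builder and the PID-recycling check are mine. Nodes are keyed on (pid, image) rather than on pid so that 768 lands under both of its real parents with the right binary.

```python
"""Rebuild the process tree from the WriteProcessMemory rows above.

Added example, not part of the sandbox report. ROWS is one copy of each
distinct table row; parse_rows/build_tree/render are mine.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

ROWS = r"""
PID 4416 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4024 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2892 wrote to memory of 4544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe
PID 4544 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe
PID 4544 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 628 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
"""


def parse_rows(text):
    """Parse table rows into (parent_pid, child_pid, parent_image, child_image)."""
    edges = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        parent, child, parent_img, child_img = m.groups()
        edges.append((int(parent), int(child), parent_img, child_img))
    return edges


def build_tree(edges):
    """children: parent pid -> [(child pid, child image)] in first-seen order.
    images: pid -> every distinct image path the rows attach to that pid."""
    children = defaultdict(list)
    images = defaultdict(list)
    for parent, child, parent_img, child_img in edges:
        if (child, child_img) not in children[parent]:
            children[parent].append((child, child_img))
        for pid, img in ((parent, parent_img), (child, child_img)):
            if img not in images[pid]:
                images[pid].append(img)
    return children, images


def roots(edges):
    """PIDs that only ever appear as the writer: the top of the tree."""
    return sorted({p for p, _, _, _ in edges} - {c for _, c, _, _ in edges})


def reused_pids(images):
    """A PID seen with two different images was recycled by the OS after the
    first process exited; a plain pid -> parent map would merge the two."""
    return {pid for pid, imgs in images.items() if len(imgs) > 1}


def render(children, pid, image, depth=0, out=None):
    """One indented line per process. Children of a recycled PID cannot be told
    apart from these rows alone, so they would appear under both incarnations."""
    out = [] if out is None else out
    name = image.rsplit("\\", 1)[-1]
    out.append("  " * depth + f"{pid} {name}")
    for kid, kid_img in children.get(pid, []):
        render(children, kid, kid_img, depth + 1, out)
    return out


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    children, images = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(children, root, images[root][0])))
    print("recycled PIDs:", sorted(reused_pids(images)))
```

Running it prints the tree rooted at 4416 with 23 nodes and reports 768 as the one recycled PID; the same approach works on any sandbox export that records parent/child writes, and the (pid, image) keying is what keeps a recycled PID from collapsing two unrelated processes into one node.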

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe (the command line below names System32; the sample is a 32-bit process, so WOW64 file-system redirection resolves that path to SysWOW64)

"C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "

C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe

C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe (note the triple "l": a dropped binary, not a Mozilla product, written next to the dropped mozglue.dll)

C:\Users\Admin\AppData\Local\Temp//Browser//Mozillla.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 2\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 3\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 4\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 5\Login1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "

C:\Windows\SysWOW64\timeout.exe

TIMEOUT 3

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe"
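Detection logic over the command lines listed above, as an added example that is not part of the report: a Windows command-line tokenizer that tolerates the unclosed quote the copy lines end with, and five rules keyed on what this run shows (copying Chromium credential stores out of User Data, launching an executable from Temp, running a .bat from Temp, attrib -s -h on an executable in Temp, and timeout delays). The Edge profile root and the "Web Data" store are my generalisation from the Chrome layout on the page; the last sample line is a constructed benign copy, everything else in SAMPLE_CMDLINES is copied from the Processes section.

```python
"""Triage rules for the process command lines above.

Added example, not part of the sandbox report. Tokenizer and rules are mine;
the Edge root and "Web Data" entries are assumptions generalising from Chrome.
"""

TEMP_DIR = "\\appdata\\local\\temp\\"
BROWSER_ROOTS = {                       # profile root -> browser name
    "\\google\\chrome\\user data\\": "Chrome",
    "\\microsoft\\edge\\user data\\": "Edge",      # assumption: same layout as Chrome
}
BROWSER_STORES = {"login data": "saved logins", "cookies": "cookies",
                  "web data": "autofill/payment data"}   # "web data" is an assumption


def win_tokens(cmdline):
    """Split on unquoted whitespace and drop the quotes. An unclosed quote
    (several copy lines above end that way) runs its token to end of line."""
    tokens, cur, in_quote, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quote, started = not in_quote, True
        elif ch.isspace() and not in_quote:
            if started:
                tokens.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        tokens.append("".join(cur))
    return [t.strip() for t in tokens if t.strip()]


def detect(cmdline):
    """Return [(rule, detail), ...] for one command line."""
    toks = win_tokens(cmdline)
    if not toks:
        return []
    low = [t.lower() for t in toks]
    image = low[0].rsplit("\\", 1)[-1].removesuffix(".exe")   # "cmd", "attrib", ...
    hits = []
    # 1. cmd.exe copying a browser credential/cookie store out of a profile dir
    if image == "cmd" and "copy" in low and low.index("copy") + 1 < len(toks):
        src = toks[low.index("copy") + 1]
        for root, browser in BROWSER_ROOTS.items():
            pos = src.lower().find(root)
            if pos >= 0:
                profile = src[pos + len(root):].split("\\")[0]
                store = src.lower().rsplit("\\", 1)[-1]
                if store in BROWSER_STORES:
                    hits.append(("browser_store_copy",
                                 f"{browser} profile '{profile}': {BROWSER_STORES[store]}"))
    # 2. cmd.exe /C start <exe under %TEMP%>
    if image == "cmd" and "start" in low:
        for t in toks[low.index("start") + 1:]:
            if t.lower().endswith(".exe") and TEMP_DIR in t.lower():
                hits.append(("temp_exe_launch", t))
    # 3. any batch file executed from %TEMP%
    for t in toks[1:]:
        if t.lower().endswith(".bat") and TEMP_DIR in t.lower():
            hits.append(("temp_batch", t))
    # 4. attrib -s -h on an executable in %TEMP% (groundwork for self-deletion)
    if image == "attrib" and "-s" in low and "-h" in low:
        for t in toks[1:]:
            if t.lower().endswith(".exe") and TEMP_DIR in t.lower():
                hits.append(("attrib_unhide_temp_exe", t))
    # 5. timeout.exe used as a delay
    if image == "timeout":
        hits.extend(("timeout_delay", f"{t}s") for t in toks[1:] if t.isdigit())
    return hits


def triage(cmdlines):
    """Run detect() over every line; return {rule: [details in input order]}."""
    found = {}
    for line in cmdlines:
        for rule, detail in detect(line):
            found.setdefault(rule, []).append(detail)
    return found


# From the Processes section above; the final entry is a constructed benign copy.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat" "',
    r'attrib -s -h "C:\Users\Admin\AppData\Local\Temp\33d509d70645f62cd3dee6ff59d52a91_JaffaCakes118.exe"',
    r'"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Default\Login Data" "%AppData%\..\Local\Google\Chrome\User Data\Default\Login1',
    r'"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Profile 1\Login1',
    r'"C:\Windows\System32\cmd.exe" /C copy "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Cookies" "%AppData%\..\Local\Google\Chrome\User Data\Guest Profile\Login1',
    r'TIMEOUT 3',
    r'attrib -s -h "C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe"',
    r'"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\Documents\report.docx" "D:\backup\report.docx"',
]

if __name__ == "__main__":
    for rule, details in triage(SAMPLE_CMDLINES).items():
        print(rule, details)
```

The rules are deliberately narrow: rule 1 fires only when the copy source sits under a known profile root and is one of the named store files, so ordinary copies (the last sample line) stay silent, while rules 3 and 4 together are the signal behind the "Deletes itself" and "Views/modifies file attributes" signatures above. Feed it Sysmon event ID 1 or EDR process-creation command lines instead of the sample list to use it outside the sandbox.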

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:80 bitbucket.org tcp
AU 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:80 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4416-0-0x000000000087F000-0x0000000000BB8000-memory.dmp

memory/4416-1-0x00000000007E0000-0x000000000115A000-memory.dmp

memory/4416-3-0x00000000014D0000-0x00000000014D1000-memory.dmp

memory/4416-2-0x00000000011F0000-0x00000000011F1000-memory.dmp

memory/4416-7-0x00000000007E0000-0x000000000115A000-memory.dmp

memory/4416-12-0x000000000087F000-0x0000000000BB8000-memory.dmp

memory/4416-13-0x00000000007E0000-0x000000000115A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat

MD5 f87c56e8469034c3fdbac19e4828ef8f
SHA1 956d17bca9d30b60c852f4b52b2054457fa94403
SHA256 20acbf4d96b5fc518ebb265aca79254a7c0685d5efc4ef3ccacb595620bfb368
SHA512 f00f56a4ddd250f08284304f5d0aa8c57eb5d88ab3d1ce4611d4bf83b9721209f274d5aa4ce8d8e54a38b5dff1f29d6105231acb9d9138848bc77c8ee523e927

C:\Users\Admin\AppData\Local\Temp\Browser\BrowserWorker.exe (MD5 and SHA256 are identical to the submitted sample: the dropper copies itself to this path and then launches the copy via cmd.exe /C start)

MD5 33d509d70645f62cd3dee6ff59d52a91
SHA1 162276e5905f99d2c31268c67b9b06b578203cdf
SHA256 eac7ae70b5f3519eebef0d2a61c8390295c74bd798774bb75dfc0fcda73a7bab
SHA512 60222959003b2b9a96433042f5bcf71a1039a6a7a839e8f4a640c475193f1d4bedb937cb9fa166c570cd29dc61d9ae149da4ebc7af0760223316d060fcd74e1c

memory/4544-18-0x0000000000EDF000-0x0000000001218000-memory.dmp

memory/4544-19-0x0000000000E40000-0x00000000017BA000-memory.dmp

memory/4544-21-0x0000000000610000-0x0000000000611000-memory.dmp

memory/4544-25-0x0000000000E40000-0x00000000017BA000-memory.dmp

memory/4544-20-0x00000000001F0000-0x00000000001F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Browser\Mozillla.exe

MD5 21670cc3ebd12408f4e28eb15e238eec
SHA1 cef1b5bb121fd851d1711b7fe68a7822d9d1c5d4
SHA256 10c5422be39fe19e7d5d5ccade4280236b26aef63247223a50ab5f3b34e01799
SHA512 80e60c5e62b57c4823e4a775c85ac67804306a7e67c8c79c8986822d04ae660f94a0816f5c9204f7b1a992dc6d9107452bacd9e72c7508a451fe24e36a19700a

C:\Users\Admin\AppData\Local\Temp\Browser\sqlite3x64.dll

MD5 2230cab0b28edf3d91418d6d89ab25a7
SHA1 6e61ca405a5025889f27c5968547cd35a2c846d9
SHA256 e988d9dea747c96c615a132b53038b1c2f088ce47bd94b971fe95d37290ac14d
SHA512 578f67465fd262a74149cbef1989148117eb6c8e7a98add74810bb60530a68e51528eb58f59a2a47f1061e6c4c026510c5c5364bbfd98139151851471b967fcf

C:\Users\Admin\AppData\Local\Temp\Browser\Log\Browsers\Cookies.txt

MD5 aef8a2d7cf247798b52afc55fd34056f
SHA1 7ffbc153ff09077a51cbcfa6fa48d7881cf697f1
SHA256 78f35f126954284d4f8dfe2832d34c2577e6cdc9426012565bcd6297c25607ba
SHA512 1f2e4da54efd4da3f0ab673f49610c3d2d4f282ce4c75402b2249db20b75b072f354264ece293082f9ac9bc06c72362ab9b3ed6ce08c9b4cc639666be7d66e13

C:\Users\Admin\AppData\Local\Temp\Browser\mozglue.dll

MD5 6657e7eabb71db0e926bf07d797a976a
SHA1 88589af17bf1ccff9cbed59985a99aee430d0e16
SHA256 53a6b58da55137f9dacd8215c7f2314e34b7a5fdf9fb79b88d170c7bd123fd31
SHA512 bedd5f0830f1d3f090f2e40f78fae44fe61d1296f63c126bb8f8f7ff326c93c4de97aaccb39149ad3d60caadca45609c829484f482aa0ba984bd61235c6357de

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login1 (the only Login1 produced in this run; both the Default\Login Data and the Default\Cookies copy commands above write to this same path)

MD5 8f5942354d3809f865f9767eddf51314
SHA1 20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512 fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

memory/4544-64-0x0000000000EDF000-0x0000000001218000-memory.dmp

memory/4544-65-0x0000000000E40000-0x00000000017BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Browser\sqlite3.dll

MD5 79b7f44f6be4ab86a802e91f4abe43e7
SHA1 2d8af3481533ba11f113705dc8bf077141d70d67
SHA256 d81a0117edc18ff8215ee4f7a844f954a7275be9727d560f8464befe3359818e
SHA512 bcb0b6e1e0ab465a9c7ed87526c397fcd605f48c46ae0038dd4bc4b80972b468a8a215a79b4cc86b6afa17bd2ebed4c2273f841f9eb9679d9146ab69dce9abd2

C:\Users\Admin\AppData\Local\Temp\archive77.zip

MD5 76cdb2bad9582d23c1f6f4d868218d6c
SHA1 b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA256 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA512 5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

C:\Users\Admin\AppData\Local\Temp\archive77.zip (second write of the same path during the run; the hashes differ from the entry above)

MD5 dd1a41b5e8d5fedf735de21c5a514f58
SHA1 b5786255c6e90057cb356e1b98e20db34c7de9fe
SHA256 5c282e6010b64a7b0bd5f5401bb388cd4926d05721ca407d8f2a4785a50ff303
SHA512 77eef40ed689954cd945e222847ac6d793e1a92097187c83d2d1e9ec134cf2d0aeee44c4a5c0395a174508760ca7c5b1bc4522f6ee6c2a7d041ac5db33f52af2

memory/4544-142-0x0000000000EDF000-0x0000000001218000-memory.dmp

memory/4544-143-0x0000000000E40000-0x00000000017BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ipconfig.bat (second, different batch file written to the same path; matches the two separate cmd.exe /c Ipconfig.bat launches above)

MD5 a2994a53852aade4eab4692c48c0dc8b
SHA1 22dc78669238e064967fc843866c9797c41d5be1
SHA256 d0dc12322b5f629a3b17dc79102beb57aa67c0a414f537a01b53da0dc9efdd5f
SHA512 b976cae09f0d287557f87c5eec3f69671551b64d3bf2c52c46a7c0ad4d41d0a3cd5440c4300943647979280cd14827c3d1c263c0d5399d59c7916298de934fb5