Analysis Overview
SHA256
c78739f397f2a982726394db0557ba011c6a8724fdf0c11f22b25fe9788933dc
Threat Level: Known bad
The file 39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Remcos
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-12 11:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-12 11:58
Reported
2024-05-12 12:01
Platform
win7-20240221-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Remcos
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windty,gidowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98236438\\ttp.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\98236438\\AFM_BB~1" | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 540 set thread context of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 540 set thread context of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe
"C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe" afm=bbr
C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe
C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe C:\Users\Admin\AppData\Local\Temp\98236438\DMCAT
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Start C:\Users\Admin\AppData\Local\Temp\M1k3594dll.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.apkupdatessl.co | udp |
| US | 8.8.8.8:53 | casillas.hicam.net | udp |
| US | 8.8.8.8:53 | casillasmx.chickenkiller.com | udp |
| US | 8.8.8.8:53 | casillas45.hopto.org | udp |
| US | 8.8.8.8:53 | casillas.libfoobar.so | udp |
| US | 8.8.8.8:53 | du4alr0ute.sendsmtp.com | udp |
| MX | 187.155.77.154:2404 | du4alr0ute.sendsmtp.com | tcp |
| US | 8.8.8.8:53 | settings.wifizone.org | udp |
| US | 8.8.8.8:53 | wifi.con-ip.com | udp |
| MX | 187.155.58.99:2404 | wifi.con-ip.com | tcp |
| US | 8.8.8.8:53 | rsaupdatr.jumpingcrab.com | udp |
| N/A | 127.0.0.2:2404 | N/A | tcp |
| US | 8.8.8.8:53 | du4alr0ute.sendsmtp.com | udp |
| MX | 187.155.77.154:2404 | du4alr0ute.sendsmtp.com | tcp |
| MX | 187.155.58.99:2404 | wifi.con-ip.com | tcp |
| N/A | 127.0.0.2:2404 | N/A | tcp |
| US | 8.8.8.8:53 | du4alr0ute.sendsmtp.com | udp |
| MX | 187.155.77.154:2404 | du4alr0ute.sendsmtp.com | tcp |
| MX | 187.155.58.99:2404 | wifi.con-ip.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-12 11:58
Reported
2024-05-12 12:01
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Remcos
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windty,gidowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98236438\\ttp.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\98236438\\AFM_BB~1" | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1304 set thread context of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1304 set thread context of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39fcda73563dc640ff3f8f5b1d3df6e5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe
"C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe" afm=bbr
C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe
C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe C:\Users\Admin\AppData\Local\Temp\98236438\DMCAT
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C Start C:\Users\Admin\AppData\Local\Temp\M1k3594dll.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.apkupdatessl.co | udp |
| US | 8.8.8.8:53 | casillas.hicam.net | udp |
| US | 8.8.8.8:53 | casillasmx.chickenkiller.com | udp |
| US | 8.8.8.8:53 | casillas45.hopto.org | udp |
| US | 8.8.8.8:53 | casillas.libfoobar.so | udp |
| US | 8.8.8.8:53 | du4alr0ute.sendsmtp.com | udp |
| MX | 187.155.77.154:2404 | du4alr0ute.sendsmtp.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | settings.wifizone.org | udp |
| US | 8.8.8.8:53 | wifi.con-ip.com | udp |
| MX | 187.155.58.99:2404 | wifi.con-ip.com | tcp |
| US | 8.8.8.8:53 | rsaupdatr.jumpingcrab.com | udp |
| N/A | 127.0.0.2:2404 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | casillas.hicam.net | udp |
| US | 8.8.8.8:53 | casillasmx.chickenkiller.com | udp |
| US | 8.8.8.8:53 | casillas.libfoobar.so | udp |
| US | 8.8.8.8:53 | du4alr0ute.sendsmtp.com | udp |
| MX | 187.155.77.154:2404 | du4alr0ute.sendsmtp.com | tcp |
| US | 8.8.8.8:53 | settings.wifizone.org | udp |
| MX | 187.155.58.99:2404 | wifi.con-ip.com | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.2:2404 | N/A | tcp |
| US | 8.8.8.8:53 | casillas.hicam.net | udp |
| US | 8.8.8.8:53 | casillasmx.chickenkiller.com | udp |
| US | 8.8.8.8:53 | casillas.libfoobar.so | udp |
| US | 8.8.8.8:53 | du4alr0ute.sendsmtp.com | udp |
| MX | 187.155.77.154:2404 | du4alr0ute.sendsmtp.com | tcp |
| US | 8.8.8.8:53 | settings.wifizone.org | udp |
| MX | 187.155.58.99:2404 | wifi.con-ip.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\98236438\ttp.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\98236438\afm=bbr
| MD5 | 71e495b493e10ee2df8d17e65ef235a6 |
| SHA1 | e3fbc9d8609f47f5cd66a2f0c6caa59e259b9213 |
| SHA256 | 5e524a0207c6b84e594e9b08f83bdf412ceb25c9d35b5cb374090ea1542c8537 |
| SHA512 | 74197aafd53c4c6f0849fba5b880c8439a4e0e12b0140b4b115bb0ce0bf4ee8afc4ccde144e4beefa7123e9e587f5d9547a55c0523705272643567ea04fa6275 |
C:\Users\Admin\AppData\Local\Temp\98236438\wct.xl
| MD5 | b7eba7d7661204d2ec3cecea1cb271c1 |
| SHA1 | ea03ed00bebd30cc5315c11e1c46836de887c413 |
| SHA256 | 1d027338125b69c312c36a1b275558bf43c5b40240c4e822a5479abb84a23ab8 |
| SHA512 | 0d21f49ad973d075d24ca37db2f9d3f8d71901191d5c3ef8cff070bd822bb81dbca48bca7da7840d814a55eb4a1c6bde7fa83806842d1766804e9a69ef0577fd |
C:\Users\Admin\AppData\Local\Temp\98236438\xts.bmp
| MD5 | f1f2c88997a4c17cb819de78b4d3e289 |
| SHA1 | 1141f5ca5419e7cd5fe0a2eeceb9633378d5d32d |
| SHA256 | 28c340a5eec796627f8e5148bdec9d5e91293ad812c60b73852cef680f7a8223 |
| SHA512 | 99ce8c90eed22eab91baf0eac3132a4e37d1b07c6efecc95a83623b5d73b913dabba0ff1292cd2f8b579810a635c909a83e5d54d570631c9c20a1c4adb8423c3 |
C:\Users\Admin\AppData\Local\Temp\98236438\xes.ppt
| MD5 | d967480caec3af0893587c0130bf5e2a |
| SHA1 | 5aaabb9713e30e441023680903996824b4d599f2 |
| SHA256 | 4d5e2705f3f58263e979d43c23002c2c143ab2f152b4ee34b69dd93a9bea0dcf |
| SHA512 | dde3847b6f61d4c00b9966e8e207b7e5cd2236b92033963e85f7b71aa957287dc360bfa8f1babaab543be75b8856d994b231d9ee3dc386544e2cc41424105168 |
C:\Users\Admin\AppData\Local\Temp\98236438\xco.bmp
| MD5 | cb72eea9cf4403d853338ed2e480b4fe |
| SHA1 | ca50a90ebf696dee2666061737ba1018976c3859 |
| SHA256 | ff7d45b253a8884ce809a169a73b0f648cc8b182ba2bdc91ee0a7df36cb1b415 |
| SHA512 | 87b30e5478aa4976d8757095bb8f65773555a3218948649270894185a7cc4e57c37b94e99030b1f783da5258c245311dde59c6377ac7c84ee224345c0b6b61c5 |
C:\Users\Admin\AppData\Local\Temp\98236438\vbl.docx
| MD5 | 9fe25513ac3e6940124e4fcf791287d7 |
| SHA1 | f635cded7d038fe249907545d8c555f95ee23908 |
| SHA256 | f770a592dbac1cceeca005c5ef408c90ec2ab95d97f71da1dbf0d3e9789a06f5 |
| SHA512 | f09ed37cf80cb36cb3ad83890997b0a3ba53910e6d78efe278ad4d6e9978b9a12a54a2ca2e3d2c0be23f3297caab0cb23316a425108084e9cf703532111c7a82 |
C:\Users\Admin\AppData\Local\Temp\98236438\uvq.xl
| MD5 | 7d7bccbda0a68e45367bc7bb3dfebc56 |
| SHA1 | bc43f4700a77108a1f1aa9cae53c521f6bd4cb48 |
| SHA256 | 81ab20e443fc4a984487f0c1ecd430f7f1d4ed00251d74b5468119b9b53c2e05 |
| SHA512 | afc8ff01a5dbac8eaa636615b3cb71b6d98beeebd447c70f443eccf0f279b1cfb5641252daff3cdbdc9dce87a5ea91837cfd7935e05cd1291e22252e0f4fc1d0 |
C:\Users\Admin\AppData\Local\Temp\98236438\uvk.jpg
| MD5 | 8f4c187eb758ace563d305b565d7b0e4 |
| SHA1 | 63e31f2ac43b5e860b03e82717e8796d4443e8c4 |
| SHA256 | acc69c7db61e13b5937bf007c572ac8026a216ca12a0b33392290e171670df66 |
| SHA512 | 9893b821a25a5a73fa38c0dfaa24b221ef63f0d5fd2707c1b88d5a29abee03e6bf9aa34ae639a0b3d5ae02cae3a7e2dcbabba69977be8b10b575ad1612156787 |
C:\Users\Admin\AppData\Local\Temp\98236438\urb.icm
| MD5 | 02f79ebf87134edf1fec0e955f6724f0 |
| SHA1 | b667c6af7b550dd9d023a8b5c1e5b42de3d7533d |
| SHA256 | 23ae91df10ef5fe10bff4c89f7fe790e8326e128e860d3a42d6f60196b9a4dae |
| SHA512 | 97b20ac762d196e710510356f4239f3d28e0d1870df83896661bfd73cb036ed6623369d64ea9dd991e0e854b756fada060ad317ee4e726e6dba638481f72fe83 |
C:\Users\Admin\AppData\Local\Temp\98236438\ulp.mp3
| MD5 | 847ed99b965d2fdc093abc393d499fab |
| SHA1 | 441a23cb3e2c18d13278d0d988f0c011eacdb4ed |
| SHA256 | d5ace5968ca69d68f519a3f9ec77be593d15c45c3f56d2b3319c614bdc13e631 |
| SHA512 | 5114839104e3432b4bd8f174f784c38e1a1ab7b11f087a2cf3483e0bbc7a47a58ae809de755458a78cead18798fa7d4b82ab8e8e47d591bc8f3937e8aad480dc |
C:\Users\Admin\AppData\Local\Temp\98236438\uej.dat
| MD5 | 6d72b88f32d5c5a0ee3dcd6bc779e3bc |
| SHA1 | 85d138d5040be8a9ac0240e1ecc73daf761a324d |
| SHA256 | 02df6f16f32269fa37745d2b31dd74f57c4171b0a76ba9e41b457a76f2169fd9 |
| SHA512 | abe3dca6fa14c626336cfef344b36f996a7289f6b26030b7c6d2d36155016d3932f70a66da2241970678b5c3301b55ff81f31d4ec113b83aebf2490d54101ea8 |
C:\Users\Admin\AppData\Local\Temp\98236438\tvw.ppt
| MD5 | 5a7211bc1920e1ce4725e3eed98ff5d7 |
| SHA1 | bb7c4320939d04f6ebef21153d76d0161b5c7f58 |
| SHA256 | 75597dcb2bf0561304c183b468a13ae243595f0f759e2643f4f17bf9b5d5a7b7 |
| SHA512 | eeaf607f505014c22b160894623ec930bc4800dbeb142487e032df1c6762ccea23f61a2eb1b4486b117f81d14187a4ee616299713cd582f4c8e836b5ea3af1a9 |
C:\Users\Admin\AppData\Local\Temp\98236438\tof.pdf
| MD5 | 7c97e3e7bac987efff3cc3b52b7f2af1 |
| SHA1 | b5656475f8900d94db13627a210c1d340777f2c2 |
| SHA256 | c111e99f72de1f0ec459a7cf1de2c2b2b1cd0bcc7136da8d89fdfd4236b9b1b5 |
| SHA512 | 9d4f89c5ab4ab7316af5b3eba519c9849258cce8e74528e1387b04d4f5bb6bd417ee280978d71ff79acd5d5c99093c851328d32c8c44502c24157f1a54e4e618 |
C:\Users\Admin\AppData\Local\Temp\98236438\sjc.dat
| MD5 | bd8bed068b45a9a95c896b5af056e184 |
| SHA1 | bab131973be6da5fd94e53389241e55101365fea |
| SHA256 | 8db416eaa44b0444d8863186d1f676db922b92b4b653f16190038de048bd0c6d |
| SHA512 | 2bef1a282302332c9238becfdae1d6b35c6987143892bc8227af8128c31e8a042a62ef0b9ebd8b02d2bdbccdef0ec48242863de16b94a52c9bb97318fa2fc82c |
C:\Users\Admin\AppData\Local\Temp\98236438\sdd.docx
| MD5 | f110900c7c1808b239d477d3ee7ca594 |
| SHA1 | 8034e93a2d33d8fb71ecd712fd108dfc68de2358 |
| SHA256 | ee543bc6a79691e9f4fa11ce2b0823088771275f56e3df4ee0d2ab670d3c8ad4 |
| SHA512 | 6a88bfb257af40dcfc15c7d8defdcde54f11c287fed0ac4fbbd462e352c1b3179cf60865d2e18146caba113119fc042395bf37abca5e8131050e6918159274ed |
C:\Users\Admin\AppData\Local\Temp\98236438\rvv.mp4
| MD5 | 72e7917a38011d920de3ea0d3286c9cc |
| SHA1 | e4d477bdd2678b5d33d4044e54485def224ef7e3 |
| SHA256 | f0835d199103f7fb854f7cf54b4905c3311a95acf299f2e6cd34077243bd4994 |
| SHA512 | 4c94db58ed7ba2ec1249bfdfb90c3212eab1ef32239758ebb4bdf205c36f4bdb7a4b36abb1b366126725cf60b23d4032abd0cba3c583360bcdd30ccb1e74263a |
C:\Users\Admin\AppData\Local\Temp\98236438\rpo.xl
| MD5 | 661ed976e8546caf908b114108e6e93f |
| SHA1 | 944b548688f19fdc08b521bf933a087a1bad18b8 |
| SHA256 | 10800ea73209130a00bf4a7f72b3d2348af46ef5f6dcf3fa9a7a2fcca7206b83 |
| SHA512 | de5fc35d9cfafadc5a579f3a2d9f1f62de7529b8643accc512278334caf96c6c281cb98d63c54f20b626a8fa4adcd20269208d81c317fa040449c9a58a330bdd |
C:\Users\Admin\AppData\Local\Temp\98236438\rfp.icm
| MD5 | df3d6d25ed6c9576bb1f222682839502 |
| SHA1 | 88009905ee951b224c6729246a0ad24795c65906 |
| SHA256 | b698a63d31bbfca7a7b6c0a48e0a87b2911ff2146dd3158fdf0d3c2cd7d10ece |
| SHA512 | 8eaa45bf3a82098762c73bfdca830aed28f6d8f20d74377546e60e94835baf43dfcba631e46ee81c7ecd2ff9617c369b617bc2d35db07b6b3b2ca7eb56c31076 |
C:\Users\Admin\AppData\Local\Temp\98236438\qqq.bmp
| MD5 | 366cc8ad481c4736ebe25490ab902158 |
| SHA1 | c9a5a09ef87b88d3637fabe814b681dfdade3c21 |
| SHA256 | 7e8e27d641dc8c84237ef2c41dc97e6cab15e8d49eea1856651eb2df56b034b6 |
| SHA512 | 79c2eb224afb547475b33638ef46f267300ba313f19f82f98ced2441c3908c70f03cbe2f6dd483d64f06229c0a52d730eef5a3ab1f8dd7a33e1dd55594112218 |
C:\Users\Admin\AppData\Local\Temp\98236438\qia.icm
| MD5 | 2a759d67ca2b2844862c02ac2273f934 |
| SHA1 | d6e38bb3ccec31064d084b6665c5e4ae365bb713 |
| SHA256 | 59ddd5ba46b53ae680e1feafb5eae8725cc2eebc39c680d7fec93cb840ff9547 |
| SHA512 | e0d0b382096c12d25f8dbe3923b68daaf94ab2f1c20bf09bba509b9ea5f0f168b8bd16429b2a8f6b269208e84a49a8293bb82c8670ad2ccde713bafeada440e8 |
C:\Users\Admin\AppData\Local\Temp\98236438\ppw.mp3
| MD5 | 8861185d6a2daebc74b3ea81ac037a1d |
| SHA1 | 4426e432073f401da76407dcab458485b7799d87 |
| SHA256 | 9ccb476c33e870c8b4bf6ccdf0ae62a0c11c4c1b08016099452d52d8710a6e5f |
| SHA512 | 3aa42348ecb679450db616fcdd6e3a632ec4e9154144f3e3d5efd0737ca361fa438a1c4a6711398080c1142b38e0853b219989d2f67b227b5a7a1804d564341f |
C:\Users\Admin\AppData\Local\Temp\98236438\pjl.mp4
| MD5 | f56be69a1cdfbabbd85402ed8a7cb893 |
| SHA1 | 10e040188699f2c23d2e18e0e767087697956e39 |
| SHA256 | e0ad156268ac2484aa6dcec6cf12522d76b86ebbda4a94c6e5c0716ecc180e7c |
| SHA512 | 7147c850efa02a021cda72de6a9d339b880b5594a40d2efb5798a2301b9aed78947daa1509a8de01b4e140119e14eafcb2c4b7909b84b94eb5b7ffa7aaa20270 |
C:\Users\Admin\AppData\Local\Temp\98236438\oxv.jpg
| MD5 | e9a81450269ba154c3c99b1de117923f |
| SHA1 | 55761cc4db22ffa692863e8b74f8481d9b27eb28 |
| SHA256 | 9b055d17320879d184b152b82b9ff50be77a07ae79cff3e13a294bc63479c9ac |
| SHA512 | 812e16aac034b02b6aeb3c2b02f6f1e51a8ee5b40aee60aa5f9e4c875e61639f21c652b0beb009f7290a11e2e26306a6fe2ab1d651390839ec8a63134970307e |
C:\Users\Admin\AppData\Local\Temp\98236438\oso.dat
| MD5 | e53b6ab5d813db435f2b93dca1acbca0 |
| SHA1 | ffa3d2dc5c4a8dd3df9c21dd3683f6cd54741def |
| SHA256 | afe7a18e7f8a18aa763867d0006b076fb926315671890e6a45f142b76a3bf827 |
| SHA512 | 10c9e5dea4fba724b04a679c83543efcbea87c88abf29323177ad989aac2c1e12bdea4f462d5e3964f27a66beaaf78317669e2e4df3debbc28c074b3313257e1 |
C:\Users\Admin\AppData\Local\Temp\98236438\oof.ico
| MD5 | 8ce1e80b17909a607afb829944acd586 |
| SHA1 | 594167c4a50388eafce029b48206dc8051b8dc40 |
| SHA256 | f542b26a8f5ac88d75a0b0432b27a98d58491436205609ef34f2909c2de8b37d |
| SHA512 | e0f5f31b4d50ae19d1a1f679953747813548b4409d3594605b6a4c57d72cb0dd0243e263cc3b802d721f9af0c52cecd97f16963773f911da4dadf522ec236511 |
C:\Users\Admin\AppData\Local\Temp\98236438\omh.dat
| MD5 | 9c509a0cda3e9689f80da424bddeabed |
| SHA1 | 9d8b862dd593e43f704863376b00fcf1c8c6bad0 |
| SHA256 | e81993bb83aaa5d40d0939a9f2b5826e0ffed8f04344466653cc27629d454bd2 |
| SHA512 | 75d34083752aa99d1c798f822a9ca81724fbca9b72f3f57d4cdf3c982d075f309d235cb903a4a3317b0255cee03dea95891a242e9bfb4488c687cd1d7a8f4aa7 |
C:\Users\Admin\AppData\Local\Temp\98236438\ojr.jpg
| MD5 | ed6adacff435d18031a5a03e9b1714f0 |
| SHA1 | 2341a85c37a6fc2968a2b6932da2df07ad542487 |
| SHA256 | c4234c46eca8dd80fbb58439bf0222790f3ad1a88d3c9f7d0a05e2f5aa59dc89 |
| SHA512 | 8d21c8857c1759fcb0bf5d75fe03ec03754616565aaac6140b958bf0fa04a15eaa9d0e1e9f2f190060075a63828002b4370ba16079133997b68c14c1c3998794 |
C:\Users\Admin\AppData\Local\Temp\98236438\msn.txt
| MD5 | a7c3050a69ceb711e2c3cbe404ae52d9 |
| SHA1 | f7bfe2c6b9a01ece96eefe77fa6156e1aa7a8149 |
| SHA256 | 29200b6b0699d3adcde2dcb88fe700a9ab9515053c7ecb254d0192e402fa56a0 |
| SHA512 | 531d59c0cc5555b913fe0d778e8923b0952efdca9baeb6c7e42157c3294bc2db03ca01340376cfc180deb72f5ecb328c6ceb215fb0554c2d3a512a606f101c8c |
C:\Users\Admin\AppData\Local\Temp\98236438\ljd.txt
| MD5 | 3c87564578c6f1c218604ba44c64a0c8 |
| SHA1 | cbc1e56933b91cbc7f67338f4751d3dfebbd693e |
| SHA256 | a46fd6776673bd1ed5490db4ee5dfe0c874a737bc1d40f36a5e275cb8ba15852 |
| SHA512 | 6a206166e7753541e78990c95d5b3acabb492540f201d892fcbec63abf90e8328bd63e24fbf2c35b2c9050f26bd38625f51381446d34d6ff5a83b45785d2b266 |
C:\Users\Admin\AppData\Local\Temp\98236438\len.icm
| MD5 | 39cef9cc01b5f76ffe9a55e40498c285 |
| SHA1 | 52611d47c08ecf8723cf402eb63ad2a1dead7361 |
| SHA256 | ec50f64c962924cb8fe6e63332b49c6bbd451f19d00737aa8fc14c4c45532386 |
| SHA512 | 952d422fee8b4861d0ade04070cc62a04a78acd6eccddcd7328652f24e3effe123a15722aff79e626f91ff500d771c340390acce78bd42b8ed063a045d417507 |
C:\Users\Admin\AppData\Local\Temp\98236438\ktk.docx
| MD5 | 3447a0942faa38ad9e8a3eab6667f8b7 |
| SHA1 | ef7879412b6b12f49652d56f3cc709d87b997baa |
| SHA256 | ca58e7be5b8f076a1e685ffcfcedd583ea63772f6e2eccffe2e0ad3266fe1ee8 |
| SHA512 | 9265b2648f55971ed96a11af2f969de8f016fe25ecb011d871eda773bbe6ca4ed4a855bd5edf240e21c8bcc39c3bb3eda28489ad6f421cf505ff402fbefa3fdf |
C:\Users\Admin\AppData\Local\Temp\98236438\kir.mp4
| MD5 | c8d5db069c5586939c8993d2b9367c68 |
| SHA1 | 88f2e3eea2e66414d62b77b2f9244f5c22924c5a |
| SHA256 | da1e66ef72c6cb7fae8040f2dccd3a286ec20b526d35cf3b2fe63dc610d70efb |
| SHA512 | b56d6339a5d7edecf81cb991e98f4502be2f7f9500c04bc855821b3d57cd53e4e87139a999b6a5375041e5d87b1418f99ed3d0686c085e3c49b3608d5a3bcf6b |
C:\Users\Admin\AppData\Local\Temp\98236438\kgj.pdf
| MD5 | 00101ea5ee87e9b6c1028ff1df3d4e11 |
| SHA1 | f62197092474b7d36f61a9d96b23238951aa5c5c |
| SHA256 | 36fb82be3ccb9be1f39399a71f2998d00bea68b79ac84835c8faa977c15c05c3 |
| SHA512 | fe57500673e71202607e84f0c89a0df6d1009859b592c3b7c96e211ff4232f8fd2fcdcb6b556fb73c7d6d3ce8d9e6543890eb916d25c27547c60fdfe23601195 |
C:\Users\Admin\AppData\Local\Temp\98236438\jso.mp3
| MD5 | f6a989564f75ee9b3fe28b2c53d4f9c6 |
| SHA1 | 5129d2809960147bf067cf55366326a3a06987b3 |
| SHA256 | cf9d02ebac5a207b29938735e7d620a2e8ce75c979f6f54d689c7a265d3f3635 |
| SHA512 | 58d3be386bab4a4fef727bdc07e0d95700bc88e9746e1b5408d40af788b6147fd2d6fabd758389e344962c1959b4d6c4f8a50740c0e4eebd0916b33ee91e5b56 |
C:\Users\Admin\AppData\Local\Temp\98236438\jdk.docx
| MD5 | e6dfbdbc39741a6b1d74d3246c5370e5 |
| SHA1 | a2f0482c8d3f3edff6752329a0268a794ce4b0a4 |
| SHA256 | 5b75524fb0856709163416557da38a83b51f250dfac238c901efc10a67861b48 |
| SHA512 | fea079dd55fc47f80a9d0371225b9f9b48a8f7f20b0618ec1f47be21d29ada56668a7c98971d484c3ad6f8362dac8f4ba26162906e0cab09e8498a4825de8fbe |
C:\Users\Admin\AppData\Local\Temp\98236438\hre.dat
| MD5 | 70700f78a8f8bbc0ee15b49ccb691394 |
| SHA1 | a03d1414804c9c451ad58f7e3960ffc7580a64f3 |
| SHA256 | a5bf7d6f6a957e2c6c48b0a4502a90761a4aca5e83ab41623716d45d3ea92f21 |
| SHA512 | 077cc7ff877c638c3994042d54a42339d1850ec8601e8e906b5e17008c7d668e7e7d2060dbe8d961f2ac8773e64b56854867fc7e32a3d78b9bd43468b36422e2 |
C:\Users\Admin\AppData\Local\Temp\98236438\gtc.dat
| MD5 | 731a1922d9d58eb0c7c9fbee60f17c3e |
| SHA1 | 8233364e9e561f0524a74f4274bb934eb87df9b8 |
| SHA256 | 95266f1ee53ee0a10031905c80af7bf5a9dac25c69491d1600a81d1c5d03b5c6 |
| SHA512 | 5e99118ef02853e6bbc7bcebc734c37e670401f8f42cbb49efe4f7708b10d55e470799ae7023750bad97d20d645d919e66f7d8024872dc3522e19c8e78ccb547 |
C:\Users\Admin\AppData\Local\Temp\98236438\gma.ico
| MD5 | 83197a5cd08bb406c01ed074db06fbba |
| SHA1 | 02f9be266193a5cabf61b0e0066ecba00bf6fe84 |
| SHA256 | 84ceeb20b194f71fac2eaef87f983e2ec7bcee9fdccd695caa8f15bfb47ed809 |
| SHA512 | eba49ace2cba791e3033046c8cc3e6d47f006fe549b8042766d228a580a66aab0cc1641110045a04d2598b09f2e1e3be5477d9f9438c920224b2c0774a578eb0 |
C:\Users\Admin\AppData\Local\Temp\98236438\gbv.mp4
| MD5 | d531d161b4a0aaa0c501c02836e12b3e |
| SHA1 | 15cad0caaf28fe8110531038c5c53cf585848d31 |
| SHA256 | 50548cce5346d27f5f27cbd2441afd04a4dca65051c5dcd5143ff8989e0afb86 |
| SHA512 | a2d12d49366168d0143c9cf6ab9d0a7ce45cbf44b6e2eb2affeeb24bfa3f53b897b46cbc608dae8d6324b2855f9b666ba5912e5eee21ef4964a7798d22db6a1f |
C:\Users\Admin\AppData\Local\Temp\98236438\fdk.dat
| MD5 | d8d7e9d30ab45716631974be8243b9fb |
| SHA1 | 908ccfde115a408be6147a43fb60099d592f6a03 |
| SHA256 | 506fc7fe400ec08ff077b9a1835d8710a582ed2d06a14d11c1cf0299b320c49f |
| SHA512 | d3125f09e17006bcebc4b97a1e222a81815cd5b00a7f2b85fd0daa6d312ce892c376a69e4dc00e6dbe88c800ccda0b58d8bdccc71d327784000a0caa6b3bda73 |
C:\Users\Admin\AppData\Local\Temp\98236438\fdb.xl
| MD5 | 760d150f9a98d4c8cd1e3d4e6b208bdc |
| SHA1 | 5e839edf8e021c5d7f97a471c911dbaf5993bead |
| SHA256 | 9078eeb2a257f901a8357137688539181bed9f5e8d1d37c8bd34122d3aa96540 |
| SHA512 | cd5e02e356300edb654ef0c90f6e580dea2fbb847e8b4a32eeb41196a61c2108b1f93700cc9a4b000255bc1156c7cdbfbed6d9c9e0609b7f92b5982247be3ea0 |
C:\Users\Admin\AppData\Local\Temp\98236438\elv.ico
| MD5 | 2ccf9e3c62f40f365a15b998e6b0a679 |
| SHA1 | 0e5713e7946d6b7b613b41ed0b42dc8dccaa12ea |
| SHA256 | 151096eca18ccbe3e68b894e56debb1d428e3c407e0ea33a7e8d11ff19985dd6 |
| SHA512 | e0eba5e29d057138a2c87465747275f8f452f1869af389b21a894ec6812445d9342c16e92388c4fd0a131f5fb2bf463d3939da36bf8c1cacda65f9da4443a8ba |
C:\Users\Admin\AppData\Local\Temp\98236438\ehc.xl
| MD5 | 7f9c2778d111b88e413e2ed5a2246db6 |
| SHA1 | 1dd5e8f3df5cdcc9fb57070fba69e4edda620495 |
| SHA256 | 1e97ebfb5a2da4df482ff80bcc60340922c9e87b905bc61c694c19eb119d37c9 |
| SHA512 | 955ab981d6ea62247e8216f2685ce17adb8f02d735615f3e54dbc8f08bb7ad4aebb4ec69818e6fcdb541875fc5cba11092e8e61fd8a21f0f4ef296ed894df362 |
C:\Users\Admin\AppData\Local\Temp\98236438\efr.dat
| MD5 | d1d9ec98c50c2122365d4e3e57c73cf3 |
| SHA1 | fc3941172809c360a023e79c1932ac241d9e7fdb |
| SHA256 | ef94c9b3669f96f434d805e1e9233fb4bedcde4e4671bb1a46700efe4d3b5c5e |
| SHA512 | 48af759554128cc23fc10f1fff7486c4ae438689c2093ff928fba46aaf02b66cccb5da24a34a9be769b23b2d8b5d68be68a6a8d0acdd550ead87390eac12e591 |
C:\Users\Admin\AppData\Local\Temp\98236438\dhq.mp4
| MD5 | da372fbfcd3a81c79ec37ff44f62e5f4 |
| SHA1 | eb4f9fd415cf63e37ce5ba28a38dd57d675196b5 |
| SHA256 | c51b010c38b6d6f6680ee1a09d704c1dff398002598faf64e9d64a13bc8d3f22 |
| SHA512 | e29d14ab863d6181707e5d269704af7dd977fa463897532cce17aee1e852bf0f400b6c1b811479d068fd1d3f9e8fa17010c8a21387b040bc14f14e555ab0d163 |
C:\Users\Admin\AppData\Local\Temp\98236438\cxo.bmp
| MD5 | a828362c267e17c906c2b57cde3d4785 |
| SHA1 | 37a2b7fe3a95dc075d819ab181ba2b7017507a4c |
| SHA256 | 2d3a6ba474bb30ed71494de14eabe7a03beb366f63765c7dfa21f7ad4be0ea9a |
| SHA512 | 37bbb70413652a3e5ffe10fdab250dd40fd44947ce5599cb17d7a3132d3e7c8e0693d31425ffb902d77b4181f5e99fac9992a98e215a0c38373311f6ed41176f |
C:\Users\Admin\AppData\Local\Temp\98236438\cqs.ppt
| MD5 | a97d61e030ca77c8a53e9259444b5f23 |
| SHA1 | c3f60be7388a324a3b38ed1239ef9fe457939cf6 |
| SHA256 | 5f1b629dc97ad43e0004ab1efd97441bfa0c5b0e6c9b4a5a6a8529db68debdaf |
| SHA512 | 9a3c05610df05ea3a6213ec319f16f1325343774a998663a01e70a2e9f3d9fb69a40f2514b8f524c2412b53bd807fc97d21583a1f09bd8fd5b7d4b2a0c2399f3 |
C:\Users\Admin\AppData\Local\Temp\98236438\cet.icm
| MD5 | f6fdffa1cd18c737d404663645f67bf2 |
| SHA1 | c80530e5043120ca2d78c4ce9129b02025f489b9 |
| SHA256 | ae41415d4d4ea1a8ba2f7a653fe6810bdb358a35fba530eacafebaed8d862263 |
| SHA512 | 948a3bcbc7a6c472e2197b824c0848ececc6a50bad4ec6361156b396c5f01f1985299b373f186c28b797a7aec4052ed711d803b44db869c4b0a9ef7dc3360a0f |
C:\Users\Admin\AppData\Local\Temp\98236438\cdo.mp4
| MD5 | ea6f521eec16a962e7d47578c7209ab4 |
| SHA1 | fb844b66a6443d36ba76781f6adf4da4944ba568 |
| SHA256 | 02dfbfb288649901c177f8ff755fdf409fd1c12e7ecc2a21a034407d7afeac9b |
| SHA512 | 4841e1758c34ae824a7cd774ef8852bf0420e475ac8b48413e937e2382ce66b5fb78504bd7e32f3e8e2b6cd1c0660f9248cd2a679e5352397ea04a78e69cfd18 |
C:\Users\Admin\AppData\Local\Temp\98236438\bue.mp3
| MD5 | dc34a1e623ed7b7996ab2d059f95ffb6 |
| SHA1 | 49cfd28d42c2cadfbef620aeec9ecbf82df5913d |
| SHA256 | fe193eefdd50b272ee7ea0f0a424d8d13ddc3df3493943173cc03626738188f7 |
| SHA512 | 9f9cbfbaf94b24803652fe957f9b64ab5881b89fd14f83666d1221ed2e996aa1a42de8582572e318e224eb491778d2e18a6dd58e46066f3b9a597bb6ddbaa84c |
C:\Users\Admin\AppData\Local\Temp\98236438\DMCAT
| MD5 | 54c7f83e6efce6e5cb2c002fa2e2399e |
| SHA1 | 8e785b1c46ad77a5aad3df44014491d39938fd2a |
| SHA256 | 9dd3d3f0bb67e6b6ebff00f1cd6b8d12688ebd79f187969cb52fbf0986d9ac67 |
| SHA512 | a75c510ff049a5b518c71f230a325dd8e80043a89676bfaca446f9d4b59376f86deb6a0c815bc3242fa3bdac1f18916d3adf03ddd6a0ae030731582e3340e1b9 |
C:\Users\Admin\AppData\Local\Temp\98236438\asd.docx
| MD5 | 8f0bca5d42019a962c065f3fbfc1066c |
| SHA1 | afe76e5e83b428bd1ffa4a6c1f41b208a0cf4c97 |
| SHA256 | 61c194e2ff55f9f681d8c75c009a43ec5855f4defe5dd4256b47c0def8b457b7 |
| SHA512 | 2325fd2d7ea5622498a6f67a737ec3dc7cb3e59e61f7ff01b152bb6d0aaa5592db4e22cde4708e7097a165efa65474215fc7157f3854a249c27f860971d2e1b2 |
memory/1796-168-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2164-170-0x0000000000400000-0x00000000004DF000-memory.dmp
memory/1796-171-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1796-175-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1796-172-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2164-176-0x0000000000400000-0x00000000004DF000-memory.dmp
C:\Users\Admin\AppData\Roaming\dfrgJLK\logs.dat
| MD5 | a30dd672d935e8d54c1bb4a344f2ef5c |
| SHA1 | d16ee23343b5a34b1f3b4754b3f70a49a305b7a1 |
| SHA256 | 9f52f20f4f63e4900a136cdf6d178de757c12c3eef250e078a381218c791f702 |
| SHA512 | a33ee563cc0a17eab75fb1e1d44aebacf8a60e48a0cb30f874bf97d53b2bc3a0baacf8677c86f716494c424f33587b500c49893c557fa73895d29a02239e76eb |