Analysis Overview
SHA256
14d4db1adde49001f81cb670a60f9d40fc7dea4b96cd77029ca87b44ccb586c8
Threat Level: Known bad
The file 5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.bin was found to be: Known bad.
Malicious Activity Summary
Gozi
Unexpected DNS network traffic destination
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-17 23:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-17 23:16
Reported
2024-05-17 23:19
Platform
win7-20240508-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Gozi
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\comr8030 = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Connssec\\clbcenum.dll\",DllRegisterServer" | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2192 set thread context of 2288 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\control.exe |
| PID 2288 set thread context of 1208 | N/A | C:\Windows\system32\control.exe | C:\Windows\Explorer.EXE |
| PID 2288 set thread context of 2532 | N/A | C:\Windows\system32\control.exe | C:\Windows\system32\rundll32.exe |
| PID 1208 set thread context of 1976 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\control.exe | N/A |
| N/A | N/A | C:\Windows\system32\control.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.dll,#1
C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\18A4.bi1"
C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\18A4.bi1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:443 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | intraders-support.at | udp |
Files
memory/2192-0-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/2192-3-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/2192-1-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/2192-2-0x00000000730DB000-0x00000000730E0000-memory.dmp
memory/2192-12-0x00000000001E0000-0x000000000022A000-memory.dmp
memory/2192-5-0x00000000001E0000-0x000000000022A000-memory.dmp
memory/2288-14-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp
memory/2288-15-0x0000000001BA0000-0x0000000001C53000-memory.dmp
memory/2288-22-0x0000000000070000-0x0000000000071000-memory.dmp
memory/2288-23-0x0000000001BA0000-0x0000000001C53000-memory.dmp
memory/2192-21-0x0000000073020000-0x00000000739ED000-memory.dmp
memory/1208-24-0x00000000045E0000-0x0000000004693000-memory.dmp
memory/1208-29-0x00000000045E0000-0x0000000004693000-memory.dmp
memory/1208-28-0x0000000002AA0000-0x0000000002AA1000-memory.dmp
memory/2532-31-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp
memory/2532-32-0x0000000000270000-0x0000000000323000-memory.dmp
memory/2288-36-0x0000000001BA0000-0x0000000001C53000-memory.dmp
memory/1208-37-0x00000000045E0000-0x0000000004693000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\18A4.bi1
| MD5 | 86ae6b510c19228190f4b797503ce192 |
| SHA1 | 0a6c67bc4f36fcdaa7a553f9ff9ae439f13b32d1 |
| SHA256 | be8c30a0e245b6d86db1e7bdf04b8cfa3117846d5b88f6d476066041eaea1c3a |
| SHA512 | bec76ed958ccf192f26b2eb9250f02ce2cf04318cc4f51d30cbbd24b96de172f4f26bbac018938ebd2f7c38f70e70def8d8f6b0e9b473b3a32bbe252449e3dd5 |
memory/1976-42-0x0000000000450000-0x00000000004F5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-17 23:16
Reported
2024-05-17 23:19
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Gozi
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coreORes = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cryppast\\dpnaslad.dll\",DllRegisterServer" | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4048 set thread context of 5008 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\control.exe |
| PID 5008 set thread context of 3532 | N/A | C:\Windows\system32\control.exe | C:\Windows\Explorer.EXE |
| PID 3532 set thread context of 4012 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3532 set thread context of 4232 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 5008 set thread context of 3280 | N/A | C:\Windows\system32\control.exe | C:\Windows\system32\rundll32.exe |
| PID 3532 set thread context of 4780 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3532 set thread context of 2576 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3532 set thread context of 3708 | N/A | C:\Windows\Explorer.EXE | C:\Windows\System32\RuntimeBroker.exe |
| PID 3532 set thread context of 3240 | N/A | C:\Windows\Explorer.EXE | C:\Windows\syswow64\cmd.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91aec1e7-7cb2-4013 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91aec1e7-7cb2-4013 = "\\\\?\\Volume{8A2A71C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\db3e2a0dfacd9c43e7636fedbdb46e65f90a7e290d4e40fa97f28ce82e35f6dd" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91aec1e7-7cb2-4013 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79340d7d-0150-416e = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79340d7d-0150-416e = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d73754b0-4df5-45ae = "\\\\?\\Volume{8A2A71C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d73754b0-4df5-45ae = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15f7fe51-c7e9-4c73 = fba4178fb0a8da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15f7fe51-c7e9-4c73 = "0" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91aec1e7-7cb2-4013 = f4d10a8fb0a8da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15f7fe51-c7e9-4c73 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79340d7d-0150-416e | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d73754b0-4df5-45ae | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d73754b0-4df5-45ae = 6d57818eb0a8da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d73754b0-4df5-45ae | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15f7fe51-c7e9-4c73 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15f7fe51-c7e9-4c73 = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91aec1e7-7cb2-4013 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15f7fe51-c7e9-4c73 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15f7fe51-c7e9-4c73 = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79340d7d-0150-416e | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d73754b0-4df5-45ae | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91aec1e7-7cb2-4013 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91aec1e7-7cb2-4013 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d73754b0-4df5-45ae = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d73754b0-4df5-45ae = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\d73754b0-4df5-45ae = 0114020000000000c0000000000000464c0000000114020000000000c0000000000000468300000020000000bae17d8eb0a8da01bae17d8eb0a8da01bae17d8eb0a8da01000000000000000001000000000000000000000000000000260514001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800e4003100000000000000000010004d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e31683274787965777900009e0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e003100680032007400780079006500770079000000460060003100000000000000000010004c6f63616c53746174650000460009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c005300740061007400650000001a00660031000000000000000000100053746167656441737365747300004a0009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000053007400610067006500640041007300730065007400730000001c00ad01320000000000b15855ba2000366332653934636136653565313632336632366236656430393433663566643364613764356161343437303330303366353164656366386133373734393761620000b20009000400efbeb15855bab15855ba2e0000000000000000000000000000000000000000000000000046930c00360063003200650039003400630061003600650035006500310036003200330066003200360062003600650064003000390034003300660035006600640033006400610037006400350061006100340034003700300033003000300033006600350031006400650063006600380061003300370037003400390037006100620000005000ab0000002700efbe9d00000031535053b79daeff8d1cff43818c84403aa3732d8100000064000000001f000000370000004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e0043006f006e00740065006e007400440065006c00690076006500720079004d0061006e0061006700650072005f006300770035006e0031006800320074007800790065007700790000000000000000000000000050000000eb0000001c000000010000001c0000003400000000000000ea0000001800000003000000bdeab64b1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e57696e646f77732e436f6e74656e7444656c69766572794d616e616765725f6377356e3168327478796577795c4c6f63616c53746174655c5374616765644173736574735c36633265393463613665356531363233663236623665643039343366356664336461376435616134343730333030336635316465636638613337373439376162000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006276726b697074730000000000000000c2dfa40c293cbb45ae1b53f4041e69b59bc1a9623c0def11bca546fd0705b728c2dfa40c293cbb45ae1b53f4041e69b59bc1a9623c0def11bca546fd0705b728d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0031003300330037003800320034003000330034002d0032003700330031003300370036003900380031002d0033003700350035003400330036003500320033002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d000000680000000048000000c9712a8a000000000000d01200000000000000000000000000000000 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\91aec1e7-7cb2-4013 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79340d7d-0150-416e | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79340d7d-0150-416e = "8324" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79340d7d-0150-416e = "\\\\?\\Volume{8A2A71C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\db3e2a0dfacd9c43e7636fedbdb46e65f90a7e290d4e40fa97f28ce82e35f6dd" | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79340d7d-0150-416e = 06697d8eb0a8da01 | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\79340d7d-0150-416e | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\15f7fe51-c7e9-4c73 = "\\\\?\\Volume{8A2A71C9-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\6c2e94ca6e5e1623f26b6ed0943f5fd3da7d5aa44703003f51decf8a377497ab" | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\control.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\control.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5016784605ad3fd883fbdfdd5fbd469fJaffaCakes118.dll,#1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\control.exe
C:\Windows\system32\control.exe /?
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\A188.bi1"
C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\A188.bi1"
C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:443 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.222.222:53 | resolver1.opendns.com | udp |
| US | 8.8.8.8:53 | intraders-support.at | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4048-0-0x0000000074220000-0x0000000074BED000-memory.dmp
memory/4048-1-0x0000000074220000-0x0000000074BED000-memory.dmp
memory/4048-3-0x0000000074220000-0x0000000074BED000-memory.dmp
memory/4048-2-0x00000000742DB000-0x00000000742E0000-memory.dmp
memory/4048-4-0x0000000074220000-0x0000000074BED000-memory.dmp
memory/4048-7-0x0000000002390000-0x00000000023DA000-memory.dmp
memory/4048-14-0x0000000002390000-0x00000000023DA000-memory.dmp
memory/5008-17-0x0000000000870000-0x0000000000923000-memory.dmp
memory/4048-22-0x0000000074220000-0x0000000074BED000-memory.dmp
memory/5008-24-0x0000000000870000-0x0000000000923000-memory.dmp
memory/5008-23-0x0000000000930000-0x0000000000931000-memory.dmp
memory/3532-25-0x00000000028A0000-0x0000000002953000-memory.dmp
memory/3532-31-0x0000000000830000-0x0000000000831000-memory.dmp
memory/3532-32-0x00000000028A0000-0x0000000002953000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Cryppast\dpnaslad.dll
| MD5 | 5016784605ad3fd883fbdfdd5fbd469f |
| SHA1 | 30100663d3d88d7399948f7f92602efcb70b5a86 |
| SHA256 | 14d4db1adde49001f81cb670a60f9d40fc7dea4b96cd77029ca87b44ccb586c8 |
| SHA512 | 3f61dac201d25c5cb8932e9bed8b762c6897462edf912091e6921f2895645908b64c91a779f8db0cac76a0ddae19808d9ba6ce7fb27cd0a0153c5bf20d01f116 |
memory/4012-37-0x00000295373A0000-0x00000295373A1000-memory.dmp
memory/4012-38-0x0000029538BF0000-0x0000029538CA3000-memory.dmp
memory/4012-33-0x0000029538BF0000-0x0000029538CA3000-memory.dmp
memory/4232-39-0x00000235698D0000-0x0000023569983000-memory.dmp
memory/4232-44-0x00000235698D0000-0x0000023569983000-memory.dmp
memory/5008-50-0x0000000000870000-0x0000000000923000-memory.dmp
memory/3280-46-0x000002B10E4D0000-0x000002B10E583000-memory.dmp
memory/4232-43-0x0000023569890000-0x0000023569891000-memory.dmp
memory/4780-51-0x0000014A235D0000-0x0000014A23683000-memory.dmp
memory/2576-55-0x00000137AA0E0000-0x00000137AA193000-memory.dmp
memory/3708-59-0x0000028A6BD10000-0x0000028A6BDC3000-memory.dmp
memory/3532-63-0x00000000028A0000-0x0000000002953000-memory.dmp
memory/4012-64-0x0000029538BF0000-0x0000029538CA3000-memory.dmp
memory/4232-65-0x00000235698D0000-0x0000023569983000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A188.bi1
| MD5 | 86ae6b510c19228190f4b797503ce192 |
| SHA1 | 0a6c67bc4f36fcdaa7a553f9ff9ae439f13b32d1 |
| SHA256 | be8c30a0e245b6d86db1e7bdf04b8cfa3117846d5b88f6d476066041eaea1c3a |
| SHA512 | bec76ed958ccf192f26b2eb9250f02ce2cf04318cc4f51d30cbbd24b96de172f4f26bbac018938ebd2f7c38f70e70def8d8f6b0e9b473b3a32bbe252449e3dd5 |
memory/3240-72-0x0000000000B80000-0x0000000000C25000-memory.dmp