nanocore | 30b2748b757fab768959b46cd67c4397fd79a4aa54e3446b7fbbbb46365d8a58

Resubmissions

28-05-2024 07:29

240528-jbhsgscb67 10

28-05-2024 07:20

240528-h6cpaabh93 10

Analysis

max time kernel
110s
max time network
110s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
Size

553KB
MD5

7c26b6c3cd05b0815037f5cafd13e237
SHA1

c9977e3771c0ac0e06bc286fce230fe64317ec27
SHA256

30b2748b757fab768959b46cd67c4397fd79a4aa54e3446b7fbbbb46365d8a58
SHA512

7fb32bed3f6470b4cff0523bb53f07f9c81bc6683bdefcec397613ed07a170e1e8de3fa3629edb61d26d7826356f548c3623ac9c0b98767e85889681563afe76
SSDEEP

12288:UEyJXR26P1lamEzK+Q9D8+OHn6y2yadF0Kqss:UDV1aDzK+s87HMTF0K

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 64 IoCs

Processes:

Chercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exeChercosrs.exe

pid	process
2692	Chercosrs.exe
1600	Chercosrs.exe
2480	Chercosrs.exe
1820	Chercosrs.exe
1272	Chercosrs.exe
1628	Chercosrs.exe
884	Chercosrs.exe
2732	Chercosrs.exe
1744	Chercosrs.exe
1752	Chercosrs.exe
2056	Chercosrs.exe
1632	Chercosrs.exe
2300	Chercosrs.exe
1292	Chercosrs.exe
844	Chercosrs.exe
1240	Chercosrs.exe
3024	Chercosrs.exe
2808	Chercosrs.exe
1732	Chercosrs.exe
1588	Chercosrs.exe
2664	Chercosrs.exe
2880	Chercosrs.exe
2760	Chercosrs.exe
1860	Chercosrs.exe
1968	Chercosrs.exe
1448	Chercosrs.exe
1408	Chercosrs.exe
1188	Chercosrs.exe
1832	Chercosrs.exe
1236	Chercosrs.exe
2796	Chercosrs.exe
2816	Chercosrs.exe
1796	Chercosrs.exe
1540	Chercosrs.exe
2968	Chercosrs.exe
1976	Chercosrs.exe
2036	Chercosrs.exe
2304	Chercosrs.exe
2148	Chercosrs.exe
2484	Chercosrs.exe
1200	Chercosrs.exe
948	Chercosrs.exe
2000	Chercosrs.exe
2124	Chercosrs.exe
2344	Chercosrs.exe
1516	Chercosrs.exe
536	Chercosrs.exe
572	Chercosrs.exe
3784	Chercosrs.exe
3844	Chercosrs.exe
3900	Chercosrs.exe
3952	Chercosrs.exe
1852	Chercosrs.exe
2644	Chercosrs.exe
2312	Chercosrs.exe
1352	Chercosrs.exe
848	Chercosrs.exe
2680	Chercosrs.exe
3124	Chercosrs.exe
3176	Chercosrs.exe
3236	Chercosrs.exe
3292	Chercosrs.exe
3380	Chercosrs.exe
3464	Chercosrs.exe

Loads dropped DLL 1 IoCs

Processes:

7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe

pid process

2340 7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Chercosrs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\chercosrs = "C:\\Users\\Admin\\AppData\\Local\\Chercosrs.exe"	Chercosrs.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exeChercosrs.exeChercosrs.exe

description	pid	process	target process
PID 2340 set thread context of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2692 set thread context of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 2732	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 1744	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1752	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2056	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1632	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2300	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1292	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 844	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1240	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 3024	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 2808	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 1732	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1588	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2664	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 2880	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2760	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1860	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 1968	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1448	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 1408	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1188	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 1832	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1236	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2796	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 2816	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 1796	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1540	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2968	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1976	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2036	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 2304	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2148	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 2484	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 1200	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 948	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2000	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 2124	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2344	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1516	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 536	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 572	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 3784	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 3844	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 3900	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 3952	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 1852	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 2644	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 2312	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 1352	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 848	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 2680	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 3124	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 3176	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 3236	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 3292	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 3380	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 set thread context of 3464	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 set thread context of 3512	2692	Chercosrs.exe	Chercosrs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exeChercosrs.exeChercosrs.exe

pid	process
2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
1840	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
1840	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
1840	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
1840	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
1840	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
1840	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe
2692	Chercosrs.exe
2480	Chercosrs.exe
2480	Chercosrs.exe
2692	Chercosrs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe

pid process

1840 7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe

pid	process
1840	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exeChercosrs.exeChercosrs.exe

description	pid	process
Token: SeDebugPrivilege	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
Token: SeDebugPrivilege	1840	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
Token: SeDebugPrivilege	2692	Chercosrs.exe
Token: SeDebugPrivilege	2480	Chercosrs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msdt.exemsdt.exe

pid process

2264 msdt.exe
2352 msdt.exe

pid	process
2264	msdt.exe
2352	msdt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exeChercosrs.exeChercosrs.exe

description	pid	process	target process
PID 2340 wrote to memory of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2340 wrote to memory of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2340 wrote to memory of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2340 wrote to memory of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2340 wrote to memory of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2340 wrote to memory of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2340 wrote to memory of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2340 wrote to memory of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2340 wrote to memory of 1840	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
PID 2340 wrote to memory of 2692	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	Chercosrs.exe
PID 2340 wrote to memory of 2692	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	Chercosrs.exe
PID 2340 wrote to memory of 2692	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	Chercosrs.exe
PID 2340 wrote to memory of 2692	2340	7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe	Chercosrs.exe
PID 2692 wrote to memory of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1600	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 2480	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 2480	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 2480	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 2480	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1820	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 1272	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 1628	2480	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2692 wrote to memory of 884	2692	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 2732	2480	Chercosrs.exe	Chercosrs.exe
PID 2480 wrote to memory of 2732	2480	Chercosrs.exe	Chercosrs.exe

C:\Users\Admin\AppData\Local\Temp\7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7c26b6c3cd05b0815037f5cafd13e237_JaffaCakes118.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1600

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1820

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1632

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1292

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1240

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:2808

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1588

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1860

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1448

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1188

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1236

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1976

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:2304

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:2484

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:948

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:2124

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:572

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:3844

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:1352

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:2680

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:3176

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
- Executes dropped EXE
PID:3464

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
PID:3600

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
PID:2936

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
PID:3888

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
PID:1748

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
PID:1836

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
4⤵
PID:1648

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1272

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:884

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2300

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:844

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2664

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2760

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1968

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1832

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2796

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1796

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2968

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2036

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2148

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1200

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2000

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2344

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:536

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:3784

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:3900

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:1852

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:2312

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:848

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:3124

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:3236

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
- Executes dropped EXE
PID:3380

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
PID:3512

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
PID:3704

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
PID:3840

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
PID:4076

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
PID:2396

C:\Users\Admin\AppData\Local\Chercosrs.exe
"C:\Users\Admin\AppData\Local\Chercosrs.exe"
3⤵
PID:2604

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:604

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2848

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1720

C:\Windows\System32\msdt.exe
"C:\Windows\System32\msdt.exe" -skip TRUE -path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsPNI
1⤵
- Suspicious use of FindShellTrayWindow
PID:2264

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" /name Microsoft.Troubleshooting /page "resultPage?keywords=+;NetworkDiagnostics"
2⤵
PID:840

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:3540

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pqeskinu.cmdline"
2⤵
PID:3632

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE44.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE43.tmp"
3⤵
PID:3664

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:3940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tnvndolu.cmdline"
2⤵
PID:2516

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E81.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2E80.tmp"
3⤵
PID:4064

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:808

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" werconcpl.dll, LaunchErcApp -queuereporting
1⤵
PID:3076

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3320

C:\Windows\system32\msdt.exe
-skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDF905D.tmp -ep NetworkDiagnosticsGenericNetConnection
1⤵
- Suspicious use of FindShellTrayWindow
PID:2352

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chercosrs.exe
Filesize
553KB

MD5
7c26b6c3cd05b0815037f5cafd13e237

SHA1
c9977e3771c0ac0e06bc286fce230fe64317ec27

SHA256
30b2748b757fab768959b46cd67c4397fd79a4aa54e3446b7fbbbb46365d8a58

SHA512
7fb32bed3f6470b4cff0523bb53f07f9c81bc6683bdefcec397613ed07a170e1e8de3fa3629edb61d26d7826356f548c3623ac9c0b98767e85889681563afe76

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024052807.000\NetworkDiagnostics.0.debugreport.xml
Filesize
63KB

MD5
d5f95cf48c1ffc428a0c4ec9b5f2f5bc

SHA1
d655f6a2a2cbf9de7b1333819688ab4f42728e3a

SHA256
03991c814e4dcac450d94da721e76e9409ba51d6b1b5cc14d80835e74757078b

SHA512
c0ba9e63da476eefa8fde73fc3ea70ffca9af94531188497aee0d7d731645250a01365dc133bb211ff8330fba839084f933cccdd4ebed62a45f740fd07b2a635

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024052807.000\NetworkDiagnostics.1.debugreport.xml
Filesize
5KB

MD5
4fae8fabff1b70f81c8b147784d59ead

SHA1
834034bb35cb0699c7d892b25756b09ecb47dbf6

SHA256
8d97dc6c55f301c20db271f03899b93df7b05675944769e80cf50ec6afcfcdae

SHA512
deb0f3fc85a8c14d79d0d8840e9d2ca80415ebe88814899ed872313a10ff93bd355ae0941ab94c2e15adf89367849b321a424564f060ada36a3adbf45497dbbd

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024052807.000\ResultReport.xml
Filesize
35KB

MD5
cdfd9926a08db2e148018fdd21517d11

SHA1
212c37f44ddc2901206238bece1c616f0bdb53f6

SHA256
546a8dbb741dce39283336d776c060a487b61d47f5a5bb3552d6db4c481ae082

SHA512
e181ae75ddc50ab05aeefb8b3958cc1058d34767910c1d6b6cc9a9925fdbdc92a107b73d27078aea92114be2d469d6d589f4648e394e75eafc07d8c0088aef0b

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024052807.000\results.xml
Filesize
253B

MD5
840b413cbf5e57a93deecff7e76cf260

SHA1
cdcb54b73ea2acbfaa16e9355b347c2548411026

SHA256
de5825ee63dd98ca86f86652ff81ac75380b3ac4d880ab44d8984b8bf531ffae

SHA512
2130c9f55a3b28492c698def50cf92d805ccee1334c95ca8f9f776f6ceeee91884e751fac42510088a262dd82de01dcd6aaac5186db4a97a221bd8289a72c3a1

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024052807.001\NetworkDiagnostics.0.debugreport.xml
Filesize
5KB

MD5
086ae5883cce861d6130ce3ea8f0ee10

SHA1
314ce2ffcaa85c3676c0af97e10acc4c809a4350

SHA256
9a842b629e32ecab0098928c529bb7452fbbc4c9407fdaa43cf5ab17a40ad972

SHA512
cd7410338649d2d9b9fe45f02f80e4be78a09ff7e7b040296e5601dbddd8b6d0cf62072442d05a984a3f8cbfe01200bd46fe2dd60ccf6320168f70e349e8f9ff

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024052807.001\ResultReport.xml
Filesize
34KB

MD5
463b48f70be3df9697e8f3ec07b0ff95

SHA1
acea3bf19f57235d12471be9e34ff8c099fc6cec

SHA256
c9e5faafbd0825c6297ab2e66308cb112f0becee2ea6bddd4dc8936992307245

SHA512
ae7ea3ce8c9321d41606ab87f0eb2d1fb24e32bdd6cc8b72d56092df5984ceb78be384302b4a45c607d1313948b116cb7b157cc1e0d29212dd183ff7e8642e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLA3F1A.tmp
Filesize
195B

MD5
4968891482744e3dffae478b81c59512

SHA1
88b21cfb0947dc03367c502943f1de432c945e9c

SHA256
73ff71d870b9dd4f1f2649dc5567b906ce4e6e78fc7f74b8019a41f4e469060c

SHA512
865a1f50cb8ade4634967628a3df44bcb732faf2e8ce29052f1edd93fb6a48fdeee42710520e533873b259d4ee66679f0e548ce89da6ad1679ff30dd03ff5321

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLA6CF5.tmp
Filesize
142B

MD5
89247260f56735c9ab8bd8e1273c3912

SHA1
d0b2cdadb36579396493fb1f803309d6b46df13e

SHA256
c76e242d3e331793eb93fce78cd90f84a1059f12d11571aa9d9d7b7b38fb417c

SHA512
9ace3d380473495b756870f81a51028ac41cb77316658a0df4cc67c28e8dfa877ba59dc16658d6518e3cf7e91ae937f78d95cff08e679e4f50da57a82af679db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE44.tmp
Filesize
1KB

MD5
687f85575784e99e62e2d929b209d7f4

SHA1
3a76acb8fc310be10bb5edee8e0d247c3a7e1f4a

SHA256
0d5561e80d1615a1e353a692d75ca9ac3adea122c8d9a26bfb092213821f4dec

SHA512
443953b72fb0f39a9cce9ef70c3e6386b2ea743bcdddf1d87f74e1b096d92c6f693e3873a9f9590c9a8b0c2f9a3534fab6de39b02d2a5bdfff92c5191c9ab6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqeskinu.dll
Filesize
3KB

MD5
0fff6526edf3c65a0d65f9702fa89d7e

SHA1
9f24a203c73d8faa61092dbd09a0ed69030090fa

SHA256
45139b13d004bd37ea95a89a25eee89c53486cbdc0638515964acd45e2e43653

SHA512
d44bad65d096e6bd7221b49447d7ef871a053ed2cec515ff94c3f2afe1a5e295407fb4d475092343bad29a39adba60ce4ce7ff97f04fafe8d160311010cf1ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pqeskinu.pdb
Filesize
11KB

MD5
47ab8b04ae956536372fbbc8ceccc353

SHA1
f20bb460c11e5fee28c8f9249a873e3848131df2

SHA256
ce1a8b95467d038799e2cce75b92a64efb14046d302fe9fb2faa94bba4ad7f8c

SHA512
2d6e8d6d9a2eaa9c7c51758a80dd513fe7dc59af7b22ff2b4bb0988d42c1a1f713d5696c57d9141300a3e767f5392cefca733914b641e319072bd719d34d6b02

Download Submit
C:\Windows\TEMP\SDIAG_c2b63ad0-19c1-44d9-8a19-245ae0c70e66\NetworkDiagnosticsTroubleshoot.ps1
Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_c2b63ad0-19c1-44d9-8a19-245ae0c70e66\UtilityFunctions.ps1
Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_c2b63ad0-19c1-44d9-8a19-245ae0c70e66\UtilitySetConstants.ps1
Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_c2b63ad0-19c1-44d9-8a19-245ae0c70e66\en-US\LocalizationData.psd1
Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_9514dfb8-ab41-4ae4-a419-c127a66cb36b\result\ResultReport.xml
Filesize
34KB

MD5
145fcfd76c18c9974ff6e1d163cef4bd

SHA1
a87e286c8472f3ffa7be46a01f03c78e463e3a57

SHA256
2b7821ba54038dd0166fd419ebf69e9b3ec8c53bc3b238d9b1cfdfa353bd50dd

SHA512
beb5ccd27f676fc709208bcfed45dd6119ab7f25f30a27a55efb2d151d562f935d2ec9e5768fa315412434d71fd88ed56d6cd51732965630170d648d0bb7df95

Download Submit
C:\Windows\Temp\SDIAG_be1e2cad-abd2-4cf9-bbd1-cf33ed45d4b0\DiagPackage.diagpkg
Filesize
152KB

MD5
c9fb87fa3460fae6d5d599236cfd77e2

SHA1
a5bf8241156e8a9d6f34d70d467a9b5055e087e7

SHA256
cde728c08a4e50a02fcff35c90ee2b3b33ab24c8b858f180b6a67bfa94def35f

SHA512
f4f0cb1b1c823dcd91f6cfe8d473c41343ebf7ed0e43690eecc290e37cee10c20a03612440f1169eef08cc8059aaa23580aa76dd86c1704c4569e8139f9781b3

Download Submit
C:\Windows\Temp\SDIAG_be1e2cad-abd2-4cf9-bbd1-cf33ed45d4b0\result\results.xsl
Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Windows\Temp\SDIAG_c2b63ad0-19c1-44d9-8a19-245ae0c70e66\DiagPackage.dll
Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_c2b63ad0-19c1-44d9-8a19-245ae0c70e66\en-US\DiagPackage.dll.mui
Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE43.tmp
Filesize
652B

MD5
e7a5dd5df13cc25a1bfe48440193a31b

SHA1
fff12243c57913a4727c69554b14d7f84a2c06cd

SHA256
c14e0989107b4d9c1eb860b8b307143cdcec3c7e7fb992a06b7d7ebc06dde46f

SHA512
25ccb35f703f0d803350920be87e2f2d71a9053a87df8ec1af1598fe59dbdd539751d044b60bef93600c7af72316f9367d930df4027fb5d15aa9381835dd30b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pqeskinu.0.cs
Filesize
1007B

MD5
bac2724be827ee042ff2b312050aa844

SHA1
ca34fd2feb835c8746ad1bec6de9a24cc1368595

SHA256
6901eb7b1a34580f7ae741d2a0d09bfa0e85e0b2cbd945d961291e6f4a02bd33

SHA512
3e7b6d91ed41007b471c93015c7c8900c7141766d7a83b394fabceac93f91cb4b37ed06abc3371f96b314355aa4facf9e0214d7dfcb7faa0018db02ad0a970aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pqeskinu.cmdline
Filesize
309B

MD5
d179aa359efbb12c2a37b8083426979d

SHA1
4898abc9764902d56dba6fb215f5dffa3b0037ac

SHA256
26375620b5ea83e806662b37cf42117135163b842916dd0ab50271a156487b00

SHA512
79169b713389669294dc052d3bbf7fb20c9f18f2f44adfc7d21eae39cc2dd46910c1241adc4fcd846a2e44b0c677a5a8c28c2eacd993cb7d04cae9acb78bab5b

Download Submit
memory/1820-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1840-16-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-10-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1840-13-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1840-103-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-6-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1840-15-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-5-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/1840-14-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-0-0x0000000074881000-0x0000000074882000-memory.dmp

Filesize
4KB

Download
memory/2340-25-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-3-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-2-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-1-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/3540-611-0x0000000002940000-0x0000000002948000-memory.dmp

Filesize
32KB

Download
memory/3940-1032-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download