Malware Analysis Report

2025-01-18 01:06

Sample ID 240613-g7rn6axdkh
Target a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118
SHA256 24af90a82bce57acc5521e068ddfc0f94e35d89830687bae2f97878b9a3deafb
Score 7/10

Analysis Overview

Score 7/10

SHA256

24af90a82bce57acc5521e068ddfc0f94e35d89830687bae2f97878b9a3deafb

Threat Level: Shows suspicious behavior

The file a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:27

Reported

2024-06-13 06:29

Platform

win7-20240508-en

Max time kernel

133s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe

NSIS installer

Tag: installer
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Modifies system certificate store

Tags: evasion, spyware, trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (value omitted) C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe N/A (3 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe (reported 7 times)
PID 548 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe (reported 7 times)
PID 2552 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 4 times)
PID 2552 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 4 times)
PID 2552 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 4 times)
PID 2552 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 4 times)
PID 2552 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 4 times)
PID 2552 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\WerFault.exe (reported 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe

C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe 7-1-2-5-2-4-8-3-5-3-2 (rest of command line omitted)

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260059.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 368

Network

Country Destination Domain Proto
US 8.8.8.8:53 t2.symcb.com udp
US 8.8.8.8:53 t1.symcb.com udp
US 8.8.8.8:53 tl.symcd.com udp
US 8.8.8.8:53 tl.symcb.com udp
US 8.8.8.8:53 serv.the-app-data.info udp

Files

memory/2296-0-0x000007FEF649E000-0x000007FEF649F000-memory.dmp

memory/2296-8-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab407C.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/2296-16-0x000007FEF61E0000-0x000007FEF6B7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar89CE.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2296-26-0x000000001B3C0000-0x000000001B438000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 0cde0cad0ce4b585b01f5f4372421806
SHA1 3c7aa727e1d848384380c9d2faf36ef204c62012
SHA256 b067a5cd483d8b48109a8e6b0b6f14a98cba55bdfdbb19746bb0b34225fff98e
SHA512 ebfcfe5e648989d896b6dcb1006958998ef6f5e141214fe330ad3e70f89412ba2e88640f3f0554c52b9f6f0dae0545eead982b36405f2e35af61e019d41b4468

\Users\Admin\AppData\Local\Temp\nst8BDC.tmp\amobm.dll

MD5 98aafe4b27cc67a4aa2f3f8cb2696c7a
SHA1 819d9079822e56185b5860dc9f705c468ec74767
SHA256 b2cc39a4cf32de27d4d9e4204c5f51be48568f450780bd9b3322a1c592dbbbf7
SHA512 800e3f3d6426272d9d271fd53d6ca8cf49a722d4f3c3f64158de1e9bae1b8fe73b69d225f15991bfc4fdcded98f59279326ebb0d86e8cf9ff84cecd0d4d8eb9d

\Users\Admin\AppData\Local\Temp\nst8BDC.tmp\nsisunz.dll

MD5 5f13dbc378792f23e598079fc1e4422b
SHA1 5813c05802f15930aa860b8363af2b58426c8adf
SHA256 6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA512 9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe

MD5 c9956ff8300e9d03818f9ea699dd5166
SHA1 119029567399a3a4c453f2686bc7f1ad9181e2d0
SHA256 d4f2bfa905ebe30c7393db660d4bdd99e5c3a1a7c5f17b2f06d60b4b85f9cc7a
SHA512 8201d9c97b894f6ca9da57a18ccda3fa1694b6cc54ff1b53a4981dd5add7edef2e30b7252190e39610c6523da0a6878987d9ba5b583fcdda774f509d7ff51f12

C:\Users\Admin\AppData\Local\Temp\81718260059.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:27

Reported

2024-06-13 06:29

Platform

win10v2004-20240508-en

Max time kernel

96s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe

NSIS installer

Tag: installer
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Modifies system certificate store

Tags: evasion, spyware, trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = (value omitted) C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe N/A (4 identical rows)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3964 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe (reported 3 times)
PID 3536 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe (reported 3 times)
PID 1488 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 3 times)
PID 1488 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 3 times)
PID 1488 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 3 times)
PID 1488 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 3 times)
PID 1488 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe C:\Windows\SysWOW64\Wbem\wmic.exe (reported 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a4325cffe3af673ef38fcdccbc3906e7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe

C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe 7-1-2-5-2-4-8-3-5-3-2 (rest of command line omitted)

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get serialnumber

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get version

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic /output:C:\Users\Admin\AppData\Local\Temp\81718260052.txt bios get version

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 908

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 t2.symcb.com udp

Files

memory/3964-0-0x00007FFEF8FC5000-0x00007FFEF8FC6000-memory.dmp

memory/3964-1-0x00007FFEF8D10000-0x00007FFEF96B1000-memory.dmp

memory/3964-2-0x00007FFEF8FC5000-0x00007FFEF8FC6000-memory.dmp

memory/3964-3-0x000000001BCD0000-0x000000001BD48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 0cde0cad0ce4b585b01f5f4372421806
SHA1 3c7aa727e1d848384380c9d2faf36ef204c62012
SHA256 b067a5cd483d8b48109a8e6b0b6f14a98cba55bdfdbb19746bb0b34225fff98e
SHA512 ebfcfe5e648989d896b6dcb1006958998ef6f5e141214fe330ad3e70f89412ba2e88640f3f0554c52b9f6f0dae0545eead982b36405f2e35af61e019d41b4468

C:\Users\Admin\AppData\Local\Temp\nsyB631.tmp\amobm.dll

MD5 98aafe4b27cc67a4aa2f3f8cb2696c7a
SHA1 819d9079822e56185b5860dc9f705c468ec74767
SHA256 b2cc39a4cf32de27d4d9e4204c5f51be48568f450780bd9b3322a1c592dbbbf7
SHA512 800e3f3d6426272d9d271fd53d6ca8cf49a722d4f3c3f64158de1e9bae1b8fe73b69d225f15991bfc4fdcded98f59279326ebb0d86e8cf9ff84cecd0d4d8eb9d

C:\Users\Admin\AppData\Local\Temp\nsyB631.tmp\nsisunz.dll

MD5 5f13dbc378792f23e598079fc1e4422b
SHA1 5813c05802f15930aa860b8363af2b58426c8adf
SHA256 6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d
SHA512 9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

C:\Users\Admin\AppData\Local\Temp\dbacabfhdcfa.exe

MD5 c9956ff8300e9d03818f9ea699dd5166
SHA1 119029567399a3a4c453f2686bc7f1ad9181e2d0
SHA256 d4f2bfa905ebe30c7393db660d4bdd99e5c3a1a7c5f17b2f06d60b4b85f9cc7a
SHA512 8201d9c97b894f6ca9da57a18ccda3fa1694b6cc54ff1b53a4981dd5add7edef2e30b7252190e39610c6523da0a6878987d9ba5b583fcdda774f509d7ff51f12

C:\Users\Admin\AppData\Local\Temp\81718260052.txt

MD5 9025468f85256136f923096b01375964
SHA1 7fcd174999661594fa5f88890ffb195e9858cc52
SHA256 d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df
SHA512 92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

C:\Users\Admin\AppData\Local\Temp\81718260052.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\81718260052.txt

MD5 f8e2f71e123c5a848f2a83d2a7aef11e
SHA1 5e7a9a2937fa4f06fdf3e33d7def7de431c159b4
SHA256 79dae8edfddb5a748fb1ed83c87081b245aeff9178c95dcf5fbaaed6baf82121
SHA512 8d34a80d335ee5be5d899b19b385aeaeb6bc5480fd72d3d9e96269da2f544ccc13b30fd23111980de736a612b8beb24ff062f6bed2eb2d252dbe07a2ffeb701e

memory/3964-79-0x00007FFEF8D10000-0x00007FFEF96B1000-memory.dmp