Analysis Overview
SHA256
1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270
Threat Level: Known bad
The file ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Reads local data of messenger clients
Executes dropped EXE
Drops startup file
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 05:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 05:51
Reported
2024-06-15 05:54
Platform
win7-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | bot.whatismyipaddress.com | N/A | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (certificate blob data not preserved in this copy of the report; three Set value events were recorded) | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 956 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | C:\ProgramData\TFjXAla\PgYcv.exe |
| PID 956 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | C:\ProgramData\TFjXAla\PgYcv.exe |
| PID 956 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | C:\ProgramData\TFjXAla\PgYcv.exe |
| PID 956 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | C:\ProgramData\TFjXAla\PgYcv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"
C:\ProgramData\TFjXAla\PgYcv.exe
"C:\ProgramData\TFjXAla\PgYcv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | curlmyip.com | udp |
| US | 8.8.8.8:53 | bot.whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
Files
memory/956-0-0x0000000073FF1000-0x0000000073FF2000-memory.dmp
memory/956-1-0x0000000073FF0000-0x000000007459B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7503.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarBE45.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
memory/956-25-0x0000000073FF0000-0x000000007459B000-memory.dmp
memory/956-26-0x0000000073FF0000-0x000000007459B000-memory.dmp
\ProgramData\TFjXAla\PgYcv.exe
| MD5 | ad10830a3342900f70cac19a8d1b6abe |
| SHA1 | 205261ebec6b48d1eda0ff543198fa23a62490a1 |
| SHA256 | 1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270 |
| SHA512 | 297c715bf5197a44188a7041ec879e7e4ee91a0fba895fa1057d1af102221bda0b06a4a95b26370d549c90bc1ddbeb16d45eaeb7aa514de2bf0771d5a8ac2d3a |
memory/956-40-0x0000000073FF0000-0x000000007459B000-memory.dmp
memory/2204-39-0x0000000073FF0000-0x000000007459B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eaea292e9ad408e6fc74b0ae54b91ed7 |
| SHA1 | 8b159ddb466091c6b31e60113087a2f3b8cba16b |
| SHA256 | 64a233c63533ca64b45d0b02a8c6c0c01352754f4570182fcdda35ab123f9438 |
| SHA512 | 8724ee6738a95895107da81e0b27cc95d4ac9abb3b76f399be1769ef8ddea88b06f61ee15f5bbf0e30645f4074d5e98a9b634fd86c72c4b5095a5cd8bf6f1608 |
memory/2204-49-0x0000000073FF0000-0x000000007459B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 05:51
Reported
2024-06-15 05:54
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
107s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TFjXAla.url | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1164 set thread context of 4896 | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 1164 set thread context of 3928 | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
| PID 1164 set thread context of 436 | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA\Blob = 0300000001000000140000008ad5c9987e6f190bd6f5416e2de44ccd641d8cda140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d8040000000100000010000000ff5fbc4290fa389e798467ebd7ae940b0f0000000100000014000000c45627b5584bf62327df60d6185744a2d2f2bcbf190000000100000010000000e843ac3b52ec8c297fa948c9b1fb28195c00000001000000040000000008000018000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c4b0000000100000044000000350034003500370041003800430045003400420032004100370034003900390046003800320039003900410030003100330042003600450031004300370043005f000000200000000100000088040000308204843082036ca0030201020210421af2940984191f520a4bc62426a74b300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3035303630373038303931305a170d3230303533303130343833385a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381f43081f1301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d8300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c303506082b0601050507010104293027302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d010105050003820101004d422fa6c18aeb07809058468cf81939662a3c5a2c6dcfd4d987558d790b12887b408fd5c7f84b8d551663adb757dc3b2bbdd3c14f1e03874b449be3e2404526f326492b6a84f1547ad442dafcd36abb667eca9eeae9bbdc07c7c3924e833c81499f92d53209ea492ea111719a36d2c54e68b6cb0e1b2516af6cde5d76d81f72b193268617db18deaf45e9dffb98af1418eda45ef6899445f055044addff27dd064a40f6b4bcf1e40f9902bbfd5d0e2e28c1be3b5f1a3f971084bc163ed8a39c631d66cb5c5fda3ef30f0a093522dbdbc03f00f9e60d5d67d1fda01e032bd940f7becc87665480a6a3b8f51962d5d226b19826ee9acb44a7455a8195151af551 | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (certificate blob data not preserved in this copy of the report; two Set value events were recorded) | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
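The Blob values in the rows above are CryptoAPI's serialized certificate-context property list: a sequence of records, each a little-endian DWORD property id, a DWORD reserved field (always 1), a DWORD length and that many bytes of data. Property 0x20 (CERT_CERT_PROP_ID) carries the DER certificate and property 3 (CERT_SHA1_HASH_PROP_ID) the thumbprint that also serves as the registry key name. The parser below is an added example, not part of the Triage report or of the sample. The property-id constants are from wincrypt.h; the blobs it runs on are constructed stand-ins with a placeholder DER body, not a real certificate, and the full Blob hex shown above can be given to the same function unchanged. It also performs the check a practitioner wants here: that the key name, the stored SHA1 property and SHA1 over the DER agree. One caveat on reading this signature: HKCU\...\SystemCertificates\CA is where CryptoAPI caches intermediate certificates it fetches while building chains, and the DER in the row above carries the subject string "UTN-USERFirst-Object" and issuer "AddTrust External CA Root", a public CA cross-certificate, so together with the AuthRoot writes and the crl.usertrust.com / crl.comodoca.com traffic this looks like ordinary chain building rather than attacker-installed trust; decode the certificate before treating the hit as a persistence or interception indicator.

```python
"""Parse and cross-check a Windows certificate-store "Blob" registry value.

Record layout (all DWORDs little-endian):
    DWORD prop_id | DWORD reserved (1) | DWORD length | length bytes of data
"""
import hashlib
import struct

# Property ids that matter for triage (values from wincrypt.h).
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_MD5_HASH_PROP_ID = 0x04
CERT_KEY_IDENTIFIER_PROP_ID = 0x14
CERT_CERT_PROP_ID = 0x20


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Split a Blob value into {prop_id: data}; raises ValueError on a malformed record."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} in property {prop_id:#x}")
        if len(blob) - off < length:
            raise ValueError(f"property {prop_id:#x} claims {length} bytes past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def is_malformed(blob: bytes) -> bool:
    """True if the blob does not parse (used to show the truncation check)."""
    try:
        parse_cert_blob(blob)
        return False
    except ValueError:
        return True


def build_cert_blob(props: list[tuple[int, bytes]]) -> bytes:
    """Inverse of parse_cert_blob; used here only to construct sample input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props)


def key_name_from_path(reg_path: str) -> str:
    """'...\\Certificates\\8AD5C9...\\Blob' -> '8AD5C9...' (the thumbprint)."""
    parts = reg_path.rstrip("\\").split("\\")
    if parts[-1].lower() == "blob":
        parts.pop()
    return parts[-1].upper()


def check_cert_blob(reg_path: str, blob: bytes) -> dict:
    """Cross-check the three places the thumbprint must agree:
    the key name, the SHA1 property, and SHA1 over the DER certificate."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob has no CERT_CERT_PROP_ID (0x20) record")
    computed = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    name = key_name_from_path(reg_path)
    return {
        "key_name": name,
        "stored_sha1": stored,
        "computed_sha1": computed,
        "der_len": len(der),
        "is_der_sequence": der[:1] == b"\x30",   # a certificate is an ASN.1 SEQUENCE
        "consistent": name == stored == computed,
    }


# Constructed sample input (not the report's real Blob): a placeholder DER body
# and a blob whose SHA1 property and key name agree with it.
SAMPLE_DER = b"\x30\x82\x00\x10" + b"constructed-cert"   # 20 bytes, not a real certificate
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_DER).digest()
SAMPLE_PATH = ("\\REGISTRY\\USER\\S-1-5-21-4204450073-1267028356-951339405-1000"
               "\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\"
               + SAMPLE_SHA1.hex().upper() + "\\Blob")
GOOD_BLOB = build_cert_blob([
    (CERT_SHA1_HASH_PROP_ID, SAMPLE_SHA1),
    (CERT_KEY_IDENTIFIER_PROP_ID, b"\xda\xed\x64\x74" * 5),   # 20-byte SKI placeholder
    (CERT_CERT_PROP_ID, SAMPLE_DER),
])
# Same records, but the certificate bytes were swapped after the hash was recorded.
TAMPERED_BLOB = build_cert_blob([
    (CERT_SHA1_HASH_PROP_ID, SAMPLE_SHA1),
    (CERT_CERT_PROP_ID, b"\x30\x82\x00\x10" + b"different-cert!!"),
])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_BLOB), ("tampered", TAMPERED_BLOB)):
        print(label, check_cert_blob(SAMPLE_PATH, blob))
```

To run it on the row above, hex-decode the Blob value with `bytes.fromhex(...)` and pass it with the full registry path; the 0x20 record is then a real DER certificate that `openssl x509 -inform DER -noout -text` will print, which is the quickest way to see whether a "Modifies system certificate store" hit is a public CA intermediate or something the sample brought with it.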
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\TFjXAla\PgYcv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"
C:\ProgramData\TFjXAla\PgYcv.exe
"C:\ProgramData\TFjXAla\PgYcv.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp60BE.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp612D.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 104.18.38.233:80 | crl.usertrust.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 23.41.178.90:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 90.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.184.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | smtp.gmail.com | udp |
| NL | 142.250.27.108:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | 108.27.250.142.in-addr.arpa | udp |
| NL | 142.250.27.108:587 | smtp.gmail.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.111.227.13:443 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
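Taken together, the behavioral2 rows describe one chain: the sample drops PgYcv.exe (a copy of itself, same hashes) into C:\ProgramData, PgYcv.exe writes a .url into the user's Startup folder, spawns cvtres.exe from the .NET 2.0 framework directory three times and calls SetThreadContext on each, the cvtres.exe children read Outlook account keys, and the network trace shows external-IP lookups followed by a session to smtp.gmail.com:587. The detector below is an added example, not the sandbox's own rule logic; the event schema and the two traces are my own construction, modeled on the rows above (the report does not attribute the SMTP connection to a process, so that rule keys on port and destination only).

```python
"""Correlate dropped-EXE persistence, SetThreadContext into a system binary,
external-IP lookups and SMTP submission over a simple event trace."""

USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# IP-echo services from this report's DNS traffic plus two common siblings.
IP_ECHO_DOMAINS = {"icanhazip.com", "ipinfo.io", "curlmyip.com",
                   "bot.whatismyipaddress.com", "api.ipify.org", "ifconfig.me"}
SMTP_PORTS = {25, 465, 587}


def _lower(path):
    return (path or "").lower()


def is_user_writable(path):
    return _lower(path).startswith(USER_WRITABLE)


def is_system_binary(path):
    return _lower(path).startswith(SYSTEM_DIRS)


def analyze(events):
    """events: list of dicts with a 'type' key (process_start, file_create,
    set_thread_context, dns_query, tcp_connect). Returns [(rule, detail), ...]."""
    image_by_pid = {}
    findings = []
    ip_lookup_seen = False
    for ev in events:
        t = ev["type"]
        if t == "process_start":
            image_by_pid[ev["pid"]] = ev["image"]
        elif t == "file_create":
            src = image_by_pid.get(ev["pid"], "")
            # Anything in the Startup folder written by a process living outside
            # Windows/Program Files is persistence worth a look.
            if STARTUP_MARKER in _lower(ev["path"]) and is_user_writable(src):
                findings.append(("startup_folder_persistence", f"{src} wrote {ev['path']}"))
        elif t == "set_thread_context":
            src = image_by_pid.get(ev["pid"], "")
            dst = image_by_pid.get(ev["target_pid"], "")
            # Thread-context rewrite across processes, from a user-writable path into
            # a Microsoft binary: the hollowing/injection shape in the table above.
            if ev["pid"] != ev["target_pid"] and is_user_writable(src) and is_system_binary(dst):
                findings.append(("thread_context_hijack",
                                 f"{src} (pid {ev['pid']}) -> {dst} (pid {ev['target_pid']})"))
        elif t == "dns_query":
            if _lower(ev["name"]) in IP_ECHO_DOMAINS:
                ip_lookup_seen = True
                findings.append(("external_ip_lookup", ev["name"]))
        elif t == "tcp_connect":
            if ev["port"] in SMTP_PORTS:
                ctx = "after external IP lookup" if ip_lookup_seen else "no prior IP lookup"
                dest = ev.get("domain") or ev["dst"]
                findings.append(("smtp_submission", f"{dest}:{ev['port']} ({ctx})"))
    return findings


def verdict(findings):
    rules = {rule for rule, _ in findings}
    # Persistence plus injection plus egress is the stealer/loader pattern this report shows.
    if {"thread_context_hijack", "startup_folder_persistence"} <= rules and \
            rules & {"smtp_submission", "external_ip_lookup"}:
        return "malicious"
    return "suspicious" if rules else "clean"


# Constructed trace following the behavioral2 process tree and network table.
SAMPLE_TRACE = [
    {"type": "process_start", "pid": 4012,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"},
    {"type": "file_create", "pid": 4012, "path": r"C:\ProgramData\TFjXAla\PgYcv.exe"},
    {"type": "process_start", "pid": 1164, "image": r"C:\ProgramData\TFjXAla\PgYcv.exe"},
    {"type": "file_create", "pid": 1164,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TFjXAla.url"},
    {"type": "process_start", "pid": 4896,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"},
    {"type": "set_thread_context", "pid": 1164, "target_pid": 4896},
    {"type": "dns_query", "name": "icanhazip.com"},
    {"type": "dns_query", "name": "ipinfo.io"},
    {"type": "tcp_connect", "dst": "142.250.27.108", "port": 587, "domain": "smtp.gmail.com"},
]
# Constructed benign trace: a .NET compile that legitimately runs cvtres.exe, no injection.
BENIGN_TRACE = [
    {"type": "process_start", "pid": 100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"},
    {"type": "process_start", "pid": 101,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"},
    {"type": "dns_query", "name": "www.microsoft.com"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_TRACE):
        print(f"{rule}: {detail}")
    print("verdict:", verdict(analyze(SAMPLE_TRACE)), "/", verdict(analyze(BENIGN_TRACE)))
```

The point of the benign trace is that cvtres.exe itself is not the indicator: csc.exe and other .NET build tools launch it routinely, and the win7 run above shows that the same sample produces no cvtres.exe children on an image where it took a different path. What separates the two is the cross-process SetThreadContext from a ProgramData-resident parent, which is why that rule keys on the parent's path rather than on the child's name.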
Files
memory/4012-0-0x0000000075142000-0x0000000075143000-memory.dmp
memory/4012-1-0x0000000075140000-0x00000000756F1000-memory.dmp
memory/4012-2-0x0000000075140000-0x00000000756F1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
memory/4012-29-0x0000000075140000-0x00000000756F1000-memory.dmp
C:\ProgramData\TFjXAla\PgYcv.exe
| MD5 | ad10830a3342900f70cac19a8d1b6abe |
| SHA1 | 205261ebec6b48d1eda0ff543198fa23a62490a1 |
| SHA256 | 1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270 |
| SHA512 | 297c715bf5197a44188a7041ec879e7e4ee91a0fba895fa1057d1af102221bda0b06a4a95b26370d549c90bc1ddbeb16d45eaeb7aa514de2bf0771d5a8ac2d3a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
| MD5 | 86588fffc7a0af9f576fbffc655192ab |
| SHA1 | 4169e1435e462de160936a4d20b7356fa69b2bf6 |
| SHA256 | 75c2c070a14efda171db2c819954e25b02e0037c689fabff65073ca24cebaa22 |
| SHA512 | 3f97687237e1f8bc762c9098bedc9124eda56edd83d530970bde420ee06a2bd71352b423f64ef042fc9b38112191e2ea9134697c031ca1e79f64603a78789b2e |
memory/4012-44-0x0000000075140000-0x00000000756F1000-memory.dmp
memory/1164-47-0x0000000075140000-0x00000000756F1000-memory.dmp
memory/1164-48-0x0000000075140000-0x00000000756F1000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
| MD5 | 46804d944f11e97d7623dd5cd0c3c3fe |
| SHA1 | be0708b276871a160404529f8b69d487f04f026f |
| SHA256 | 9c5e42911b86a54279cc962def8e3284d1095d321d43a75e6e2dbab9669a10b0 |
| SHA512 | 1b9e8eb59ab434cd97db2b99b7d92f42d2b7e29dcc10d2c23c9f87445d26d94817cc4cabca7f6be1882fb383c4085494827a937e0ea1d95733cf5d3ba3a14c02 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F
| MD5 | b97e64a86c999ec479a9a2b11eda10ea |
| SHA1 | 948005adf5d78c37af413d31bb125132b06ef189 |
| SHA256 | 2badb7ed2925ce5a1eee5b258ceb3950a9631b43643738867d938d2033f55863 |
| SHA512 | 06a39096adbb1700fcc4279b0e8236e7ccc013985ce21d3681ffeae0a46b9cf9437fa1a4540e49dbe9ce804594e3ac121b70957248dd893ca690481f40f4dbed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_0F96BACF3D5FC89AB4994155F45ADF7B
| MD5 | ebf8b5bf1e25ca35ef1dc8cc25307f7e |
| SHA1 | d5ca1658dcc9996c2e74e62c1ce88738381fbee1 |
| SHA256 | c6c513d636bea7006389e76d380c0f0fa3874fa4bc5436578357a076de309246 |
| SHA512 | 58d002388e21138f953af86c6fff41e5ffd8e926b6884f49b372cf6123cd6f5970d1719e50cca488576bde41bf9fb41f2a5ed90223ae5abf777f9a153ca01c37 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404
| MD5 | cd800dd610d5f7266075e862ae13b920 |
| SHA1 | 616db329b91e7a7fe4c78f10a6f1bd6c1e07dd8a |
| SHA256 | 8ec5be304f8d66f4842f193ca4e3738dffe28d3efe55eea69db834a6588fb019 |
| SHA512 | 962b90722a9ef2b48e84c40e62bee89978dec927a9ea70fa4e5d8597e33b4508d7f906740cddc8eeea4372c4ba365a2a26bcb038005468d885772205d140419c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404
| MD5 | 0b9187e593e686044a610abfe96c25b7 |
| SHA1 | 8534bdb1e02a61e8c30134c9e123da2ab9c8bdc7 |
| SHA256 | 54cfd7010055af3f9d7f159cc4e6743aae214cb1730fc11745f9a5ff52670d23 |
| SHA512 | e341a74c256cbf474a72f1e07f07899acb16da1920783f25d33893192eaa16a57221b6706466b2a7dcf0ef16feb5a3ec4d8229ea3e319ccfb53896b53fa13478 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_0F96BACF3D5FC89AB4994155F45ADF7B
| MD5 | a0f7376e1f79ecdae22e6056d3d35d21 |
| SHA1 | 5bc80480b5014bd2739eba15f4df3fac62749af4 |
| SHA256 | 6e029f4314dfd8b27d48008f0579f978b9c7c50600921b26b57901526a28d652 |
| SHA512 | 780fcced1a99d476f9ba7e91d81faae0f2374cf478dc8df3054ef3a570e46956b154aafbb3b279f9af971ebbe31451dd0d09546b5876e4714c7546f2a8a874c4 |
memory/1164-66-0x0000000075140000-0x00000000756F1000-memory.dmp
C:\ProgramData\bsNiLXEzb\fb165896bb11473eadc2346276cfaa55
| MD5 | 578716a8b6b660ba05159a4957ac238d |
| SHA1 | 1745319c341f18093ca1aaf93f15d80fc8a65524 |
| SHA256 | 2f38824c68ecbe5a889bd00b4165f467cd94ea6f4da5356db76fa3724b5d16fe |
| SHA512 | bac6582e7db0e6a0c31a1374a7abf36a65a62d360c082ed634d6be73632c966c10a06d46829e1ad79fe040934beea65b68d51c06a09d9569dd99f83b77e0fc70 |
C:\ProgramData\bsNiLXEzb\044a2df5102748ddacb7881a228226dd
| MD5 | e83b7ff967e2529f3e452cdd72fc10f2 |
| SHA1 | d5667e6c3cf485214ecbaf200ffa74a1424510ae |
| SHA256 | 8eacf57cf79c2722e9332977919fc4c5b6f36eae964e4282ee760d9651db3d9e |
| SHA512 | ceb49abb4c1647ceed6a59622b973cd0a5127c61ef3afb3f7ec7bfcf7165d6f7f4a322924401965d3b50d65ee1764eb68aa28697d2746ea3eb10e0a0996eada6 |
memory/4896-71-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1164-72-0x0000000075140000-0x00000000756F1000-memory.dmp
memory/4896-74-0x0000000000400000-0x000000000048E000-memory.dmp
memory/4896-75-0x0000000000400000-0x000000000048E000-memory.dmp
memory/4896-79-0x0000000000400000-0x000000000048E000-memory.dmp
memory/4896-83-0x0000000000400000-0x000000000048E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp
| MD5 | b0cc2e6f2d8036c9b5fef218736fa9c9 |
| SHA1 | 64fd3017625979c95ba09d7cbea201010a82f73f |
| SHA256 | 997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50 |
| SHA512 | a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b |
memory/3928-86-0x0000000000400000-0x0000000000491000-memory.dmp
memory/3928-88-0x0000000000400000-0x0000000000491000-memory.dmp
memory/3928-87-0x0000000000400000-0x0000000000491000-memory.dmp
memory/3928-90-0x0000000000400000-0x0000000000491000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp60BE.tmp
| MD5 | de4e5ff058882957cf8a3b5f839a031f |
| SHA1 | 0b3d8279120fb5fa27efbd9eee89695aa040fc24 |
| SHA256 | ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49 |
| SHA512 | a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72 |
memory/436-94-0x0000000000400000-0x000000000043C000-memory.dmp
memory/436-95-0x0000000000400000-0x000000000043C000-memory.dmp
memory/436-97-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp612D.tmp
| MD5 | 3525ea58bba48993ea0d01b65ea71381 |
| SHA1 | 1b917678fdd969e5ee5916e5899e7c75a979cf4d |
| SHA256 | 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2 |
| SHA512 | 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986 |
memory/1164-101-0x0000000075140000-0x00000000756F1000-memory.dmp
memory/1164-102-0x0000000075140000-0x00000000756F1000-memory.dmp
memory/1164-103-0x0000000075140000-0x00000000756F1000-memory.dmp
memory/1164-104-0x0000000075140000-0x00000000756F1000-memory.dmp