Malware Analysis Report

2024-10-19 11:47

Sample ID 240615-gkd5jstgnq
Target ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118
SHA256 1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270
Tags
discovery collection spyware stealer upx
score
10/10


Analysis Overview

score
10/10

SHA256

1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270

Threat Level: Known bad

The file ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

discovery collection spyware stealer upx

Reads local data of messenger clients

Executes dropped EXE

Drops startup file

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Checks installed software on the system

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-06-15 05:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 05:51

Reported

2024-06-15 05:54

Platform

win7-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\TFjXAla\PgYcv.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A bot.whatismyipaddress.com N/A N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = [certificate blob not reproduced] C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A (3 identical writes recorded)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"

C:\ProgramData\TFjXAla\PgYcv.exe

"C:\ProgramData\TFjXAla\PgYcv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.usertrust.com udp
US 8.8.8.8:53 crl.comodoca.com udp
US 8.8.8.8:53 icanhazip.com udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 curlmyip.com udp
US 8.8.8.8:53 bot.whatismyipaddress.com udp
US 8.8.8.8:53 crl.usertrust.com udp
US 8.8.8.8:53 crl.comodoca.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 crl.usertrust.com udp

Files

memory/956-0-0x0000000073FF1000-0x0000000073FF2000-memory.dmp

memory/956-1-0x0000000073FF0000-0x000000007459B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7503.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarBE45.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/956-25-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/956-26-0x0000000073FF0000-0x000000007459B000-memory.dmp

\ProgramData\TFjXAla\PgYcv.exe

MD5 ad10830a3342900f70cac19a8d1b6abe
SHA1 205261ebec6b48d1eda0ff543198fa23a62490a1
SHA256 1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270
SHA512 297c715bf5197a44188a7041ec879e7e4ee91a0fba895fa1057d1af102221bda0b06a4a95b26370d549c90bc1ddbeb16d45eaeb7aa514de2bf0771d5a8ac2d3a

The SHA256 is the submitted sample's own hash: the dropped PgYcv.exe is a byte-for-byte self-copy placed under ProgramData.

memory/956-40-0x0000000073FF0000-0x000000007459B000-memory.dmp

memory/2204-39-0x0000000073FF0000-0x000000007459B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eaea292e9ad408e6fc74b0ae54b91ed7
SHA1 8b159ddb466091c6b31e60113087a2f3b8cba16b
SHA256 64a233c63533ca64b45d0b02a8c6c0c01352754f4570182fcdda35ab123f9438
SHA512 8724ee6738a95895107da81e0b27cc95d4ac9abb3b76f399be1769ef8ddea88b06f61ee15f5bbf0e30645f4074d5e98a9b634fd86c72c4b5095a5cd8bf6f1608

memory/2204-49-0x0000000073FF0000-0x000000007459B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 05:51

Reported

2024-06-15 05:54

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TFjXAla.url C:\ProgramData\TFjXAla\PgYcv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\TFjXAla\PgYcv.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
9 matches; indicator, process and target not recorded (all N/A)

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1164 set thread context of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 set thread context of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 set thread context of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA\Blob = [certificate blob not reproduced] C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = [certificate blob not reproduced] C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A
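The AuthRoot write above deserves a decode before it is read as certificate-store tampering. The Blob value is the serialized element format of a Windows certificate store: a run of records, each a little-endian uint32 property id, a reserved uint32 of 1, a uint32 length and the data, with CERT_CERT_PROP_ID (32) carrying the DER certificate itself. The following Python is an added example, not part of the sandbox report: it embeds the Blob hex exactly as recorded above for thumbprint 02FAF3E291435468607857694DF5E45B68851868 (split into two literals where the report wraps it), splits the records, decodes the friendly name, walks just enough ASN.1 to read the subject CN and validity, and recomputes SHA-1 and SHA-256 over the DER so they can be checked against the thumbprint in the key name and the AuthRoot SHA-256 record. The property-id names are the wincrypt.h values I am sure of; other ids are reported by number.

```python
"""Decode a SystemCertificates ...\\Certificates\\<thumbprint>\\Blob registry value.

Added example for this report, not sandbox output. BLOB_HEX is the value recorded in the
behavioral2 'Modifies system certificate store' table for the AuthRoot key below, split
into two literals where the report wraps it; nothing else about the sample is assumed.
"""
import hashlib
import struct
from datetime import datetime

KEY_THUMBPRINT = "02FAF3E291435468607857694DF5E45B68851868"
BLOB_HEX = (
    "0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a"
    "16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604"
)

# CERT_*_PROP_ID values from wincrypt.h for the records in this blob that I am sure of;
# any other id is reported as prop_<n>.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID", 4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID", 11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID", 20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID", 29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID", 98: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}


def parse_blob(blob):
    """Split a serialized store element into {prop_id: data}.
    Each record is uint32 prop_id, uint32 reserved (always 1), uint32 length, then data."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_tlv(buf, off=0):
    """(tag, value, next_offset) for the DER element at buf[off:], long-form lengths included."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def der_children(value):
    """Iterate (tag, value) over the elements packed inside a SEQUENCE/SET value."""
    off = 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        yield tag, val


def summarize_cert(der):
    """Subject CN and validity from an X.509 DER certificate, with no external library."""
    _, cert, _ = der_tlv(der)
    _, tbs, _ = der_tlv(cert)                       # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                        # explicit [0] version, optional
        fields = fields[1:]
    validity, subject = fields[3][1], fields[4][1]  # serial, sigAlg, issuer, validity, subject, ...
    not_before, not_after = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             for _, v in der_children(validity))
    cn = None
    for _, rdn in der_children(subject):            # each RDN is a SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == bytes.fromhex("550403"):      # id-at-commonName
                cn = val.decode("latin-1")
    return {"subject_cn": cn, "not_before": not_before, "not_after": not_after}


def decode_registry_blob(key_thumbprint, blob_hex):
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[32]
    sha1, sha256 = hashlib.sha1(der).hexdigest(), hashlib.sha256(der).digest()
    out = {
        "records": {PROP_NAMES.get(p, f"prop_{p}"): len(v) for p, v in props.items()},
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00"),
        "sha1": sha1,
        "sha1_matches_key_name": sha1 == key_thumbprint.lower(),
        "sha256_matches_authroot_record": sha256 == props.get(98),
    }
    out.update(summarize_cert(der))
    return out


if __name__ == "__main__":
    for k, v in decode_registry_blob(KEY_THUMBPRINT, BLOB_HEX).items():
        print(f"{k}: {v}")
```

Run as-is it reports subject CN AddTrust External CA Root, friendly name Sectigo (AddTrust), validity 2000-05-30 to 2020-05-30, and a SHA-1 that equals the key name as long as the hex above is intact. AuthRoot is the store Windows fills from its automatic root update during chain building, and the crl.usertrust.com and crl.comodoca.com requests in the Network table are the same chain-building activity, so this write is a CryptoAPI side effect of the sample validating a certificate chain, not an attacker-installed root. The HKCU CA\Certificates write (8AD5C998...) would need the same check, but its Blob is not reproduced in this report; the signature text alone does not distinguish the two cases.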

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\TFjXAla\PgYcv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\TFjXAla\PgYcv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4012 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe C:\ProgramData\TFjXAla\PgYcv.exe
PID 4012 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe C:\ProgramData\TFjXAla\PgYcv.exe
PID 4012 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe C:\ProgramData\TFjXAla\PgYcv.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
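Read together, the SetThreadContext and WriteProcessMemory tables describe a process-hollowing chain: the dropped PgYcv.exe (PID 1164) starts three instances of cvtres.exe, a signed Microsoft tool shipped with the .NET Framework, writes into each one and then resets a thread context so execution continues in the written image. The Python below is an added example, not part of the report, that correlates exactly those rows: the rows and the memory-dump names are copied from the tables above, and the rule is mine, flagging a target only when the same writer both wrote into it and called SetThreadContext on it and the two run different images. It also attaches the region each hollowed host ended up with at the conventional image base 0x400000, taken from the dump names in the Files section.

```python
"""Correlate WriteProcessMemory and SetThreadContext rows into a process-hollowing chain.
Added example, not part of the sandbox report. SIGNATURE_ROWS and MEMORY_DUMPS are copied
from the behavioral2 tables above; the flagging rule is mine."""
import re
from collections import defaultdict

SIGNATURE_ROWS = r"""
PID 4012 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe C:\ProgramData\TFjXAla\PgYcv.exe
PID 4012 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe C:\ProgramData\TFjXAla\PgYcv.exe
PID 4012 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe C:\ProgramData\TFjXAla\PgYcv.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 set thread context of 4896 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 set thread context of 3928 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1164 set thread context of 436 N/A C:\ProgramData\TFjXAla\PgYcv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
"""

# One dump per hollowed host, from the Files section above.
MEMORY_DUMPS = [
    "memory/4896-71-0x0000000000400000-0x000000000048E000-memory.dmp",
    "memory/3928-86-0x0000000000400000-0x0000000000491000-memory.dmp",
    "memory/436-94-0x0000000000400000-0x000000000043C000-memory.dmp",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_image>\S+) (?P<dst_image>\S+)$"   # paths in this report have no spaces
)
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_BASE = 0x400000   # default base of a non-relocated 32-bit PE image


def parse_rows(text):
    """Signature rows as dicts; rows that do not match the pattern are ignored."""
    return [m.groupdict() for m in map(ROW_RE.match, (l.strip() for l in text.strip().splitlines())) if m]


def image_regions(dump_names):
    """pid -> [(start, size)] from sandbox memory dump names, duplicates dropped."""
    regions = defaultdict(list)
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m:
            pid, start, end = int(m[1]), int(m[2], 16), int(m[3], 16)
            if (start, end - start) not in regions[pid]:
                regions[pid].append((start, end - start))
    return regions


def find_hollowing(events, regions):
    """Flag targets that got memory writes AND a SetThreadContext from the same writer,
    where the target runs a different image than the writer."""
    pairs = {}
    for e in events:
        rec = pairs.setdefault((int(e["src"]), int(e["dst"])), {
            "writer_image": e["src_image"], "target_image": e["dst_image"],
            "writes": 0, "set_context": False})
        if e["action"].startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["set_context"] = True
    flagged = {}
    for (src, dst), rec in pairs.items():
        if rec["writes"] and rec["set_context"] and rec["writer_image"].lower() != rec["target_image"].lower():
            image = [(s, n) for s, n in regions.get(dst, []) if s == IMAGE_BASE]
            flagged[dst] = {**rec, "injector_pid": src, "image_size": image[0][1] if image else None}
    return flagged


if __name__ == "__main__":
    chain = find_hollowing(parse_rows(SIGNATURE_ROWS), image_regions(MEMORY_DUMPS))
    for pid, info in sorted(chain.items()):
        size = hex(info["image_size"]) if info["image_size"] else "unknown"
        print(f"PID {pid} ({info['target_image']}) hollowed by PID {info['injector_pid']}: "
              f"{info['writes']} writes, image size {size}")
```

The parent-to-child writes from PID 4012 (the sample) into PID 1164 are left unflagged because no SetThreadContext follows; that matches the sample simply spawning its own copy. The three hollowed hosts carry images of 0x8E000, 0x91000 and 0x3C000 bytes, so three different payloads were loaded into identically named cvtres.exe processes, one of which is the instance that opened the Outlook account key. Injections finished with CreateRemoteThread or QueueUserAPC instead of SetThreadContext would pass this rule and need those signatures as additional triggers.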

Processes

C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ad10830a3342900f70cac19a8d1b6abe_JaffaCakes118.exe"

C:\ProgramData\TFjXAla\PgYcv.exe

"C:\ProgramData\TFjXAla\PgYcv.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp60BE.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe -f "C:\Users\Admin\AppData\Local\Temp\tmp612D.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.38.233:80 crl.usertrust.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 23.41.178.90:443 www.bing.com tcp
US 8.8.8.8:53 crl.comodoca.com udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 172.64.149.23:80 crl.comodoca.com tcp
US 8.8.8.8:53 90.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 104.18.38.233:80 crl.comodoca.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 104.18.38.233:80 crl.comodoca.com tcp
US 104.16.184.241:80 icanhazip.com tcp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 smtp.gmail.com udp
NL 142.250.27.108:587 smtp.gmail.com tcp
US 8.8.8.8:53 108.27.250.142.in-addr.arpa udp
NL 142.250.27.108:587 smtp.gmail.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.227.13:443 - tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
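Most of this Network table is background rather than sample behaviour: DNS to the sandbox resolver at 8.8.8.8, reverse in-addr.arpa lookups of IPs already contacted, CRL fetches from crl.usertrust.com and crl.comodoca.com, and Bing and Microsoft endpoints that show up in clean detonations too. What the sample itself accounts for is the external-IP discovery (icanhazip.com, ipinfo.io) and two TCP connections to smtp.gmail.com on 587, the mail submission port, which alongside the browser, messenger and Outlook reads above is consistent with a stealer that reports over SMTP. The Python below is an added example, not part of the report; it encodes that triage as a classifier over the rows above (copied verbatim) so the same noise filter can be reused on other reports. The categories and the noise lists are mine, and a bare-IP connection such as 52.111.227.13:443 is kept for review rather than classified, since the table gives no name for it.

```python
"""Sort the behavioral2 Network rows into sample-driven traffic and background noise.

Added example, not part of the sandbox report; NETWORK_ROWS is copied from the table
above, the categories and the noise lists are mine."""
from collections import Counter

NETWORK_ROWS = """
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.38.233:80 crl.usertrust.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 23.41.178.90:443 www.bing.com tcp
US 8.8.8.8:53 crl.comodoca.com udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 172.64.149.23:80 crl.comodoca.com tcp
US 8.8.8.8:53 90.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:80 ipinfo.io tcp
US 104.18.38.233:80 crl.comodoca.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 104.18.38.233:80 crl.comodoca.com tcp
US 104.16.184.241:80 icanhazip.com tcp
US 34.117.186.192:80 ipinfo.io tcp
US 8.8.8.8:53 smtp.gmail.com udp
NL 142.250.27.108:587 smtp.gmail.com tcp
US 8.8.8.8:53 108.27.250.142.in-addr.arpa udp
NL 142.250.27.108:587 smtp.gmail.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
"""

EXTERNAL_IP_SERVICES = {"icanhazip.com", "ipinfo.io", "curlmyip.com", "bot.whatismyipaddress.com"}
OS_BACKGROUND = {"www.microsoft.com", "g.bing.com", "www.bing.com"}   # seen in clean detonations too
MAIL_PORTS = {25, 465, 587}
NOISE = {"reverse-lookup-noise", "os-background"}


def parse_rows(text):
    """Columns: Country Destination Domain Proto; the domain may be absent or '-'."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            cc, dest, domain, proto = parts
        elif len(parts) == 3:
            (cc, dest, proto), domain = parts, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"cc": cc, "ip": ip, "port": int(port), "proto": proto,
                     "domain": "" if domain == "-" else domain.lower()})
    return rows


def classify(row):
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "reverse-lookup-noise"       # PTR lookups of contacted IPs, not sample logic
    if d in EXTERNAL_IP_SERVICES:
        return "external-ip-discovery"
    if row["port"] in MAIL_PORTS or d.startswith("smtp."):
        return "mail-submission"
    if d.startswith("crl.") or d in OS_BACKGROUND:
        return "os-background"              # CRL fetches and Microsoft endpoints
    if not d:
        return "direct-ip-no-name"          # connection with no name recorded; review by hand
    return "unclassified"


def triage(text):
    rows = parse_rows(text)
    counts = Counter(classify(r) for r in rows)
    review = [r for r in rows if classify(r) not in NOISE]
    # udp/53 rows are resolver queries and yield names; everything else is a real connection
    is_dns = lambda r: r["port"] == 53 and r["proto"] == "udp"
    domains = sorted({r["domain"] for r in review if is_dns(r)})
    connections = sorted({(r["domain"] or r["ip"], r["ip"], r["port"]) for r in review if not is_dns(r)})
    return {"counts": counts, "domains": domains, "connections": connections}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(dict(result["counts"]))
    print("names:", result["domains"])
    for name, ip, port in result["connections"]:
        print(f"connection: {name} {ip}:{port}")
```

The noise lists are a judgment call for this detonation; on a report where the sample is expected to talk to Bing or Microsoft, those names come out of OS_BACKGROUND. External-IP services are also used by legitimate software, so they are a strong signal only in combination with the collection signatures this report already carries.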

Files

memory/4012-0-0x0000000075142000-0x0000000075143000-memory.dmp

memory/4012-1-0x0000000075140000-0x00000000756F1000-memory.dmp

memory/4012-2-0x0000000075140000-0x00000000756F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

memory/4012-29-0x0000000075140000-0x00000000756F1000-memory.dmp

C:\ProgramData\TFjXAla\PgYcv.exe

MD5 ad10830a3342900f70cac19a8d1b6abe
SHA1 205261ebec6b48d1eda0ff543198fa23a62490a1
SHA256 1648342127afbaed5c1eab686168efe8d174f0a8115f2357b67ca1da021f3270
SHA512 297c715bf5197a44188a7041ec879e7e4ee91a0fba895fa1057d1af102221bda0b06a4a95b26370d549c90bc1ddbeb16d45eaeb7aa514de2bf0771d5a8ac2d3a

Same SHA256 as the submitted sample: a self-copy, as in the Win7 run.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0

MD5 86588fffc7a0af9f576fbffc655192ab
SHA1 4169e1435e462de160936a4d20b7356fa69b2bf6
SHA256 75c2c070a14efda171db2c819954e25b02e0037c689fabff65073ca24cebaa22
SHA512 3f97687237e1f8bc762c9098bedc9124eda56edd83d530970bde420ee06a2bd71352b423f64ef042fc9b38112191e2ea9134697c031ca1e79f64603a78789b2e

memory/4012-44-0x0000000075140000-0x00000000756F1000-memory.dmp

memory/1164-47-0x0000000075140000-0x00000000756F1000-memory.dmp

memory/1164-48-0x0000000075140000-0x00000000756F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

MD5 46804d944f11e97d7623dd5cd0c3c3fe
SHA1 be0708b276871a160404529f8b69d487f04f026f
SHA256 9c5e42911b86a54279cc962def8e3284d1095d321d43a75e6e2dbab9669a10b0
SHA512 1b9e8eb59ab434cd97db2b99b7d92f42d2b7e29dcc10d2c23c9f87445d26d94817cc4cabca7f6be1882fb383c4085494827a937e0ea1d95733cf5d3ba3a14c02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B90B117906B8A74C79D1BC450C2B94B1_A54F26A8A41DE52C237D54D67F12793F

MD5 b97e64a86c999ec479a9a2b11eda10ea
SHA1 948005adf5d78c37af413d31bb125132b06ef189
SHA256 2badb7ed2925ce5a1eee5b258ceb3950a9631b43643738867d938d2033f55863
SHA512 06a39096adbb1700fcc4279b0e8236e7ccc013985ce21d3681ffeae0a46b9cf9437fa1a4540e49dbe9ce804594e3ac121b70957248dd893ca690481f40f4dbed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F4D9C889B7AEBCF4E1A2DAABC5C3628A_0F96BACF3D5FC89AB4994155F45ADF7B

MD5 ebf8b5bf1e25ca35ef1dc8cc25307f7e
SHA1 d5ca1658dcc9996c2e74e62c1ce88738381fbee1
SHA256 c6c513d636bea7006389e76d380c0f0fa3874fa4bc5436578357a076de309246
SHA512 58d002388e21138f953af86c6fff41e5ffd8e926b6884f49b372cf6123cd6f5970d1719e50cca488576bde41bf9fb41f2a5ed90223ae5abf777f9a153ca01c37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404

MD5 cd800dd610d5f7266075e862ae13b920
SHA1 616db329b91e7a7fe4c78f10a6f1bd6c1e07dd8a
SHA256 8ec5be304f8d66f4842f193ca4e3738dffe28d3efe55eea69db834a6588fb019
SHA512 962b90722a9ef2b48e84c40e62bee89978dec927a9ea70fa4e5d8597e33b4508d7f906740cddc8eeea4372c4ba365a2a26bcb038005468d885772205d140419c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404

MD5 0b9187e593e686044a610abfe96c25b7
SHA1 8534bdb1e02a61e8c30134c9e123da2ab9c8bdc7
SHA256 54cfd7010055af3f9d7f159cc4e6743aae214cb1730fc11745f9a5ff52670d23
SHA512 e341a74c256cbf474a72f1e07f07899acb16da1920783f25d33893192eaa16a57221b6706466b2a7dcf0ef16feb5a3ec4d8229ea3e319ccfb53896b53fa13478

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F4D9C889B7AEBCF4E1A2DAABC5C3628A_0F96BACF3D5FC89AB4994155F45ADF7B

MD5 a0f7376e1f79ecdae22e6056d3d35d21
SHA1 5bc80480b5014bd2739eba15f4df3fac62749af4
SHA256 6e029f4314dfd8b27d48008f0579f978b9c7c50600921b26b57901526a28d652
SHA512 780fcced1a99d476f9ba7e91d81faae0f2374cf478dc8df3054ef3a570e46956b154aafbb3b279f9af971ebbe31451dd0d09546b5876e4714c7546f2a8a874c4

memory/1164-66-0x0000000075140000-0x00000000756F1000-memory.dmp

C:\ProgramData\bsNiLXEzb\fb165896bb11473eadc2346276cfaa55

MD5 578716a8b6b660ba05159a4957ac238d
SHA1 1745319c341f18093ca1aaf93f15d80fc8a65524
SHA256 2f38824c68ecbe5a889bd00b4165f467cd94ea6f4da5356db76fa3724b5d16fe
SHA512 bac6582e7db0e6a0c31a1374a7abf36a65a62d360c082ed634d6be73632c966c10a06d46829e1ad79fe040934beea65b68d51c06a09d9569dd99f83b77e0fc70

C:\ProgramData\bsNiLXEzb\044a2df5102748ddacb7881a228226dd

MD5 e83b7ff967e2529f3e452cdd72fc10f2
SHA1 d5667e6c3cf485214ecbaf200ffa74a1424510ae
SHA256 8eacf57cf79c2722e9332977919fc4c5b6f36eae964e4282ee760d9651db3d9e
SHA512 ceb49abb4c1647ceed6a59622b973cd0a5127c61ef3afb3f7ec7bfcf7165d6f7f4a322924401965d3b50d65ee1764eb68aa28697d2746ea3eb10e0a0996eada6

memory/4896-71-0x0000000000400000-0x000000000048E000-memory.dmp

memory/1164-72-0x0000000075140000-0x00000000756F1000-memory.dmp

memory/4896-74-0x0000000000400000-0x000000000048E000-memory.dmp

memory/4896-75-0x0000000000400000-0x000000000048E000-memory.dmp

memory/4896-79-0x0000000000400000-0x000000000048E000-memory.dmp

memory/4896-83-0x0000000000400000-0x000000000048E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp

MD5 b0cc2e6f2d8036c9b5fef218736fa9c9
SHA1 64fd3017625979c95ba09d7cbea201010a82f73f
SHA256 997aceeb78143e057d4ea0ed699db3cc1c723f699b4532663b7b85c83baa5c50
SHA512 a1fe80b2971c4d1141a594f27eaea61500bf701cd1b8fbdb5ac2204a63c8ef862344f8c30f65ce769f0acf2b0718ed33a02744dd1a152c4a62a5318333d29b9b

memory/3928-86-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3928-88-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3928-87-0x0000000000400000-0x0000000000491000-memory.dmp

memory/3928-90-0x0000000000400000-0x0000000000491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp60BE.tmp

MD5 de4e5ff058882957cf8a3b5f839a031f
SHA1 0b3d8279120fb5fa27efbd9eee89695aa040fc24
SHA256 ef54f46b9f1e342fc12e035ae94f57c61ea4e8be4e116f0a1c6f86310f400f49
SHA512 a6b0d557e9eec4e56630e5ba64495df318f4fd959fffbdcbf77831185b067906917c9117a0ecd6ac817c7860d5d831cce15820d715657d81e2d817d9fab9fb72

memory/436-94-0x0000000000400000-0x000000000043C000-memory.dmp

memory/436-95-0x0000000000400000-0x000000000043C000-memory.dmp

memory/436-97-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp612D.tmp

MD5 3525ea58bba48993ea0d01b65ea71381
SHA1 1b917678fdd969e5ee5916e5899e7c75a979cf4d
SHA256 681bcee53cf679ac674e700136f9229b9184fe60ed6410dbd7a33d462ed13ae2
SHA512 5aad8dca43ec85882daf50c469bd04dcf0b62affc8bc605b3e289496a2679d4d548fea8bb0aea7080bbfbcdcab9d275fc6797b9c95b64f9f97ecf79583a83986

memory/1164-101-0x0000000075140000-0x00000000756F1000-memory.dmp

memory/1164-102-0x0000000075140000-0x00000000756F1000-memory.dmp

memory/1164-103-0x0000000075140000-0x00000000756F1000-memory.dmp

memory/1164-104-0x0000000075140000-0x00000000756F1000-memory.dmp