3d377a53698e96b46952bc7aed2024a577833bb9a3d7922b01a77f07490155d7

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Size

2.2MB
MD5

1bc55516337fbd792bca179ba6a37701
SHA1

3af2f89be985f16eaace6d82bd69aa313ae70565
SHA256

3d377a53698e96b46952bc7aed2024a577833bb9a3d7922b01a77f07490155d7
SHA512

129944a2d4a7318f382b6ddcc09c9865b45825e17661562700a56ad4019b613fc5088c5409ba3b25a4f0ddada7679eb753af6e03e5c9f3129eabf22259dbdfa7
SSDEEP

3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Score

8^/10

adware collection discovery persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\hostsvcproc.exe"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c0069006e0066006f006600770063007200610073002e006500780065000000	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe

Executes dropped EXE 37 IoCs

pid	Process
2648	svcnetlsa.exe
1288	smss.exe
3044	smss.exe
1652	smss.exe
2188	smss.exe
2968	smss.exe
1492	smss.exe
3020	smss.exe
2512	smss.exe
2928	smss.exe
2640	smss.exe
2120	smss.exe
2000	smss.exe
2872	smss.exe
1240	smss.exe
1128	smss.exe
3064	smss.exe
864	smss.exe
920	smss.exe
2256	smss.exe
1852	smss.exe
836	smss.exe
1900	smss.exe
3068	smss.exe
2752	smss.exe
2216	smss.exe
2944	smss.exe
2128	smss.exe
548	smss.exe
1960	smss.exe
1724	smss.exe
1332	smss.exe
2168	smss.exe
340	smss.exe
992	smss.exe
2388	smss.exe
2392	smss.exe

Loads dropped DLL 38 IoCs

pid	Process
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe
1840	cmd.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svcnetlsa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\hostsvcproc.exe"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ctffwcpptp.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hostsvcproc.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cmssqlms.ocx	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fwcpptpdisp.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dnshostfwc.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\infofwcras.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\infofwcras.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ctffwcpptp.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hostsvcproc.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmssqlms.ocx	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fwcpptpdisp.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dnshostfwc.exe	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00357d91d7cbda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000a307628b50af9c69282b7ead775bbf3068935e9ba630a6359d8d38422a17f2d7000000000e80000000020000200000008683ef51f2e4545379b17c8b35534bc45959fd3532fc9a7505993f5694d71ca390000000315b1073f25b3833aa58a2850cb90e20c7e3964b81da480d7c774fbd204b9c80d97822f68d4d30fe23ec68f1ceaa496b08242b28c48f0ea50de8940841320f2840cb525ac9b8fbf2ea9ed49a833cd11430cc63a83f1a49e610e0ae4612a56978027fdb7aa2840e0ed13c4124704d0a1d2f0c09ea6e2433cd30c78aae230f43ff56dccf386fca268aee55a00cab8de1884000000086f0588f814d378fbb0b645a457d731b57a044d6d17afdf582fa8f7471f8b081de9c33aef9c6f7c031fae7f3654c253f9c38b634711cf14e056052e6ce2427f1	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e93610000000002000000000010660000000100002000000019ccf2f0eb0964c4574b096fd70a4703181d4be7f95a00324a216bd20a471fd8000000000e80000000020000200000002f26e46b3dec7332b6b0fe7961de3f02d2773c8065e3636898c540720c8d6a06200000002f542a29ccb664a134f2606b5b6a48e3469a2e28a10d1a8a445c19f90f7e8a9f400000006fd07ba4d70ed1bad62bc496801e1d261d2c6e46b0f6ffd36aca9a34237fa9bd44f6228b75ec2d8979530d18ab98dab1e7bab71c6dff41ef34b1d0d9f31055a0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426014761"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A3C70F61-37CA-11EF-A7A3-7A58A1FDD547} = "0"	iexplore.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\cmssqlms.ocx"	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

pid	Process
1704	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeBackupPrivilege	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
Token: SeDebugPrivilege	2648	svcnetlsa.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2556	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2556	iexplore.exe
2556	iexplore.exe
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2648	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe	28
PID 1276 wrote to memory of 2648	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe	28
PID 1276 wrote to memory of 2648	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe	28
PID 1276 wrote to memory of 2648	1276	1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe	28
PID 2648 wrote to memory of 1840	2648	svcnetlsa.exe	29
PID 2648 wrote to memory of 1840	2648	svcnetlsa.exe	29
PID 2648 wrote to memory of 1840	2648	svcnetlsa.exe	29
PID 2648 wrote to memory of 1840	2648	svcnetlsa.exe	29
PID 1840 wrote to memory of 1288	1840	cmd.exe	31
PID 1840 wrote to memory of 1288	1840	cmd.exe	31
PID 1840 wrote to memory of 1288	1840	cmd.exe	31
PID 1840 wrote to memory of 1288	1840	cmd.exe	31
PID 1840 wrote to memory of 1072	1840	cmd.exe	32
PID 1840 wrote to memory of 1072	1840	cmd.exe	32
PID 1840 wrote to memory of 1072	1840	cmd.exe	32
PID 1840 wrote to memory of 1072	1840	cmd.exe	32
PID 1840 wrote to memory of 3044	1840	cmd.exe	33
PID 1840 wrote to memory of 3044	1840	cmd.exe	33
PID 1840 wrote to memory of 3044	1840	cmd.exe	33
PID 1840 wrote to memory of 3044	1840	cmd.exe	33
PID 1840 wrote to memory of 2424	1840	cmd.exe	34
PID 1840 wrote to memory of 2424	1840	cmd.exe	34
PID 1840 wrote to memory of 2424	1840	cmd.exe	34
PID 1840 wrote to memory of 2424	1840	cmd.exe	34
PID 1840 wrote to memory of 1652	1840	cmd.exe	35
PID 1840 wrote to memory of 1652	1840	cmd.exe	35
PID 1840 wrote to memory of 1652	1840	cmd.exe	35
PID 1840 wrote to memory of 1652	1840	cmd.exe	35
PID 1840 wrote to memory of 2836	1840	cmd.exe	36
PID 1840 wrote to memory of 2836	1840	cmd.exe	36
PID 1840 wrote to memory of 2836	1840	cmd.exe	36
PID 1840 wrote to memory of 2836	1840	cmd.exe	36
PID 1840 wrote to memory of 2188	1840	cmd.exe	37
PID 1840 wrote to memory of 2188	1840	cmd.exe	37
PID 1840 wrote to memory of 2188	1840	cmd.exe	37
PID 1840 wrote to memory of 2188	1840	cmd.exe	37
PID 1840 wrote to memory of 2060	1840	cmd.exe	38
PID 1840 wrote to memory of 2060	1840	cmd.exe	38
PID 1840 wrote to memory of 2060	1840	cmd.exe	38
PID 1840 wrote to memory of 2060	1840	cmd.exe	38
PID 1840 wrote to memory of 2968	1840	cmd.exe	39
PID 1840 wrote to memory of 2968	1840	cmd.exe	39
PID 1840 wrote to memory of 2968	1840	cmd.exe	39
PID 1840 wrote to memory of 2968	1840	cmd.exe	39
PID 1840 wrote to memory of 1292	1840	cmd.exe	40
PID 1840 wrote to memory of 1292	1840	cmd.exe	40
PID 1840 wrote to memory of 1292	1840	cmd.exe	40
PID 1840 wrote to memory of 1292	1840	cmd.exe	40
PID 1840 wrote to memory of 1492	1840	cmd.exe	41
PID 1840 wrote to memory of 1492	1840	cmd.exe	41
PID 1840 wrote to memory of 1492	1840	cmd.exe	41
PID 1840 wrote to memory of 1492	1840	cmd.exe	41
PID 1840 wrote to memory of 1728	1840	cmd.exe	42
PID 1840 wrote to memory of 1728	1840	cmd.exe	42
PID 1840 wrote to memory of 1728	1840	cmd.exe	42
PID 1840 wrote to memory of 1728	1840	cmd.exe	42
PID 1840 wrote to memory of 3020	1840	cmd.exe	43
PID 1840 wrote to memory of 3020	1840	cmd.exe	43
PID 1840 wrote to memory of 3020	1840	cmd.exe	43
PID 1840 wrote to memory of 3020	1840	cmd.exe	43
PID 2648 wrote to memory of 1704	2648	svcnetlsa.exe	44
PID 2648 wrote to memory of 1704	2648	svcnetlsa.exe	44
PID 2648 wrote to memory of 1704	2648	svcnetlsa.exe	44
PID 2648 wrote to memory of 1704	2648	svcnetlsa.exe	44

Views/modifies file attributes 1 TTPs 35 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2128	attrib.exe
1076	attrib.exe
1148	attrib.exe
2352	attrib.exe
1128	attrib.exe
2428	attrib.exe
1520	attrib.exe
2176	attrib.exe
1904	attrib.exe
2700	attrib.exe
2256	attrib.exe
1072	attrib.exe
1728	attrib.exe
2552	attrib.exe
2432	attrib.exe
952	attrib.exe
2832	attrib.exe
572	attrib.exe
2092	attrib.exe
1292	attrib.exe
1792	attrib.exe
2004	attrib.exe
2040	attrib.exe
2424	attrib.exe
2060	attrib.exe
2992	attrib.exe
1096	attrib.exe
2600	attrib.exe
2836	attrib.exe
2116	attrib.exe
952	attrib.exe
1068	attrib.exe
1884	attrib.exe
2600	attrib.exe
328	attrib.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svcnetlsa.exe

C:\Users\Admin\AppData\Local\Temp\1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1bc55516337fbd792bca179ba6a37701_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\svcnetlsa.exe
  "C:\Users\Admin\AppData\Local\Temp\svcnetlsa.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1288
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:3044
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1652
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2188
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2968
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1492
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:3020
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2512
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2640
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2120
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2000
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2872
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:572
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1240
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:328
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1128
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:3064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:920
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2256
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1852
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:836
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1900
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:3068
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2216
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2944
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2128
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:548
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1960
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1128
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1724
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2168
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:340
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:992
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2388
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\SVCNET~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2392
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
    3⤵
    - Modifies Internet Explorer settings
    - Runs regedit.exe
    PID:1704

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2556
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93f38209ca63c93a55f9819acade623b

SHA1
7e18dde8382b4b9c580d6ef439753b6119495041

SHA256
3685ce02ae22258adf834d0bd7cff8905b12825f7b54c574465a7dfeceb32158

SHA512
9b9721431d755c16f9e3ef5d302184454cc6a318e9440da2f00000cf4a00dcdd1e902b999fe3b084447b82b0cca88a9c66102cd3b21856a074679400ce32bf2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea3561f03da8e04f36b8eda041755ec9

SHA1
d2082ecbe64a344792b5b55f7e16835f12db1e49

SHA256
42291ada176884a2d4db95eba1ce210fccf7397c46507f7dc144f67a86eb9bea

SHA512
6f74f6ed85461a1871b5a50f79b887a9717da51f40bd1e56ba2a87346f9e1eae69c0956bdfff162ac28bbe092e7193dc4b2a15b2fc0ed344d9f9b9ce6a67b65e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23c8a95b610df8b615c0cae92165c0f2

SHA1
1b2a61ff6c5206e82afb999cad2b208ddfda53e8

SHA256
973f4d8db6703c989a07c5b1439d81038d864cae5dd2b84118a64a77ed40a9e5

SHA512
02c1e4e2c59b3468b920f160a89d93e852880922d55fa28fa8b206983b7994c0b49591188f9de982d008e4915915b10f0fc628b8881c07c562ffbc55abdb13ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27a83e7b3b3c8deca5bb0c13857c3f50

SHA1
7c14677e0b04c4f661abf13b939017f2789316e5

SHA256
3b8de20f3b94f9204d28d91df9dd45f7751761182f9d88cd6222683ba9bcdf9b

SHA512
174c3e4ee14e9ef2771954c9234cbc8feb09095c1b5663f2f5d22d07a7423251eeaa9e7923dd36845ad80d15da61849c86348aa35aca0b1aa05bb0459cc89df5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ae7fbf022973e399519bf789c0552f1

SHA1
f8442be9947b665f3d303719cae03980b56df735

SHA256
fe03d1960e55b5f4f5b032f34ac57f3c304c61165877dad44efd90e6b3b65851

SHA512
4c518c68a43837f6f2211ef1832d3a5b4015ab69eb2a2d0658645d36efbb2e685116b3a4c3d23553c6b1a046a06b03303d6ef67daa3721d784496a76ec53659f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7643d0d75ec70e4fb36d2b9a4e7f0b82

SHA1
683a2091b4362682cdf058a42b98be79fd460100

SHA256
c19a734a7b73874f5a7a30a2fb35e05e1e1324372dda483854effbace3a30910

SHA512
9a97c00ccc997df136f49a944f9e9d1f917fed9fdc97f85f2bce18148c4087c4e6e170a5fc4c8a2d0232e69b64e8e1622f53ad8688d5811c50cbfab434c5d9de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f594dfc4cbece96f8c248a23fe5ca5a

SHA1
72bd2ebedac320bbefd553601dbd4bdc704bd6e0

SHA256
71edffe70b5d6a4786c57aa7c80a616c1f9a97b7991deab7c82ea9f80369fa8e

SHA512
055e995a1dda616c0aef80d582e51d7e423b42bb8ce9cf621bc6830ea910588c1b4b51e46cba03dce0f3f148beaaf997601de9b8c8172518e6866c59784420a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83367c048ab7d25da9b9d0653c455ceb

SHA1
7d8208319b8681133d13ed2a8fd2c574140b2608

SHA256
9971c2dda07bb8eb877be0400dd7977fe0cb772de8450fc8993bf6d0b1bb6412

SHA512
e0e417cb6669ce7bfd24030ed044fee6d41430f3c3ea4027b7381ccf412c5402babd85e94f404c61782802921ac592317d979775ac8b4f5ba3db3915169e4fbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
789cd05de238e78630b1605fe06a973f

SHA1
36621065ccc89a3055145fce4feccf1d290f11a8

SHA256
b1a1b37f3484978f098b9d96bbe217a525fc6cd83cd4c7fb82fcf76f722ac143

SHA512
ce33611d30f174be2c31d748a4f723f3058d273a84bae6d2c6b4bb8192f2004783a2fda6d87e334a67a12ddf6efaba21f75492d1b8ba7b55510ed4e067c1e333

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e5c0ee24bb0083db41192a2b6b618bf

SHA1
ba267ad8030fafb3765b39b94e0f0b3f597f6224

SHA256
262cfaa280c13526089db745177bc6e313d114fbdab06f26ae70f07e81319e9a

SHA512
81f00c86faad7e7dc22d4a0d6616899a5a558c78f750d2f5941f007d117db0dbd26f294148c112e37384012a73d42bf5cbb8f061f28bb63d09e79568b7330593

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29d7e94d493ca2497f7854661c8995dc

SHA1
35b4e5aaadd7328f44be723d1e9252f3cf001140

SHA256
9913e97ec1ce8d2a15ef23908e0d882558164e31d55785918ae8209c19df97ee

SHA512
8060b52c2a2c6eb58af8b8a28d2b761b4fddcdf497e65724eba742b841b98193895a0651935fd369fad83511082f6f822434d3c44b8c94aa74f66b3456b04d54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dc6d1ec7cceb3cf31c1430b006e99f4

SHA1
9a12382be0dd31ca094509e4dbd534e25733ccf0

SHA256
759331f73be4af53cab3fa6415e5d79a69b660070659216f5a1699848a4714a7

SHA512
8ff09ffe74f71a0f10d29d3a4118befaa483413a5ffdb266bc94ec59c1b4e370bfe993ebbf793564d034c6386bb73f804f2708f727bb6ef36fd40c3abf78b2b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a97da2605ecff64f2f5ddba4cc0645e

SHA1
e10720cb275ac857ed36b6724df16e681b701e96

SHA256
374c4569926b10cfcae14695e484a99b02693430038d2d2a5da17ae0ef9feae1

SHA512
7357d0d9242e4f7861d4eb111527ba96652444a4e2baf84e0ae371dc92472790011702192f917fd58f1a810b14181716435bffaabdcd523547ac28760e04061d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a5777bab01c52029c907b2c80a6b6ec

SHA1
b306d05992bc0dab2709dd0d9261c026bbb2c256

SHA256
1712af61e6d019411d6600e9b7c53290e3b9761e0eddb8161694e9aca2b8d97c

SHA512
ad1d341674e539d86947149c89bf44ca893d14c39502733e3214314fb5f0fb38d7e54dc6c18ae4331106c342375dd2eb5122a8459badee1d0ec3ca698196c3d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2706c0c2089269d0687a71a3f4e4c7f8

SHA1
1c66af4e48402ec22769d1a081750b8252eb9e9b

SHA256
dc2f65c1dea3912451563ad86558bf8f2744bf789511be474f62b2a52d9a455e

SHA512
bc6812c928d193b3b50282107aea1bcd9b8f7a93578611039de55dfca1c2d688b7501f6874afecce8797ce962c20424451ec3f0628168c3609132164347e7fd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cc792fe29bb8858ffb972736549cda4

SHA1
f24ef3d7ac668f6fc4d33e7a4f4af8300bbe27bd

SHA256
29ca6f64068ecffb0a552947eae537187562ff63a9426e28211268434790be80

SHA512
ac5669920caf793b97ca5c2d10b433f6ab241d2e02bf65ac084d0c94a50a376f6c7b40851574d6f041b51e9926117cdc3ca1764e30d98d828d4a3c99e2249210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d97414702c7cd3c320c019d529da8b51

SHA1
358dcb1ba050e79919e485261c670deacf27b69d

SHA256
cc4692e08a38bc1b6bd9f7cc5d1e2ba9296ae10b6d94b703581547c50a7a1dd0

SHA512
1419e8c9437ac0b8ca8afe3e91b7a132b58c4f9656a0a2b57e45da59c21ad5c6bc2dcc4c513e7d550d80a24fc26d88888e5264b5619917c518d29d70e2c6e0c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b87f4fd0348c45d678b9edbfa5046cce

SHA1
f2fc51626b84d9f4f2bed2c0bd80b59124fb8440

SHA256
87c590bd2190a6efe426975961816dc1c7c3c4bd25ed5b4b8e035fb2c17594ae

SHA512
658a4eae67fa37229cef48f1329405d880268090c590f7dfa9881b96aae25dc383f85631adcf88e7025c0494cb7ccc4edeecd795160a32405c9c32b0dfdc9cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

Filesize
168B

MD5
e7efc2c945a798b4dab3fe50f1524592

SHA1
0bb937ccd89e40c91c0e58b376873ef909fe805b

SHA256
624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

SHA512
e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab48E5.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4979.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
3KB

MD5
f6ab595d6a69bd59caf410f5d55308cf

SHA1
f57bf31fb1171059556b8a6c923d86d221f771ad

SHA256
d44d83d4ede83886d2e0f5e76f1fb1e61ee8ab2d796627f3657026ce4d545492

SHA512
b09561e1ab31dc1dc774c3c1060181905052e51803ab6bd70941108041d9575e7cc0b48d1e87f2bbce0a20fc8be1628d9627319abad7c69468b669f891808fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
5KB

MD5
b506f3553362dd0ac34476dac06a23f3

SHA1
c5143b3f14381b2685bca4fcc5db4dd525d79b5c

SHA256
27bf84dbd5357636ac8bb8d94e7f5b24b44ffc44519b9e330f3ec505a651d9cc

SHA512
ada2159cfc940bb8b4e504f3d20829bb2e368dc92e376fdd5082f2761ac09bc19d6e21d38eec4b57ce139daf66ef4849ae2f2151fe3ee9024f5536450fbd2d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\win5.tmp

Filesize
240B

MD5
ee926df00618b73a370f2dbcbe19ebeb

SHA1
eb775efca19c657d4cc02d21190db4f522ae750d

SHA256
6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

SHA512
6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

Download Submit
C:\Windows\SysWOW64\cmssqlms.ocx

Filesize
4KB

MD5
3adea70969f52d365c119b3d25619de9

SHA1
d303a6ddd63ce993a8432f4daab5132732748843

SHA256
c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

SHA512
c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

Download Submit
C:\Windows\SysWOW64\fwcpptpdisp.exe

Filesize
2.2MB

MD5
1bc55516337fbd792bca179ba6a37701

SHA1
3af2f89be985f16eaace6d82bd69aa313ae70565

SHA256
3d377a53698e96b46952bc7aed2024a577833bb9a3d7922b01a77f07490155d7

SHA512
129944a2d4a7318f382b6ddcc09c9865b45825e17661562700a56ad4019b613fc5088c5409ba3b25a4f0ddada7679eb753af6e03e5c9f3129eabf22259dbdfa7

Download Submit
\Users\Admin\AppData\Local\Temp\smss.exe

Filesize
15KB

MD5
6242e3d67787ccbf4e06ad2982853144

SHA1
6ac7947207d999a65890ab25fe344955da35028e

SHA256
4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d

SHA512
7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf

Download Submit
\Users\Admin\AppData\Local\Temp\svcnetlsa.exe

Filesize
104KB

MD5
bf839cb54473c333b2c151ad627eb39f

SHA1
34af1909ec77d2c3878724234b9b1e3141c91409

SHA256
d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

SHA512
23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

Download Submit
memory/1276-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1276-247-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1276-267-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2648-295-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download