Analysis Overview
SHA256
a611726fce2fb740e19f3713cd5106554ad38323e2e07754790e2863d6121d77
Threat Level: Known bad
The file 49bc9d05c7563d08947c3dabce5c4a47_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
HawkEye
Credentials from Password Stores: Credentials from Web Browsers
NirSoft WebBrowserPassView
Detected Nirsoft tools
NirSoft MailPassView
Checks computer location settings
UPX packed file
Executes dropped EXE
Deletes itself
Uses the VBS compiler for execution
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-29 13:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-29 13:39
Reported
2024-07-29 17:37
Platform
win7-20240704-en
Max time kernel
150s
Max time network
130s
Command Line
Signatures
HawkEye
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2116 set thread context of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe |
| PID 1252 set thread context of 2452 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 2452 set thread context of 1532 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2452 set thread context of 1796 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"
C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:443 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
Files
\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 3e03ff51909c69388af076fb28211308 |
| SHA1 | ac7bf8faacdcd0c4fc5f28cbf2a61ba6c723229d |
| SHA256 | e0fe96154b8014ef6a40088e32dcf4fadfceb5de67dc82c9c04d9ff70b4c0f9a |
| SHA512 | 804b5028988570b1d678586d6c0e02f3a03293e299beca8746899dfce635e0d026e172597cbde6a0a46c39e4624baf7b7b324fdd0c6f32abc21be6bb2ea15d1d |
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 4faeb26ed008892d9aa99779dcdf5651 |
| SHA1 | 55c0d65bf691afc5062cd463743b271a643f02f7 |
| SHA256 | abb64cd0cc40d7c39ad4dadcd8eccbeb8e567dc22e65685031a5d17b3805902a |
| SHA512 | 6ed93f46f942d1621cc233676bdf787e31bcdb6aef81af84dc22d5dbfaee0d34e861c4f6db0b149ca747495c1e05f6d418e6fefe2c13295adddabf5721409c21 |
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-29 13:39
Reported
2024-07-29 18:12
Platform
win10v2004-20240729-en
Max time kernel
145s
Max time network
124s
Command Line
Signatures
HawkEye
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4488 set thread context of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe |
| PID 3668 set thread context of 5020 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
| PID 5020 set thread context of 4848 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 5020 set thread context of 1216 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"
C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe
"C:\Users\Admin\AppData\Local\Temp\Order25JUN2020.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.223.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | 158.21.88.77.in-addr.arpa | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | 3e03ff51909c69388af076fb28211308 |
| SHA1 | ac7bf8faacdcd0c4fc5f28cbf2a61ba6c723229d |
| SHA256 | e0fe96154b8014ef6a40088e32dcf4fadfceb5de67dc82c9c04d9ff70b4c0f9a |
| SHA512 | 804b5028988570b1d678586d6c0e02f3a03293e299beca8746899dfce635e0d026e172597cbde6a0a46c39e4624baf7b7b324fdd0c6f32abc21be6bb2ea15d1d |
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 4faeb26ed008892d9aa99779dcdf5651 |
| SHA1 | 55c0d65bf691afc5062cd463743b271a643f02f7 |
| SHA256 | abb64cd0cc40d7c39ad4dadcd8eccbeb8e567dc22e65685031a5d17b3805902a |
| SHA512 | 6ed93f46f942d1621cc233676bdf787e31bcdb6aef81af84dc22d5dbfaee0d34e861c4f6db0b149ca747495c1e05f6d418e6fefe2c13295adddabf5721409c21 |
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f94dc819ca773f1e3cb27abbc9e7fa27 |
| SHA1 | 9a7700efadc5ea09ab288544ef1e3cd876255086 |
| SHA256 | a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92 |
| SHA512 | 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196 |