matiex | 7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
Size

1.9MB
MD5

9dd6a382a4b8e3295ed977f1cc176c0a
SHA1

cd990deea4530f113c617b9cda0eeea7ada9170e
SHA256

7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
SHA512

a9181c76e87101bedff793689df0d60d89e49469b0b6f768961f0185bbda82d78837db236a2a8bf9585252ee467d2081ce02769662b57d6b3386836550d5e7dc
SSDEEP

24576:zRgV9lX4ePztJzKe4QTnExJrP6+RtCFKOqRuGmjpMg8R5w+cTll8add1Lj6vull+:zR6bbJR7OyKiKO0VaqgY5w+eTZ3Ejmr6

Score

10^/10

matiex predatorstealer wshrat collection credential_access discovery execution keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

wshrat

http://blackhillls.ddns.net:1334

Signatures

Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main payload 6 IoCs

resource	yara_rule
behavioral1/memory/1620-6-0x0000000000400000-0x00000000005F1000-memory.dmp	family_matiex
behavioral1/files/0x0033000000015cc6-10.dat	family_matiex
behavioral1/files/0x0007000000015d56-28.dat	family_matiex
behavioral1/memory/2832-37-0x0000000000400000-0x00000000005F1000-memory.dmp	family_matiex
behavioral1/memory/2904-62-0x0000000000D70000-0x0000000000DE2000-memory.dmp	family_matiex
behavioral1/memory/2724-97-0x0000000000400000-0x00000000005F1000-memory.dmp	family_matiex

PredatorStealer
Predator is a modular stealer written in C#.
stealer predatorstealer
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

WSHRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0033000000015cc6-10.dat	family_wshrat
behavioral1/files/0x0008000000015d34-30.dat	family_wshrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 7 IoCs

flow	pid	Process
4	1788	wscript.exe
8	1788	wscript.exe
17	1788	wscript.exe
19	1788	wscript.exe
20	1788	wscript.exe
21	1788	wscript.exe
22	1788	wscript.exe

Deletes itself 1 IoCs

pid	Process
2732	notepad.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.vbs	notepad.exe

Executes dropped EXE 5 IoCs

pid	Process
2832	scvhost.exe
2904	BsA2woE9zZbLwSC.exe
2636	scvhost.exe
2724	scvhost.exe
1672	bin.exe

Loads dropped DLL 13 IoCs

pid	Process
2732	notepad.exe
2732	notepad.exe
2832	scvhost.exe
912	cmd.exe
1672	bin.exe
1672	bin.exe
1672	bin.exe
1672	bin.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe
2324	WerFault.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2636-35-0x0000000000400000-0x0000000000760000-memory.dmp	upx
behavioral1/memory/2636-39-0x0000000000400000-0x0000000000760000-memory.dmp	upx
behavioral1/memory/2636-42-0x0000000000400000-0x0000000000760000-memory.dmp	upx
behavioral1/memory/2636-38-0x0000000000400000-0x0000000000760000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scvhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scvhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	scvhost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js\""	wscript.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
9	checkip.dyndns.org
11	freegeoip.app
12	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 2636	2832	scvhost.exe	34

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2324	2904	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BsA2woE9zZbLwSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe:ZoneIdentifier	notepad.exe

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	WSHRAT\|141C077A\|PDIZKVQX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	17	WSHRAT\|141C077A\|PDIZKVQX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	19	WSHRAT\|141C077A\|PDIZKVQX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	20	WSHRAT\|141C077A\|PDIZKVQX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	21	WSHRAT\|141C077A\|PDIZKVQX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom
HTTP User-Agent header	22	WSHRAT\|141C077A\|PDIZKVQX\|Admin\|Microsoft Windows 7 Ultimate \|plus\|nan-av\|false - 16/8/2024\|JavaScript-v3.3\|GB:United Kingdom

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
2832	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe
2724	scvhost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2832	scvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	BsA2woE9zZbLwSC.exe
Token: SeDebugPrivilege	2636	scvhost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2732	1620	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2732	1620	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2732	1620	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2732	1620	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2732	1620	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	30
PID 1620 wrote to memory of 2732	1620	9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2832	2732	notepad.exe	31
PID 2732 wrote to memory of 2832	2732	notepad.exe	31
PID 2732 wrote to memory of 2832	2732	notepad.exe	31
PID 2732 wrote to memory of 2832	2732	notepad.exe	31
PID 2832 wrote to memory of 2740	2832	scvhost.exe	32
PID 2832 wrote to memory of 2740	2832	scvhost.exe	32
PID 2832 wrote to memory of 2740	2832	scvhost.exe	32
PID 2832 wrote to memory of 2740	2832	scvhost.exe	32
PID 2832 wrote to memory of 2904	2832	scvhost.exe	33
PID 2832 wrote to memory of 2904	2832	scvhost.exe	33
PID 2832 wrote to memory of 2904	2832	scvhost.exe	33
PID 2832 wrote to memory of 2904	2832	scvhost.exe	33
PID 2832 wrote to memory of 2636	2832	scvhost.exe	34
PID 2832 wrote to memory of 2636	2832	scvhost.exe	34
PID 2832 wrote to memory of 2636	2832	scvhost.exe	34
PID 2832 wrote to memory of 2636	2832	scvhost.exe	34
PID 2832 wrote to memory of 2724	2832	scvhost.exe	35
PID 2832 wrote to memory of 2724	2832	scvhost.exe	35
PID 2832 wrote to memory of 2724	2832	scvhost.exe	35
PID 2832 wrote to memory of 2724	2832	scvhost.exe	35
PID 2740 wrote to memory of 1788	2740	WScript.exe	36
PID 2740 wrote to memory of 1788	2740	WScript.exe	36
PID 2740 wrote to memory of 1788	2740	WScript.exe	36
PID 2740 wrote to memory of 1788	2740	WScript.exe	36
PID 2636 wrote to memory of 912	2636	scvhost.exe	39
PID 2636 wrote to memory of 912	2636	scvhost.exe	39
PID 2636 wrote to memory of 912	2636	scvhost.exe	39
PID 2636 wrote to memory of 912	2636	scvhost.exe	39
PID 912 wrote to memory of 1672	912	cmd.exe	41
PID 912 wrote to memory of 1672	912	cmd.exe	41
PID 912 wrote to memory of 1672	912	cmd.exe	41
PID 912 wrote to memory of 1672	912	cmd.exe	41
PID 2904 wrote to memory of 2324	2904	BsA2woE9zZbLwSC.exe	42
PID 2904 wrote to memory of 2324	2904	BsA2woE9zZbLwSC.exe	42
PID 2904 wrote to memory of 2324	2904	BsA2woE9zZbLwSC.exe	42
PID 2904 wrote to memory of 2324	2904	BsA2woE9zZbLwSC.exe	42

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	BsA2woE9zZbLwSC.exe

C:\Users\Admin\AppData\Local\Temp\9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9dd6a382a4b8e3295ed977f1cc176c0a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js"
      4⤵
      Drops startup file
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js"
        5⤵
        Blocklisted process makes network request
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\BsA2woE9zZbLwSC.exe
      "C:\Users\Admin\AppData\Local\Temp\BsA2woE9zZbLwSC.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
      PID:2904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1276
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2324
  - - C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c bin.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Users\Admin\AppData\Local\Temp\bin.exe
        
        bin.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1672
  - - C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost\scvhost.exe" 2 2636 259436916
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
647KB

MD5
5afda7c7d4f7085e744c2e7599279db3

SHA1
3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256
f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4

SHA512
7cbbbef742f56af80f1012d7da86fe5375ac05813045756fb45d0691c36ef13c069361457500ba4200157d5ee7922fd118bf4c0635e5192e3f8c6183fd580944

Download Submit
C:\Users\Admin\AppData\Local\Temp\SDOupJClKPesZvUKaabs2blkzwnEoJFcriZd6i.js

Filesize
184KB

MD5
4e47fc3b25104418b7f7a5523e51639a

SHA1
de60259e11ec477b9083d641ffdbc88230a0927b

SHA256
f0e2f3ca73d64210c1d6a7ca07a2a145f3e94b0d41f99cd45f9fe008d288f345

SHA512
a76d6098d2df124d4cb0f773410f186cd579d288d5cd30c6dcf90f24aca01b2d4777274abb1278287a9accada490bb1187209f8c53207c3baf8c26f606fc7225

Download Submit
C:\Users\Admin\AppData\Local\Temp\bookmarks.txt

Filesize
13B

MD5
61f8a15f0bf3ef90a36796b6cbb7b105

SHA1
9a0893ee4bfb0e58c64902fc4da215dcbec12e3f

SHA256
678150f8aa675320e486b135418a7ed5b546514a5aa808588eccc12fe8cd2130

SHA512
5afb5a40e95b289db50db7aa151a5a526ef04824533fccd0ad3d6ea813cc5621b8009521d7f5db69fbcb1a46640e963427fd6b42721df26f1fbfc89f59a8abab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookies.txt

Filesize
11B

MD5
c62837b28d4938edd0ed433c62d0fbff

SHA1
e9ea5b724941b7c1d2ac740b896f97ad804e58d3

SHA256
041a0aa02efee5c154ee06e5bb07fcde75d5a2a0277e390a170cf9e719d93ffe

SHA512
12c5692a05b1b8b4fe6e2f4a7347886cfcc51b62aec46dbeaaa3c0c8949576e7693ccb60611a9915c9f2a7376003fc71210ea580fb0976783c3bf268ac132793

Download Submit
C:\Users\Admin\AppData\Local\Temp\credit_cards.txt

Filesize
16B

MD5
0b5acd38883c21a5c6ce1bf1475b7e3c

SHA1
f44085a126b0530e8f0e6472518d2e8dc92b5fb5

SHA256
a2c8010d9942ce512425fd4d19b6c574683a9cba8c28ca94e34797f11abb56a1

SHA512
1d8373dc80e08b69c820e4adfbd77f9fc45448b86d01820483b2cb1a870b96df3824fc3b4991c761076d02bc0030e752b95ba4da699b439fd725df0e7d272f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\passwords.txt

Filesize
13B

MD5
7294c881f5e23198c7000056e50ef7e7

SHA1
65f942dda2ae75aad6444e7a9ccc7352b5c88e23

SHA256
2be7f0deacefc2c099e3309e42989fac20dc32af7e722d0bdeb3bc72f44698f4

SHA512
ca66605f5b605bdc060ae870fd4d48b20651e0fa8ae126de3e511ada760d1e32fe1709ae536fa46b166d89f1d36501130f9a86c845c2a2776bbdb8f577e7ddb3

Download Submit
\Users\Admin\AppData\Local\Temp\BsA2woE9zZbLwSC.exe

Filesize
432KB

MD5
db1c4abd9f89e2accb740f7c01cb1504

SHA1
3a290627dc9ceec7f013c48a4032d69573cc4dbd

SHA256
877586c1dbff58fb4c4b9e0543c8e76bad590557b132d8f36b24733558ea02a9

SHA512
474746e5584aa500a7ffbaef4e940c7631c38b4b74557a4b38a8e3a0434a427b3ffb1b7ab3f46a7d226bd3f789df62ee74fbc0f230e19cd246ca8cb6a27a16f7

Download Submit
\Users\Admin\AppData\Local\Temp\bin.exe

Filesize
23KB

MD5
345da28112fc97cbad74e45c510fd783

SHA1
dc88113783ed200262428c3000c35fdd093c5b64

SHA256
b6e61d4a8e0fe205cd03d4fa1d9ffc4ce8c77b9a3efecdb6f9523dccf6bd9864

SHA512
e9b294b03ffd005ce6d8380be285baf762d0f135676c1fd4737f43c34e39ad3da77e7c3a07a7197475c1d17b09628b03e9e9c1808698dd89852ad60b9febfa2d

Download Submit
\Users\Admin\AppData\Roaming\conhost\scvhost.exe

Filesize
1.9MB

MD5
9dd6a382a4b8e3295ed977f1cc176c0a

SHA1
cd990deea4530f113c617b9cda0eeea7ada9170e

SHA256
7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964

SHA512
a9181c76e87101bedff793689df0d60d89e49469b0b6f768961f0185bbda82d78837db236a2a8bf9585252ee467d2081ce02769662b57d6b3386836550d5e7dc

Download Submit
memory/1620-6-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1620-1-0x0000000000300000-0x000000000030F000-memory.dmp

Filesize
60KB

Download
memory/1620-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1620-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1620-2-0x0000000000300000-0x000000000030F000-memory.dmp

Filesize
60KB

Download
memory/1672-84-0x00000000043F0000-0x0000000004498000-memory.dmp

Filesize
672KB

Download
memory/1672-73-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2636-42-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2636-38-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2636-40-0x0000000002560000-0x000000000270A000-memory.dmp

Filesize
1.7MB

Download
memory/2636-98-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2636-39-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2636-35-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2724-97-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2732-7-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2732-4-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2832-37-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2832-21-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2832-18-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2904-62-0x0000000000D70000-0x0000000000DE2000-memory.dmp

Filesize
456KB

Download