Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 09:51

General

  • Target

    c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    c07a58218ce9fe1f80bc6da7940d520d

  • SHA1

    279407aebe4756b53cb166d0e2ff9ad2d7745e1f

  • SHA256

    115aa826395b6da44910d052c62907328c8d54f0bce306d5669f42364694a67e

  • SHA512

    2da6e69b801da12998574dee313e2c7101fe4c2da4fb1c96c8f0c43e0b6740f3ecb211d99f9cf4112333479c2ba65a42dfe8e9c1ee78d804d055e06443e06e7c

  • SSDEEP

    3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 36 IoCs
  • Loads dropped DLL 37 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Modifies registry class 9 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 34 IoCs
  • outlook_win_path 1 IoCs
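
The "Runs regedit.exe" entry (regedit.exe /s win5.tmp, see Processes) together with the Active Setup, Run key, policy Run key, BHO and Internet Explorer settings signatures describe registry writes that a single silently imported .reg file can perform in one step. The following is an added example, not code from the original report: a parser for the Regedit 5.00 text format that lists every value written or key deleted under the locations those signatures name. SAMPLE_REG is constructed for illustration only; it is not the contents of win5.tmp, which the report does not show, and its GUIDs and file paths are hypothetical.

```python
"""Parse a Regedit 5.00 .reg file and flag writes under persistence and IE-settings keys.

Added example, not part of the sandbox report.  SAMPLE_REG is constructed for
illustration: it is not the contents of win5.tmp (which the report does not show),
and its GUIDs and file paths are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (category, pattern matched against the full key path); categories mirror the signatures above.
WATCHED = [
    ("active_setup", re.compile(r"\\Active Setup\\Installed Components\\", re.I)),
    ("policy_run", re.compile(r"\\Policies\\Explorer\\Run(\\|$)", re.I)),
    ("run_key", re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)),
    ("bho", re.compile(r"\\Explorer\\Browser Helper Objects\\", re.I)),
    ("ie_settings", re.compile(r"\\Internet Explorer\\Main(\\|$)", re.I)),
]
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=...  or  @=...


@dataclass
class RegOp:
    key: str
    name: Optional[str]    # None for a key-level operation (create or delete)
    value: Optional[str]   # decoded REG_SZ, or the raw dword:/hex: payload
    delete: bool


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(raw: str) -> Tuple[Optional[str], bool]:
    raw = raw.strip()
    if raw == "-":                                   # "name"=-  deletes the value
        return None, True
    if raw.startswith('"') and raw.endswith('"'):    # REG_SZ
        return _unescape(raw[1:-1]), False
    return raw, False                                # dword:, hex:, hex(7): kept raw


def parse_reg(text: str) -> List[RegOp]:
    ops: List[RegOp] = []
    key, key_deleted, pending = None, False, ""
    for raw in text.splitlines():
        line = pending + raw.strip()                 # pending holds a hex:...,\ continuation
        pending = ""
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":       # [key] creates, [-key] deletes
            key_deleted = line[1] == "-"
            key = line[2:-1] if key_deleted else line[1:-1]
            ops.append(RegOp(key, None, None, key_deleted))
            continue
        if key is None or key_deleted:
            continue                                 # regedit ignores values under [-key]
        if line.endswith("\\"):                      # value continues on the next line
            pending = line[:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {raw!r}")
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        value, deleted = _decode_value(m.group(2))
        ops.append(RegOp(key, name, value, deleted))
    return ops


def triage(text: str) -> List[Tuple[str, str, Optional[str], Optional[str]]]:
    """Value writes and key deletions under WATCHED locations as (category, key, name, value)."""
    findings = []
    for op in parse_reg(text):
        if op.name is None and not op.delete:        # bare key creation: its values get reported
            continue
        for category, pat in WATCHED:
            if pat.search(op.key):
                findings.append((category, op.key, op.name, op.value))
                break
    return findings


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
@="Example Component"
"StubPath"="C:\\Windows\\SysWOW64\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"svc"="C:\\Windows\\SysWOW64\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-555555555555}]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"NoProtectedModeBanner"=dword:00000001

[HKEY_CURRENT_USER\Software\Example\Harmless]
"Setting"=hex:01,00,00,\
  00
"""

if __name__ == "__main__":
    for category, key, name, value in triage(SAMPLE_REG):
        print(f"{category:<13} {key}  {name!r} = {value!r}")
```

Run it against a .reg file recovered from the sandbox (or exported from a live host with `reg export`) to see at a glance which persistence locations an import would touch; the Run key pattern deliberately also covers RunOnce, and the policy Run key (Policies\Explorer\Run) is matched separately because it is a distinct location from the ordinary Run key.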

Processes

  • C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe
      "C:\Users\Admin\AppData\Local\Temp\rassvcmon.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_win_path
      PID:2944
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE""
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:2460
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1772
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2580
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:1028
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:548
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:704
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2012
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1868
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1120
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2716
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2812
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2408
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:3024
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2480
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1240
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2700
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2892
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1740
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:784
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2160
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2252
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:2388
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2276
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1528
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2444
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2128
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2124
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1368
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1584
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:544
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:800
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2696
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1052
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1496
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2540
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1580
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2364
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2148
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1344
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2156
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1728
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1488
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:896
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:1396
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2392
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:2724
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:2184
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2864
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2332
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2700
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2600
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2576
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:884
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:424
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1076
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1184
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2288
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:672
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2304
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:1748
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2064
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1040
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2528
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2120
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1140
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2584
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2624
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\RASSVC~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2360
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1708
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Runs regedit.exe
        PID:2744
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2992
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2828
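
Detection logic run over process-creation events shaped like the tree above, as an added example that is not part of the original report. The event list is constructed from the PIDs, image paths and command lines shown (three of the smss.exe/attrib.exe iterations plus the regedit call); the dropper's own parent is not in the report, so its ppid is None, and the field names are assumed, loosely following Sysmon Event ID 1. The code flags three things the tree exhibits: a core Windows process name (smss.exe) executing from the user's Temp directory, a batch-style retry loop of loopback "-n <count>" sleeps alternating with `attrib -s -h` on the same file under one cmd.exe parent, and a silent `regedit /s` import from a temp path. The sleep here targets 127.1, the inet_aton short form of 127.0.0.1, so a rule that only looks for the dotted quad misses this sample.

```python
"""Detections over process-creation events shaped like the tree above.

Added example, not part of the sandbox report.  EVENTS is constructed from the
PIDs, images and command lines shown (three loop iterations plus the regedit
call); the dropper's own parent is unknown (ppid None) and field names are assumed.
"""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\SysWOW64"


def ev(pid, ppid, image, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


EVENTS = [
    ev(3012, None, TEMP + r"\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe",
       f'"{TEMP}\\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"'),
    ev(2944, 3012, TEMP + r"\rassvcmon.exe", f'"{TEMP}\\rassvcmon.exe"'),
    ev(960, 2944, SYS + r"\cmd.exe",
       f'C:\\Windows\\system32\\cmd.exe /c "{TEMP}\\1.tmp.cmd "{TEMP}\\RASSVC~1.EXE""'),
    ev(2460, 960, TEMP + r"\smss.exe", f'"{TEMP}\\smss.exe" 127.1 -n 5'),
    ev(1772, 960, SYS + r"\attrib.exe", f'attrib -s -h "{TEMP}\\RASSVC~1.EXE"'),
    ev(2580, 960, TEMP + r"\smss.exe", f'"{TEMP}\\smss.exe" 127.1 -n 5'),
    ev(1028, 960, SYS + r"\attrib.exe", f'attrib -s -h "{TEMP}\\RASSVC~1.EXE"'),
    ev(548, 960, TEMP + r"\smss.exe", f'"{TEMP}\\smss.exe" 127.1 -n 5'),
    ev(704, 960, SYS + r"\attrib.exe", f'attrib -s -h "{TEMP}\\RASSVC~1.EXE"'),
    ev(2744, 2944, SYS + r"\regedit.exe", f"regedit.exe /s {TEMP}\\win5.tmp"),
]

# Core Windows process names that legitimately run only from the system directories.
CORE_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "svchost.exe", "conhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# 127.1 is the inet_aton short form of 127.0.0.1; a rule matching only the dotted quad misses it.
LOOPBACK = re.compile(r"^(127(\.\d{1,3}){1,3}|::1|localhost)$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_args(cmd):
    """Minimal Windows command-line tokenizer: keeps double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def find_masquerading(events):
    """PIDs of core Windows process names launched from outside System32/SysWOW64."""
    return [e["pid"] for e in events if basename(e["image"]) in CORE_NAMES
            and not e["image"].lower().startswith(SYSTEM_DIRS)]


def is_loopback_sleep(e):
    """ping-style '<loopback> -n <count>', the batch-file idiom for sleeping."""
    args = split_args(e["cmd"])[1:]
    if "-n" not in args or not any(LOOPBACK.match(a) for a in args):
        return False
    i = args.index("-n")
    return i + 1 < len(args) and args[i + 1].isdigit()


def attrib_unhide_target(e):
    """Path whose System and Hidden attributes an 'attrib -s -h <path>' call clears."""
    if basename(e["image"]) != "attrib.exe":
        return None
    args = split_args(e["cmd"])[1:]
    flags = {a.lower() for a in args if a.startswith(("-", "+"))}
    paths = [a for a in args if not a.startswith(("-", "+"))]
    return paths[0].lower() if {"-s", "-h"} <= flags and paths else None


def find_attrib_retry_loops(events, min_iterations=3):
    """Per parent PID: repeated 'sleep, then attrib -s -h <same file>' pairs, the shape of a
    batch retry loop (for example a cleanup routine that waits for the dropper to exit).
    Returns {ppid: (target_path, iterations)}."""
    by_parent = defaultdict(list)
    for e in events:                          # preserve creation order
        by_parent[e["ppid"]].append(e)
    loops = {}
    for ppid, children in by_parent.items():
        counts, prev_was_sleep = defaultdict(int), False
        for e in children:
            target = attrib_unhide_target(e)
            if target and prev_was_sleep:
                counts[target] += 1
            prev_was_sleep = is_loopback_sleep(e)
        for target, n in counts.items():
            if n >= min_iterations:
                loops[ppid] = (target, n)
    return loops


def find_silent_reg_imports(events):
    """PIDs of 'regedit /s' imports of a .reg file from a user-writable profile/temp path."""
    hits = []
    for e in events:
        args = split_args(e["cmd"])[1:] if basename(e["image"]) == "regedit.exe" else []
        if any(a.lower() == "/s" for a in args) and any(
                re.search(r"\\(appdata|temp)\\", a, re.I) for a in args):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    print("masquerading PIDs:", find_masquerading(EVENTS))
    print("attrib retry loops:", find_attrib_retry_loops(EVENTS))
    print("silent reg imports:", find_silent_reg_imports(EVENTS))
```

The loop detector keys on the parent PID and on event order rather than on child PIDs, because Windows reuses PIDs (2700 appears twice in the tree above) and child PIDs are not monotonic; the `del` that such a loop usually ends with is a cmd.exe built-in and never shows up as a process, so the repeated attrib calls are the observable part.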

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    509017a4c7c18ee03a95d1e418677ca3

    SHA1

    a022b0d1092a17dd5cfedb3e5916b85d7822ed59

    SHA256

    afdbc82e8943450c2b89b3ebb92c67ea3a19706e96d35205d3582230f9708347

    SHA512

    7ce39591021e488b7753a02dc9cc7819f73b1e70b71427f3f4f7f3cb7bc942aa1eb3a5b348f3171647ecbebb2f975127a7d5229c9cafe58f5f0624b52c1cd22d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4574115816c3ed54ea1b5a2fd77ec063

    SHA1

    1b572b975848185c704dc2dc3b5dd2069c2cdfb7

    SHA256

    0bc646dd5c8114adfd1e18450309508f189c710ea9f7ffbd2535e400df8e346d

    SHA512

    feeb9e5b570ccbc2155c8d931b0b7974d0e255066303c0b95fef7f5f52e9190635ce7fd5bc6c7645aee2a940fd911b5405dd737d1211a6098c3e7bedca3f42ed

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c1bc4900a5bbe76da0ae4ac01af016fc

    SHA1

    0941307b2852d112a9541250775ad020e9bfac1b

    SHA256

    040c639781babc522049164660c0ee71b7700f84f192f38b4e6af5d64d0a568c

    SHA512

    fb444a3b64a2fc8bd8383692c7ceec4e0ad9ba0595eafaf178da65f2add1839ce6577f539e94363e7ae29cd6803ee10b2256b7cf15fe16c24555bce6b2a30745

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    592273012067181412907c8af4da7651

    SHA1

    8c344570b9d98a0616089068fd51264563e05369

    SHA256

    0ad2ef578dec553d65da385d8b75a52e57c707d636925e49b2789abc1e145981

    SHA512

    c73db9df789b1060509c127bb1e99cff6ac756073f9954fdd8bc9118063716231dc49b90682d29f1682590086079651c050988c63f27d89f55724ba614ce3343

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8af10c10fd45b5c3351f33c2a59c6584

    SHA1

    aba9f43f8200cf749d7f01ba43adc6b75593ec83

    SHA256

    727f542cb64a5cd947ad103f6ef7763a7266af817c891f363c7d1d7145ae64eb

    SHA512

    4db17ca63cd8ce582329ec313ee91850f400c032900880e35d24b4252268d20063a770d1991de9c39bb8ab7174b4d97a6ce7d1ef66470c5e6195c1d6d2f2caf3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    35abf60b8fba418664b65b731c9f437e

    SHA1

    83f15a145d2d97808208886701ce87319ed055cb

    SHA256

    f9b1c1b6db26fb3c0f444ea3da4038d7f1e02bee9e87eb9695113bad15d0fb3c

    SHA512

    f75c5014ebe970dfaef34148a1d263f311429056ce287f75d6a52b5863d1c0d40a49212d3d433eb7b424d3cbf6e9a252fd57e8ce392d0255e4a13c86db5f3a08

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b8430e5e373f3d8fe70e1b9300735a87

    SHA1

    21415a41a5676def9b26655a4aa3c9c15b6dcf23

    SHA256

    0688fdbe6753578950c32415a114bdd3466eaf8a90e3393f13668e6a2f9512dc

    SHA512

    14fe0b44448ef6770291dd40ad293291dca3e9dc87d09a3171e4ecac00fe69fa066bc474711c61f5df05d5fa6c3dfc35c1333d85b552de5da50ed65c4b8b9446

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    19a5f9fbb2066e5985cb9cd5cd8dda35

    SHA1

    499e273aded9beb4bf147d5126fbb34184945fae

    SHA256

    8702c1985b596c17170a5f6012f1d61af2b8bf0afba54f80b01c00a075d71d54

    SHA512

    24479b17c15270bae573bd149c533ad2ea3078194a71bd649aea48fdb132665aa75bc7711fe74475a6349b4577cfe13fdab3217fe8d02b6e1ed9f545061a0689

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    93c635f51e47ea067964ecbef5372c19

    SHA1

    25a15f2f915d3d5615bfc1014e5340bc46b7279d

    SHA256

    6c21c421a618a3f6992b50b51c77420960e02907b4289287dc2bf6e355dc41fe

    SHA512

    a5bd798218c32d35a4fd4590baa3ba90d2bbfdeeb13df625ca6d125eaec3d6896610e7af3c490282b32421d9dc673f08dfeb4d892d6ed314f027d752b8ab52b7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bce140e953437ba78349c9e4f3c02de7

    SHA1

    113880de05ca40a014364da2f293f0f2bb944220

    SHA256

    d865dc10f6514bb8b62066a57321a0fa3f5222c8c2aa34e40ce719e94b2f0faf

    SHA512

    d174386f08eed3a5f207018ff13175a378e0058ae2da543c083c478912b233aa41094109b0dd92fb324961dc0cf4c41560f1250da893b8c2b66b2cfe0d592e4c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    fbe0ed1be7f90f34ba8b43f821ee7824

    SHA1

    c040f7ae57223ab80051584111f45d31e95e9573

    SHA256

    c565c8cc37552dca9a285f1c6f210ade3bb8fa53068d65fbafb6e3e353537538

    SHA512

    8902c379d699aa7e01d02124d70a8f139b28bdf27a06b34db81bf39cfef827826b6738bf90cf810828da5296504b6cc8c4fea06a00bf958f7cecebdaeae177ce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    df4749e7c97565e893408c8a2d66c60e

    SHA1

    252890a9ffda1d3071d6dadd4cc6763e2419c5dd

    SHA256

    ba545440c62d697a6c1f5159271121d806535cdf4eea049f7b7eda616682e15b

    SHA512

    facdce589090d4927ccd3e4b750d3b22477bf05432ad4630274ad6e7be609a2472e5d51afba08bdd8593151193570aaeb0b457e8f916e35e38d09016804b0e52

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4ca9c3f88e5a34a1cad9d5f89b5495f1

    SHA1

    b3269d5d3643e988209b227aef309c33b1a394c3

    SHA256

    5791de24ef7a79daab727228e12d971686a6b988dbc9133b2fba3a8fb863e871

    SHA512

    7473d17dd31c2f5c72455a807400108ab8456b19569c98d7e41af4c72ccfa1d5520a280f6fa5ade07d97814c6a75796e551b39312d68e8a878741e21c7b91d25

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7786ae91d170b0c8d5078a15c4183c98

    SHA1

    c352e2c00f40c4f896b2b987fd9373a83d516c81

    SHA256

    9bfd4302e601f1975b8b60fb22531259c98bbddfe07667af3cf835e77905876a

    SHA512

    7e41b9327dd262b9702c4cdaf510ad5b6313906727603d3688058dfc094c26965a229e0e3fbe1dc914290774cb11d0a70e5f332da23be2ea4bfc07248e9a00c7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e21d661f00e0eb54e6c409d72ae6ddb2

    SHA1

    55cfd64a3bbb8ced0944fd2d0ec2eee9385cc5cf

    SHA256

    3a2368f9250d008ce10226fc32293209b8c93539e47ecea4763b5b873cca3ea6

    SHA512

    9443514e11e65b208a1997ba939a043b7d77f20e2ec1479ef6fc44babdb048646d8569386c675169a88c1a75a4091d236e0cb7f4fc8795432e450ecc931b36aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    de6af5157deb87fe447c709adf3cb0b0

    SHA1

    0e0e06ab44a071ca8479d5f81cf3a9d280e608c9

    SHA256

    c8b12bcf4f76843541cab8f0820dffdf8dba8a9e1b6aff1a2130f03d9332b5a8

    SHA512

    701df665656d3629253a182d362a7a5cf6b11ff49788297bdbf533a84d77090ea6b333d8dd07bedddaeb4bff36b882bfd0eca01cd7d1de7a01cc6a1cfb884c7a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    39e9183a2ada78930b8c9d84a9f80cac

    SHA1

    34218188cd20b9ccc69bd0652b3a2a4d523952c6

    SHA256

    7a140698348096b0de57d17aabbaec09841c979fc00e2a334a11d8c44af98568

    SHA512

    ee9268aea366eb537fbc4be13143e25c0e50eb7c72b4c83a29f52bea21f5ebf1eaf64fb6fc2e6bed455cfd4c16e288c3a45583bf091dc0c19f0ed9fd613bdfd9

  • C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

    Filesize

    168B

    MD5

    e7efc2c945a798b4dab3fe50f1524592

    SHA1

    0bb937ccd89e40c91c0e58b376873ef909fe805b

    SHA256

    624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

    SHA512

    e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

  • C:\Users\Admin\AppData\Local\Temp\Cab4A79.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar4B4A.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\bot.log

    Filesize

    4KB

    MD5

    e6c6dadce4b7b24873c0cefa7f9fcc9e

    SHA1

    dc26a848b0f0afe4f2e5e29a0c48955b9083a8ae

    SHA256

    1387e0e74004a224f499daee26bcb423c834677bc91ac77460e7d6226cd2703b

    SHA512

    7dfb668b682d210d61d35f552fbcceb4b7626f11a5ba9641cf61fb30aade05ba72b0405963dcc82538eb0aca6286152911c3b704b15fc15e321f9d2e4a704f74

  • C:\Users\Admin\AppData\Local\Temp\win5.tmp

    Filesize

    240B

    MD5

    ee926df00618b73a370f2dbcbe19ebeb

    SHA1

    eb775efca19c657d4cc02d21190db4f522ae750d

    SHA256

    6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

    SHA512

    6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

  • C:\Windows\SysWOW64\dispipctf.exe

    Filesize

    2.2MB

    MD5

    38ad28dea89f24e2161a9d156c20df1c

    SHA1

    5dd31a3867d8e368c8056ca24e94b4f231d4dd03

    SHA256

    7fdbadeee16a8502fb70ff1af33d02337c31dd7e83c26a128f66392dbadebc38

    SHA512

    b8595c647e1f4a050bc0bbc098ec575f882ea9d663a9b423c25793292d5fea95a5b9776d6216cafe30ca0aba15ec929a1bc183b1bfc659d812976f1c0a987645

  • C:\Windows\SysWOW64\rassvcmon.ocx

    Filesize

    4KB

    MD5

    3adea70969f52d365c119b3d25619de9

    SHA1

    d303a6ddd63ce993a8432f4daab5132732748843

    SHA256

    c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

    SHA512

    c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

  • \Users\Admin\AppData\Local\Temp\rassvcmon.exe

    Filesize

    104KB

    MD5

    bf839cb54473c333b2c151ad627eb39f

    SHA1

    34af1909ec77d2c3878724234b9b1e3141c91409

    SHA256

    d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

    SHA512

    23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

  • \Users\Admin\AppData\Local\Temp\smss.exe

    Filesize

    15KB

    MD5

    6242e3d67787ccbf4e06ad2982853144

    SHA1

    6ac7947207d999a65890ab25fe344955da35028e

    SHA256

    4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d

    SHA512

    7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf

  • memory/2944-305-0x0000000000260000-0x0000000000262000-memory.dmp

    Filesize

    8KB

  • memory/3012-248-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/3012-0-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/3012-249-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/3012-275-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB