Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/08/2024, 09:51

General

  • Target

    c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    c07a58218ce9fe1f80bc6da7940d520d

  • SHA1

    279407aebe4756b53cb166d0e2ff9ad2d7745e1f

  • SHA256

    115aa826395b6da44910d052c62907328c8d54f0bce306d5669f42364694a67e

  • SHA512

    2da6e69b801da12998574dee313e2c7101fe4c2da4fb1c96c8f0c43e0b6740f3ecb211d99f9cf4112333479c2ba65a42dfe8e9c1ee78d804d055e06443e06e7c

  • SSDEEP

    3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 36 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 59 IoCs
  • Modifies registry class 9 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c07a58218ce9fe1f80bc6da7940d520d_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Users\Admin\AppData\Local\Temp\monmscms.exe
      "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\monmscms.exe""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4424
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1040
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1100
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4332
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3076
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:800
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2972
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2056
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • Views/modifies file attributes
          PID:512
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2256
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3436
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:224
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • Views/modifies file attributes
          PID:3328
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4356
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2096
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2644
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:636
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:868
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2676
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:832
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3840
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:4876
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:536
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4996
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1112
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:544
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2476
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1196
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4336
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4792
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4976
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2196
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4432
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4856
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2676
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4340
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3944
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3652
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • Views/modifies file attributes
          PID:1588
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1556
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1112
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4132
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:856
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2012
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:440
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2836
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • Views/modifies file attributes
          PID:5032
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4288
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1172
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:3392
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:876
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:4496
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2976
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1376
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1540
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1228
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3156
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2624
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3660
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4288
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • Views/modifies file attributes
          PID:2756
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1004
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4524
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:856
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2056
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:2288
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:3148
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:3428
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\monmscms.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2472
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 588
        3⤵
        • Program crash
        PID:2152
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Runs regedit.exe
        PID:2196
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
    1⤵
      PID:1440
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1088 -ip 1088
      1⤵
        PID:1900
      • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
        1⤵
        • System Location Discovery: System Language Discovery
        PID:4588
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:17410 /prefetch:2
          2⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2460

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4452.tmp

        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\dnserror[1]

        Filesize

        2KB

        MD5

        2dc61eb461da1436f5d22bce51425660

        SHA1

        e1b79bcab0f073868079d807faec669596dc46c1

        SHA256

        acdeb4966289b6ce46ecc879531f85e9c6f94b718aab521d38e2e00f7f7f7993

        SHA512

        a88becb4fbddc5afc55e4dc0135af714a3eec4a63810ae5a989f2cecb824a686165d3cedb8cbd8f35c7e5b9f4136c29dea32736aabb451fe8088b978b493ac6d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\NewErrorPageTemplate[1]

        Filesize

        1KB

        MD5

        dfeabde84792228093a5a270352395b6

        SHA1

        e41258c9576721025926326f76063c2305586f76

        SHA256

        77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

        SHA512

        e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\errorPageStrings[1]

        Filesize

        4KB

        MD5

        d65ec06f21c379c87040b83cc1abac6b

        SHA1

        208d0a0bb775661758394be7e4afb18357e46c8b

        SHA256

        a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

        SHA512

        8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BKKBWXOR\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\down[1]

        Filesize

        748B

        MD5

        c4f558c4c8b56858f15c09037cd6625a

        SHA1

        ee497cc061d6a7a59bb66defea65f9a8145ba240

        SHA256

        39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

        SHA512

        d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHVIU6BA\httpErrorPagesScripts[1]

        Filesize

        11KB

        MD5

        9234071287e637f85d721463c488704c

        SHA1

        cca09b1e0fba38ba29d3972ed8dcecefdef8c152

        SHA256

        65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

        SHA512

        87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

      • C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

        Filesize

        168B

        MD5

        e7efc2c945a798b4dab3fe50f1524592

        SHA1

        0bb937ccd89e40c91c0e58b376873ef909fe805b

        SHA256

        624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

        SHA512

        e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

      • C:\Users\Admin\AppData\Local\Temp\advsec32.dll

        Filesize

        4KB

        MD5

        3adea70969f52d365c119b3d25619de9

        SHA1

        d303a6ddd63ce993a8432f4daab5132732748843

        SHA256

        c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

        SHA512

        c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

      • C:\Users\Admin\AppData\Local\Temp\bot.log

        Filesize

        2KB

        MD5

        37bed2ced761f9fe445a373604d80412

        SHA1

        af6fea06397851774ae7fa67da3c3337979ce890

        SHA256

        3d4bf924bba391393a53cc9338a7aba835cc184101ff8188a9a2bdd5cda3ddf5

        SHA512

        211040b4ee3b5696896ca5c8bfed67db4ddb567a7f3b1278e06e9345679ce6eb919e08f682dd364e660a4d9c4748bba165c67acefe72ba070d354d1cc05e234a

      • C:\Users\Admin\AppData\Local\Temp\bot.log

        Filesize

        6KB

        MD5

        9a9950905053f01fcffc9f7379945508

        SHA1

        f75fff05b979042cef8829328a81765de1928612

        SHA256

        81fdead0fa716e988c8cde1c491a284679975466ab60094043c0985ba5500b7a

        SHA512

        686df799e306bb80de7debdfa4502eb031ca445e349ae857d1501658576e77222ab1337e41af976cee6845968d5b1a86cc054381370557df86cd0f4d9b04a907

      • C:\Users\Admin\AppData\Local\Temp\monmscms.exe

        Filesize

        104KB

        MD5

        bf839cb54473c333b2c151ad627eb39f

        SHA1

        34af1909ec77d2c3878724234b9b1e3141c91409

        SHA256

        d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

        SHA512

        23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

      • C:\Users\Admin\AppData\Local\Temp\smss.exe

        Filesize

        18KB

        MD5

        b3624dd758ccecf93a1226cef252ca12

        SHA1

        fcf4dad8c4ad101504b1bf47cbbddbac36b558a7

        SHA256

        4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef

        SHA512

        c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

      • C:\Users\Admin\AppData\Local\Temp\win5.tmp

        Filesize

        240B

        MD5

        ee926df00618b73a370f2dbcbe19ebeb

        SHA1

        eb775efca19c657d4cc02d21190db4f522ae750d

        SHA256

        6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

        SHA512

        6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

      • C:\Windows\SysWOW64\hostpoolras.exe

        Filesize

        1.7MB

        MD5

        9240adb5ce18633c3b5dbd6554dd4778

        SHA1

        3c3b3e168a2e06160096ba64ca7e21b8c176629d

        SHA256

        214adac31f2d43a59f45105b35e13ea8bcd72896cffb601ad09f0b82c9ca374a

        SHA512

        3ec0e426a4fb64877f4af3f54809562293daa660f97ee13f635a73b7d803a15b5e5bb292eb7bad56b90b7ad1dee639fe06aef24834b31b23b6b2599fb1309f6c

      • memory/3800-258-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

      • memory/3800-239-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

      • memory/3800-0-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB