Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/08/2024, 05:17

General

  • Target

    c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    c847b7a2cf4a720d70aeef5b253b1f36

  • SHA1

    c8485fb5223eb30d867348f9480e2121f57f9f1c

  • SHA256

    7015fbbe40d9041e72fe13f794cdcfc3555f54edbe209bd6fcd6b71a30d22129

  • SHA512

    3d028a371848406f8d1d4b8ce9939c93ec5ceeb2dce9830b54e20e7ca8492cb83148c679b465292b0307d8cf6a57681709d657d90338a68cd68f6beba273158c

  • SSDEEP

    3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Malware Config

Signatures

  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 37 IoCs
  • Loads dropped DLL 38 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Modifies registry class 9 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 35 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c847b7a2cf4a720d70aeef5b253b1f36_JaffaCakes118.exe"
    1⤵
    • Adds policy Run key to start application
    • Boot or Logon Autostart Execution: Active Setup
    • Loads dropped DLL
    • Adds Run key to start application
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\infopoolproc.exe
      "C:\Users\Admin\AppData\Local\Temp\infopoolproc.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_win_path
      PID:1568
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE""
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1724
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2296
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:568
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1492
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1480
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1708
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1936
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2072
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:2156
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1596
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2560
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2688
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:2256
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2268
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3064
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1324
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2032
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1648
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1868
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:836
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2808
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1956
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2548
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2004
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1524
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1028
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1336
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1580
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1856
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2188
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2240
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2476
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:872
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1940
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3068
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2012
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2532
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1268
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:344
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:668
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1212
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1184
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1716
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2296
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1384
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1980
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:1760
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2660
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1672
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1620
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2020
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:1868
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:836
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2060
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2088
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1608
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:408
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:2792
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1864
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1924
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:2448
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1684
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:2100
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2496
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2188
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2476
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:784
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • Views/modifies file attributes
          PID:2420
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1476
        • C:\Windows\SysWOW64\attrib.exe
          attrib -s -h "C:\Users\Admin\AppData\Local\Temp\INFOPO~1.EXE"
          4⤵
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1388
        • C:\Users\Admin\AppData\Local\Temp\smss.exe
          "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
          4⤵
          • Executes dropped EXE
          PID:880
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Runs regedit.exe
        PID:2884
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2916
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2920

Network

MITRE ATT&CK Enterprise v15

Downloads
