Analysis Overview
SHA256
52e78449928063d1d867d0023a1e4aa7f211cf631538724411eb54f4b08fc411
Threat Level: Known bad
The file ca264140a1f253e55e891d883a7dbf74_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Credentials from Password Stores: Credentials from Web Browsers
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-30 03:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-30 03:37
Reported
2024-08-30 03:40
Platform
win7-20240704-en
Max time kernel
147s
Max time network
120s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Order20184 = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Order20184.txt \| cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1352 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe |
| PID 2720 set thread context of 1176 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | C:\Windows\Explorer.EXE |
| PID 2836 set thread context of 1176 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Windows\SysWOW64\reg.exe | reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Order20184" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Order20184.txt" \| cmd" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\SysWOW64\netsh.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe" |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe
| MD5 | ca264140a1f253e55e891d883a7dbf74 |
| SHA1 | e6ab69e4269ddfe19da3b1c57c974969ce2e0030 |
| SHA256 | 52e78449928063d1d867d0023a1e4aa7f211cf631538724411eb54f4b08fc411 |
| SHA512 | 0c6349873736284cd7839ad32fdac93d04b341d81f649596aed2f4d22e756f8a24bcaa9e991a77fd1901e7a0c3445c5407b7795adf09cc8a1d63768ebfdf5dab |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-30 03:37
Reported
2024-08-30 03:40
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
Formbook
Credentials from Password Stores: Credentials from Web Browsers
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Order20184 = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Order20184.txt \| cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JH_XAN4HUB = "C:\\Program Files (x86)\\H_rpll\\5jchlz_8ex.exe" | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4364 set thread context of 5104 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe |
| PID 5104 set thread context of 3424 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | C:\Windows\Explorer.EXE |
| PID 1620 set thread context of 3424 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\H_rpll\5jchlz_8ex.exe | C:\Windows\SysWOW64\msdt.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msdt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\msdt.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ca264140a1f253e55e891d883a7dbf74_JaffaCakes118.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" |
| C:\Windows\SysWOW64\reg.exe | reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Order20184" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Order20184.txt" \| cmd" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe" |
| C:\Windows\SysWOW64\msdt.exe | "C:\Windows\SysWOW64\msdt.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.kraftumzug.com | udp |
| SG | 184.168.116.226:80 | www.kraftumzug.com | tcp |
| US | 8.8.8.8:53 | 226.116.168.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.nashvillenewhomeguide.net | udp |
| US | 8.8.8.8:53 | www.silverdragonai.com | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.negateoils.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | www.ballinyun.com | udp |
| US | 8.8.8.8:53 | www.fitnessbubble.info | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order20184.exe
| MD5 | ca264140a1f253e55e891d883a7dbf74 |
| SHA1 | e6ab69e4269ddfe19da3b1c57c974969ce2e0030 |
| SHA256 | 52e78449928063d1d867d0023a1e4aa7f211cf631538724411eb54f4b08fc411 |
| SHA512 | 0c6349873736284cd7839ad32fdac93d04b341d81f649596aed2f4d22e756f8a24bcaa9e991a77fd1901e7a0c3445c5407b7795adf09cc8a1d63768ebfdf5dab |
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Roaming\00O7C61Q\00Ologri.ini
| MD5 | d63a82e5d81e02e399090af26db0b9cb |
| SHA1 | 91d0014c8f54743bba141fd60c9d963f869d76c9 |
| SHA256 | eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae |
| SHA512 | 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad |
C:\Users\Admin\AppData\Roaming\00O7C61Q\00Ologrg.ini
| MD5 | 4aadf49fed30e4c9b3fe4a3dd6445ebe |
| SHA1 | 1e332822167c6f351b99615eada2c30a538ff037 |
| SHA256 | 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56 |
| SHA512 | eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945 |
C:\Users\Admin\AppData\Roaming\00O7C61Q\00Ologrv.ini
| MD5 | bbc41c78bae6c71e63cb544a6a284d94 |
| SHA1 | 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a |
| SHA256 | ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb |
| SHA512 | 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4 |
C:\Users\Admin\AppData\Roaming\00O7C61Q\00Ologim.jpeg
| MD5 | 91bbc507e03a2cf3e80a1f323d6b7a76 |
| SHA1 | 3cd2401dcfc370f8cf903e34ccddd06cadd57228 |
| SHA256 | 1d0a6e765c64e4aa9bcea41a007f26ccfb309800edd9b04e101b4494fc7440f0 |
| SHA512 | fcd15a70c3ab2ee3f528ae2086c37b926451abb6ae91a5698392b8908ef37b5da9725d035cfbbd5fc6b6f62ecfd79853991a2eead1d6bfa5d3cac0a2ba5d3954 |