13a080c9caacae77e705d5d7cd24cdeb0d45f3e74e26475e0a0898161eccca74

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Size

1.6MB
MD5

fe079c4129d51477df121333b64bbcd7
SHA1

0f5806f04a5376b372ad55a8ef5050dc8f815aed
SHA256

13a080c9caacae77e705d5d7cd24cdeb0d45f3e74e26475e0a0898161eccca74
SHA512

31787f83322a4f0fb919b630d5b05c28398ca4cbbac3965af6852417e7b2ef1362083a7edff5b984131e5de97e9ff707047ca4955bf1ea21ac92f2a51a5bffbf
SSDEEP

3072:0RsBiWyDJP1j11BJIcBzeFxFtMuqnBJIF+DbCu/bU+99:QxRJPnJwMu6dXCsQi

Score

8^/10

adware collection discovery persistence spyware stealer

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\recovery = "C:\\Windows\\system32\\pptpfwcpptp.exe"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\StubPath = "rundll32.exe C:\\Windows\\system32\\themeuichk.dll,ThemesSetupInstallCheck"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IconsBinary = 43003a005c00570069006e0064006f00770073005c00730079007300740065006d00330032005c0070007000740070006f0062006a0070007000740070002e006500780065000000	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\Version = "1,1,1,2"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ComponentID = "DOTNETFRAMEWORKS"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\DontAsk = "2"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\IsInstalled = "1"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}\ = "Themes Setup"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Executes dropped EXE 37 IoCs

pid	Process
2724	pdbsqlctf.exe
1788	smss.exe
1972	smss.exe
1536	smss.exe
2132	smss.exe
1520	smss.exe
1924	smss.exe
2400	smss.exe
2768	smss.exe
2520	smss.exe
2608	smss.exe
1588	smss.exe
1864	smss.exe
1052	smss.exe
2816	smss.exe
2808	smss.exe
1860	smss.exe
1804	smss.exe
2864	smss.exe
3052	smss.exe
2064	smss.exe
1820	smss.exe
768	smss.exe
2112	smss.exe
1704	smss.exe
2340	smss.exe
2592	smss.exe
2604	smss.exe
3068	smss.exe
2480	smss.exe
2424	smss.exe
1072	smss.exe
1636	smss.exe
2868	smss.exe
832	smss.exe
1904	smss.exe
1116	smss.exe

Loads dropped DLL 38 IoCs

pid	Process
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe
2172	cmd.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pdbsqlctf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\recovery = "C:\\Windows\\system32\\pptpfwcpptp.exe"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\NoExplorer = "1"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "AcroIEHelperStub"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\srvdispsrv.ocx	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\srvdispsrv.ocx	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\lsarasdns.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pooldhcpdisp.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pptpobjpptp.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cmsctfsrv.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pptpfwcpptp.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pptpfwcpptp.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\lsarasdns.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pooldhcpdisp.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\pptpobjpptp.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cmsctfsrv.exe	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdbsqlctf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433755838"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000627c2b7cd3de59032034dffdfaab2c5ab5cbd55e95fafdba12d643a1baf1b56c000000000e800000000200002000000091decd523119535d3aa81ec68a142f9e541dfba3dafe7375df2e84a9d2d4dea720000000be6b82fae9c8d5a8e0694d61373b317565513192765e26aeb34199bb0b462cb640000000e0972b7908a38434d8aa8896571675dabb4f8840eb3af9d1371efbba9611ca88c7034910d201b79c6702d471f9538ae8eba114b86e56cc7110dbf0312d8100a1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0de082c3f12db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000791594cc72189d0a5893fc839ad0c70a01c3f4240a20bc33d99b6c71e9602b15000000000e8000000002000020000000ab2f4932a5c64ecde04d517e275bf2f7732453483be8d70638541e359cd18642900000006fa01456fd5d79b67a364ee58bc79b8df9a80f6fa6f2352de09b5fb3b85d8a185e82848260de74cf910ba12f864e2fbaf6f1bf7e7bb5bc72275c0d6b6d5b28c641e9742ecb90759fea26b3c9eaed1900c1f131cc78d10c7b8a2b27ff45f9e3c15c4f104ef18d5fc18a5283f6c1318cd8b0dd2e5434bd9e5043c19382f12954742a7534493d62b99b00a1b41683e0fbe740000000f4bc1c07e1a41f90b6a96bf83e8017204ef62317dcc67eab8ea9da565138ee92131d66bcb5b86389d8b85d9771fc94f13b107831c63de73037970225b72a74e5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3CA8A2E1-7E32-11EF-BB30-566676D6F1CF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ThreadingModel = "Apartment"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ = "Adobe PDF Link Helper"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32\ = "C:\\Windows\\SysWow64\\srvdispsrv.ocx"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\VersionIndependentProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\ProgID\ = "AcroIEHelperShim.AcroIEHelperShimObj.1"	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Runs regedit.exe 1 IoCs

pid	Process
2092	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeBackupPrivilege	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
Token: SeDebugPrivilege	2724	pdbsqlctf.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1284	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1284	iexplore.exe
1284	iexplore.exe
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2724	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe	28
PID 2944 wrote to memory of 2724	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe	28
PID 2944 wrote to memory of 2724	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe	28
PID 2944 wrote to memory of 2724	2944	fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe	28
PID 2724 wrote to memory of 2172	2724	pdbsqlctf.exe	29
PID 2724 wrote to memory of 2172	2724	pdbsqlctf.exe	29
PID 2724 wrote to memory of 2172	2724	pdbsqlctf.exe	29
PID 2724 wrote to memory of 2172	2724	pdbsqlctf.exe	29
PID 2172 wrote to memory of 1788	2172	cmd.exe	31
PID 2172 wrote to memory of 1788	2172	cmd.exe	31
PID 2172 wrote to memory of 1788	2172	cmd.exe	31
PID 2172 wrote to memory of 1788	2172	cmd.exe	31
PID 2172 wrote to memory of 1860	2172	cmd.exe	34
PID 2172 wrote to memory of 1860	2172	cmd.exe	34
PID 2172 wrote to memory of 1860	2172	cmd.exe	34
PID 2172 wrote to memory of 1860	2172	cmd.exe	34
PID 2172 wrote to memory of 1972	2172	cmd.exe	35
PID 2172 wrote to memory of 1972	2172	cmd.exe	35
PID 2172 wrote to memory of 1972	2172	cmd.exe	35
PID 2172 wrote to memory of 1972	2172	cmd.exe	35
PID 2172 wrote to memory of 1540	2172	cmd.exe	36
PID 2172 wrote to memory of 1540	2172	cmd.exe	36
PID 2172 wrote to memory of 1540	2172	cmd.exe	36
PID 2172 wrote to memory of 1540	2172	cmd.exe	36
PID 2172 wrote to memory of 1536	2172	cmd.exe	37
PID 2172 wrote to memory of 1536	2172	cmd.exe	37
PID 2172 wrote to memory of 1536	2172	cmd.exe	37
PID 2172 wrote to memory of 1536	2172	cmd.exe	37
PID 2172 wrote to memory of 2360	2172	cmd.exe	38
PID 2172 wrote to memory of 2360	2172	cmd.exe	38
PID 2172 wrote to memory of 2360	2172	cmd.exe	38
PID 2172 wrote to memory of 2360	2172	cmd.exe	38
PID 2172 wrote to memory of 2132	2172	cmd.exe	39
PID 2172 wrote to memory of 2132	2172	cmd.exe	39
PID 2172 wrote to memory of 2132	2172	cmd.exe	39
PID 2172 wrote to memory of 2132	2172	cmd.exe	39
PID 2172 wrote to memory of 1516	2172	cmd.exe	40
PID 2172 wrote to memory of 1516	2172	cmd.exe	40
PID 2172 wrote to memory of 1516	2172	cmd.exe	40
PID 2172 wrote to memory of 1516	2172	cmd.exe	40
PID 2172 wrote to memory of 1520	2172	cmd.exe	41
PID 2172 wrote to memory of 1520	2172	cmd.exe	41
PID 2172 wrote to memory of 1520	2172	cmd.exe	41
PID 2172 wrote to memory of 1520	2172	cmd.exe	41
PID 2172 wrote to memory of 2420	2172	cmd.exe	42
PID 2172 wrote to memory of 2420	2172	cmd.exe	42
PID 2172 wrote to memory of 2420	2172	cmd.exe	42
PID 2172 wrote to memory of 2420	2172	cmd.exe	42
PID 2172 wrote to memory of 1924	2172	cmd.exe	43
PID 2172 wrote to memory of 1924	2172	cmd.exe	43
PID 2172 wrote to memory of 1924	2172	cmd.exe	43
PID 2172 wrote to memory of 1924	2172	cmd.exe	43
PID 2172 wrote to memory of 1660	2172	cmd.exe	44
PID 2172 wrote to memory of 1660	2172	cmd.exe	44
PID 2172 wrote to memory of 1660	2172	cmd.exe	44
PID 2172 wrote to memory of 1660	2172	cmd.exe	44
PID 2172 wrote to memory of 2400	2172	cmd.exe	45
PID 2172 wrote to memory of 2400	2172	cmd.exe	45
PID 2172 wrote to memory of 2400	2172	cmd.exe	45
PID 2172 wrote to memory of 2400	2172	cmd.exe	45
PID 2724 wrote to memory of 2092	2724	pdbsqlctf.exe	46
PID 2724 wrote to memory of 2092	2724	pdbsqlctf.exe	46
PID 2724 wrote to memory of 2092	2724	pdbsqlctf.exe	46
PID 2724 wrote to memory of 2092	2724	pdbsqlctf.exe	46

Views/modifies file attributes 1 TTPs 35 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2040	attrib.exe
2420	attrib.exe
2788	attrib.exe
2220	attrib.exe
1672	attrib.exe
2964	attrib.exe
1860	attrib.exe
1768	attrib.exe
1068	attrib.exe
760	attrib.exe
2360	attrib.exe
2964	attrib.exe
1736	attrib.exe
1540	attrib.exe
1660	attrib.exe
1748	attrib.exe
2856	attrib.exe
1480	attrib.exe
1516	attrib.exe
2688	attrib.exe
2556	attrib.exe
1372	attrib.exe
2756	attrib.exe
1748	attrib.exe
2648	attrib.exe
1488	attrib.exe
2036	attrib.exe
3060	attrib.exe
2712	attrib.exe
2612	attrib.exe
2996	attrib.exe
1848	attrib.exe
2784	attrib.exe
2544	attrib.exe
1860	attrib.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	pdbsqlctf.exe

C:\Users\Admin\AppData\Local\Temp\fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe079c4129d51477df121333b64bbcd7_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\pdbsqlctf.exe
  "C:\Users\Admin\AppData\Local\Temp\pdbsqlctf.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_win_path
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1788
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1972
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1536
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2132
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1924
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2400
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2768
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2520
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2608
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1588
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1848
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2816
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2808
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1804
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2864
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2220
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3052
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2064
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1820
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:768
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2112
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1704
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2340
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:2604
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3068
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2424
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:760
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1072
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1636
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2868
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:832
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1904
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Users\Admin\AppData\Local\Temp\PDBSQL~1.EXE"
      4⤵
      Views/modifies file attributes
      PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\smss.exe
      "C:\Users\Admin\AppData\Local\Temp\smss.exe" 127.1 -n 5
      4⤵
      Executes dropped EXE
      PID:1116
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\win5.tmp
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Runs regedit.exe
    PID:2092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1284
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1284 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f51f6ea7e860cfa643edf2f1e15c5c77

SHA1
dd9f5fa8a87fecd19f135027d8f004d748f60dbd

SHA256
6c85285849ed4a344b183f1c18b9d85543dc6dc1aa8f0d429041bad0bf5d350d

SHA512
5b7c375904893c83e99b0f759c7e149e9debb1b04b3b57ddd904bb41890f73071302b2a9d363d771bd9f0958ef3d4e2fd880785c4435b698b25c8528115223bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
365be129c678d42b1682700f54101e05

SHA1
16641cd6c1232be2082e52114c09b5df669dd61d

SHA256
ad887b82dc8faeba37cb48a4d5b7addd1b2df866468189b8ebc458ec679bba88

SHA512
1db342f8f6ed64524de4b82313e59b1d92669f6f0f5a2bfe72c765d04a7f51d3e9e0a686a0597d15fbb96544030b9ad1b32c76aa664360a33d6cf8a9fdc026cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7e81d38e378d0b701e8c860d4849e7a

SHA1
60b10c04e041bf1779ac04a6a0bb22f3ec62ba65

SHA256
455cd7a5e06e87b69d79975d7f4b4b307c4ef0350c67e3d6a5691dc6fb324023

SHA512
8220f427c35d5376fee38e90eb651ebe27fcac9ac825123b80ea44e0ecb99bdea5cd976df0addb39f4a7c26d4582485b124b477c7f1a79969fcedb17cf397555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36040301caf47fcf79125b7f62792f13

SHA1
05aea1eed4d36e9b3f9d300015ebab71eb70aeee

SHA256
39b659e6cac6946c2a962688cf93ca7354e40aecb54f0b0efef1cad9f3071a1f

SHA512
c9084507963fb6513661c01f6cd097d2b246b38d93c46f2eb261684f3b1984f30dd3c490ca1e0f07f08709bff0ab40f5e3c970bc1ef1944cbbe8332ad81ece33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
595be143a5105ad28bdbb276adfd0f5d

SHA1
30b9c88655974b0bd23617a6765c70b97cecd4e5

SHA256
9c2f9cdb9f1b6af99c9421981a8fe6fa8947ea604fc26e0fddd1a190daceb339

SHA512
cad6d7a6da6d6ce46ea4f0d19ec3f8a02c5ce6fd01ccee24ab7cd9b8ec1bb1c9d362eef10fbbebfd34632a811b6ef2808d6c7308c539b3ee6baef44eae8d60d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25f24ded4d5ff169efe8463cadf4663e

SHA1
d6f7816889191e3a725294c5f309ddae43ec0b29

SHA256
626a7f0e5379c0ffc6ef8c46ce357329020fe5dc9a952757a840a5fb07142e2e

SHA512
7c9b0b0720af809724a33a9f2e2e1c5b709f533171b0d6e40231eb0ca2d5ff3ca729547fcadaa18d369d2ff96a152320c9d8882b273239581d502a341e10a98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
763913079c03b240c92ca94fb5b2e504

SHA1
5aebef2c20be1d58ce5205da2caa2702cd1721f3

SHA256
f4631575f50882275523bd2450643b0d431d949555c53525f753d224a25182cd

SHA512
22416ab80b04f16e623baed1930ebc69453e96837f8eac0985ce0a5d0daba7414811a3498c0b80f7a3341069d4a37be9674c798ba00c593de050c695085ed423

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46ea3af7dddad56113e6223100969e4a

SHA1
5da7bba5ce6d5ae78233bfea31d3d2c0e3b76304

SHA256
28226e5beab6664325d900e494e7c5ca1c677d372bea4fdc80d48c8b43942c59

SHA512
41ea2caf7e09a65624a36686e053fb43156a7f880b27b3ca1f996770e94646a767b8de83728244327e07255315a0f709e012a4dad9a6d0967da1fdaef69b6082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d29f2761063f40ec4ad173f66e8f539

SHA1
f7fe6e64eb8784341e7fa09377e13dd67d390d08

SHA256
2e91bd1a289110916163c39ddd5ff1aafcb744c54a5c86f35204d98643cec8be

SHA512
2ea5310fea748763fdc318e35890704fc2ecffe55355a131ba2f0f0f445bf7add1aefb16a648e4b113c725282412ebf12e70904ba6b4278a0e811e7d97dabfa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17ce3593f231225071e0a9844fcc72ba

SHA1
a3c9c9c3e4b87485e4497c9f56b9683801893ac2

SHA256
d92270a4f59aae6cd89476193eac2d52cb021367d01c46945bf4f70984bcef13

SHA512
9ab33499291c3e22adbdc86e5c05073a119e5fbc82d5a8926970af2352c71099a62a086dc918716f4976372e22c1f9eaf84a36f414b29d9fa69fdeb8f387152d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5a912ab84a5530ee386327a0e7cd30f

SHA1
512a542861f63d76098a262d5cf9e09ed8eac00d

SHA256
8a6a173bf4ab7b8f464cfc81debe6addb732cf96d97a521d88eb31e0550ad0d4

SHA512
cc5ca18a60b80740393a7edacb615e2592cefa66b6ac0cb328efa74f8c51faa8ad5fade365c30e8110a467605b573ce9500460183c22702c451461b12ced6b49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5b921fb8d2f57eb08dd9ba745bb298a

SHA1
af84ea23e40b17ec2b3489ecc721deca38053e08

SHA256
e639ae9bc4ba344287bd0e021faafffeef6ca67c54f081845b515beee7a5666c

SHA512
80e0453e7afa26dd6b68c8da106fc820067b784484a02df4c92a69986de4666f92d6961f04b7983c267f235e662280ca8968a6c297d0edc1d751c881b839d2db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46e4c9d7a80557c21144f2795b48956a

SHA1
b405dcd4c6cb165b4169573de5754b3c3b6a75c3

SHA256
bdcac3edfe23ca20128514b01c2c1d89a4c5697ee18e7a8697c83ad9718f7b8c

SHA512
d58304409221de5f69d036b99df0150bbb4be8e1d41077790989ca3e571ea4c13e713588d54496650eb34a90952c1fd15a98938ff43e97189db224502274c9f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad4153909e1f8aaa5a7af342743d79be

SHA1
635a622d352602b820e0aed236e48fdf6720a0e1

SHA256
36d91c3570af8c943c6add84f1726c8388bef547d8d8a442f96fcde47daef967

SHA512
d24c1cb00b71a764ab77a6d6861c427359c82a6fc6c690af9aad7dd6e34a0a6edd4ce74bb33a87c8d719bfd678e8ed4b0a56d07106b843acce3764a751928d0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8ce861e3676b9ca7e1717d2452e979d

SHA1
a23e27a58bd1d10e9b432b2daf8569a5c2ab10d7

SHA256
65559d5212c0f7086f05e791a3bbd000199eb03a4485ce975d5eb8705820edbc

SHA512
ebbf4e00d9399d1933dcbf40159adaad9d611b5e4530788e79b2b0cca958177a23ed031e7c1b3939248309305e9895878cc10b866ca30b66b4ad150f9990d659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e42905dcd0d29b73e11f60ae3ae6217

SHA1
c7ba6fa0e92ec773fbe702e7ae1e8bf2b22e4759

SHA256
6a0b59d256d37850bbeb3a92ea47fce46263e382e1bd699db7a3adcd623c6006

SHA512
5bb4a297cc0a37564912e1b52dea68ced4d9d908a2331fa558feabc88006317d1aee5aef50b9bdeeb0286c7ee12eec938b6092762524d1b4dc83090db65107a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b806020b440842020c94a38954e275e

SHA1
d8bdf57dbcfa4ccd63f78624fac3219d11d28a9b

SHA256
94f58ba395897a9bd9a223daef62b48d5e051d49777c6d774d73883edb84aec1

SHA512
2a556a744dbc8368323b6e4250f519561d885619a4b98d2e2560d3ed1bb36cd90d6529dec4d2ebc9f5535ffe69285db4caeb910b7a42b7b3c1efe007d0ab1250

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.tmp.cmd

Filesize
168B

MD5
e7efc2c945a798b4dab3fe50f1524592

SHA1
0bb937ccd89e40c91c0e58b376873ef909fe805b

SHA256
624acac79fdcfe30592f5321b4ab73d360f393dbcdbe8daa50fcce63c710f5dc

SHA512
e75840979404587aa15fd4d1e46707c33e32dca086ca72c7666045e14191e29857d06dc8ba737e69925c71b2e2d6a5ee3b63c36ecd2f32ae515f85a985d8f257

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA04.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA94.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
3KB

MD5
fd16ba506331210bdd2547eebbc14232

SHA1
a0313d86716fa50437393bf5e0d8271af529670c

SHA256
5e7b72773b5b8e8f734ba6acb5917d8e99a60bbc41940b3311768c2882ca42c2

SHA512
3adda2fa8f498e876831adef6d8a497052901ea53fde1fc580a45921155b033b5ae62c2e0b18952085db859325c79fc12684c058f2e8fcdfb5e00e8f32590f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\bot.log

Filesize
4KB

MD5
28227ea153ba09349f9dea5521c28082

SHA1
3771d4cf3e80bb8c5548ef3eac12fcc3f6775169

SHA256
780944102661676a43601187b2d8da9d48759d062a7afac214c323a26f87b91b

SHA512
f33cd9afcdbbe3e5a0b6cd6b31a6ead97c8791278b3bef50cb1a6b772b6794e06621295dc2b7fbea1bf39f179e65bc08722c6ac0d9c6eae52f1aef032c30baea

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe

Filesize
15KB

MD5
6242e3d67787ccbf4e06ad2982853144

SHA1
6ac7947207d999a65890ab25fe344955da35028e

SHA256
4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d

SHA512
7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\win5.tmp

Filesize
240B

MD5
ee926df00618b73a370f2dbcbe19ebeb

SHA1
eb775efca19c657d4cc02d21190db4f522ae750d

SHA256
6aa561c0cd6879efa55a085e9020c4827f4e51e8b44902e72b908d06bb454c32

SHA512
6b4d1f2d897b6876755d1a6370f849d1241bbb9d462a5347b0b157bb4b7efe80c0d171e14e0277bd72dfbcdf31cdc055e500341a6e0c444513cb47cddecaaf54

Download Submit
C:\Windows\SysWOW64\lsarasdns.exe

Filesize
1.6MB

MD5
fe079c4129d51477df121333b64bbcd7

SHA1
0f5806f04a5376b372ad55a8ef5050dc8f815aed

SHA256
13a080c9caacae77e705d5d7cd24cdeb0d45f3e74e26475e0a0898161eccca74

SHA512
31787f83322a4f0fb919b630d5b05c28398ca4cbbac3965af6852417e7b2ef1362083a7edff5b984131e5de97e9ff707047ca4955bf1ea21ac92f2a51a5bffbf

Download Submit
C:\Windows\SysWOW64\srvdispsrv.ocx

Filesize
4KB

MD5
3adea70969f52d365c119b3d25619de9

SHA1
d303a6ddd63ce993a8432f4daab5132732748843

SHA256
c9f5a19c7b11fd866483adc93aa5bc4bd3515bd995ca79297b227e3e5ef1a665

SHA512
c4d836fcbdab4c859a6fc0f849d1e41e98c7e23fc0fe0fe0a09cb68e9a57d60b2ae9ad46762d7a5e05db28d6179bd431ef179ee1f9ff016db74cc3b1d74ed7f8

Download Submit
\Users\Admin\AppData\Local\Temp\pdbsqlctf.exe

Filesize
104KB

MD5
bf839cb54473c333b2c151ad627eb39f

SHA1
34af1909ec77d2c3878724234b9b1e3141c91409

SHA256
d9cfcd9e64cdd0a4beba9da2b1cfdf7b5af9480bc19d6fdf95ec5b1f07fceb1d

SHA512
23cb63162d3f8acc4db70e1ecb36b80748caaaa9993ee2c48141fd458d75ffb1866e7b6ca6218da2a77bd9fcb8eed3b893a705012960da233b080c55dc3d8c3d

Download Submit
memory/2724-300-0x0000000000390000-0x0000000000392000-memory.dmp

Filesize
8KB

Download
memory/2944-271-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2944-250-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download