Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240903-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    05/10/2024, 05:20

General

  • Target

    1651bcc888424d427c01013e8e798903_JaffaCakes118.dll

  • Size

    178KB

  • MD5

    1651bcc888424d427c01013e8e798903

  • SHA1

    9c41ee9dcfc7aef934bda221c5713598a8353107

  • SHA256

    c13d67f1836cacca25cf768824de9f481d6cc3e862bcae2bb0e086189cecd03d

  • SHA512

    89e3953e7de2f82182ce485d6840693591235bf9a4d58f558d0fee992d74c9ffe8dbf4154f80ad85a19702181475eb478c90f3eb29c345070ebacead6bb9e997

  • SSDEEP

    3072:x4yriLc3IcqB0NljYUvfT/SmNp94Z7yifCKXZ5q1n3hApWQrIcH2zAn:1uLRcZBPvukp4lCKXZ5q1Rqr

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Ramnit

    Ramnit is a versatile malware family whose variants include file-infecting viruses, worms, and Trojans.

  • UAC bypass 3 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 48 IoCs
  • UPX packed file 40 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\1651bcc888424d427c01013e8e798903_JaffaCakes118.dll
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
        "p7q0EPZi"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
          C:\Users\Admin\AppData\Local\Temp\p7q0EPZi
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1544
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2640
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • UAC bypass
            • Drops startup file
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2660
          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1920
            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1872
              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:624
                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                  C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2020
                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                    "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    PID:1796
                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                      C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2916
                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                        "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of SetThreadContext
                        • System Location Discovery: System Language Discovery
                        PID:1980
                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                          C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                          12⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of AdjustPrivilegeToken
                          PID:408
                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                            13⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            PID:964
                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                              14⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1320
                              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                15⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                PID:864
                                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                  C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2116
                                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                    "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                    17⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Suspicious use of SetThreadContext
                                    • System Location Discovery: System Language Discovery
                                    PID:1424
                                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                      C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1292
                                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                        "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                        19⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Suspicious use of SetThreadContext
                                        • System Location Discovery: System Language Discovery
                                        PID:236
                                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                          C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1360
                                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                            21⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious use of SetThreadContext
                                            • System Location Discovery: System Language Discovery
                                            PID:896
                                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                              22⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • System Location Discovery: System Language Discovery
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2208
                                              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                23⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Suspicious use of SetThreadContext
                                                • System Location Discovery: System Language Discovery
                                                PID:2488
                                                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                  C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                  24⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2336
                                                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Loads dropped DLL
                                                    • Suspicious use of SetThreadContext
                                                    • System Location Discovery: System Language Discovery
                                                    PID:2176
                                                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                      C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      • System Location Discovery: System Language Discovery
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2708
                                                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of SetThreadContext
                                                        PID:2812
                                                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                          C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2828
                                                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of SetThreadContext
                                                            • System Location Discovery: System Language Discovery
                                                            PID:1740
                                                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • System Location Discovery: System Language Discovery
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2008
                                                              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                • Suspicious use of SetThreadContext
                                                                PID:680
                                                                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • System Location Discovery: System Language Discovery
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2524
                                                                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • Suspicious use of SetThreadContext
                                                                    • System Location Discovery: System Language Discovery
                                                                    PID:1704
                                                                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • System Location Discovery: System Language Discovery
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2988
                                                                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Suspicious use of SetThreadContext
                                                                        • System Location Discovery: System Language Discovery
                                                                        PID:2876
                                                                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                          36⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2868
                                                                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:1980
                                                                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                              38⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1624
                                                                              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:1804
                                                                                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                  C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1296
                                                                                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Loads dropped DLL
                                                                                    • Suspicious use of SetThreadContext
                                                                                    PID:904
                                                                                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                      42⤵
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2852
                                                                                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:1552
                                                                                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                          44⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:836
                                                                                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Loads dropped DLL
                                                                                            • Suspicious use of SetThreadContext
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:2288
                                                                                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1448
                                                                                              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Loads dropped DLL
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                PID:2972
                                                                                                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                  C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                  48⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Loads dropped DLL
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1680
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Loads dropped DLL
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:2992
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                      50⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Loads dropped DLL
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:1504
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Loads dropped DLL
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        PID:2980
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                          C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Loads dropped DLL
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:2632
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Loads dropped DLL
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            PID:2924
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Loads dropped DLL
                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              PID:292
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Loads dropped DLL
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                PID:2416
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                  C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Loads dropped DLL
                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                  PID:2824
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Loads dropped DLL
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:3012
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                      C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                      58⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Loads dropped DLL
                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      PID:2612
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Loads dropped DLL
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                        PID:2592
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                          C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                          60⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Loads dropped DLL
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:1920
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Loads dropped DLL
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                            PID:1568
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                              62⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • System Location Discovery: System Language Discovery
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:1508
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Loads dropped DLL
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                PID:2568
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  PID:3020
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                    PID:1796
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                      66⤵
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      PID:2908
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                                        67⤵
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                                                        PID:2152
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                          68⤵
                                                                                                                                          • System Location Discovery: System Language Discovery
                                                                                                                                          PID:2476
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                                            69⤵
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                            PID:1664
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                              70⤵
                                                                                                                                                PID:2480
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                                                  71⤵
                                                                                                                                                  • Suspicious use of SetThreadContext
                                                                                                                                                  PID:2388
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                                    72⤵
                                                                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                                                                    PID:1120
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                                                      73⤵
                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                                                                      PID:1736
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                                        74⤵
                                                                                                                                                          PID:960
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                                                                                                                                            75⤵
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                                                                            PID:1712
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
76⤵
• System Location Discovery: System Language Discovery
PID:2168
• C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
  "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
  77⤵
  • Suspicious use of SetThreadContext
  • System Location Discovery: System Language Discovery
  PID:880
  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
    C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
    78⤵
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
      "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
      79⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      PID:888
      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
        C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
        80⤵
        PID:1880
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          81⤵
          PID:2512
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          81⤵
          PID:3036
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            82⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:2072
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275457 /prefetch:2
              83⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2680
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2072 CREDAT:275472 /prefetch:2
              83⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2928
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          81⤵
          PID:2384
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          81⤵
          • System Location Discovery: System Language Discovery
          PID:2276
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            82⤵
            PID:1432
        • C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe
          "C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe" elevate
          81⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          PID:2176
          • C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe
            C:\Users\Admin\AppData\Local\Temp\jjwjnxqeieywgpvv.exe
            82⤵
            PID:2472
            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
              "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
              83⤵
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:1904
              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                84⤵
                PID:2024
                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                  "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                  85⤵
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  PID:112
                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                    C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                    86⤵
                    PID:2536
                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                      "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                      87⤵
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      PID:2028
                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                        C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                        88⤵
                        PID:2216
                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                          "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                          89⤵
                          • Suspicious use of SetThreadContext
                          PID:2148
                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                            C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                            90⤵
                            • System Location Discovery: System Language Discovery
                            PID:2900
                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                              "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                              91⤵
                              • Suspicious use of SetThreadContext
                              PID:2352
                              • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                92⤵
                                • System Location Discovery: System Language Discovery
                                PID:1180
                                • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                  "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                  93⤵
                                  • Suspicious use of SetThreadContext
                                  PID:2904
                                  • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                    C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                    94⤵
                                    PID:448
                                    • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                      "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                      95⤵
                                      • Suspicious use of SetThreadContext
                                      PID:1512
                                      • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                        C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                        96⤵
                                        PID:2504
                                        • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                          "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                          97⤵
                                          • Suspicious use of SetThreadContext
                                          PID:1584
                                          • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                            C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                            98⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:2496
                                            • C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe
                                              "C:\Users\Admin\AppData\Local\Temp\vfjytefgnhugvybr.exe" elevate
                                              99⤵
                                              PID:2140

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 352bf97ab05953ab16502f111a374ef1
  SHA1: 3142221b2eedece1bdcb65dad23a410aeeb5df5e
  SHA256: 7fd2d35e763abb8663fba0bc6f4a13f33e9af635a5dfd4e469e08ac534be4f3c
  SHA512: d083e61b05f4c8e42eeeaa8ef082cc52b2a80b3ea77d4605e81573fd044b5ff3ca0a78d72448071b28647470394042ff193de01ec97d6a5e1ccacbeb4506d03e

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: af8fe744f63c896be8adf9e218ef587f
  SHA1: 8586a37098200a76daedf229b531e41b0bee8fef
  SHA256: a8e42295d0269715097f8aa6f481cb30e3c8aad0e87a9dad9027e8763596c405
  SHA512: b0ea32d030c9510bb7e3db10c10d5602a6d801adca67bc04ac19261b56df9c726d3648d3420224203432328cfcbef9f00068582eec7de6d9b622baf80f19d226

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a0490f1478a5bff28a6e55ae312f3fa1
  SHA1: 5d5a56828cfcb3cf52f8540420bce4282d71184c
  SHA256: 434fef6ff97d5fdae762c62918aeaf2b8bb2991818d5c97a6eb702519fcca91d
  SHA512: 52906e2e21d963fab28f8a2ceb0c216174f6e8d84ddb8ca246ec413e8555f27020efd0984a52091a1c02d6be95c910347b5480e1f5cc6f376fbfb90d711f5bd7

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 05cab1289e0c82c2677586a6d2addd34
  SHA1: 6438c420a3535b0f044d4f73113fbe62b5bb3eb2
  SHA256: 2933e3788ca0ffbb4dc12753728299ca9ce4f1f5fd9cf37491c1f5c37e29156f
  SHA512: 6477e3018a7a669078ac30a112224ccd796e04bcf16d5f9ac55f482e15aa9dc74c1d1efb33fec8df182d2b2efa26ba86b00baad62bb8ca0099cfeccb5f53482b

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bc8bfa975330ac9c678fd85e65744725
  SHA1: 1fa27e522b02a20839fd38bb812438b7f06fa711
  SHA256: c2408e939dd11a3b641e40d6fc7fee4ee145cc74de1ae32691d6cef5e5fd739c
  SHA512: 50cee180e19d93b9fd15d453775336d0028818596ce82523abb738ede8e1cf62c2b36bdfe2dd1593018734ebec42b4a605462a921d9f519d185a5d421e4db08f

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b4986135a20f378142ee0f2f23dbd12a
  SHA1: c505f8bacc83d7655d9a560c78b61df9114dad3e
  SHA256: b9f6236838b5f4f09acf080ae0b7fd369093394f701e02697128565cb04c659b
  SHA512: a468ffa1a0a545e8471a3dfd6718865f657d086a702e9de5774b2c505afb7c74bb837dfd5242c0c948c42d171c844cf04c2ed769e569ca55971c01c0b13b4daf

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 86d3e53e8ccf4b1ea0d1a38e64d98ed6
  SHA1: 8c228881194e0603647c2cc4466ff6f167a15100
  SHA256: 44ab65146531ab74fdfd086658f5e68fed0b6ed7313e075f859c57d19e4bba87
  SHA512: 2c21e95798d8cfb94b1c6e5fb7492ca9ec8107f45dd00c49594ac6635b59975a731e88ba3eadc4a89fb689e250d1c2bdbbce38a5311b709bcf3f38c410c5fc17

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e5ef84b1484de5c8617eee4a88fed568
  SHA1: 7f34570820bc5a26e3c8edbec858e836715375b5
  SHA256: 34825829383d667414a0684d23531bab2500b0e9a1603d93baa2eb32509a8856
  SHA512: bd958c7812d51f28e57557024ea2c3ca91fe6e8b1bed2fcf74ce445ee1c735f550ad723d770905c9604cb843854833bbae7be322a023fce91975595dce37ec3e

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 47904ae1d1d8d5db898b22b815a57f32
  SHA1: 2e90ef7fb6b025d2f4394e5838ed86d2b11f358f
  SHA256: 85541d32a54a611e80e7d8f0bfa46397ef5ae01fab7ecea1db5e954c2c681069
  SHA512: a09230e15847de68d8a9b571add1553059bfd5a9785388ec4b0564fcb24224687784b5c0df16f6128a9054422d8db0b8357f2f847af920bad22441e9b8bc9866

• C:\Users\Admin\AppData\Local\Temp\Cab74D4.tmp
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

• C:\Users\Admin\AppData\Local\Temp\Tar7536.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

• \Users\Admin\AppData\Local\Temp\p7q0EPZi
  Filesize: 169KB
  MD5: 8d7fffdc5fa650429e06d7d7f9b9e639
  SHA1: f072366e3522f1ae05704410af710f95daab57a9
  SHA256: 6f64930ab0dae493aa7adce4f1b8687b99d3b4a57b52f760acd1de61ce12a8e3
  SHA512: 91c4a6760117be43ecf73e035e1a07009af82a81aafe8f78f86938c341018b49e8f20a7ec71a27882ca31719d42ca764702e0be13a378d53fbc2f4bb910da8cf

• memory/292-479-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/408-162-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/448-1190-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1120-592-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1292-215-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1320-179-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1504-451-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-14-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-93-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-17-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-10-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-12-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-57-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-13-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-21-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-18-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1544-26-0x0000000077070000-0x0000000077071000-memory.dmp (Filesize: 4KB)
• memory/1544-25-0x000000007706F000-0x0000000077070000-memory.dmp (Filesize: 4KB)
• memory/1544-24-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
• memory/1544-23-0x0000000000260000-0x0000000000261000-memory.dmp (Filesize: 4KB)

• memory/1624-377-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1872-108-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1880-1097-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1880-645-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/1920-518-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2008-315-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2020-128-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2024-1129-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2108-20-0x0000000000400000-0x0000000000431000-memory.dmp (Filesize: 196KB)
• memory/2116-193-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2116-198-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2168-617-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2336-263-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2472-1116-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2504-1203-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2524-332-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2632-466-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2640-30-0x0000000000050000-0x0000000000051000-memory.dmp (Filesize: 4KB)
• memory/2640-28-0x0000000020010000-0x000000002001C000-memory.dmp (Filesize: 48KB)
• memory/2640-35-0x0000000000050000-0x0000000000051000-memory.dmp (Filesize: 4KB)
• memory/2640-41-0x0000000020010000-0x000000002001C000-memory.dmp (Filesize: 48KB)
• memory/2640-34-0x0000000000070000-0x0000000000071000-memory.dmp (Filesize: 4KB)
• memory/2640-36-0x0000000020010000-0x000000002001C000-memory.dmp (Filesize: 48KB)
• memory/2640-40-0x0000000000060000-0x0000000000061000-memory.dmp (Filesize: 4KB)
• memory/2640-43-0x0000000020010000-0x000000002001C000-memory.dmp (Filesize: 48KB)
• memory/2640-42-0x0000000020010000-0x000000002001C000-memory.dmp (Filesize: 48KB)

• memory/2660-71-0x0000000020010000-0x000000002002C000-memory.dmp (Filesize: 112KB)
• memory/2660-65-0x0000000020010000-0x000000002002C000-memory.dmp (Filesize: 112KB)
• memory/2660-53-0x0000000020010000-0x000000002002C000-memory.dmp (Filesize: 112KB)
• memory/2660-47-0x0000000020010000-0x000000002002C000-memory.dmp (Filesize: 112KB)
• memory/2660-64-0x0000000020010000-0x000000002002C000-memory.dmp (Filesize: 112KB)
• memory/2660-75-0x0000000020010000-0x000000002002C000-memory.dmp (Filesize: 112KB)
• memory/2660-74-0x0000000020010000-0x000000002002C000-memory.dmp (Filesize: 112KB)
• memory/2708-277-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2824-492-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2828-297-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2852-404-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2868-364-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2916-146-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/2988-353-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
• memory/3020-543-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)