Analysis Overview
SHA256
d572a3e702f57df2dd68da71520522dea73e0b71e4d7087361fafb8d3afa75a5
Threat Level: Known bad
The file 3d43c7a4be9da757591f4052c133b58f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Eternity family
Contains code to disable Windows Defender
Eternity
Modifies Windows Defender Real-time Protection settings
Detects Eternity stealer
NirSoft WebBrowserPassView
Detected Nirsoft tools
Disables Task Manager via registry modification
Reads user/profile data of web browsers
Windows security modification
Drops startup file
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
UPX packed file
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-13 02:22
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Eternity stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Eternity family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-13 02:22
Reported
2024-10-13 02:25
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Eternity stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Eternity
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tarmcucx.dnn\dd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Users\Admin\AppData\Local\Temp\tarmcucx.dnn\dd.exe
"C:\Users\Admin\AppData\Local\Temp\tarmcucx.dnn\dd.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2248 -s 1124
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6muX+SLVfepJcK7ZJtwoeVF785WCnIoIuzIhyWNzKgwvuOrXCyijC3rKE0OC9XJFZ56fDgGKqTpMYXxm7p5+tZ4Ex1prba4YUN0IODgr5FUXGOh802CtM6AuQYF6lIYIA=
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | itroublvehacker.gq | udp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
memory/2248-0-0x000007FEF5633000-0x000007FEF5634000-memory.dmp
memory/2248-1-0x00000000000D0000-0x000000000076C000-memory.dmp
memory/2248-2-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/2248-3-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/2248-4-0x000000001BD30000-0x000000001C046000-memory.dmp
memory/2248-6-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/2248-5-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/2248-7-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/2248-8-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/2736-15-0x000007FEECDCE000-0x000007FEECDCF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tarmcucx.dnn\dd.exe
| MD5 | 86f99a591d58073029e3a9d74cdd7217 |
| SHA1 | 50495581f8969122e31ecf2647212e655aad8d15 |
| SHA256 | 5be174b8ccfec18e449b6f8358a4c51100fd1cbd36f82876f3cd2a4c21fe360d |
| SHA512 | 8e553e0fd9486761f548d98c46fe1e4e568ad2d0bef6a422e07b8900b6b0152b6544e74a3dec5208211a6ec807ddbfa107f465068338a1060ac66cb261888be6 |
memory/2816-20-0x0000000000E00000-0x00000000010DE000-memory.dmp
memory/2736-21-0x0000000002640000-0x0000000002648000-memory.dmp
memory/2736-19-0x000000001B780000-0x000000001BA62000-memory.dmp
memory/2736-22-0x000007FEECB10000-0x000007FEED4AD000-memory.dmp
memory/2736-23-0x000007FEECB10000-0x000007FEED4AD000-memory.dmp
memory/2736-24-0x000007FEECB10000-0x000007FEED4AD000-memory.dmp
memory/2736-25-0x000007FEECB10000-0x000007FEED4AD000-memory.dmp
memory/2736-26-0x000007FEECB10000-0x000007FEED4AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
| MD5 | 88ab0bb59b0b20816a833ba91c1606d3 |
| SHA1 | 72c09b7789a4bac8fee41227d101daed8437edeb |
| SHA256 | f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312 |
| SHA512 | 05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857 |
memory/2216-36-0x0000000000890000-0x0000000000B6A000-memory.dmp
memory/2216-37-0x000000001B390000-0x000000001B6D2000-memory.dmp
memory/2216-38-0x00000000001C0000-0x00000000001C6000-memory.dmp
memory/2216-39-0x00000000025C0000-0x0000000002670000-memory.dmp
memory/2248-70-0x000007FEF5633000-0x000007FEF5634000-memory.dmp
memory/2248-71-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\config
| MD5 | 5cf0b95f68c3304427f858db1cdde895 |
| SHA1 | a0c5c3872307e9497f8868b9b8b956b9736a9cdf |
| SHA256 | 353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa |
| SHA512 | 5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b |
memory/2248-73-0x000007FEF5630000-0x000007FEF601C000-memory.dmp
memory/2216-75-0x0000000002440000-0x000000000244C000-memory.dmp
memory/2216-74-0x00000000024E0000-0x0000000002510000-memory.dmp
memory/2216-77-0x000000001AB40000-0x000000001AB72000-memory.dmp
memory/2216-76-0x0000000002510000-0x000000000252A000-memory.dmp
memory/2216-78-0x000000001B100000-0x000000001B1A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\compile.vbs
| MD5 | ca906422a558f4bc9e471709f62ec1a9 |
| SHA1 | e3da070007fdeae52779964df6f71fcb697ffb06 |
| SHA256 | abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee |
| SHA512 | 661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b |
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | d90accebb3f79fe65cd938425c07b0ae |
| SHA1 | 9df3812a88d87dd419cd9e89afa5fb1d71be0dc9 |
| SHA256 | aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e |
| SHA512 | 44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560 |
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
| MD5 | 899d3ed011eb58459b8a4fc2b81f0924 |
| SHA1 | 80361f1e0b93143ec1ddfee156760f5938c85791 |
| SHA256 | 5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954 |
| SHA512 | 802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05 |
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg
| MD5 | 5242530a2b65089696f3cf8e5ee02ff7 |
| SHA1 | d604293148cdd953b3368c54920c043cffe9e1c1 |
| SHA256 | 239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781 |
| SHA512 | 7aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a |
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | 808099bfbd62ec04f0ed44959bbc6160 |
| SHA1 | f4b6853d958c2c4416f6e4a5be8a11d86f64c023 |
| SHA256 | f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8 |
| SHA512 | e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0 |
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
| MD5 | 053778713819beab3df309df472787cd |
| SHA1 | 99c7b5827df89b4fafc2b565abed97c58a3c65b8 |
| SHA256 | f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe |
| SHA512 | 35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb |
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | eb51755b637423154d1341c6ee505f50 |
| SHA1 | d71d27e283b26e75e58c0d02f91d91a2e914c959 |
| SHA256 | db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9 |
| SHA512 | e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5 |
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
| MD5 | a776e68f497c996788b406a3dc5089eb |
| SHA1 | 45bf5e512752389fe71f20b64aa344f6ca0cad50 |
| SHA256 | 071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1 |
| SHA512 | 02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073 |
memory/872-112-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1532-122-0x0000000000400000-0x000000000041B000-memory.dmp
memory/872-118-0x0000000000400000-0x000000000045B000-memory.dmp
memory/1532-117-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
| MD5 | 0d8360781e488e250587a17fbefa646c |
| SHA1 | 29bc9b438efd70defa8fc45a6f8ee524143f6d04 |
| SHA256 | ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64 |
| SHA512 | 940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e |
C:\Users\Admin\AppData\Local\Temp\hh.exe
| MD5 | 4d4c98eca32b14aeb074db34cd0881e4 |
| SHA1 | 92f213d609bba05d41d6941652a88c44936663a4 |
| SHA256 | 4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f |
| SHA512 | 959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf |
C:\Users\Admin\AppData\Local\Temp\compile.bat
| MD5 | 91128da441ad667b8c54ebeadeca7525 |
| SHA1 | 24b5c77fb68db64cba27c338e4373a455111a8cc |
| SHA256 | 50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873 |
| SHA512 | bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd |
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg
| MD5 | ae8eed5a6b1470aec0e7fece8b0669ef |
| SHA1 | ca0e896f90c38f3a8bc679ea14c808726d8ef730 |
| SHA256 | 3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e |
| SHA512 | e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6 |
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
| MD5 | df991217f1cfadd9acfa56f878da5ee7 |
| SHA1 | 0b03b34cfb2985a840db279778ca828e69813116 |
| SHA256 | deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112 |
| SHA512 | 175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316 |
C:\Users\Admin\AppData\Local\Temp\bhv34D6.tmp
| MD5 | 4f534897ed6b76d94e3a55c9b72e1369 |
| SHA1 | 710415a5e4d2d763fd6211f90817803f59d9bd3c |
| SHA256 | 9829a11bd564d8f37579016582683bb9989ba3d0a4f38689bdba83a05ccf8677 |
| SHA512 | 5e4bff61663750ae25c63e8a424f7d886bcd2ad68a120e9a0723a12a8ed62d5640860db05288c3c25f22524a30c4712ccf798436d700f5ee4b10b593f872e2c0 |
C:\Users\Admin\AppData\Local\Temp\whysosad
| MD5 | fc3c88c2080884d6c995d48e172fbc4f |
| SHA1 | cb1dcc479ad2533f390786b0480f66296b847ad3 |
| SHA256 | 1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664 |
| SHA512 | 4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-13 02:22
Reported
2024-10-13 02:25
Platform
win10v2004-20241007-en
Max time kernel
98s
Max time network
142s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Eternity stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Eternity
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfsvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d43c7a4be9da757591f4052c133b58f_JaffaCakes118.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe
"C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe"
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6muX+SLVfepJcK7ZJtwoeVF785WCnIoIuzIhyWNzKgwvuOrXCyijC3rKE0OC9XJFZ56fDgGKqTpMYXxm7p5+tZ4Ex1prba4YUN0IODgr5FUXGOh802CtM6AuQYF6lIYIA=
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
Files
C:\Users\Admin\AppData\Local\Temp\n2exwt2m.pe0\dd.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ewaoahct.et5.ps1
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
C:\Users\Admin\AppData\Local\Temp\config
C:\Users\Admin\AppData\Local\Temp\compile.vbs
C:\Users\Admin\AppData\Local\Temp\compile.bat
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg
C:\Users\Admin\AppData\Local\Temp\compile.bat
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
C:\Users\Admin\AppData\Local\Temp\compile.bat
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\Cookies1
C:\Users\Admin\AppData\Local\Temp\Cookies3
C:\Users\Admin\AppData\Local\Temp\compile.bat
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg
C:\Users\Admin\AppData\Local\Temp\bhvE6D6.tmp
C:\Users\Admin\AppData\Local\Temp\Admin_History.txt
C:\Users\Admin\AppData\Local\Temp\whysosad