darkcomet | f658e5db4dd562be92458a18a84e0713eb3ac9c7ae13f02767ee6ae0376efbb4

Analysis

max time kernel
122s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Size

1.4MB
MD5

5968bd1843bca9ec5b655c9fdf219e8e
SHA1

c44f9696d0ff3ac324c549615fe06d52899e199b
SHA256

f658e5db4dd562be92458a18a84e0713eb3ac9c7ae13f02767ee6ae0376efbb4
SHA512

c252e3feabf3435fd8135d92d619ce5ee1e67e94ea59b10d54451dbb3985dd8ab6be750c4d539952f292691fc7678b83cfbc5828af4cc7c1db390ecd680bdd19
SSDEEP

24576:Gu+mLlxpqrdJwkbVYG3HklghoOLGTEANNOIZauPVTOMUC:mElxYBJwwqGUl1kcEYauPV

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdos32.exe"	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
1600	attrib.exe
3044	attrib.exe

Executes dropped EXE 3 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exemsdos32.exemsdos32.exe

pid	Process
2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
536	msdos32.exe
1420	msdos32.exe

Loads dropped DLL 6 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exemsdos32.exe

pid	Process
2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
536	msdos32.exe
536	msdos32.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exemsdos32.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysUpdate = "C:\\Windows\\MSDCSC\\msdos32.exe"	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysUpdate = "C:\\Windows\\MSDCSC\\msdos32.exe"	msdos32.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exemsdos32.exemsdos32.exe

description	pid	Process	procid_target
PID 2432 set thread context of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 536 set thread context of 1420	536	msdos32.exe	45
PID 1420 set thread context of 1744	1420	msdos32.exe	46

Drops file in Windows directory 3 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\MSDCSC\	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
File created	C:\Windows\MSDCSC\msdos32.exe	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
File opened for modification	C:\Windows\MSDCSC\msdos32.exe	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

attrib.exeattrib.exeIEXPLORE.EXEvbc.exevbc.exeiexplore.exe5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.execmd.exemsdos32.exe5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.execmd.execvtres.exemsdos32.execvtres.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdos32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdos32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b06a6fe3a221db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000bc82b350ac95a3cfd8078528c2ee4fa1a3619216b98171af2b5af85695c2e273000000000e8000000002000020000000b09f05bc3a30d00a9fc39e8ac772f0444fc795e3a6d3100cb42e49a9e13e3aa190000000c3138f285df419ca3963494cd023aa93890108a71679a86d13f005ff87615f7aa2e88654f440e9a0649d267b625358d61c333df716ba5cdc44f7c8f34b1774ad3650ad2046066b755dce81aa55c3b02239dac4e9512cafbe6bebfe6dd48c3f4e16b791a681edf18dd1768e485815f3958508503390894b9333cb88ea857c0b652ee9c0765ed52dc184d7cafcc936db7c40000000e013597726876004944ea742aac9468c7ab3c3f7e6671f9adb2dab673d72c4dca321616d9a7c658ca751627a90ef6ca96429a76ba185b27e799897bca5eb9b89	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000ccd43acdfbccf69d33240691486f5e4e251a473451010862d0f62546c30bb429000000000e8000000002000020000000cf148e2f8620b6ecbc21b95f33814c4c28f94143a46b67cfe960fe6ad136bac920000000b3ef7999487c5ebffd2516285aff91ee1569afcf053a28a9ec0a7700d52c5bdc400000005f887968e5e5366184fba82a58e30e754292fb6577f906a9083d4329033ad1c0121a870752dd8e304de90d3820d8cde4ce0a4ad8c020f1bf44a0fe13c782c81c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435447972"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0BFBD901-8D96-11EF-833B-EE9D5ADBD8E3} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exemsdos32.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeBackupPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeRestorePrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeShutdownPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeDebugPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeUndockPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: 33	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: 34	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: 35	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1420	msdos32.exe
Token: SeSecurityPrivilege	1420	msdos32.exe
Token: SeTakeOwnershipPrivilege	1420	msdos32.exe
Token: SeLoadDriverPrivilege	1420	msdos32.exe
Token: SeSystemProfilePrivilege	1420	msdos32.exe
Token: SeSystemtimePrivilege	1420	msdos32.exe
Token: SeProfSingleProcessPrivilege	1420	msdos32.exe
Token: SeIncBasePriorityPrivilege	1420	msdos32.exe
Token: SeCreatePagefilePrivilege	1420	msdos32.exe
Token: SeBackupPrivilege	1420	msdos32.exe
Token: SeRestorePrivilege	1420	msdos32.exe
Token: SeShutdownPrivilege	1420	msdos32.exe
Token: SeDebugPrivilege	1420	msdos32.exe
Token: SeSystemEnvironmentPrivilege	1420	msdos32.exe
Token: SeChangeNotifyPrivilege	1420	msdos32.exe
Token: SeRemoteShutdownPrivilege	1420	msdos32.exe
Token: SeUndockPrivilege	1420	msdos32.exe
Token: SeManageVolumePrivilege	1420	msdos32.exe
Token: SeImpersonatePrivilege	1420	msdos32.exe
Token: SeCreateGlobalPrivilege	1420	msdos32.exe
Token: 33	1420	msdos32.exe
Token: 34	1420	msdos32.exe
Token: 35	1420	msdos32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
1268	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1268	iexplore.exe
1268	iexplore.exe
848	IEXPLORE.EXE
848	IEXPLORE.EXE
848	IEXPLORE.EXE
848	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exevbc.exe5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.execmd.execmd.exemsdos32.exevbc.exe

description	pid	Process	procid_target
PID 2432 wrote to memory of 2072	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2072	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2072	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2072	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	31
PID 2072 wrote to memory of 2204	2072	vbc.exe	33
PID 2072 wrote to memory of 2204	2072	vbc.exe	33
PID 2072 wrote to memory of 2204	2072	vbc.exe	33
PID 2072 wrote to memory of 2204	2072	vbc.exe	33
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2432 wrote to memory of 2832	2432	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	34
PID 2832 wrote to memory of 2264	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	35
PID 2832 wrote to memory of 2264	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	35
PID 2832 wrote to memory of 2264	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	35
PID 2832 wrote to memory of 2264	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	35
PID 2832 wrote to memory of 2860	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	36
PID 2832 wrote to memory of 2860	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	36
PID 2832 wrote to memory of 2860	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	36
PID 2832 wrote to memory of 2860	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	36
PID 2860 wrote to memory of 1600	2860	cmd.exe	39
PID 2860 wrote to memory of 1600	2860	cmd.exe	39
PID 2860 wrote to memory of 1600	2860	cmd.exe	39
PID 2860 wrote to memory of 1600	2860	cmd.exe	39
PID 2264 wrote to memory of 3044	2264	cmd.exe	40
PID 2264 wrote to memory of 3044	2264	cmd.exe	40
PID 2264 wrote to memory of 3044	2264	cmd.exe	40
PID 2264 wrote to memory of 3044	2264	cmd.exe	40
PID 2832 wrote to memory of 536	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	41
PID 2832 wrote to memory of 536	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	41
PID 2832 wrote to memory of 536	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	41
PID 2832 wrote to memory of 536	2832	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	41
PID 536 wrote to memory of 1752	536	msdos32.exe	42
PID 536 wrote to memory of 1752	536	msdos32.exe	42
PID 536 wrote to memory of 1752	536	msdos32.exe	42
PID 536 wrote to memory of 1752	536	msdos32.exe	42
PID 1752 wrote to memory of 2120	1752	vbc.exe	44
PID 1752 wrote to memory of 2120	1752	vbc.exe	44
PID 1752 wrote to memory of 2120	1752	vbc.exe	44
PID 1752 wrote to memory of 2120	1752	vbc.exe	44
PID 536 wrote to memory of 1420	536	msdos32.exe	45
PID 536 wrote to memory of 1420	536	msdos32.exe	45
PID 536 wrote to memory of 1420	536	msdos32.exe	45
PID 536 wrote to memory of 1420	536	msdos32.exe	45
PID 536 wrote to memory of 1420	536	msdos32.exe	45
PID 536 wrote to memory of 1420	536	msdos32.exe	45
PID 536 wrote to memory of 1420	536	msdos32.exe	45
PID 536 wrote to memory of 1420	536	msdos32.exe	45
PID 536 wrote to memory of 1420	536	msdos32.exe	45

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
1600	attrib.exe
3044	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\z2gdastq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD0E6.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
- C:\Users\Admin\AppData\Local\Microsoft\Windows\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1600
- - C:\Windows\MSDCSC\msdos32.exe
    "C:\Windows\MSDCSC\msdos32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9_o6ifkh.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEB97.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2120
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\msdos32.exe
      C:\Users\Admin\AppData\Local\Microsoft\Windows\msdos32.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1420
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1268
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1268 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
836043eb6a0181e4eb8b42d315def759

SHA1
efdc1dd397765b169748fd19268ccf56c4ffd9d4

SHA256
413c64f67f5371dc9a6613c1158e88b3443d01ad1d5899c7ab7459b8c4aa72f2

SHA512
f7074ee86b9b120e7c2c12ff5c53370beeed2625786dd4421bc8b65b37be600bebcd8d264a7d16914101be5da1180270db9c71870ebecd874ba68511762dcf84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d55e901f257f58f38fdfc1cae5764b31

SHA1
d0614b5429917fd881d82d7a6793b7be4f8a1201

SHA256
d62868008fe7f06793fe1a5f853685f3081ca28be89ba7210312baebf1cd648c

SHA512
0126d1ffd886aaa28c805907542e1ac4a7bce29c5adb94f79b095134b75a76b9c489e3a585ad894e169ecf7849b4d0974a53a198d8292c86af26a9c6c2d1c2c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
351a7d7496bf7bbb0937df6348416708

SHA1
be1fa65d91b89438027e00c9f305e036420bc7d4

SHA256
ea857ed619b39fc4341aeaec8eb8ccade874d97b10c53e66e656d784fa7dad77

SHA512
c4a62692860c77a86bc831e000c318798c2c47cab763da4479ab14553e6b5cdca86b31a29138ff5e2d1527f28e389fa9ca5b86298a23e46460f7758092d949f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcd6ef11362907632afda7f8eb35bd7a

SHA1
c0c9aa7f4444233975f280c078175e062cdb4c62

SHA256
b26f56ba4e0505a919dc5f6c92b1c473fb64f3387fe804d4a9fafda745dc5635

SHA512
c3d8797c92906070fc28ad78d38306af1b46e0de5358774ba9235a414fa7af05da0358b53ae7561dfabcbd3337a0d586169541c88b4c67dca8a8fda2ebfbd943

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb6d23beb1376c7ec68a90ea715a505d

SHA1
881a32e2c5da3963b9149e68004a0fbe64135012

SHA256
d32129961febfd59eb9fd9d52b7dfb4e9f83330bcdb58d525d99e4e8d74a0c95

SHA512
e65ae13b88cc2420bc86b02c44e67239268964423e74d3afd33f24a81401b8cdfe7cd81a9b2f6b1b9b7064dd84196c80b9dc67bf8f9a9b79a4e72a0306d33af4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72058144b0bd9bffb2b65c42eb0e031d

SHA1
c0d9346336bd3cae814dbbdd0f76ef7f806f4223

SHA256
bcf97684a0ac0dd0dcea92a143d8bb49a761132bba92099a9f7247a432f8b3c6

SHA512
63cadc0378749e08190c4f9a1280d1b1c4c7ed6cfd562a699e6da2962653470516966793c228e456864617577f8586d48e53fd076df61ff3cd2b4a204b54bc99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a4a143c65def4fa572f08bfdd9a77fd

SHA1
b966168f9f91a720f5343051f0e6d5a9fcd6e134

SHA256
3c8c75d0014213e065f9c407051457affd1e68ad8aa128520f50038b068030af

SHA512
0f92043cdbb9ed5dccc42c4f2bfef112e3b2daa5ec0044ce78e2804f3d89872b5e039da3ca929d403b3c36683363f1be400a2e7752ff1e1fd46e85ae336c3e94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ccc173ba4c4520d689a2c61d478ab07

SHA1
a758fd4561cad49972ebad43997069f1bc36b94f

SHA256
884f788f32b0849a89fe7ba551df0c8efd2989256f6ee61f0212fe1b0203487b

SHA512
7e2df425c56c8718a2c3fa3404930e992d6cb69aba845b5ec9138de16887325870a653e5212724c14a1fc79a9aac50028d24117666731bcdd55087bb5838bf50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
218cd54fda217f3462e9e8195fd5073b

SHA1
510ed66ba2c637cc7bf77ac821997e5c6fd42c16

SHA256
95181200b6c132abc629bf64cf00da932e1fc7c22eb59bd30261488005c2cf9d

SHA512
543a5cf58eb6ca43f1b2ea69d5f40b48b1b024b8ef0a2829daa7c93e127066d1feff54bc5092c8f6ad19639dcb3b9df71c7cd5a9098cfbac92e0aa1bf18ad6f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f8e80daaab9406bdb5e0b150f64a63a

SHA1
a403cb503de6f7aedf679025cc12413d4fe072a8

SHA256
c24d7ee6df6e6ccf24c90f42568b50dddf210adca959d122c79fa0c1fb458035

SHA512
a94a5b195826b280c6979de6761c641c3f282180b471f0f416884db58c03e05e73d3922dc038d25c4d3382fe02ebbe55b7046c7bbfc159ebab2588a1c1d40071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37502a8bb2f2af04911f3790ccf17f64

SHA1
bc2efc9c4165434f63728979251fe07a85cf95a2

SHA256
6ff8e8bd3e2afbf735cc1371951211b5f67ca48ca21a8f0464a6861145285101

SHA512
06127e222ca99c0bceea26f9fd64e8f0f7b4b551f98cdd43f6e7ae7fbab3d457016d01dfe8c576e12aff842460731104cd1dca28929dbbee421627bbad046ee6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e277c5ded7ac0e7582b1998a0eef5bb4

SHA1
b69564880c17ef16111e4fdff2c1c0721d240ad8

SHA256
4550497bd1ffc6381d1e7208df35a314a46fa2472c8c718a2bb43bf2d2cb8eb4

SHA512
58c04ed2fda6124afa35c7685c85ac4090755f5c1ba46485cb0df4ee222bdd02d50cebf906c6c26b2fa3f3fdae3b2b0dbad4d118d5502933fdc1f9cf8ac77ab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d1e6e5ba93cfbba78e67a62429d70b5

SHA1
7bcb39565578f0601dfaf9744ecca115cb8ee78e

SHA256
f410c18500dad22d120c24d288e845db6e9a42d48021e75cd40e29ff7b95aa9b

SHA512
5763c60672a6fb01fc2d6630417d388d717510c35e6e24c273d818221260d42333a163f17b911388d9462d017430474415964f8b71bb0b17ca9faa2e57332994

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f1af8fcae5ae3c0d626585d8ab89db9

SHA1
03a4c4dac3563b2b9ab3b0438edb2b17ef3ffa1a

SHA256
29bf2e1de1126115b24af521f8aa4811f57b3ce60bd941d7c98286d1b1e7b6ba

SHA512
508689f50c6f4a549c859fa119f0e99d5b83f7a852fd3daa4b661d5211121124baa1eb4465103ee84ed4a766e553fb2c1027fe128c5b0f6d05e90cbe7548b936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
974fc51f6b64938fab2f8e18ea8351df

SHA1
3fcbaa2613ac30b749f495e147436a1ebf517196

SHA256
5ac477ceb92a3ca5f0fb2943a721c54cf36be85d08756a97fe72b4060209f438

SHA512
981da68583c661ace7c87b60cb3e2f8ffbf469be3462e2594618edac08ff134cab7615d352a77ccd87bb3fb1191b30486dfed2aaf76e16fcd306a0490a18abc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
152022bd99b76ce5d82c09f262f600c3

SHA1
24a6b71214f6e60002eda151afa638b07ce0cc0c

SHA256
5bb5faf3c1013f8410b0333d68008493fc021e1ab61740682b0a6a309e4693f6

SHA512
63f703b6718322bc8c202f35b5747c81e7028ba02cc397b197c8057f3e53b857f98aa108243d52562cfb33bb430a588be33b849a7176d1c9d827e910f8628836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50d8a3ec20f8372a4015c8fd65350dba

SHA1
c330f23a7b4a057961e6585733cb0f5ed19828e0

SHA256
40231bce0f243b1d202534a8c5f03660437b636f9f58ccffc8296f081c3c647a

SHA512
3b34184d95796bc182fbf9ddbd9baba0fa3975f13ca924c6517381adf6ff922309fa0e764c556732c6c5b6ab6f1f9e4be423e0ce3cf212c357788a59b5020925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adf6c484fd21168d8c1dd1f17276c45a

SHA1
7cfde03450435b7fd0caaab1beb20f476098ce45

SHA256
357b456d9642871f04cc5e3a34dbe132f649cb962376c88b594a8e8dfbbb5ff0

SHA512
3e165cd2875701c9786ef26fdf71e826b73189b1f9b7c442117ed5dce146653abd137ff08174f4c5e2955bbf3ed677f5e9050b62aa7ce63852636ae45e50f541

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8123d05777879f2b0d028892663d083f

SHA1
8344523f4945fe6d90a0f15b2e377c202503d9d2

SHA256
67f6d625d96c24b40f9a6f81dff0a211360b1aebb17a49b6763699b2b93b2710

SHA512
6b58b1084cd70d09c8cade70973d4dc7da6a268ef5f58a148a7e947a0d617b22aa259d56bdd7192d788d8b17c655f2fd0946de5d7398e4b16456cfbd5215ee17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef8f8d8fd3503a12480555d00acd793e

SHA1
0d9783c17ac1502de5fa494044a3ff29318b09fb

SHA256
4c3b4b2e946763cc373e085a30df86217329f7f24a10dd84834c41a8aacc3255

SHA512
4478fd731089bb6efe1491330128bf9e904a8d51a42065f5ce3b605243346b47ad3041d36447774df1a1ae8a8554f9b7a2cf33aacdf9767892701d7c0d2f419d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afccf2c365a8c39aa0de3672ae52ae76

SHA1
a36373700125a2d26a02e77f000f708725a00237

SHA256
766085291ef50fe895659cf78b91a2ac21c347aec72d6339db3b71eda85a8047

SHA512
3ce25755360a2aa7a7c95d09b8bef29c9ed1886130f966ab44f6ed15c3a1b1d9232e3c2ddd1c49d6078ef80b195de72ac2fa240d9b8dc1276e917ea0cbc547a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f5a8dbe99c8001fd99a50d94aa18d90

SHA1
c67df72acd345d616d8589727bb400cf1c669b80

SHA256
a7a79f1e75a7514eaf4af4f8387373dbe2322f955e26962e634ed7cd0e1b8a4a

SHA512
ccd9de741ed5821d7513f0a7a5f9de74fb2fd05344632465f9674adc70ab18a576b9427e113eae6a33458f97bc335d962066606c2e75af58527c4bbd14728ab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
090b13c0d490ca93a57eed9e431481a7

SHA1
cc9d375a329907580df79ecd696e7febb1e9dc83

SHA256
f086b8003b3113704a5d5bdc757ff7e92140a67e394c3284d138850f27ea3d5f

SHA512
84062f7648c144518d912b2ea3ce49f3290c420f73268c6e26f2e0dbcba16377524def671a1a0d7382370212faf4d7571130b297e6d538856861909b566e8ffb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9727b2093668b3d62cefbe7ac1bd8cfc

SHA1
ac7edabad4e32013295bdab722771b941acc61cd

SHA256
50612ecead74c31a63ed1a1cf2d52f5c654ea4f83b2910ce409e840279a8829b

SHA512
b917649234f6520b5ef2fbbc6db24319b7ff1f633735ef4736fb0266254fbb8d3e0c73413373ef9d2a6dfb954cd66f71d5c00debda76f9f12218144efcf9c895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4721d52ef6379de12cbe85f3b7831884

SHA1
9755b6976949776aa674c52176e456932872ef71

SHA256
2b42dd6626c4ba921d36f7aaa32b7a362039d7796aeb464a330d7a5f6ed6f16a

SHA512
b58bbe0d406d0d26ce79cf8a3013f67857e6da2080d4434573a701158abe84ade12a0f8caf6205c264edc12b833d52696c2a671d778e05618ae7e5f88d90ae60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0579083c3045007bca637bedd5f5d7f4

SHA1
d6b414e31fda99d4a2f4ae8cac0c531f399cff88

SHA256
6773bc98b36b265cfdb3ba2f37ba10a6d206c1db951ab7d56a9d6afaa6c2819e

SHA512
e624b131fba28e549db1d6554552793f29d57b3ad096fd3dc3de46b95a1203ee17f753e0dcb209731737ca9044aad0310bf6f111bc238b05afae79c3d72d9a08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
236cfd7ddff688d25b98f2bea4cb4873

SHA1
3773ec31e304ca10c8f9e5dd3ea2a2aea788ac2a

SHA256
76ba66ddf4f0b749d65b2695058846f46a60507fc44bff68d2546df830852254

SHA512
2ade1c0aa2f87840e002ad90fd2ac79fad17873e4d423783495027dcd12d5804a6ab5ae55637558443e71251b97b5aa5b2080ea4736f1d8c7477f6188ab622c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b9f8434b93c8c9a08fda7b1a4026f5f

SHA1
df3296b901687e9913d808e0a378f85e5a457465

SHA256
4fe3b16a992ceac0130f428a08d9077985e9907f52861089ac82183d19828544

SHA512
0f64213f4a05a15c8171622d42e05d4b315b135ae541a397217f64d9b9cdeca57975e97ba3c7d1d8e1c19139d85adac9f97cc71e30d21045dec852d519d4ba46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f14cd16888f7c12e50a7025fda768059

SHA1
3e5da49584fefbc9f790f267ea3aebf56ab10f84

SHA256
21689f56a4a93ac0ff34e6311a721d1cd2aede490009853f6f55137861b437ff

SHA512
ba9a93ce179a03587b9a2c64397a93e6438dff41f0e76088a76d3369380b9176d646c240497d32c9550ccb9819267ae4c6e5432374426177fa823595fcbb51b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_o6ifkh.cmdline

Filesize
246B

MD5
37448130c3ab7d4694e3791e804738ce

SHA1
1f11c7dac4cc577259d8a23ad4670f665cf2b014

SHA256
73a7c756fb5b9e375ac55d54058633e759b158266884325a910c5cf652e68527

SHA512
4a65a0d3d85d5b1411675f1e1beafdadb894ceff7f54d35fa0a9742dac444d20da64a7f1386ff627aafef18edc8dc170efc2c61ff945022abb183fc1beb0102b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9_o6ifkh.dll

Filesize
6KB

MD5
f9408a76f4fa7eeecefa501c6364f548

SHA1
0c2f9d9f0dcb43066527b303b286f6a748548126

SHA256
6c04e263381a933b84b226b78cdba35d6992498d915609f74bc10bc1fe9c12dc

SHA512
427281ad87d6029dfc499dfc5b67cba811156edab4110820e1e81aa8794976eb2c315ddf337ca4d86da277daa70c0857c2a2da47c038a547228c5b3e55046604

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFEA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD0F6.tmp

Filesize
1KB

MD5
3f15cef8c2c292fee0d597f6427a72a4

SHA1
aec4a998fe479c6a19075f9ded36b9731210e782

SHA256
3bee272f0a743544da349d863e385a3895b7d28ab1ac62f54e6bd0f9541d6acd

SHA512
fba3a5fa3f0384cbc86226839114e3c2b2cc55475829f9695bd49ee2c52149a4e1da5e7796996ed7ed4f03ddbed7c5e0a9d46a87b0f4a604fa68cc0be854860f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEB98.tmp

Filesize
1KB

MD5
2a240f69a2562d6ed3a64b2b92f002f0

SHA1
04bc1ec9a4a5f94e912183e29ee3ccfece1d92a7

SHA256
009b31cb7aa1a51ca0e57a57a9f23bc628f5ea5562571d304b5f490ac42e8cdf

SHA512
acf22c3d77d5b9225dc0bc877114b6241c8776e719698ea1af285212f0595304788c05d2a2f7f1e071036669f029266e8615fcb1bdffdb7ec3954400ef200de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar105D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
101B

MD5
f17d8db32bda0a541cddd5de71035ee8

SHA1
c9ba9f0a6c24b99f96a0af32a5f7f811308dcc64

SHA256
bc349fd04f613b9a07b3c8b54c2c408510c8aec0e7917ac3f9a05d6908c999c2

SHA512
90973da8722f6218dda5293eb90bc1f4c4c8a3c5bd4d4bccb287a9aff4a5f6582888af6293210e191e23c701b372f5ff0a8cc75b8c7328a15c5970dc7b87ea55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
50B

MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD0E6.tmp

Filesize
652B

MD5
63a1eda58cb2c8874072cdec6f3ae27b

SHA1
23d19750248ba890dca8a1b3cb8bd5f00492d95e

SHA256
12641769f60897dfb36e1e7aad79ca901170b1a82f892407d4b7e6b8c86af7df

SHA512
f104cc80692c7a18b3003a0156f30a2f66165d695bed5f2c7dd3b864b6745777cffbf46e2bc1f70fa22d4b5c5717696c081354a49b699901ead2272b19a105bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEB97.tmp

Filesize
652B

MD5
61ce9028a4ade69f20b24a05ebee0048

SHA1
3c56b22a3c96d82816770bec0738f83b7010bbb6

SHA256
82a3bd50bfe5ede01a8b34b78f99cb7f73359f222c2ddacecff9c65276966b52

SHA512
4dcb65739262b79dac77bffae3ee29a8a7b6d97d00558a2c5d12281a336198d5b6c44ace13b374cf0b0165e0871baf4f1742616186b0b4109922ca96113c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2gdastq.0.vb

Filesize
666B

MD5
a40f41925008597deb9a75218634e675

SHA1
146f93c94a7c3d84a4dbc1efeddd2aa0d7a5456d

SHA256
9e1b80bb2db37bfc093ff795c06f28d62ca0026cbe34ecdf674cb2effe3aef21

SHA512
b8aee23b2be41e8537daed7f528a2ad60a4303e541020bf639f56319ceec2b5c568c83ca90fe593549294a35cef8b107bd2c72bb2f6c2959b17e47110e4d744d

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2gdastq.cmdline

Filesize
246B

MD5
a36f86d76bca23291651e9499b74f03d

SHA1
335359176537db0b704c8d046fa8c64d9868a7d1

SHA256
030380260ff7e286452a99e642762590159d3ff486d597f7d77ab8304096a340

SHA512
03cc95db25226246577a01bfa14c418424ce86aa0b6bb19be15ed99554408c9b98e14eeb3001efb980e952ecdc4ab1e8870d01f89922bbf4093066c431183c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2gdastq.dll

Filesize
6KB

MD5
91cd1e5dae596b1695fafe0e827e8d12

SHA1
b6268fd855f527e8d2d332d80baa3b3edfc31063

SHA256
15de83afa21829f8574d7f672199df39e1e6abdf0fd25e516ab647cb58d10a6a

SHA512
528110ffd5a6ec4960bc0be8d1a1151b6a66e48aeb6e5630a203a62d301bf401e00214c4003ea52e65dd6055d978255925caa19f758301f07feaa2de6ef063ac

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

Filesize
1024B

MD5
54b1c45da8980b32759042e2c3c78dfb

SHA1
11e8bc2db98786c69e5dadf53d00ff3ee03d64f8

SHA256
9d5efce48ed68dcb4caaa7fbecaf47ce2cab0a023afc6ceed682d1d532823773

SHA512
73169989b97a032fe923272fbe4bc27be77e491d125b360120fc1e02419d99f807b1f62a3edaff85ebfd16e9c240ec295be9431cfe4d6c353f0cf0dbeec4d2ac

Download Submit
\Windows\MSDCSC\msdos32.exe

Filesize
1.4MB

MD5
5968bd1843bca9ec5b655c9fdf219e8e

SHA1
c44f9696d0ff3ac324c549615fe06d52899e199b

SHA256
f658e5db4dd562be92458a18a84e0713eb3ac9c7ae13f02767ee6ae0376efbb4

SHA512
c252e3feabf3435fd8135d92d619ce5ee1e67e94ea59b10d54451dbb3985dd8ab6be750c4d539952f292691fc7678b83cfbc5828af4cc7c1db390ecd680bdd19

Download Submit
memory/1420-92-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1420-94-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1420-96-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1420-93-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/1744-95-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/2072-7-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-16-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-0-0x00000000744A1000-0x00000000744A2000-memory.dmp

Filesize
4KB

Download
memory/2432-31-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-2-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-1-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-28-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2832-30-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2832-62-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2832-32-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download