dead559264ecd8be5c4819ef9e0049f54bc4a237432970a1e69c557657693325

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
Size

1.8MB
MD5

b094642fca0dc298bff1b3ca14d28c2e
SHA1

5a59693c52e521bc93744e55a7a71176ef355435
SHA256

dead559264ecd8be5c4819ef9e0049f54bc4a237432970a1e69c557657693325
SHA512

88525822e4bff15a2709c7d272cf5d32440d7320e48fd41a17b73bf6560b0877a2f9a2effd462fe8098f82239fb0cb75882e6fecc84822b5c3c1bcbb2d11f6a0
SSDEEP

24576:Dd9/GO8M8hjUGX9YPKYCbU+6JIZf+8AzZqVl69eh2rQ51lJ2ga6KnXJEsCVUKKC7:DXHwAQyKaJ6GNQn2Y2mNa62XJfKKS

Score

7^/10

collection credential_access defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Executes dropped EXE 14 IoCs

Processes:

teste1_p.exeq1.exemiragge.exefFollower.exeavto.exe6_ldry3no.exefFollower.exe4_pinnew.exe2_load.exe1your_exe.exeopeE6B0.exe1277124607.exesvchosty.exefFollower.exe

pid	Process
1744	teste1_p.exe
2724	q1.exe
2864	miragge.exe
2580	fFollower.exe
2360	avto.exe
2256	6_ldry3no.exe
2816	fFollower.exe
1424	4_pinnew.exe
540	2_load.exe
1268	1your_exe.exe
1740	opeE6B0.exe
804	1277124607.exe
1732	svchosty.exe
352	fFollower.exe

Loads dropped DLL 62 IoCs

Processes:

b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exefFollower.exeWerFault.exeopeE6B0.exeWerFault.exerundll32.exeteste1_p.exe

pid	Process
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2580	fFollower.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2188	WerFault.exe
2188	WerFault.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
1740	opeE6B0.exe
1740	opeE6B0.exe
1740	opeE6B0.exe
1740	opeE6B0.exe
744	WerFault.exe
744	WerFault.exe
744	WerFault.exe
2188	WerFault.exe
744	WerFault.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
1744	teste1_p.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

4_pinnew.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	4_pinnew.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

teste1_p.exeavto.exeb094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exerundll32.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\\Windows\\lsass.exe"	teste1_p.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\netc = "C:\\Windows\\svc.exe"	avto.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Local\Temp\opeE6B0.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\opeE6B0.exe "	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pmllklsys = "rundll32.exe \"hggfef.dll\",DllRegisterServer"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\yabaaasys = "rundll32.exe \"hggfef.dll\",DllRegisterServer"	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Boot or Logon Autostart Execution: Authentication Package 1 TTPs 1 IoCs

Suspicious Windows Authentication Registry Modification.

persistence privilege_escalation

Authentication Package

T1547.002

Processes:

rundll32.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages = 6d007300760031005f00300000006800670067006600650066002e0064006c006c0000000000	rundll32.exe

Drops file in System32 directory 17 IoCs

Processes:

fFollower.exemiragge.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	fFollower.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	fFollower.exe
File created	C:\Windows\SysWOW64\hggfef.dll	miragge.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\info_48[1]	fFollower.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bullet[1]	fFollower.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bullet[1]	fFollower.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]	fFollower.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\navcancl[1]	fFollower.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]	fFollower.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	fFollower.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	fFollower.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\background_gradient[1]	fFollower.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ErrorPageTemplate[1]	fFollower.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	fFollower.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\info_48[1]	fFollower.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	fFollower.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\background_gradient[1]	fFollower.exe

Drops file in Windows directory 4 IoCs

Processes:

teste1_p.exeavto.exe

description	ioc	Process
File created	C:\Windows\lsass.exe	teste1_p.exe
File opened for modification	C:\Windows\lsass.exe	teste1_p.exe
File created	C:\Windows\svc.exe	avto.exe
File opened for modification	C:\Windows\svc.exe	avto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process
2188	2256	WerFault.exe
744	1732	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2_load.exeb094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe1your_exe.exeopeE6B0.exe1277124607.exerundll32.exeteste1_p.exe6_ldry3no.exefFollower.exesvchosty.exefFollower.execmd.execmd.exeq1.exemiragge.exeavto.exefFollower.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2_load.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1your_exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opeE6B0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1277124607.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teste1_p.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6_ldry3no.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fFollower.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchosty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fFollower.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	q1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miragge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fFollower.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

teste1_p.exeq1.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	teste1_p.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	q1.exe

Modifies data under HKEY_USERS 32 IoCs

Processes:

fFollower.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	fFollower.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadNetworkName = "Network 3"	fFollower.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	fFollower.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	fFollower.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	fFollower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadDecisionReason = "1"	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadDecisionTime = 406eaee64742db01	fFollower.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fFollower.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	fFollower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20\WpadDecision = "0"	fFollower.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fFollower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20\WpadDecisionReason = "1"	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20\WpadDecisionTime = 2044e4dc4742db01	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f019c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadDecisionTime = 40ac92e24742db01	fFollower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	fFollower.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	fFollower.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f019c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20\WpadDecisionTime = 406eaee64742db01	fFollower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	fFollower.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadDecisionTime = 2044e4dc4742db01	fFollower.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\0e-1a-be-f7-b3-20	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f019c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	fFollower.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20\WpadDetectedUrl	fFollower.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	fFollower.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C139CA58-755C-41C6-A7D9-75F6A9AEFDE4}\WpadDecision = "0"	fFollower.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20	fFollower.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-1a-be-f7-b3-20\WpadDecisionTime = 40ac92e24742db01	fFollower.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4_pinnew.exerundll32.exe

pid	Process
1424	4_pinnew.exe
1424	4_pinnew.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe
2032	rundll32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

4_pinnew.exerundll32.exe1your_exe.exe

description	pid	Process
Token: SeDebugPrivilege	1424	4_pinnew.exe
Token: SeDebugPrivilege	2032	rundll32.exe
Token: SeDebugPrivilege	2032	rundll32.exe
Token: SeDebugPrivilege	2032	rundll32.exe
Token: SeDebugPrivilege	2032	rundll32.exe
Token: SeDebugPrivilege	2032	rundll32.exe
Token: SeDebugPrivilege	2032	rundll32.exe
Token: SeDebugPrivilege	2032	rundll32.exe
Token: SeDebugPrivilege	2032	rundll32.exe
Token: SeIncBasePriorityPrivilege	1268	1your_exe.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

teste1_p.exeq1.exeavto.exefFollower.exe

pid	Process
1744	teste1_p.exe
1744	teste1_p.exe
2724	q1.exe
2724	q1.exe
2360	avto.exe
2360	avto.exe
352	fFollower.exe
352	fFollower.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe6_ldry3no.exefFollower.exeopeE6B0.exesvchosty.exemiragge.exe

description	pid	Process	procid_target
PID 2860 wrote to memory of 1744	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	31
PID 2860 wrote to memory of 1744	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	31
PID 2860 wrote to memory of 1744	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	31
PID 2860 wrote to memory of 1744	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	31
PID 2860 wrote to memory of 2724	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2724	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2724	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2724	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	32
PID 2860 wrote to memory of 2864	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2864	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2864	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2864	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2864	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2864	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2864	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	33
PID 2860 wrote to memory of 2580	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2580	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2580	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2580	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	34
PID 2860 wrote to memory of 2360	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2360	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2360	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2360	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	35
PID 2860 wrote to memory of 2256	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2256	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2256	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	36
PID 2860 wrote to memory of 2256	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	36
PID 2256 wrote to memory of 2188	2256	6_ldry3no.exe	37
PID 2256 wrote to memory of 2188	2256	6_ldry3no.exe	37
PID 2256 wrote to memory of 2188	2256	6_ldry3no.exe	37
PID 2256 wrote to memory of 2188	2256	6_ldry3no.exe	37
PID 2580 wrote to memory of 2816	2580	fFollower.exe	38
PID 2580 wrote to memory of 2816	2580	fFollower.exe	38
PID 2580 wrote to memory of 2816	2580	fFollower.exe	38
PID 2580 wrote to memory of 2816	2580	fFollower.exe	38
PID 2860 wrote to memory of 1424	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	39
PID 2860 wrote to memory of 1424	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	39
PID 2860 wrote to memory of 1424	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	39
PID 2860 wrote to memory of 1424	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	39
PID 2860 wrote to memory of 540	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	40
PID 2860 wrote to memory of 540	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	40
PID 2860 wrote to memory of 540	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	40
PID 2860 wrote to memory of 540	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	40
PID 2860 wrote to memory of 1268	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	41
PID 2860 wrote to memory of 1268	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	41
PID 2860 wrote to memory of 1268	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	41
PID 2860 wrote to memory of 1268	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	41
PID 2860 wrote to memory of 1740	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	42
PID 2860 wrote to memory of 1740	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	42
PID 2860 wrote to memory of 1740	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	42
PID 2860 wrote to memory of 1740	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	42
PID 2860 wrote to memory of 804	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	43
PID 2860 wrote to memory of 804	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	43
PID 2860 wrote to memory of 804	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	43
PID 2860 wrote to memory of 804	2860	b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe	43
PID 1740 wrote to memory of 1732	1740	opeE6B0.exe	44
PID 1740 wrote to memory of 1732	1740	opeE6B0.exe	44
PID 1740 wrote to memory of 1732	1740	opeE6B0.exe	44
PID 1740 wrote to memory of 1732	1740	opeE6B0.exe	44
PID 1732 wrote to memory of 744	1732	svchosty.exe	45
PID 1732 wrote to memory of 744	1732	svchosty.exe	45
PID 1732 wrote to memory of 744	1732	svchosty.exe	45
PID 1732 wrote to memory of 744	1732	svchosty.exe	45
PID 2864 wrote to memory of 2032	2864	miragge.exe	48

outlook_win_path 1 IoCs

Processes:

4_pinnew.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	4_pinnew.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1048

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b094642fca0dc298bff1b3ca14d28c2e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\teste1_p.exe
  "C:\Users\Admin\AppData\Local\Temp\teste1_p.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\q1.exe
  "C:\Users\Admin\AppData\Local\Temp\q1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\miragge.exe
  "C:\Users\Admin\AppData\Local\Temp\miragge.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\hggfef.dll",a
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Boot or Logon Autostart Execution: Authentication Package
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- C:\Users\Admin\AppData\Local\Temp\fFollower.exe
  "C:\Users\Admin\AppData\Local\Temp\fFollower.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\fFollower.exe
    C:\Users\Admin\AppData\Local\Temp\fFollower.exe /install /silent
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2816
- C:\Users\Admin\AppData\Local\Temp\avto.exe
  "C:\Users\Admin\AppData\Local\Temp\avto.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe
  "C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 148
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe
  "C:\Users\Admin\AppData\Local\Temp\4_pinnew.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_win_path
  PID:1424
- C:\Users\Admin\AppData\Local\Temp\2_load.exe
  "C:\Users\Admin\AppData\Local\Temp\2_load.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del "C:\Users\Admin\AppData\Local\Temp\2_load.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:264
- C:\Users\Admin\AppData\Local\Temp\1your_exe.exe
  "C:\Users\Admin\AppData\Local\Temp\1your_exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1YOUR_~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Users\Admin\AppData\Local\Temp\opeE6B0.exe
  "C:\Users\Admin\AppData\Local\Temp\opeE6B0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\svchosty.exe
    "C:\Users\Admin\AppData\Local\Temp\svchosty.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:744
- C:\Users\Admin\AppData\Local\Temp\1277124607.exe
  "C:\Users\Admin\AppData\Local\Temp\1277124607.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:804

C:\Users\Admin\AppData\Local\Temp\fFollower.exe
C:\Users\Admin\AppData\Local\Temp\fFollower.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Authentication Package

T1547.002

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\jwrlgbvd[1].htm

Filesize
125B

MD5
45a9a2084a44d18bd0f446d6855908e4

SHA1
2b00aab2d6fd2e8fe429facce198d7093559adf1

SHA256
2ef87fbd5f3ec904bc116f3654421f4c53dc5438bbf36fa029dc8af8813f9646

SHA512
5e5d0c962cfa6faffafd32e10d1e38d90e12c184ab77d72907108b98bf73bdee685300c44ffae937203c7f74ecb8110794b542a4c3ba4831c9b3bafc77dc4d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\navcancl[1]

Filesize
2KB

MD5
4bcfe9f8db04948cddb5e31fe6a7f984

SHA1
42464c70fc16f3f361c2419751acd57d51613cdf

SHA256
bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

SHA512
bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_ldry3no.exe

Filesize
66KB

MD5
4f962b62e1be70c59004a44e640063fc

SHA1
2efdd5d612404da765c1b434b10eeac2b7d581ed

SHA256
dc92965176d6393beb35307e6e947c6f1b368717cbd03826cefc64ddec8e1485

SHA512
f1217bb04f01ac298661c65dfa25b99b518046d1e2cff589f719ca4925019af867cf8dd87fac90f99661e24a01261f89a0e2566b3e775859409243be067d4dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\opeE6B0.exe

Filesize
276KB

MD5
fdbe0a4f95e7852466faa062bd10c8b1

SHA1
c6c2827afd118ff6734561d0abd08976c2e6cd33

SHA256
767581150749701da6a6dc25dec9b197e569082e9053eae0da6c46ec7a438dff

SHA512
edbe308e6218eea3f4cc5099d4328244fa7229b6c89e2365936a82dc1f19405c7499f3561ea91d98741db4e4a515f3867ce137081e7d8af6359c46aa2d1dca31

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosty.exe

Filesize
227KB

MD5
4db61e0460163f913926fe8a2efd2689

SHA1
e63e8061e52d43eb0ad327bc0b819e0b6f334243

SHA256
f1cf4845cc4edad35e7f8ff570f8007b77298fb61d4c752761f4f04513acaee2

SHA512
9c9523a496d2ad613f88dd17aae4b166b545f9628fc174d4bdf7dff8cb7427649b6531900453378226d2040341bba0962f6937fa86c88c1a184c5e0bcbcce077

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
\Users\Admin\AppData\Local\Temp\1277124607.exe

Filesize
95KB

MD5
fc2188001099e9756dd787c32e8e2e60

SHA1
00e9f93df29ee37df3be0a03cd943c2014bbd8e0

SHA256
5a9ac28b1b76f6ed60f6e1f7afd3315290c4d9167515d2f3363021055969f4c1

SHA512
eae201c323b41558c8a8ba7847b7bb8eef368e766348172dc45b098ba8a3b370a41a464af3d4d4b64b79b3bc1bfc78b73abc38eb56ed310606fe1a9deee082f8

Download Submit
\Users\Admin\AppData\Local\Temp\1your_exe.exe

Filesize
17KB

MD5
fa6114d13bf1a0fad025f7f11b6c73a9

SHA1
111fd558fedead3a62c2f9442390b9bb1db3c909

SHA256
f280a4004140bc425ecde897e5deec4ede596ba02f786d9a75aa98c3c6564432

SHA512
c768638fe0e9f49740f3247e0e85eb5f9694a940bb171316b5fad076ab99b8d70c3d292f3b077c5b5e3b2eeda9cc5e54f7c531bdfad4e6324b6a18fcb4d106f2

Download Submit
\Users\Admin\AppData\Local\Temp\2_load.exe

Filesize
11KB

MD5
d16c07fa2572af8d30fa52ca79b3b552

SHA1
fc224030b42a368dedafcfd9394cbbe1aa509c04

SHA256
029edc4d0f874142645cbcca0c262f603150bf4d2b22a0b2f09ed728eca0db74

SHA512
e464b3ca9d06799c4d7c8b64259f27d59704f472552603d73a8c703b878b02803d6952f1ea24ef3dd1fd40d4fd625a8c7632c523146e986727fe0e6cb6593a17

Download Submit
\Users\Admin\AppData\Local\Temp\4_pinnew.exe

Filesize
30KB

MD5
114ca1e3b9563b7b75bdb96be8233d1b

SHA1
8ee976de146acf88e9f2a0a8cf22f18d113a6798

SHA256
61c35c1b66ce901c290738a188eccf9afc9ce21fed56b16a749e85fc50e9dd99

SHA512
c72e3eae7ee5b98f0cd645e9f995bd951b5bb091bc5818d780b6b1cca20a8677eedbb2b8f4dd4c951f492c21ba5523ab66020334ecec492d67c272e33352a7ba

Download Submit
\Users\Admin\AppData\Local\Temp\avto.exe

Filesize
228KB

MD5
1a157330b5b2c4ed3d5ef0d752cf39b9

SHA1
15c495bbf7e3474ab59de59b88293579752daf8f

SHA256
0c37d98cae1309e1c4812c49b96264ec8f06a89d4946fbd5d27988c4f67138a3

SHA512
bd17105cb9b612b39571f5d131dddef449e0d4e216745a378136a5999a3bf86871dee7b6f0b4c4c6c34c117bb3ba2c9223555aa253d3f6710d8b123bfadce5b1

Download Submit
\Users\Admin\AppData\Local\Temp\fFollower.exe

Filesize
255KB

MD5
daca3b8df21385a7f7da2cbe87e25473

SHA1
b9f8f39a782a48a02c5040c2979428646a509964

SHA256
adb97459bc45aeec7e36176908c401fc9ac79f033cd1a6d81d49a6aa8a7ade2f

SHA512
be7e4e7263711147f347368f7beac47e13716d19aae8766f2b410d0b63f006332862b9d2f5a31920c537c22d20baf33fb0d06b69384be5be959672faff436632

Download Submit
\Users\Admin\AppData\Local\Temp\miragge.exe

Filesize
112KB

MD5
de6d1888f8ce084db991f1ff2def63d7

SHA1
3292421654a9c3f8388bae23510f04e34326a9a2

SHA256
ddd0dff16bc4e976696555393dc563df7620a8e65cfd8e55e50f6ef944da8930

SHA512
b4a04f419fd094849458db65391ef0c4770d7e1c41e476b9faf5194c67d71002e5ef03df276670769b6b76ecfa124953981ae6075d898466af1e3135b021de4e

Download Submit
\Users\Admin\AppData\Local\Temp\q1.exe

Filesize
226KB

MD5
ba626834aec1cdf939a8f860ffdbaafc

SHA1
6611d5a0e22bb7178c43fafcd99667260bcf3bcc

SHA256
36cfd6d209dbd30e7a1303ee7361c8e36cab7c4d462828b2e2e8f3de43ffa3de

SHA512
cdf53cb9b78392bdca303371f6f49bf75e0e86d91b2a839bd0c629982ef83eb861368de6a133ae70f2bbf7b1f0d535dd7488586c827f975eebb49f87ef2ba696

Download Submit
\Users\Admin\AppData\Local\Temp\teste1_p.exe

Filesize
274KB

MD5
30515e54f452f5d61bf17ad3bfbc349d

SHA1
3bced23c675c28027564691965a92d3112f26666

SHA256
c64a5eea7dcc7780cfafd877fb0c4a62ed30fe003eab94a7b697d4c5ad805cb9

SHA512
c5032574e39bb74cddbbbbb57076df2e6ac86f9ff14c3d6b6955bdff27258c851d0b585bf3f607bd4e9424ba530ccf0ebd705766fc489eb4e6e56b560edc5544

Download Submit
memory/352-386-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/352-372-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/352-319-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/352-226-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/352-351-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/396-203-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/540-224-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/540-259-0x0000000000400000-0x000000000090E000-memory.dmp

Filesize
5.1MB

Download
memory/804-200-0x00000000010C0000-0x00000000010DB000-memory.dmp

Filesize
108KB

Download
memory/804-198-0x0000000000090000-0x00000000000A9000-memory.dmp

Filesize
100KB

Download
memory/1268-225-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1424-223-0x0000000013140000-0x0000000013181000-memory.dmp

Filesize
260KB

Download
memory/1740-197-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1744-360-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1744-219-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1744-205-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1744-31-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1744-49-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1744-35-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1744-381-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1744-290-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2032-202-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2032-228-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2256-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2256-100-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2360-206-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2580-199-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2724-362-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-34-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-217-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-214-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-346-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2724-39-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2816-155-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2860-2-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2860-0-0x0000000001ED0000-0x0000000002098000-memory.dmp

Filesize
1.8MB

Download
memory/2860-185-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/2860-184-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/2864-215-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2864-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download