Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted
27-06-2024 15:17
Static task
static1
Behavioral task
behavioral1
Sample
167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
Resource
win10v2004-20240226-en
General
-
Target
167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
-
Size
452KB
-
MD5
167cc413faac757b6a7e57133ceedd0e
-
SHA1
1421d708f6eb6e08745172ea1d44f6af4857de0d
-
SHA256
32a820b30108102245b1c458b9237893e80a644fe1113dca3d4b2132a93f5db3
-
SHA512
61873a138588e461744bdcc1a8ad01968ccd549a9408a707acb09946aa1b2422a8771de831911149aa7233094b6583917347f0f8694138fc135018909ed16ccd
-
SSDEEP
6144:qEJK6g8ITN45qFqshyrwZdWYXPoPyl5FM13iyDFsDTAb/j8Fft6WEgrYvXmH3cpN:qEJKNUEvhRZIIR5M3ipprYAXyRNCj+
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: manifest.duckdns.org:61970 (dynamic-DNS hostname; use_custom_dns_server is false below, so name resolution goes through the system resolver — hunt on DNS queries for this name and on outbound TCP/61970)
Mutex / client ID: 2004e655-d8f5-4f56-b1bd-1074cc528f1d
-
activate_away_mode
true
- backup_connection_host (empty — no fallback C2 host is configured in this build)
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-11-15T20:09:19.510421436Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
61970
-
default_group
Monte Carlo
-
enable_debug_mode
true
-
gc_threshold
10485760 (10 MiB; the extractor printed this as 1.048576e+07)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (10 MiB; the extractor printed this as 1.048576e+07)
-
mutex
2004e655-d8f5-4f56-b1bd-1074cc528f1d
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
manifest.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true — NanoCore's "critical process" option; if the implant honours it, the injected process is flagged so that terminating it can bring down the host. During triage prefer suspending the process and removing the persistence entries listed below before killing it.
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 4 IoCs
Note: the RunOnce `wextract_cleanup0` value (rundll32 advpack.dll,DelNodeRunDLL32 on IXP000.TMP) appears to be the self-extractor's temp-directory cleanup rather than payload persistence. The entries to act on are HKCU Run `WDLropUtil` → C:\Users\Admin\WDLropUtil.exe (written twice, once per loader instance) and HKLM Run `TCP Subsystem` → C:\Program Files (x86)\TCP Subsystem\tcpss.exe (written by the injected RegAsm.exe).
Processes:
MSI3C28.tmp, xTMUmRNSplXXLMhgma5.exe, RegAsm.exe, xTMUmRNSplXXLMhgma5.exe
description | ioc | process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | MSI3C28.tmp
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe" | xTMUmRNSplXXLMhgma5.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" | RegAsm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe" | xTMUmRNSplXXLMhgma5.exe
Checks whether UAC is enabled 1 IoCs
Processes: RegAsm.exe
description | ioc | process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) \??\A:, \??\B:, \??\E:, and \??\G: through \??\Z: — 23 drive letters, every letter except C:, D: and F: — each listed twice (46 IoCs in total), presumably once per msiexec.exe process | msiexec.exe
Suspicious use of SetThreadContext 2 IoCs
Note: combined with the MapViewOfSection and WriteProcessMemory entries from the same two loader PIDs (768, 2336) into their argument-less RegAsm.exe children (1264, 3024), this is consistent with the loader hollowing/injecting the NanoCore payload into a freshly started, legitimate .NET RegAsm.exe; the NanoCore config above was presumably recovered from that injected process.
Processes:
xTMUmRNSplXXLMhgma5.exe, xTMUmRNSplXXLMhgma5.exe
description | pid | process | target process
PID 768 set thread context of 1264 | 768 | xTMUmRNSplXXLMhgma5.exe | RegAsm.exe
PID 2336 set thread context of 3024 | 2336 | xTMUmRNSplXXLMhgma5.exe | RegAsm.exe
Drops file in Program Files directory 2 IoCs
Note: the dropped path C:\Program Files (x86)\TCP Subsystem\tcpss.exe is the same binary named by the HKLM Run value and by the two scheduled tasks ("TCP Subsystem", "TCP Subsystem Task") created below. Writing under Program Files normally needs an elevated token, which fits request_elevation=true in the extracted config and the sandbox running as the Admin user.
Processes:
RegAsm.exe
description | ioc | process
File created C:\Program Files (x86)\TCP Subsystem\tcpss.exe | RegAsm.exe
File opened for modification C:\Program Files (x86)\TCP Subsystem\tcpss.exe | RegAsm.exe
Drops file in Windows directory 10 IoCs
Processes:
msiexec.exe, DrvInst.exe
description | ioc | process
File created C:\Windows\Installer\f763b4c.msi | msiexec.exe
File created C:\Windows\Installer\f763b4f.ipi | msiexec.exe
File opened for modification C:\Windows\Installer\MSI3BF7.tmp | msiexec.exe
File opened for modification C:\Windows\Installer\f763b4f.ipi | msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification C:\Windows\Installer\f763b4c.msi | msiexec.exe
File opened for modification C:\Windows\Installer\ | msiexec.exe
File opened for modification C:\Windows\Installer\MSI3C28.tmp | msiexec.exe
Note: these are ordinary Windows Installer and setupapi locations; the one that matters is C:\Windows\Installer\MSI3C28.tmp, the extracted custom-action binary that msiexec.exe then executes (see the process tree).
Executes dropped EXE 4 IoCs
Processes:
MSI3C28.tmp, xTMUmRNSplXXLMhgma5.exe, xTMUmRNSplXXLMhgma5.exe, xTMUmRNSplXXLMhgma5.exe
pid | process
1452 MSI3C28.tmp
768 xTMUmRNSplXXLMhgma5.exe
2336 xTMUmRNSplXXLMhgma5.exe
2600 xTMUmRNSplXXLMhgma5.exe
Loads dropped DLL 7 IoCs
Processes:
MSI3C28.tmp, xTMUmRNSplXXLMhgma5.exe, xTMUmRNSplXXLMhgma5.exe, WerFault.exe
pid | process
1452 MSI3C28.tmp
1452 MSI3C28.tmp
768 xTMUmRNSplXXLMhgma5.exe
2336 xTMUmRNSplXXLMhgma5.exe
2172 WerFault.exe
2172 WerFault.exe
2172 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs (the MSI custom action — the msiexec.exe /V service instance spawning C:\Windows\Installer\MSI3C28.tmp — is the installer-package execution; see the process tree below)
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
2172 | 2600 | WerFault.exe | xTMUmRNSplXXLMhgma5.exe
Note: only the third loader copy (PID 2600, the deepest one in the tree) crashed; the first two (768, 2336) completed their injection into RegAsm.exe.
Modifies data under HKEY_USERS 43 IoCs
Note: every entry below is DrvInst.exe creating certificate-store / WinTrust keys under HKEY_USERS\.DEFAULT (plus one MuiCache LanguageList value). This looks like standard setupapi/driver-install initialisation triggered alongside the volume-snapshot activity, not payload behaviour.
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the injected RegAsm.exe (PID 1264) registers two tasks, "TCP Subsystem" and "TCP Subsystem Task", from XML definitions it writes to %TEMP%\tmpC1D9.tmp and %TEMP%\tmpC2F2.tmp (hashed under Downloads); both tasks should be removed together with the Run keys during cleanup.
Processes:
schtasks.exe, schtasks.exe
pid | process
1060 schtasks.exe
2356 schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exe, xTMUmRNSplXXLMhgma5.exe
pid | process
2468 msiexec.exe (listed twice)
768 xTMUmRNSplXXLMhgma5.exe (listed for every remaining IoC; 64 entries in total)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
RegAsm.exe
pid | process
1264 RegAsm.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
xTMUmRNSplXXLMhgma5.exe, xTMUmRNSplXXLMhgma5.exe
pid | process
768 xTMUmRNSplXXLMhgma5.exe
2336 xTMUmRNSplXXLMhgma5.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Note: most entries below are privileges enabled by msiexec.exe, vssvc.exe and DrvInst.exe, which appear to belong to the Windows Installer transaction itself; the payload-relevant ones are SeDebugPrivilege on 768 xTMUmRNSplXXLMhgma5.exe, 1264 RegAsm.exe and 2336 xTMUmRNSplXXLMhgma5.exe.
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exexTMUmRNSplXXLMhgma5.exeRegAsm.exexTMUmRNSplXXLMhgma5.exedescription pid process Token: SeShutdownPrivilege 3036 msiexec.exe Token: SeIncreaseQuotaPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 2468 msiexec.exe Token: SeTakeOwnershipPrivilege 2468 msiexec.exe Token: SeSecurityPrivilege 2468 msiexec.exe Token: SeCreateTokenPrivilege 3036 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3036 msiexec.exe Token: SeLockMemoryPrivilege 3036 msiexec.exe Token: SeIncreaseQuotaPrivilege 3036 msiexec.exe Token: SeMachineAccountPrivilege 3036 msiexec.exe Token: SeTcbPrivilege 3036 msiexec.exe Token: SeSecurityPrivilege 3036 msiexec.exe Token: SeTakeOwnershipPrivilege 3036 msiexec.exe Token: SeLoadDriverPrivilege 3036 msiexec.exe Token: SeSystemProfilePrivilege 3036 msiexec.exe Token: SeSystemtimePrivilege 3036 msiexec.exe Token: SeProfSingleProcessPrivilege 3036 msiexec.exe Token: SeIncBasePriorityPrivilege 3036 msiexec.exe Token: SeCreatePagefilePrivilege 3036 msiexec.exe Token: SeCreatePermanentPrivilege 3036 msiexec.exe Token: SeBackupPrivilege 3036 msiexec.exe Token: SeRestorePrivilege 3036 msiexec.exe Token: SeShutdownPrivilege 3036 msiexec.exe Token: SeDebugPrivilege 3036 msiexec.exe Token: SeAuditPrivilege 3036 msiexec.exe Token: SeSystemEnvironmentPrivilege 3036 msiexec.exe Token: SeChangeNotifyPrivilege 3036 msiexec.exe Token: SeRemoteShutdownPrivilege 3036 msiexec.exe Token: SeUndockPrivilege 3036 msiexec.exe Token: SeSyncAgentPrivilege 3036 msiexec.exe Token: SeEnableDelegationPrivilege 3036 msiexec.exe Token: SeManageVolumePrivilege 3036 msiexec.exe Token: SeImpersonatePrivilege 3036 msiexec.exe Token: SeCreateGlobalPrivilege 3036 msiexec.exe Token: SeBackupPrivilege 2564 vssvc.exe Token: SeRestorePrivilege 2564 vssvc.exe Token: SeAuditPrivilege 2564 vssvc.exe Token: SeBackupPrivilege 2468 msiexec.exe Token: SeRestorePrivilege 2468 msiexec.exe Token: SeRestorePrivilege 2376 DrvInst.exe Token: SeRestorePrivilege 2376 
DrvInst.exe Token: SeRestorePrivilege 2376 DrvInst.exe Token: SeRestorePrivilege 2376 DrvInst.exe Token: SeRestorePrivilege 2376 DrvInst.exe Token: SeRestorePrivilege 2376 DrvInst.exe Token: SeRestorePrivilege 2376 DrvInst.exe Token: SeLoadDriverPrivilege 2376 DrvInst.exe Token: SeLoadDriverPrivilege 2376 DrvInst.exe Token: SeLoadDriverPrivilege 2376 DrvInst.exe Token: SeRestorePrivilege 2468 msiexec.exe Token: SeTakeOwnershipPrivilege 2468 msiexec.exe Token: SeRestorePrivilege 2468 msiexec.exe Token: SeTakeOwnershipPrivilege 2468 msiexec.exe Token: SeRestorePrivilege 2468 msiexec.exe Token: SeTakeOwnershipPrivilege 2468 msiexec.exe Token: SeRestorePrivilege 2468 msiexec.exe Token: SeTakeOwnershipPrivilege 2468 msiexec.exe Token: SeDebugPrivilege 768 xTMUmRNSplXXLMhgma5.exe Token: SeDebugPrivilege 1264 RegAsm.exe Token: SeDebugPrivilege 2336 xTMUmRNSplXXLMhgma5.exe Token: SeRestorePrivilege 2468 msiexec.exe Token: SeTakeOwnershipPrivilege 2468 msiexec.exe Token: SeRestorePrivilege 2468 msiexec.exe Token: SeTakeOwnershipPrivilege 2468 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid | process
3036 msiexec.exe
3036 msiexec.exe
Suspicious use of WriteProcessMemory 64 IoCs
Note: the parent/child pairs below give the full chain — msiexec.exe → MSI3C28.tmp → xTMUmRNSplXXLMhgma5.exe → csc.exe/cvtres.exe (runtime C# compilation; each csc run yields a 634KB DLL listed under Downloads) → RegAsm.exe → schtasks.exe — and a second loader copy (PID 2336) that repeats the same sequence.
Processes:
msiexec.exeMSI3C28.tmpxTMUmRNSplXXLMhgma5.execsc.execsc.exexTMUmRNSplXXLMhgma5.exeRegAsm.execsc.execsc.exedescription pid process target process PID 2468 wrote to memory of 1452 2468 msiexec.exe MSI3C28.tmp PID 2468 wrote to memory of 1452 2468 msiexec.exe MSI3C28.tmp PID 2468 wrote to memory of 1452 2468 msiexec.exe MSI3C28.tmp PID 2468 wrote to memory of 1452 2468 msiexec.exe MSI3C28.tmp PID 1452 wrote to memory of 768 1452 MSI3C28.tmp xTMUmRNSplXXLMhgma5.exe PID 1452 wrote to memory of 768 1452 MSI3C28.tmp xTMUmRNSplXXLMhgma5.exe PID 1452 wrote to memory of 768 1452 MSI3C28.tmp xTMUmRNSplXXLMhgma5.exe PID 1452 wrote to memory of 768 1452 MSI3C28.tmp xTMUmRNSplXXLMhgma5.exe PID 768 wrote to memory of 1552 768 xTMUmRNSplXXLMhgma5.exe csc.exe PID 768 wrote to memory of 1552 768 xTMUmRNSplXXLMhgma5.exe csc.exe PID 768 wrote to memory of 1552 768 xTMUmRNSplXXLMhgma5.exe csc.exe PID 768 wrote to memory of 1552 768 xTMUmRNSplXXLMhgma5.exe csc.exe PID 1552 wrote to memory of 1636 1552 csc.exe cvtres.exe PID 1552 wrote to memory of 1636 1552 csc.exe cvtres.exe PID 1552 wrote to memory of 1636 1552 csc.exe cvtres.exe PID 1552 wrote to memory of 1636 1552 csc.exe cvtres.exe PID 768 wrote to memory of 1896 768 xTMUmRNSplXXLMhgma5.exe csc.exe PID 768 wrote to memory of 1896 768 xTMUmRNSplXXLMhgma5.exe csc.exe PID 768 wrote to memory of 1896 768 xTMUmRNSplXXLMhgma5.exe csc.exe PID 768 wrote to memory of 1896 768 xTMUmRNSplXXLMhgma5.exe csc.exe PID 1896 wrote to memory of 340 1896 csc.exe cvtres.exe PID 1896 wrote to memory of 340 1896 csc.exe cvtres.exe PID 1896 wrote to memory of 340 1896 csc.exe cvtres.exe PID 1896 wrote to memory of 340 1896 csc.exe cvtres.exe PID 768 wrote to memory of 1264 768 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 768 wrote to memory of 1264 768 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 768 wrote to memory of 1264 768 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 768 wrote to memory of 1264 768 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 768 wrote to memory of 1264 
768 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 768 wrote to memory of 1264 768 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 768 wrote to memory of 1264 768 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 768 wrote to memory of 1264 768 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 768 wrote to memory of 2336 768 xTMUmRNSplXXLMhgma5.exe xTMUmRNSplXXLMhgma5.exe PID 768 wrote to memory of 2336 768 xTMUmRNSplXXLMhgma5.exe xTMUmRNSplXXLMhgma5.exe PID 768 wrote to memory of 2336 768 xTMUmRNSplXXLMhgma5.exe xTMUmRNSplXXLMhgma5.exe PID 768 wrote to memory of 2336 768 xTMUmRNSplXXLMhgma5.exe xTMUmRNSplXXLMhgma5.exe PID 2336 wrote to memory of 704 2336 xTMUmRNSplXXLMhgma5.exe csc.exe PID 2336 wrote to memory of 704 2336 xTMUmRNSplXXLMhgma5.exe csc.exe PID 2336 wrote to memory of 704 2336 xTMUmRNSplXXLMhgma5.exe csc.exe PID 2336 wrote to memory of 704 2336 xTMUmRNSplXXLMhgma5.exe csc.exe PID 1264 wrote to memory of 1060 1264 RegAsm.exe schtasks.exe PID 1264 wrote to memory of 1060 1264 RegAsm.exe schtasks.exe PID 1264 wrote to memory of 1060 1264 RegAsm.exe schtasks.exe PID 1264 wrote to memory of 1060 1264 RegAsm.exe schtasks.exe PID 704 wrote to memory of 1620 704 csc.exe cvtres.exe PID 704 wrote to memory of 1620 704 csc.exe cvtres.exe PID 704 wrote to memory of 1620 704 csc.exe cvtres.exe PID 704 wrote to memory of 1620 704 csc.exe cvtres.exe PID 2336 wrote to memory of 2328 2336 xTMUmRNSplXXLMhgma5.exe csc.exe PID 2336 wrote to memory of 2328 2336 xTMUmRNSplXXLMhgma5.exe csc.exe PID 2336 wrote to memory of 2328 2336 xTMUmRNSplXXLMhgma5.exe csc.exe PID 2336 wrote to memory of 2328 2336 xTMUmRNSplXXLMhgma5.exe csc.exe PID 2328 wrote to memory of 2104 2328 csc.exe cvtres.exe PID 2328 wrote to memory of 2104 2328 csc.exe cvtres.exe PID 2328 wrote to memory of 2104 2328 csc.exe cvtres.exe PID 2328 wrote to memory of 2104 2328 csc.exe cvtres.exe PID 1264 wrote to memory of 2356 1264 RegAsm.exe schtasks.exe PID 1264 wrote to memory of 2356 1264 RegAsm.exe schtasks.exe PID 1264 wrote to memory of 2356 
1264 RegAsm.exe schtasks.exe PID 1264 wrote to memory of 2356 1264 RegAsm.exe schtasks.exe PID 2336 wrote to memory of 3024 2336 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 2336 wrote to memory of 3024 2336 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 2336 wrote to memory of 3024 2336 xTMUmRNSplXXLMhgma5.exe RegAsm.exe PID 2336 wrote to memory of 3024 2336 xTMUmRNSplXXLMhgma5.exe RegAsm.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS activity (vssvc.exe, and DrvInst.exe operating on a HarddiskVolumeSnapshot) accompanies the Windows Installer transaction rather than the NanoCore payload; no shadow-copy deletion appears in the recorded command lines.
Processes
-
[level 1] C:\Windows\system32\msiexec.exe — msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
[level 1] C:\Windows\system32\msiexec.exe — C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\Installer\MSI3C28.tmp — "C:\Windows\Installer\MSI3C28.tmp"
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe — C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe — "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.cmdline"
- Suspicious use of WriteProcessMemory
-
[level 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe — C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E86.tmp" "c:\Users\Admin\AppData\Local\Temp\tfotbjir\CSC2A8EB007886F4CC0B29075731CDA75E2.TMP"
-
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe — "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ccqb1ea\3ccqb1ea.cmdline"
- Suspicious use of WriteProcessMemory
-
[level 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe — C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F13.tmp" "c:\Users\Admin\AppData\Local\Temp\3ccqb1ea\CSC28ADD20F114243D88D7A56282C9E4258.TMP"
-
[level 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe — "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (launched with no arguments; a genuine RegAsm invocation takes an assembly path, so an argument-less RegAsm.exe spawned by a non-build process is a useful detection pivot for the injection seen above)
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[level 5] C:\Windows\SysWOW64\schtasks.exe — "schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC1D9.tmp"
- Scheduled Task/Job: Scheduled Task
-
[level 5] C:\Windows\SysWOW64\schtasks.exe — "schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC2F2.tmp"
- Scheduled Task/Job: Scheduled Task
-
[level 4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe — "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[level 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe — "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rje3ry5q\rje3ry5q.cmdline"
- Suspicious use of WriteProcessMemory
-
[level 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe — C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1F8.tmp" "c:\Users\Admin\AppData\Local\Temp\rje3ry5q\CSC6212267F3E894A2CB8C32F175495BE.TMP"
-
[level 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe — "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzmbox2o\dzmbox2o.cmdline"
- Suspicious use of WriteProcessMemory
-
[level 6] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe — C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC284.tmp" "c:\Users\Admin\AppData\Local\Temp\dzmbox2o\CSCDE454407FAC347EFA2FE6263165E1BE7.TMP"
-
[level 5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe — "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (second injection target, PID 3024; again launched with no arguments)
-
[level 5] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe — "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe" (third loader copy, PID 2600; this instance crashed, see WerFault below)
- Executes dropped EXE
-
[level 6] C:\Windows\SysWOW64\WerFault.exe — C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 544
- Loads dropped DLL
- Program crash
-
[level 1] C:\Windows\system32\vssvc.exe — C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
[level 1] C:\Windows\system32\DrvInst.exe — DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003C8"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Note: the Privilege Escalation column repeats the three Persistence techniques because ATT&CK maps them to both tactics; it is not, by itself, evidence that a privilege boundary was crossed in this run.
Downloads
-
C:\Config.Msi\f763b50.rbsFilesize
663B
MD5e7a7a7d9cdf437084af0b9154f8e212d
SHA11ef50ae276874a597330e7ca670cf2c1a6aa798a
SHA256852e5cacd8a2e769eedb0389423842576723b191279394c345cbd7304aef1e31
SHA5125608a9bbc6e566cac1635c51009378a919ccb6fccf9b2d068a6aacdb33956019e589c03a532aacabbc84fe65d571924e4ca2d053bed1af0a4d616d81c86dc362
-
C:\Users\Admin\AppData\Local\Temp\3ccqb1ea\3ccqb1ea.dllFilesize
634KB
MD5854ee7e7aaa8698f36a216806bc04ca4
SHA131c3c0be81436b6bcedea29ea5602c0055118051
SHA2567e23d07a6474d6cfbb6a5685f2dd44e0a2d61fdd7ea1a1c9f349ce02a8f5602c
SHA51234b3a3da6d4268771c23d4ab63fd38ed4d916ce4030a1f1e2df6aa6db589dfe0cf0364717305120c2da8ed7e0bfd21d704ba33106fbe9d497a17858f806d72e5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5 (no extension; same base name as the 113KB loader below — presumably a companion data/payload blob the loader consumes, not confirmed by this report)
Filesize: 946KB
MD5: b73c6439a2302db41bb7737de87b8835
SHA1: a3f1fb5fc06083f5e0adfe7e26ddb094883b7d6b
SHA256: 2f28247f05c070b5dd9c869b152e7b4084254d7b162a193a9a43b5c8b2419c1f
SHA512: 68e3f65502cbc32d4d2c1e699e9ca07a3493e554cecf058e632f82874ecec61a63367de56ad693db94ec069e076a44701ce3068deb8748b739c0d6dbcaa70991
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe (the dropped loader that compiles via csc.exe and injects into RegAsm.exe)
Filesize: 113KB
MD5: ac692fdb7dc25fdea0c0a82819b9ca05
SHA1: 2b94177f0144e34dbd39b847e6bc3305ba7fe080
SHA256: afdceace49e12768aa2500489c6102293a1f6e7cb9c844610a655fa741ce0cdb
SHA512: 04303b051c722d28d8e382acf62997766478cde0ef36473c85ba71c648001a4960f08417e3493d10fb582be5c6293be851eed459c063d6b36561defdc307e2ba
-
C:\Users\Admin\AppData\Local\Temp\RES3E86.tmpFilesize
1KB
MD5639a0352bb86776e2fe927bc28860a68
SHA1a46f06e3b7e3c98f0672f1617b9064983919f043
SHA256b54b0c17c4caf83004d101395a9adf30c9e1067dcc579f55031ad8fdfe53ffc0
SHA512e579d68187039202a2391e3fb4e5a42a032d577ded17e1cd4472c5931e57dec238643f9b763a95dedcc427857e4ed2b3834625fe79f6afad32b5436f24182eb9
-
C:\Users\Admin\AppData\Local\Temp\RES3F13.tmpFilesize
1KB
MD5a8fdafd9115969805b0acffda3eb6593
SHA152f9448a7853759b473a664676bec4c5b71ce8c4
SHA256bef9f45371d81f46eccfc020547c85a1407c9da648f82f504f01c2fedaf7dabc
SHA512a7802d510903b1bc4d537332127786ef9beef14996b3bd82227c5aa5a62afdfd2626d98207846370bbb261eb27721df84560ff63aa4486b955e1cd74f8f3c289
-
C:\Users\Admin\AppData\Local\Temp\RESC1F8.tmpFilesize
1KB
MD52205da7b6ea8ee1b778595d2d5ab8193
SHA15a3a68b93d5bcfaca9aeeef50b298a51eaf61b25
SHA256128dcc56c464bf2af20abf0e9ad3b78d7fab54607c59cc07e0cd525733f0ea5b
SHA51274d47ef7e4abc718db5383b3495c3b6031b739b70515a7c5143274843785070d2b76ee2a8fabd19407755f9c31c996a8a8dbaaa5f2d356f627105dfe3c016331
-
C:\Users\Admin\AppData\Local\Temp\RESC284.tmpFilesize
1KB
MD5d9df7d277a854099892ee95063185aa0
SHA134dc0820c1f932b41ae0567eef4f9cd2cd26745e
SHA2566fd1ae8cca2f1cd7553d88c1788331e689d800b17cc2559e86a86a6e3aa79e24
SHA5121dfce99fce8c07f098a12a95920c8614bb2e29080152a8c1587793fe39701f7d39e08c507a7530289021831d25bd904c40495cea49246a51a0398c0d891795a4
-
C:\Users\Admin\AppData\Local\Temp\dzmbox2o\dzmbox2o.dllFilesize
634KB
MD5f58992a3e62df69180849eeab6fdfc67
SHA1205a342d25b7a9ccd05bca235b56fab598e6fb1c
SHA2564e67d65da09e3eb168f4d3c3e9d09bb47acfda97a5183e68cbdf23f10319bf8c
SHA512a2f63d28d56ecfe587af0fe3649ef3d376ffb685789314f9f3dada2fc3d61de9b4cde423aac79e6f5910817c75a23b44b4e65c2b3c7c67021bc09a98a699a563
-
C:\Users\Admin\AppData\Local\Temp\rje3ry5q\rje3ry5q.dllFilesize
634KB
MD5bdffef07a18efb3e823a07ff2d9aa059
SHA1b45d813c206ab421667efb3487387c9e2a2fe1fa
SHA256b7aa834d86476c35ec8c5a10f5436c72c05593e3c4382fda0d6d8e4745c8d2dd
SHA5126c9121a6ea2b49775c4c077c83af94093a322da27579c5c282f7b71eb51b8e90e3f2567db8bf396ea7e89dad78222217c125009f3b9abbba0021d27b4b58b0b4
-
C:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.dllFilesize
634KB
MD523e80110ba883fd0acfc2f706c216388
SHA19c4032b9ab3b8347931ae5236aa5a24daf682ee2
SHA256c93192360deefcb18ecf7c0246e109ff1ca9662b4394b9f131bcfe91f6ff149a
SHA512b64da09fcc1b1a8f5bfee7e7eddff977875f302a776df909ddeb911d34376a385d6b42f86f51e6251f6173e931041198601b40b893d5a0612fd19786a781f8ec
-
C:\Users\Admin\AppData\Local\Temp\tmpC1D9.tmpFilesize
1KB
MD548ef7fa9033389ad7929d7a6b9d10298
SHA19db6cb7325c8bdf66a15f7b5f34703709a45aeb6
SHA2560c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
SHA512ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e
-
C:\Users\Admin\AppData\Local\Temp\tmpC2F2.tmpFilesize
1KB
MD54b7ef560289c0f62d0baf6f14f48a57a
SHA18331acb90dde588aa3196919f6e847f398fd06d1
SHA256062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207
SHA512ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8
-
C:\Windows\Installer\MSI3C28.tmpFilesize
425KB
MD57997a52983aa768553d9e039f011e9a8
SHA19b2955a38238fdc5c5511dbb8c578c63a9e19495
SHA2561ea29b91f3647b1cf4822cff87a2e5a7030f2ad92c88013381a6eb4a4088f4c0
SHA5122682afb87b6f860395d286df4ba4a519586b8c4a5fdaa5495ceb964eb2c2c35a7f08896a8c6d28ec691e87b2084c43afc5a7062f9369fbafcbec6c4881d3d083
-
\??\c:\Users\Admin\AppData\Local\Temp\3ccqb1ea\3ccqb1ea.cmdlineFilesize
302B
MD5ed4fcac88c13828307e5a5a7d470c221
SHA1e9da0176b6c158d63e00ee09de1f7e614a0c8e37
SHA25677a0e08592f9fefbf6f5e62b83073dfdccd12a28719a63ae0deb024d6ab8f2d9
SHA512dd3b9f6508c5f669b7a5d313631a6530f320fcf67c7adfcee3056ee8ae6cbe9d43385557ca454453315835d296ef12ba1a0c2e5d24e929f9069fe794b1d52855
-
\??\c:\Users\Admin\AppData\Local\Temp\3ccqb1ea\CSC28ADD20F114243D88D7A56282C9E4258.TMPFilesize
652B
MD52c3d4ee93d95073e227eea419ee2637f
SHA1420bb20ff5a0af396c28250563462d3e894ae795
SHA256cfe40698224866b71ad5a869431b480f27209a3bb548202011a240afbe5ce1c3
SHA5120842bed4c880a924a48c6e8fc33d15fd07cd1f3f695e448670aab71b785fbde9a2691c3edd17c1931a086313be9bc0fe9a9f67b90c8673db682fa563741c93bd
-
\??\c:\Users\Admin\AppData\Local\Temp\dzmbox2o\CSCDE454407FAC347EFA2FE6263165E1BE7.TMPFilesize
652B
MD592732d290af70c29cdf086e1a6cbb9c3
SHA19ec199bfc03557c44198adeb5b2dcdc4a450ca34
SHA2563e2b041b83dc5ab47f390007ea1eb222ba9f0ec44be9cc6a6867357761f2d9be
SHA512b39633a440edd5bc4f3cdcc30f40f8ea5cf53e8abb4be36188ffe814dd84c3c7bf4a58094f95af468961f0ac39f44f2835c725b9c58c953d8f0bdbc238c85246
-
\??\c:\Users\Admin\AppData\Local\Temp\dzmbox2o\dzmbox2o.cmdlineFilesize
302B
MD558c47230a4e55a4c823a08d159b6baa9
SHA1f27eaf76518513417ed145a3f87939d610fdf580
SHA256ef2d3be7549cceb3b9c5058d2779a428c8b8aec1641da8be3a2df4fc88894375
SHA5125721784d9c8a7008cd6b36e4ba68a82cc029eeb6c0b2cf94ee41c3837aaa0a1e3a1abcda1221a3fe85c686e49962eca00af55e56f0f779fa97223af61ebc67a3
-
\??\c:\Users\Admin\AppData\Local\Temp\rje3ry5q\CSC6212267F3E894A2CB8C32F175495BE.TMPFilesize
652B
MD5bbbfc0c7cfb2a35078e9fb488da66763
SHA185a630981c7462f25c27435d7fcd023a16549dc2
SHA256db971468e03b47d3f1a210824fa4f12109e9f64815a17bb44360a9eff4d5a42f
SHA512324af00d603a795ce71a6db02961d6e490cbf298f9f63b6c4b55247ba4c23c68974e4e8a44005c7efb6992419258e687779227729debf011fbe3e7d3d71a64ad
-
\??\c:\Users\Admin\AppData\Local\Temp\rje3ry5q\rje3ry5q.cmdlineFilesize
302B
MD5983af9b59193e486329ec722bde0e040
SHA14617a51ba213dd9b2551f3a383d555cda8ac2362
SHA256465c49b5ee7cd2dcd1f9fb0fbb3887a172ab1e16025823054c682b813708c66a
SHA512e06a869ccc9159476b78505c88ec4097daf0c9342aeeff5a8d8d29326afcf71a970de919cd3cfd049c6ce8a614afa6a29456692c291439f326c478fe6047fea5
-
\??\c:\Users\Admin\AppData\Local\Temp\tfotbjir\CSC2A8EB007886F4CC0B29075731CDA75E2.TMPFilesize
652B
MD5db87782e895cd82cdc24175299fff756
SHA167e3edb45a7f5dd3e0094ae569846e6ee65ab8fd
SHA256683da3abc12d803970f3ded9ac0f7f7c54ec7fbd3c7c82296e497b9108f3a179
SHA51266d7bd60fbbae0337f4c474702280d15de0fc0e9f130df46c8bb86a8b682c16170a220f2cedadc5d451a863be9de173788364e8905657a1471e2afaec8676b52
-
\??\c:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.0.csFilesize
946KB
MD5b5d745ad124400fe21ea0c07e7d0e8bc
SHA14e8cb83eb077c46240e9c0c372a3404763c6c132
SHA256a75d60a3aba62d7137461fd31761cba8d6f6c7f8db75cf9d491d1a53c254e95e
SHA512a9c96c2f56c8f4134cafd2bbc8599e57e7fc1c469afd151ce861e28667c27c6e89e0f35606c2fd6ea64c192f549bdabdc4fc20d7059179d935b94dd94f800e8b
-
\??\c:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.cmdlineFilesize
302B
MD56636a9d89510980dc39f569b20e2c31f
SHA14df4e32b1c300cd2ced3bf78079b609320a37e5a
SHA2569b8fae8d9d15056ee2d4998598ced5015a65e7ab49d3a33a64b0b5d5c923ffe5
SHA5124b629c21c7ca6492f7c7a9e210e28c820d1feb0f95d496a435fe3142a6b17e631d42c3fa904929a8a3c65258aab1e5c59fbaa2b2b6c1b7ded4af635e1340bbc9
-
memory/768-37-0x0000000000940000-0x00000000009E4000-memory.dmpFilesize
656KB
-
memory/768-51-0x0000000000CF0000-0x0000000000D94000-memory.dmpFilesize
656KB
-
memory/768-53-0x00000000009E0000-0x0000000000A22000-memory.dmpFilesize
264KB
-
memory/768-23-0x0000000001290000-0x00000000012B2000-memory.dmpFilesize
136KB
-
memory/1264-58-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1264-59-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1264-98-0x00000000007E0000-0x00000000007EA000-memory.dmpFilesize
40KB
-
memory/1264-99-0x00000000007F0000-0x000000000080E000-memory.dmpFilesize
120KB
-
memory/1264-100-0x0000000000810000-0x000000000081A000-memory.dmpFilesize
40KB
-
memory/1264-57-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2336-92-0x0000000000C30000-0x0000000000CD4000-memory.dmpFilesize
656KB
-
memory/2336-94-0x00000000003C0000-0x0000000000402000-memory.dmpFilesize
264KB
-
memory/2336-77-0x0000000000B40000-0x0000000000BE4000-memory.dmpFilesize
656KB