nanocore | 32a820b30108102245b1c458b9237893e80a644fe1113dca3d4b2132a93f5db3

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
Size

452KB
MD5

167cc413faac757b6a7e57133ceedd0e
SHA1

1421d708f6eb6e08745172ea1d44f6af4857de0d
SHA256

32a820b30108102245b1c458b9237893e80a644fe1113dca3d4b2132a93f5db3
SHA512

61873a138588e461744bdcc1a8ad01968ccd549a9408a707acb09946aa1b2422a8771de831911149aa7233094b6583917347f0f8694138fc135018909ed16ccd
SSDEEP

6144:qEJK6g8ITN45qFqshyrwZdWYXPoPyl5FM13iyDFsDTAb/j8Fft6WEgrYvXmH3cpN:qEJKNUEvhRZIIR5M3ipprYAXyRNCj+

Score

10^/10

nanocore evasion keylogger persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

manifest.duckdns.org:61970

Mutex

2004e655-d8f5-4f56-b1bd-1074cc528f1d

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-11-15T20:09:19.510421436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
61970
default_group
Monte Carlo
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2004e655-d8f5-4f56-b1bd-1074cc528f1d
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
manifest.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

xTMUmRNSplXXLMhgma5.exeMSI8D82.tmpxTMUmRNSplXXLMhgma5.exeRegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe"	xTMUmRNSplXXLMhgma5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	MSI8D82.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe"	xTMUmRNSplXXLMhgma5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"	RegAsm.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

xTMUmRNSplXXLMhgma5.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation xTMUmRNSplXXLMhgma5.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

xTMUmRNSplXXLMhgma5.exe

description pid process target process

PID 3852 set thread context of 2932 3852 xTMUmRNSplXXLMhgma5.exe RegAsm.exe
Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description ioc process

File opened for modification C:\Program Files (x86)\SMTP Subsystem\smtpss.exe RegAsm.exe
File created C:\Program Files (x86)\SMTP Subsystem\smtpss.exe RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	xTMUmRNSplXXLMhgma5.exe

description	pid	process	target process
PID 3852 set thread context of 2932	3852	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	RegAsm.exe
File created	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	RegAsm.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI8D82.tmp	msiexec.exe
File created	C:\Windows\Installer\e5986ab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5986ab.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BAC.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

Processes:

MSI8D82.tmpxTMUmRNSplXXLMhgma5.exexTMUmRNSplXXLMhgma5.exe

pid process

892 MSI8D82.tmp
3852 xTMUmRNSplXXLMhgma5.exe
4232 xTMUmRNSplXXLMhgma5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

3248 msiexec.exe

pid	process
892	MSI8D82.tmp
3852	xTMUmRNSplXXLMhgma5.exe
4232	xTMUmRNSplXXLMhgma5.exe

pid	process
3248	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000064efbbd21686319b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000064efbbd20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090064efbbd2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d64efbbd2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000064efbbd200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3184 schtasks.exe
3324 schtasks.exe

pid	process
3184	schtasks.exe
3324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exexTMUmRNSplXXLMhgma5.exe

pid	process
4084	msiexec.exe
4084	msiexec.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2932 RegAsm.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

xTMUmRNSplXXLMhgma5.exe

pid process

3852 xTMUmRNSplXXLMhgma5.exe
3852 xTMUmRNSplXXLMhgma5.exe

pid	process
2932	RegAsm.exe

pid	process
3852	xTMUmRNSplXXLMhgma5.exe
3852	xTMUmRNSplXXLMhgma5.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exexTMUmRNSplXXLMhgma5.exeRegAsm.exe

description	pid	process
Token: SeShutdownPrivilege	3248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3248	msiexec.exe
Token: SeSecurityPrivilege	4084	msiexec.exe
Token: SeCreateTokenPrivilege	3248	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3248	msiexec.exe
Token: SeLockMemoryPrivilege	3248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3248	msiexec.exe
Token: SeMachineAccountPrivilege	3248	msiexec.exe
Token: SeTcbPrivilege	3248	msiexec.exe
Token: SeSecurityPrivilege	3248	msiexec.exe
Token: SeTakeOwnershipPrivilege	3248	msiexec.exe
Token: SeLoadDriverPrivilege	3248	msiexec.exe
Token: SeSystemProfilePrivilege	3248	msiexec.exe
Token: SeSystemtimePrivilege	3248	msiexec.exe
Token: SeProfSingleProcessPrivilege	3248	msiexec.exe
Token: SeIncBasePriorityPrivilege	3248	msiexec.exe
Token: SeCreatePagefilePrivilege	3248	msiexec.exe
Token: SeCreatePermanentPrivilege	3248	msiexec.exe
Token: SeBackupPrivilege	3248	msiexec.exe
Token: SeRestorePrivilege	3248	msiexec.exe
Token: SeShutdownPrivilege	3248	msiexec.exe
Token: SeDebugPrivilege	3248	msiexec.exe
Token: SeAuditPrivilege	3248	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3248	msiexec.exe
Token: SeChangeNotifyPrivilege	3248	msiexec.exe
Token: SeRemoteShutdownPrivilege	3248	msiexec.exe
Token: SeUndockPrivilege	3248	msiexec.exe
Token: SeSyncAgentPrivilege	3248	msiexec.exe
Token: SeEnableDelegationPrivilege	3248	msiexec.exe
Token: SeManageVolumePrivilege	3248	msiexec.exe
Token: SeImpersonatePrivilege	3248	msiexec.exe
Token: SeCreateGlobalPrivilege	3248	msiexec.exe
Token: SeBackupPrivilege	2896	vssvc.exe
Token: SeRestorePrivilege	2896	vssvc.exe
Token: SeAuditPrivilege	2896	vssvc.exe
Token: SeBackupPrivilege	4084	msiexec.exe
Token: SeRestorePrivilege	4084	msiexec.exe
Token: SeRestorePrivilege	4084	msiexec.exe
Token: SeTakeOwnershipPrivilege	4084	msiexec.exe
Token: SeRestorePrivilege	4084	msiexec.exe
Token: SeTakeOwnershipPrivilege	4084	msiexec.exe
Token: SeRestorePrivilege	4084	msiexec.exe
Token: SeTakeOwnershipPrivilege	4084	msiexec.exe
Token: SeBackupPrivilege	1968	srtasks.exe
Token: SeRestorePrivilege	1968	srtasks.exe
Token: SeSecurityPrivilege	1968	srtasks.exe
Token: SeTakeOwnershipPrivilege	1968	srtasks.exe
Token: SeBackupPrivilege	1968	srtasks.exe
Token: SeRestorePrivilege	1968	srtasks.exe
Token: SeSecurityPrivilege	1968	srtasks.exe
Token: SeTakeOwnershipPrivilege	1968	srtasks.exe
Token: SeDebugPrivilege	3852	xTMUmRNSplXXLMhgma5.exe
Token: SeDebugPrivilege	2932	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

3248 msiexec.exe

pid	process
3248	msiexec.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

msiexec.exeMSI8D82.tmpxTMUmRNSplXXLMhgma5.execsc.execsc.exexTMUmRNSplXXLMhgma5.exeRegAsm.execsc.execsc.exe

description	pid	process	target process
PID 4084 wrote to memory of 1968	4084	msiexec.exe	srtasks.exe
PID 4084 wrote to memory of 1968	4084	msiexec.exe	srtasks.exe
PID 4084 wrote to memory of 892	4084	msiexec.exe	MSI8D82.tmp
PID 4084 wrote to memory of 892	4084	msiexec.exe	MSI8D82.tmp
PID 4084 wrote to memory of 892	4084	msiexec.exe	MSI8D82.tmp
PID 892 wrote to memory of 3852	892	MSI8D82.tmp	xTMUmRNSplXXLMhgma5.exe
PID 892 wrote to memory of 3852	892	MSI8D82.tmp	xTMUmRNSplXXLMhgma5.exe
PID 892 wrote to memory of 3852	892	MSI8D82.tmp	xTMUmRNSplXXLMhgma5.exe
PID 3852 wrote to memory of 3460	3852	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 3852 wrote to memory of 3460	3852	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 3852 wrote to memory of 3460	3852	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 3460 wrote to memory of 4008	3460	csc.exe	cvtres.exe
PID 3460 wrote to memory of 4008	3460	csc.exe	cvtres.exe
PID 3460 wrote to memory of 4008	3460	csc.exe	cvtres.exe
PID 3852 wrote to memory of 4464	3852	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 3852 wrote to memory of 4464	3852	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 3852 wrote to memory of 4464	3852	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 4464 wrote to memory of 4412	4464	csc.exe	cvtres.exe
PID 4464 wrote to memory of 4412	4464	csc.exe	cvtres.exe
PID 4464 wrote to memory of 4412	4464	csc.exe	cvtres.exe
PID 3852 wrote to memory of 3804	3852	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 3852 wrote to memory of 3804	3852	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 3852 wrote to memory of 3804	3852	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 3852 wrote to memory of 2932	3852	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 3852 wrote to memory of 2932	3852	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 3852 wrote to memory of 2932	3852	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 3852 wrote to memory of 2932	3852	xTMUmRNSplXXLMhgma5.exe	RegAsm.exe
PID 3852 wrote to memory of 4232	3852	xTMUmRNSplXXLMhgma5.exe	xTMUmRNSplXXLMhgma5.exe
PID 3852 wrote to memory of 4232	3852	xTMUmRNSplXXLMhgma5.exe	xTMUmRNSplXXLMhgma5.exe
PID 3852 wrote to memory of 4232	3852	xTMUmRNSplXXLMhgma5.exe	xTMUmRNSplXXLMhgma5.exe
PID 4232 wrote to memory of 2348	4232	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 4232 wrote to memory of 2348	4232	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 4232 wrote to memory of 2348	4232	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 2932 wrote to memory of 3184	2932	RegAsm.exe	schtasks.exe
PID 2932 wrote to memory of 3184	2932	RegAsm.exe	schtasks.exe
PID 2932 wrote to memory of 3184	2932	RegAsm.exe	schtasks.exe
PID 2348 wrote to memory of 376	2348	csc.exe	cvtres.exe
PID 2348 wrote to memory of 376	2348	csc.exe	cvtres.exe
PID 2348 wrote to memory of 376	2348	csc.exe	cvtres.exe
PID 4232 wrote to memory of 4056	4232	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 4232 wrote to memory of 4056	4232	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 4232 wrote to memory of 4056	4232	xTMUmRNSplXXLMhgma5.exe	csc.exe
PID 2932 wrote to memory of 3324	2932	RegAsm.exe	schtasks.exe
PID 2932 wrote to memory of 3324	2932	RegAsm.exe	schtasks.exe
PID 2932 wrote to memory of 3324	2932	RegAsm.exe	schtasks.exe
PID 4056 wrote to memory of 5104	4056	csc.exe	cvtres.exe
PID 4056 wrote to memory of 5104	4056	csc.exe	cvtres.exe
PID 4056 wrote to memory of 5104	4056	csc.exe	cvtres.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\Installer\MSI8D82.tmp
"C:\Windows\Installer\MSI8D82.tmp"
2⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
3⤵
- Adds Run key to start application
- Checks computer location settings
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C27.tmp" "c:\Users\Admin\AppData\Local\Temp\pgdau5lr\CSC41AD57B7170A4068A884627ACF34D3CA.TMP"
5⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3uu3iea\g3uu3iea.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EA7.tmp" "c:\Users\Admin\AppData\Local\Temp\g3uu3iea\CSCA61695FBB97D4E4A97155E7A71A9822F.TMP"
5⤵
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FDB.tmp"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp31B1.tmp"
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe"
4⤵
- Adds Run key to start application
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gssgse2b\gssgse2b.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30B6.tmp" "c:\Users\Admin\AppData\Local\Temp\gssgse2b\CSC230F842BDF4E462890DE50E86E17ABE0.TMP"
6⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\euza5w00\euza5w00.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES327B.tmp" "c:\Users\Admin\AppData\Local\Temp\euza5w00\CSC21AC80ACE5BA4AD1BCA796329BBBFD4.TMP"
6⤵
PID:5104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

Installer Packages

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

Installer Packages

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5
Filesize
946KB

MD5
b73c6439a2302db41bb7737de87b8835

SHA1
a3f1fb5fc06083f5e0adfe7e26ddb094883b7d6b

SHA256
2f28247f05c070b5dd9c869b152e7b4084254d7b162a193a9a43b5c8b2419c1f

SHA512
68e3f65502cbc32d4d2c1e699e9ca07a3493e554cecf058e632f82874ecec61a63367de56ad693db94ec069e076a44701ce3068deb8748b739c0d6dbcaa70991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
Filesize
113KB

MD5
ac692fdb7dc25fdea0c0a82819b9ca05

SHA1
2b94177f0144e34dbd39b847e6bc3305ba7fe080

SHA256
afdceace49e12768aa2500489c6102293a1f6e7cb9c844610a655fa741ce0cdb

SHA512
04303b051c722d28d8e382acf62997766478cde0ef36473c85ba71c648001a4960f08417e3493d10fb582be5c6293be851eed459c063d6b36561defdc307e2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES30B6.tmp
Filesize
1KB

MD5
af4cf1330d8a44ca7b2391fdd160ab7d

SHA1
cdc622524760912559f3bf3b612d895db0701378

SHA256
4c7498a543055236bd47fe8f0b0e8796ad97790ff9ef07637e1a9a7442f98e24

SHA512
9e7c74f505ef332c45888b56a789dbabe916a080399cc6b7892eb4b475061e9ace17737b918eab4bf5a2a33e0a5c0c3827db03cbd673b6186d559e925faa90f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES327B.tmp
Filesize
1KB

MD5
e2108c198c1081d9cc3f293210a30b26

SHA1
d318d98cd46020b36b44ef3f152eba55072f3606

SHA256
801667d86d7394f40688091552ebf5665f10ba617800d791231b14fe04616cd4

SHA512
28a968b76cbc47bb9f44a648ab8fcedb56be0c9357b442def75ef2720afb6d685e5889961e17472ee6f24252c0fece6cbc0ff914fe8d36cb48e7eaa11a00a02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9C27.tmp
Filesize
1KB

MD5
88b1054906e974e53fdf6b645607ef75

SHA1
fa7eefc1538bcd35c5bcf24ab9d5cf5efd41bfc1

SHA256
efae90c28f6c89bd044457b0b2bb42bd96fed5f083d42ed19452a4b6492c2ede

SHA512
f04b9e85f44f20e754a6e5ba45748519b218c412177d5e142e6427c63ef8a0823101be1e83c7b361b642a9b2dd671193ee65b8c0ba17ead0e4bd530c4cfa718e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9EA7.tmp
Filesize
1KB

MD5
897163bb9b11f8d7c5521fec0bf2df90

SHA1
4da9b13bddc5d3ea9a40ed019ae3882f6d2048f4

SHA256
6f902a0132035315a0523a06a8227e1fe48af17df40837d699e0c835f8639dcf

SHA512
937ed305bc16922022e63b47cd23f12cee1ef3e2923c85ad7fc88c5f16b0b39c3a1ab530233fbbb1f501101705a6948c5d6d2303d6dfa35f4546006886caeff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\euza5w00\euza5w00.dll
Filesize
634KB

MD5
37123fe217b5024ad55eb56b08bd0dd9

SHA1
5e0a65ba64379f5e0eed8dcc52dd160faadb510b

SHA256
855f78b05dc33014027203e5c54b5a3051396d930e421042e51324944aa1752f

SHA512
b3307db1cf4f5f18255009e4ca6faa74bf9e6ecd81f471b263f0f5693fbce1f554ed09fe1b89c601ea75b9919e14ac823b06d0b1235fc5dfbeb4c01d0afc3409

Download Submit
C:\Users\Admin\AppData\Local\Temp\g3uu3iea\g3uu3iea.dll
Filesize
634KB

MD5
e65a84b05a013eaf8b961c460703ef08

SHA1
a58e189f24f3cd8af9e1bc9285380df9dc35f0ae

SHA256
2d288f6b2fb3adcbbbf3bf0d0f62ed9543d41812448f9be5328df975b8139dee

SHA512
bf0cd8dfd2485bf6111c26922767b3925dab8b8eb45aee4eb6a7d99ab3da191e621c65cb0004eccd3de11d4b686cf02fcc3c4d1fb7fde37ed077146fead1a906

Download Submit
C:\Users\Admin\AppData\Local\Temp\gssgse2b\gssgse2b.dll
Filesize
634KB

MD5
552d7717ddbc0f3a748fafd6f8bf6377

SHA1
2f6a69435938352135cdb1b2df7c1ccc65d7a079

SHA256
e27caae87a6c48761a81821d6ea054c39da899386c5928bea78243af14dce353

SHA512
1d1677e89d4b38a1231f552df62dc39983d8e78791ee68298ee69f03f0341a24131822be6a4c2c12f32f5f20744d4c8f2701ba2043b95e1b09d7ff0abe3bfb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.dll
Filesize
634KB

MD5
0c492c980ddb428f872950f260632a79

SHA1
507cd7344da40b9992633810df94cd65f2b3c863

SHA256
62f5e559b6c5d65cdb3f60951b08891eb87f31b3b5ed1287e853af67f10c0670

SHA512
227824c1c9b7e914fdb36e30e2883f0f50d0e6b8cadef77b72e1761ff85966e69ed43abae5275663e0f400229818e0deb8fbaff5a5c63e6f63b79fdfd700da72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FDB.tmp
Filesize
1KB

MD5
48ef7fa9033389ad7929d7a6b9d10298

SHA1
9db6cb7325c8bdf66a15f7b5f34703709a45aeb6

SHA256
0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15

SHA512
ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31B1.tmp
Filesize
1KB

MD5
0339b45ef206f4becc88be0d65e24b9e

SHA1
6503a1851f4ccd8c80a31f96bd7ae40d962c9fad

SHA256
3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83

SHA512
c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551

Download Submit
C:\Windows\Installer\MSI8D82.tmp
Filesize
425KB

MD5
7997a52983aa768553d9e039f011e9a8

SHA1
9b2955a38238fdc5c5511dbb8c578c63a9e19495

SHA256
1ea29b91f3647b1cf4822cff87a2e5a7030f2ad92c88013381a6eb4a4088f4c0

SHA512
2682afb87b6f860395d286df4ba4a519586b8c4a5fdaa5495ceb964eb2c2c35a7f08896a8c6d28ec691e87b2084c43afc5a7062f9369fbafcbec6c4881d3d083

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.7MB

MD5
a67436841d3cc8087f817f9617a94991

SHA1
0108b407817dcc61ae7f645941ea962bafb5cef3

SHA256
ad2b8737549a33a903b83532c62e12c7b46ef9ffdec82b7b19afd490d7072fec

SHA512
21f635ef3f76acdad828e93e1c368d82f4d4c8b70b0a7478959ce784f37b3ba4a2fbd9961761f3ad3b9b0f6961dc9036e2c487a4b61db7c10c547adf5073b399

Download Submit
\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{424f01d8-38b7-4964-9359-de78fed1d63a}_OnDiskSnapshotProp
Filesize
6KB

MD5
5535ca3b838d7b7c4c8d534907c07586

SHA1
510b4cea6def78d1366a01f5d38c8a0cf23d4eb4

SHA256
7ef2dc7d320158979ee849b85b9a7c807e9775bcee92b156b193ac942b6d1080

SHA512
c970b815e6da6fde6f4f0d4470d7c28ff2708c705a4f7fce0345dfbc4d4293991bd54602bdc7ea3388a78fbcf8cd72d00c6c2ba6691c7aae91344578c0b1bec5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\euza5w00\CSC21AC80ACE5BA4AD1BCA796329BBBFD4.TMP
Filesize
652B

MD5
bf4e841fb044af93af010115e32e94ec

SHA1
f3a40d11e7a1f21aa742134defce0c9e6c0a9157

SHA256
1975377087a0961a6a5c039e73084a9b7b6493984d0065be7cb036a2244718db

SHA512
7728951df5a1e271d90c68101bb77c109a552796e373141d7c53dd65c4bb832115d97d4e7823760cd8cbaf4b418588fbea7be5939c5f7772b005a92e848cfec4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\euza5w00\euza5w00.cmdline
Filesize
302B

MD5
21cb17ab6f72104c6f3a8f6c7cc570e1

SHA1
952d90c9f3e5451677b6fb0d94408318ead9a7f5

SHA256
624a77bac480091fd0f5d3202debf94ae9c31f611ea6c8be752a7341023d123f

SHA512
576b3a674a70fc5fb759329b299b45bab6eee75c989c29a3de3500b5d1e58ba70d3eb064e3e5e3079670c19b59fdf311c9ef508fb1d76b5288df5f4acf08e1b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g3uu3iea\CSCA61695FBB97D4E4A97155E7A71A9822F.TMP
Filesize
652B

MD5
dbbd4c9e25d1d62cc91e6a2b22e5206a

SHA1
c6894b91256092d14466a23f8abae41db2a8ad4c

SHA256
065a44fbde4ca4c150800b58f7905ef46d1199d81a65b1ed729029c03c54b9a8

SHA512
cf64612881d006f0dd52a07c8f7f952ee696bbd3692738ce3b59218e1aec55b25ac0f2d31f8cafec6b4fed6a3aced38018d62b3879e5741c35864037268f7662

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g3uu3iea\g3uu3iea.cmdline
Filesize
302B

MD5
c19a0fdeb33cbfba9aafd88d480b909d

SHA1
9283bc5cb8ce5fb20e9f17df165fae4162a87fd2

SHA256
95819c24d969f9e6609c3b57d82c558ba7e3f194cef83761ae3e9f4b684838d0

SHA512
4d5ae2e07bd8ed3bc4a83219d0b5019c0b9b1b047bf835853e9f06da258b60466443dadcf462acbcba53f50d012a1f5b20dde2431512804752be8a81746bef33

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gssgse2b\CSC230F842BDF4E462890DE50E86E17ABE0.TMP
Filesize
652B

MD5
f7261ab3cceb63493c4f6c191830aea6

SHA1
c352ad41fd0e434ff2b79e7f5c5743b1fe82b3e2

SHA256
fae4270c31c739d0c19863a8979b8cf0b7e223bcb32d2b241e22e2299a828518

SHA512
7642527a33d9456ae89b2dd4ef2b7af72c8e94245e9e1097d83c7ee25101b63f259716703a74968a2f9bc43fc255b2263db2c806c216054f1eb31b3c1285dfa7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gssgse2b\gssgse2b.cmdline
Filesize
302B

MD5
f0ea6027fbb2696f916d2751fc028d9f

SHA1
e2e8e0af5b75f0f6582575ef2874d0b164b14878

SHA256
e7d15be1932b9fa62938ee2e9c16d6c4921f5e60cbb387dffc86f491b9f38b32

SHA512
0e2ebcaf5aaeb0c9a94d7d737aa5d2adf50ca23afc89aa3a34518625dd9e083e879d1c0da9122dc097682225ed88813351819ffb3c70bb0ae56122865ba25308

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pgdau5lr\CSC41AD57B7170A4068A884627ACF34D3CA.TMP
Filesize
652B

MD5
00430f871f23c197e7d871a961eceb50

SHA1
52c3424fd44fd8841186bbbe830b9fee72ef05b4

SHA256
202e0b06663ef699874324adafc35b611c9086ab8b480a6e47abad623332c6bb

SHA512
2922742c6d0c6d4622cdba1c304ff0339886809a09fb61763b93b518ba301982530054b2a654c33a53399a704ad9aa90a215f7048eadc05116bf2b1ab4a10fb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.0.cs
Filesize
946KB

MD5
b5d745ad124400fe21ea0c07e7d0e8bc

SHA1
4e8cb83eb077c46240e9c0c372a3404763c6c132

SHA256
a75d60a3aba62d7137461fd31761cba8d6f6c7f8db75cf9d491d1a53c254e95e

SHA512
a9c96c2f56c8f4134cafd2bbc8599e57e7fc1c469afd151ce861e28667c27c6e89e0f35606c2fd6ea64c192f549bdabdc4fc20d7059179d935b94dd94f800e8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.cmdline
Filesize
302B

MD5
6ed631aac772250a157f00a5c1cebbc6

SHA1
c22b94d1263169a5e6cff6f28fd38c17d9134fe6

SHA256
701c309daf9beabc6b6e78a6c821dfd87e575ef9a4fba143bb3ec8e3cb098bc2

SHA512
4419b241a4dd708f3df124d6639a381fcf5862e7c41b4656d1945d0b46edc09f4a3aa797ee06f17d301fc2c26a8daa12f007eda8489030eacefde624299fb559

Download Submit
memory/2932-62-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/2932-61-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download
memory/2932-60-0x00000000057B0000-0x0000000005842000-memory.dmp

Filesize
584KB

Download
memory/2932-59-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/2932-97-0x0000000005900000-0x000000000591E000-memory.dmp

Filesize
120KB

Download
memory/2932-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2932-101-0x0000000005E20000-0x0000000005E2A000-memory.dmp

Filesize
40KB

Download
memory/2932-92-0x00000000058F0000-0x00000000058FA000-memory.dmp

Filesize
40KB

Download
memory/3852-37-0x0000000004E00000-0x0000000004EA4000-memory.dmp

Filesize
656KB

Download
memory/3852-53-0x0000000004F40000-0x0000000004F82000-memory.dmp

Filesize
264KB

Download
memory/3852-51-0x0000000004EA0000-0x0000000004F44000-memory.dmp

Filesize
656KB

Download
memory/3852-23-0x0000000000510000-0x0000000000532000-memory.dmp

Filesize
136KB

Download
memory/4232-79-0x0000000004850000-0x00000000048F4000-memory.dmp

Filesize
656KB

Download
memory/4232-99-0x00000000048F0000-0x0000000004994000-memory.dmp

Filesize
656KB

Download