0b39d040f8f48ac65ee300cbb86c0d23889f6a1bc1c00e37d51f9bd54cf8d8a5

Analysis

max time kernel
123s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Size

50KB
MD5

1ac047159ae15480b88b41f69e8d3ee5
SHA1

8ccdee24418081f2dcd1429ce7c4d4dba0d7e42f
SHA256

0b39d040f8f48ac65ee300cbb86c0d23889f6a1bc1c00e37d51f9bd54cf8d8a5
SHA512

d91ea298d8522f831281fdbf7c3da4189497acf0e859ad1a700c632590a9ee9604e11e8a92d11ea8ebb1898e4b206c3a81d92ff0a25c3aadad49a46fe7bebaea
SSDEEP

768:MkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:hkQJcqwmIfj+ECJG/kvO

Score

9^/10

collection spyware stealer

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Executes dropped EXE 1 IoCs

Processes:

wmimgmt.exe

pid process

1320 wmimgmt.exe
Loads dropped DLL 2 IoCs

Processes:

1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe

pid process

840 1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
840 1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

reg.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts reg.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

wmimgmt.exe

description ioc process

File opened (read-only) \??\F: wmimgmt.exe
Discovers systems in the same network 1 TTPs 4 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exenet.exe

pid process

868 net.exe
1560 net.exe
2832 net.exe
876 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2552 tasklist.exe
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXENETSTAT.EXEipconfig.exe

pid process

688 NETSTAT.EXE
1480 NETSTAT.EXE
2792 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2556 systeminfo.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2824 PING.EXE

pid	process
1320	wmimgmt.exe

pid	process
840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	reg.exe

description	ioc	process
File opened (read-only)	\??\F:	wmimgmt.exe

pid	process
868	net.exe
1560	net.exe
2832	net.exe
876	net.exe

pid	process
2552	tasklist.exe

pid	process
688	NETSTAT.EXE
1480	NETSTAT.EXE
2792	ipconfig.exe

pid	process
2556	systeminfo.exe

pid	process
2824	PING.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exetasklist.exeNETSTAT.EXEwmimgmt.exe

description	pid	process
Token: SeBackupPrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeDebugPrivilege	2552	tasklist.exe
Token: SeDebugPrivilege	688	NETSTAT.EXE
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeRestorePrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe
Token: SeBackupPrivilege	1320	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exewmimgmt.execmd.exenet.exenet.exe

description	pid	process	target process
PID 840 wrote to memory of 1320	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe	wmimgmt.exe
PID 840 wrote to memory of 1320	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe	wmimgmt.exe
PID 840 wrote to memory of 1320	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe	wmimgmt.exe
PID 840 wrote to memory of 1320	840	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe	wmimgmt.exe
PID 1320 wrote to memory of 2496	1320	wmimgmt.exe	cmd.exe
PID 1320 wrote to memory of 2496	1320	wmimgmt.exe	cmd.exe
PID 1320 wrote to memory of 2496	1320	wmimgmt.exe	cmd.exe
PID 1320 wrote to memory of 2496	1320	wmimgmt.exe	cmd.exe
PID 2496 wrote to memory of 2504	2496	cmd.exe	findstr.exe
PID 2496 wrote to memory of 2504	2496	cmd.exe	findstr.exe
PID 2496 wrote to memory of 2504	2496	cmd.exe	findstr.exe
PID 2496 wrote to memory of 2504	2496	cmd.exe	findstr.exe
PID 2496 wrote to memory of 2652	2496	cmd.exe	chcp.com
PID 2496 wrote to memory of 2652	2496	cmd.exe	chcp.com
PID 2496 wrote to memory of 2652	2496	cmd.exe	chcp.com
PID 2496 wrote to memory of 2652	2496	cmd.exe	chcp.com
PID 2496 wrote to memory of 2420	2496	cmd.exe	net.exe
PID 2496 wrote to memory of 2420	2496	cmd.exe	net.exe
PID 2496 wrote to memory of 2420	2496	cmd.exe	net.exe
PID 2496 wrote to memory of 2420	2496	cmd.exe	net.exe
PID 2420 wrote to memory of 2640	2420	net.exe	net1.exe
PID 2420 wrote to memory of 2640	2420	net.exe	net1.exe
PID 2420 wrote to memory of 2640	2420	net.exe	net1.exe
PID 2420 wrote to memory of 2640	2420	net.exe	net1.exe
PID 2496 wrote to memory of 2736	2496	cmd.exe	net.exe
PID 2496 wrote to memory of 2736	2496	cmd.exe	net.exe
PID 2496 wrote to memory of 2736	2496	cmd.exe	net.exe
PID 2496 wrote to memory of 2736	2496	cmd.exe	net.exe
PID 2736 wrote to memory of 2408	2736	net.exe	net1.exe
PID 2736 wrote to memory of 2408	2736	net.exe	net1.exe
PID 2736 wrote to memory of 2408	2736	net.exe	net1.exe
PID 2736 wrote to memory of 2408	2736	net.exe	net1.exe
PID 2496 wrote to memory of 2552	2496	cmd.exe	tasklist.exe
PID 2496 wrote to memory of 2552	2496	cmd.exe	tasklist.exe
PID 2496 wrote to memory of 2552	2496	cmd.exe	tasklist.exe
PID 2496 wrote to memory of 2552	2496	cmd.exe	tasklist.exe
PID 2496 wrote to memory of 2556	2496	cmd.exe	systeminfo.exe
PID 2496 wrote to memory of 2556	2496	cmd.exe	systeminfo.exe
PID 2496 wrote to memory of 2556	2496	cmd.exe	systeminfo.exe
PID 2496 wrote to memory of 2556	2496	cmd.exe	systeminfo.exe
PID 2496 wrote to memory of 2684	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2684	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2684	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2684	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2708	2496	cmd.exe	find.exe
PID 2496 wrote to memory of 2708	2496	cmd.exe	find.exe
PID 2496 wrote to memory of 2708	2496	cmd.exe	find.exe
PID 2496 wrote to memory of 2708	2496	cmd.exe	find.exe
PID 2496 wrote to memory of 2712	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2712	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2712	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2712	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2472	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2472	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2472	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2472	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2648	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2648	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2648	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 2648	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 1244	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 1244	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 1244	2496	cmd.exe	reg.exe
PID 2496 wrote to memory of 1244	2496	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\ProgramData\Application Data\wmimgmt.exe
"C:\ProgramData\Application Data\wmimgmt.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\findstr.exe
findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
4⤵
PID:2504

C:\Windows\SysWOW64\chcp.com
chcp
4⤵
PID:2652

C:\Windows\SysWOW64\net.exe
net user
4⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user
5⤵
PID:2640

C:\Windows\SysWOW64\net.exe
net localgroup administrators
4⤵
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators
5⤵
PID:2408

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:2556

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
4⤵
PID:2684

C:\Windows\SysWOW64\find.exe
find "REG_"
4⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office
4⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
4⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
4⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
4⤵
PID:1244

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
4⤵
PID:2280

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
4⤵
PID:1652

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
4⤵
PID:1284

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
4⤵
PID:1896

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
4⤵
- Accesses Microsoft Outlook accounts
PID:1916

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
4⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
4⤵
PID:2312

C:\Windows\SysWOW64\net.exe
net user Admin
4⤵
PID:1912

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin
5⤵
PID:352

C:\Windows\SysWOW64\net.exe
net user Admin /domain
4⤵
PID:2340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /domain
5⤵
PID:1672

C:\Windows\SysWOW64\net.exe
net group
4⤵
PID:1624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group
5⤵
PID:2296

C:\Windows\SysWOW64\net.exe
net group /domain
4⤵
PID:1496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group /domain
5⤵
PID:1328

C:\Windows\SysWOW64\net.exe
net group "domain admins"
4⤵
PID:1316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain admins"
5⤵
PID:844

C:\Windows\SysWOW64\net.exe
net group "domain admins" /domain
4⤵
PID:1268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain admins" /domain
5⤵
PID:1124

C:\Windows\SysWOW64\net.exe
net group "domain computers"
4⤵
PID:3056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain computers"
5⤵
PID:2036

C:\Windows\SysWOW64\net.exe
net group "domain computers" /domain
4⤵
PID:2700

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
5⤵
PID:1936

C:\Windows\SysWOW64\net.exe
net group "domain controllers"
4⤵
PID:2568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain controllers"
5⤵
PID:2796

C:\Windows\SysWOW64\net.exe
net group "domain controllers" /domain
4⤵
PID:2212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain controllers" /domain
5⤵
PID:2224

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:2792

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\SysWOW64\ARP.EXE
arp -a
4⤵
PID:584

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -r
4⤵
- Gathers network information
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
5⤵
PID:1088

C:\Windows\SysWOW64\ROUTE.EXE
C:\Windows\system32\route.exe print
6⤵
PID:944

C:\Windows\SysWOW64\net.exe
net start
4⤵
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start
5⤵
PID:2752

C:\Windows\SysWOW64\net.exe
net use
4⤵
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo n"
4⤵
PID:824

C:\Windows\SysWOW64\net.exe
net share
4⤵
PID:1876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
5⤵
PID:2112

C:\Windows\SysWOW64\net.exe
net view /domain
4⤵
- Discovers systems in the same network
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
4⤵
PID:1848

C:\Windows\SysWOW64\find.exe
find /i /v "------"
4⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
4⤵
PID:1632

C:\Windows\SysWOW64\find.exe
find /i /v "domain"
4⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
4⤵
PID:2804

C:\Windows\SysWOW64\find.exe
find /i /v "¬A╛╣"
4⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
4⤵
PID:852

C:\Windows\SysWOW64\find.exe
find /i /v "░⌡ªµª¿"
4⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
4⤵
PID:3020

C:\Windows\SysWOW64\find.exe
find /i /v "├ⁿ┴ε"
4⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
4⤵
PID:2888

C:\Windows\SysWOW64\find.exe
find /i /v "completed successfully"
4⤵
PID:1684

C:\Windows\SysWOW64\net.exe
net view /domain:"WORKGROUP"
4⤵
- Discovers systems in the same network
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\workgrp.tmp "
4⤵
PID:2972

C:\Windows\SysWOW64\find.exe
find "\\"
4⤵
PID:2988

C:\Windows\SysWOW64\net.exe
net view \\BISMIZHX
4⤵
- Discovers systems in the same network
PID:2832

C:\Windows\SysWOW64\net.exe
net view \\BISMIZHX
4⤵
- Discovers systems in the same network
PID:876

C:\Windows\SysWOW64\find.exe
find "Disk"
4⤵
PID:404

C:\Windows\SysWOW64\PING.EXE
ping -n 1 BISMIZHX
4⤵
- Runs ping.exe
PID:2824

C:\Windows\SysWOW64\findstr.exe
findstr /i "Pinging Reply Request Unknown"
4⤵
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
24.9MB

MD5
61497f4481d92cf6dac446edff9a5b70

SHA1
61106b5a70c88eb2ad3d0620ae874b2d24573ebb

SHA256
7435167e020c78cb45cbd2ddb67d9e44b46f96c42780bd7f86c1527e83d68f68

SHA512
59511cad2ad3affc3f809050233889edf7c9a8ed504a72793082fb336aac51cf0b802994d85b1deb3e2370c0b7e44156775afc9c1cec479878683340e07b1795

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
49B

MD5
3103966e5acefd242ce82692435208eb

SHA1
90a904725b2c6648e62b4f3fd0f86691bbfbce81

SHA256
1cea98800818eea5d1759a287e9fd9a92748d8df57494e59e4ca816968f91ff5

SHA512
6b12e75a27d700f1ce1e519d12712666f545ebfcb904daec694c9d937a4521d770a2723777651d6e50406e0509f799319df3b328475c52e012abdb2075da1656

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
6KB

MD5
b5f6f7bce10ae1725b81ec1ff4bd115e

SHA1
9e088d92dbe32181e8983432060265900deb5e53

SHA256
6077c080dfeff57bf2969197f9a8037dc71a615a35d17fa9f011ad4d3a991689

SHA512
848c43c910bc111483506f73f3f4b9c3d08e4cf9bd433fa98ca018cdc6fcc748dfe6b1d992fbc54050887aa3e2fb664a1ae2f5471ca6876b2732d488ce388b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivers.p
Filesize
15B

MD5
4ff8e80638f36abd8fb131c19425317b

SHA1
358665afaf5f88dfebcdb7c56e963693c520c136

SHA256
6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

SHA512
d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat
Filesize
4KB

MD5
b91bc08162fbc3445c5424b77183b807

SHA1
52b2a60db40cdcc655648a65210ed26219c033e1

SHA256
7cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a

SHA512
2f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifd30E4.tmp
Filesize
427B

MD5
adcd7eca1c0a9cb88bb378ecfff7dc96

SHA1
74072ce3797e59d7b4726f22572d4cd7cb7a05e9

SHA256
f59d2d3053eaecffa1a2db314d3f49b55cf198f8e8d547858abeab011cae311a

SHA512
20875354bbb4aa31c62a62a05bd371151475d6a76c9008fb04c3c582b7fab6ed43e98f69bbcd21520dc94c2290a74ca09e836eb26a41bc8075f8633889ab5426

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log
Filesize
153B

MD5
b256c8a481b065860c2812e742f50250

SHA1
51ddf02764fb12d88822450e8a27f9deac85fe54

SHA256
b167a692a2ff54cc5625797ddc367ba8736797130b93961d68b9150aef2f0e12

SHA512
f425ae70449d16bdb05fcc7913744fb0a81ab81278735d77ce316007b8298ad3c3991a29af67b336420f7dca94702271e59186174b5b78b5cdab1f8ce0163360

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.log
Filesize
64B

MD5
e29f80bf6f6a756e0bc6d7f5189a9bb2

SHA1
acdd1032b7dc189f8e68b390fe6fd964618acd72

SHA256
8bfe9f81e5c82cbfe69203c993009c22f940f20727fa8cb43773958bf0eba7c7

SHA512
f390fc82bdeb43721aa08f3666a4ed7d9ad4a5c1ff91be6967336417a5a5b7968b945773f68effcbe961072b801c3681455cf98b956cd802eba24190bd54268e

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.log
Filesize
72B

MD5
59f2768506355d8bc50979f6d64ded26

SHA1
b2d315b3857bec8335c526a08d08d6a1b5f5c151

SHA256
7f9f3cbab32b3a5022bed245092835cb12502fa2e79d85c8c45d478918ee6569

SHA512
e9aa231d19cb5f93711cd3ffee4a6bd8764b21249ed7eb06ff34bcb457cd075384a0858ea35a99280bff16c01875a4ed79598a6503fcf5262da6f0849b5b1028

Download Submit
C:\Users\Admin\AppData\Local\Temp\workgrp.tmp
Filesize
234B

MD5
39c3461c18f16f6d33a1f59b1366f46e

SHA1
87cb4392a0786097183655fb14ccbd444692706b

SHA256
c487fc705469efcd45b67a72244d7daffed5bdf0145cab16797857c8e8fc0bd5

SHA512
c0faa6906d34cfe0bb04ad428d6c7fb8923f920b9c04e975be567fedd66ac969c653ffd85221f3f702eb878b5a0128c6484dda7a6b3c22ef383071739e9b60de

Download Submit
C:\Users\Public\Documents\Media\03CB4D33.db
Filesize
3.6MB

MD5
05a10f96393665d6a36f4376ce85dd4d

SHA1
3e483ac8b29f6de6599da695170e23d72551e39a

SHA256
c318e18d37c8c21b28c1b334715d3bcda51c35a83a9f82b2669f0c570cc5c049

SHA512
45fb88e90551c6ccc0e7bc5b8ddad0041ac771f73ba9efd9578e87b0af1283bea2c281b4539a411f86a05003616b42599c5e85ec0588a9be0536928f13b06676

Download Submit
C:\Users\Public\Documents\Media\03CB4D33.db
Filesize
64B

MD5
9253a4a7dfce7928b94334cd625600e7

SHA1
c0a5e46265d069026dd27db41c3808b32d86b224

SHA256
d5b56b4788cbb952938c4bd23ce70ce8d0152e86fb59b0cc37fd9827f4cdd554

SHA512
8b8f995af25c4956e82eb6e4ebafd7b2821309c4906fb4813591fadd95bdc64bf20998db1459cec02fa5035b3c6b1f0a0379d058d3d1da8e3438b2307fde4fa2

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\wmimgmt.exe
Filesize
50KB

MD5
1ac047159ae15480b88b41f69e8d3ee5

SHA1
8ccdee24418081f2dcd1429ce7c4d4dba0d7e42f

SHA256
0b39d040f8f48ac65ee300cbb86c0d23889f6a1bc1c00e37d51f9bd54cf8d8a5

SHA512
d91ea298d8522f831281fdbf7c3da4189497acf0e859ad1a700c632590a9ee9604e11e8a92d11ea8ebb1898e4b206c3a81d92ff0a25c3aadad49a46fe7bebaea

Download Submit
memory/840-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/840-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1320-11-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1320-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download