0b39d040f8f48ac65ee300cbb86c0d23889f6a1bc1c00e37d51f9bd54cf8d8a5

Analysis

max time kernel
124s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Size

50KB
MD5

1ac047159ae15480b88b41f69e8d3ee5
SHA1

8ccdee24418081f2dcd1429ce7c4d4dba0d7e42f
SHA256

0b39d040f8f48ac65ee300cbb86c0d23889f6a1bc1c00e37d51f9bd54cf8d8a5
SHA512

d91ea298d8522f831281fdbf7c3da4189497acf0e859ad1a700c632590a9ee9604e11e8a92d11ea8ebb1898e4b206c3a81d92ff0a25c3aadad49a46fe7bebaea
SSDEEP

768:MkpLA8BtBV0QJcW5wqInmNSfyvwx+BKXCJW+trdvsWCJn66kvOR:hkQJcqwmIfj+ECJG/kvO

Score

9^/10

collection spyware stealer

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Executes dropped EXE 1 IoCs

Processes:

wmimgmt.exe

pid process

60 wmimgmt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

reg.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts reg.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

wmimgmt.exe

description ioc process

File opened (read-only) \??\F: wmimgmt.exe
Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

3356 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5112 tasklist.exe
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exeNETSTAT.EXE

pid process

3792 NETSTAT.EXE
224 ipconfig.exe
4828 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4544 systeminfo.exe
Runs net.exe

pid	process
60	wmimgmt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	reg.exe

description	ioc	process
File opened (read-only)	\??\F:	wmimgmt.exe

pid	process
3356	net.exe

pid	process
5112	tasklist.exe

pid	process
3792	NETSTAT.EXE
224	ipconfig.exe
4828	NETSTAT.EXE

pid	process
4544	systeminfo.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exewmimgmt.exetasklist.exeNETSTAT.EXE

description	pid	process
Token: SeBackupPrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeRestorePrivilege	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeRestorePrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeDebugPrivilege	3792	NETSTAT.EXE
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeRestorePrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe
Token: SeBackupPrivilege	60	wmimgmt.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exewmimgmt.execmd.exenet.exenet.exe

description	pid	process	target process
PID 348 wrote to memory of 60	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe	wmimgmt.exe
PID 348 wrote to memory of 60	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe	wmimgmt.exe
PID 348 wrote to memory of 60	348	1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe	wmimgmt.exe
PID 60 wrote to memory of 4488	60	wmimgmt.exe	cmd.exe
PID 60 wrote to memory of 4488	60	wmimgmt.exe	cmd.exe
PID 60 wrote to memory of 4488	60	wmimgmt.exe	cmd.exe
PID 4488 wrote to memory of 4920	4488	cmd.exe	net.exe
PID 4488 wrote to memory of 4920	4488	cmd.exe	net.exe
PID 4488 wrote to memory of 4920	4488	cmd.exe	net.exe
PID 4488 wrote to memory of 4792	4488	cmd.exe	net1.exe
PID 4488 wrote to memory of 4792	4488	cmd.exe	net1.exe
PID 4488 wrote to memory of 4792	4488	cmd.exe	net1.exe
PID 4488 wrote to memory of 1332	4488	cmd.exe	net.exe
PID 4488 wrote to memory of 1332	4488	cmd.exe	net.exe
PID 4488 wrote to memory of 1332	4488	cmd.exe	net.exe
PID 1332 wrote to memory of 1184	1332	net.exe	cmd.exe
PID 1332 wrote to memory of 1184	1332	net.exe	cmd.exe
PID 1332 wrote to memory of 1184	1332	net.exe	cmd.exe
PID 4488 wrote to memory of 2008	4488	cmd.exe	net.exe
PID 4488 wrote to memory of 2008	4488	cmd.exe	net.exe
PID 4488 wrote to memory of 2008	4488	cmd.exe	net.exe
PID 2008 wrote to memory of 4928	2008	net.exe	net1.exe
PID 2008 wrote to memory of 4928	2008	net.exe	net1.exe
PID 2008 wrote to memory of 4928	2008	net.exe	net1.exe
PID 4488 wrote to memory of 5112	4488	cmd.exe	tasklist.exe
PID 4488 wrote to memory of 5112	4488	cmd.exe	tasklist.exe
PID 4488 wrote to memory of 5112	4488	cmd.exe	tasklist.exe
PID 4488 wrote to memory of 4544	4488	cmd.exe	systeminfo.exe
PID 4488 wrote to memory of 4544	4488	cmd.exe	systeminfo.exe
PID 4488 wrote to memory of 4544	4488	cmd.exe	systeminfo.exe
PID 4488 wrote to memory of 4852	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 4852	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 4852	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 2508	4488	cmd.exe	find.exe
PID 4488 wrote to memory of 2508	4488	cmd.exe	find.exe
PID 4488 wrote to memory of 2508	4488	cmd.exe	find.exe
PID 4488 wrote to memory of 3732	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 3732	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 3732	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 3172	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 3172	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 3172	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 564	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 564	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 564	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 4456	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 4456	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 4456	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 1084	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 1084	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 1084	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 1808	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 1808	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 1808	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 464	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 464	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 464	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 3628	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 3628	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 3628	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 2360	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 2360	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 2360	4488	cmd.exe	reg.exe
PID 4488 wrote to memory of 1160	4488	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ac047159ae15480b88b41f69e8d3ee5_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348

C:\ProgramData\Application Data\wmimgmt.exe
"C:\ProgramData\Application Data\wmimgmt.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /v:on /c C:\Users\Admin\AppData\Local\Temp\ghi.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\findstr.exe
findstr /s "YM.CGP_" "C:\Users\Admin"\..\*.txt
4⤵
PID:4920

C:\Windows\SysWOW64\chcp.com
chcp
4⤵
PID:4792

C:\Windows\SysWOW64\net.exe
net user
4⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user
5⤵
PID:1184

C:\Windows\SysWOW64\net.exe
net localgroup administrators
4⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators
5⤵
PID:4928

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:4544

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
4⤵
PID:4852

C:\Windows\SysWOW64\find.exe
find "REG_"
4⤵
PID:2508

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office
4⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Common\UserInfo
4⤵
PID:3172

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Common\UserInfo
4⤵
PID:564

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\UserInfo
4⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\UserInfo
4⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\UserInfo
4⤵
PID:1808

C:\Windows\SysWOW64\reg.exe
reg query HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Common\UserInfo
4⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" /s
4⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts" /s
4⤵
- Accesses Microsoft Outlook accounts
PID:2360

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_CURRENT_USER\Software\Mirabilis\ICQ" /s
4⤵
PID:1160

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger" /s
4⤵
PID:2612

C:\Windows\SysWOW64\net.exe
net user Admin
4⤵
PID:636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin
5⤵
PID:4324

C:\Windows\SysWOW64\net.exe
net user Admin /domain
4⤵
PID:2068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /domain
5⤵
PID:1464

C:\Windows\SysWOW64\net.exe
net group
4⤵
PID:1748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group
5⤵
PID:1164

C:\Windows\SysWOW64\net.exe
net group /domain
4⤵
PID:2432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group /domain
5⤵
PID:4984

C:\Windows\SysWOW64\net.exe
net group "domain admins"
4⤵
PID:64

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain admins"
5⤵
PID:4640

C:\Windows\SysWOW64\net.exe
net group "domain admins" /domain
4⤵
PID:2324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain admins" /domain
5⤵
PID:588

C:\Windows\SysWOW64\net.exe
net group "domain computers"
4⤵
PID:1100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain computers"
5⤵
PID:3516

C:\Windows\SysWOW64\net.exe
net group "domain computers" /domain
4⤵
PID:2796

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain computers" /domain
5⤵
PID:4320

C:\Windows\SysWOW64\net.exe
net group "domain controllers"
4⤵
PID:3784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain controllers"
5⤵
PID:512

C:\Windows\SysWOW64\net.exe
net group "domain controllers" /domain
4⤵
PID:768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 group "domain controllers" /domain
5⤵
PID:4816

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:224

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\SysWOW64\ARP.EXE
arp -a
4⤵
PID:1436

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -r
4⤵
- Gathers network information
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
5⤵
PID:1136

C:\Windows\SysWOW64\ROUTE.EXE
C:\Windows\system32\route.exe print
6⤵
PID:4520

C:\Windows\SysWOW64\net.exe
net start
4⤵
PID:4920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start
5⤵
PID:4792

C:\Windows\SysWOW64\net.exe
net use
4⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo n"
4⤵
PID:1184

C:\Windows\SysWOW64\net.exe
net share
4⤵
PID:3240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
5⤵
PID:1408

C:\Windows\SysWOW64\net.exe
net view /domain
4⤵
- Discovers systems in the same network
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
4⤵
PID:3008

C:\Windows\SysWOW64\find.exe
find /i /v "------"
4⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
4⤵
PID:3484

C:\Windows\SysWOW64\find.exe
find /i /v "domain"
4⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
4⤵
PID:3412

C:\Windows\SysWOW64\find.exe
find /i /v "¬A╛╣"
4⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
4⤵
PID:3192

C:\Windows\SysWOW64\find.exe
find /i /v "░⌡ªµª¿"
4⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\s.log "
4⤵
PID:1952

C:\Windows\SysWOW64\find.exe
find /i /v "├ⁿ┴ε"
4⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\t.log "
4⤵
PID:2432

C:\Windows\SysWOW64\find.exe
find /i /v "completed successfully"
4⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4224,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
1⤵
PID:1928

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv a7vBfw4tfkCMdwsUnG2r0A.0.2
1⤵
PID:3516

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\wmimgmt.exe
Filesize
50KB

MD5
1ac047159ae15480b88b41f69e8d3ee5

SHA1
8ccdee24418081f2dcd1429ce7c4d4dba0d7e42f

SHA256
0b39d040f8f48ac65ee300cbb86c0d23889f6a1bc1c00e37d51f9bd54cf8d8a5

SHA512
d91ea298d8522f831281fdbf7c3da4189497acf0e859ad1a700c632590a9ee9604e11e8a92d11ea8ebb1898e4b206c3a81d92ff0a25c3aadad49a46fe7bebaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
49B

MD5
3103966e5acefd242ce82692435208eb

SHA1
90a904725b2c6648e62b4f3fd0f86691bbfbce81

SHA256
1cea98800818eea5d1759a287e9fd9a92748d8df57494e59e4ca816968f91ff5

SHA512
6b12e75a27d700f1ce1e519d12712666f545ebfcb904daec694c9d937a4521d770a2723777651d6e50406e0509f799319df3b328475c52e012abdb2075da1656

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
12KB

MD5
3c336d6ce832f97a1da7141a451009c8

SHA1
3abaaa2bf5e707d64227aff18047f55cbd312df4

SHA256
c3e65e4f869e8bd398145692827e49a9646fcc477a30309b6c1406936c9a5b0d

SHA512
2ad575385099ca42d9702e40cd291b30de01fc8394f03e9f8b657540064f6e0907a8d039af70ae8a3efdeaf53fffb4543de73c3fab5f25411fca590603d8748f

Download Submit
C:\Users\Admin\AppData\Local\Temp\INFO.TXT
Filesize
37.6MB

MD5
d229ecd9fcc96c18043e0d411f60825c

SHA1
62b136044ac317c0ca62e764f1e27ae9792ac362

SHA256
11d87ec78152ca2b5ab7e30584898a8c748e4a2b68c13a78a230c1c5b3eb5817

SHA512
9cb7d1fe19a10bc4dadf247ff21a380719f8357847a0d2d301a72d55f1c388dd9f0ac330c24228de4427d6491da318a8e497e9b3fd68c5fa5bb36c3469c79f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\L4SD\1D8E3D68.db
Filesize
231B

MD5
30ffa98235e39cef4e8e6a22a64f29a1

SHA1
ce6d47a4ae6cd83eaaaee812f5708dc8c095479e

SHA256
07d3abe9ae711dd6ea3305ab4d94867e6c5ae43edc8cad225d90ce4360b535cc

SHA512
f4b83f3b30d5cc458424569ee0f747c207125c80b898bbb1704d4b1e8cab6cbe60d74cbdaf5b03b31a3a79610cad05ce33f3ebd7efde086d66ed184616ceacce

Download Submit
C:\Users\Admin\AppData\Local\Temp\drivers.p
Filesize
15B

MD5
4ff8e80638f36abd8fb131c19425317b

SHA1
358665afaf5f88dfebcdb7c56e963693c520c136

SHA256
6b8ceb900443f4924efd3187693038965ad7edb488879305489aa72d78f69626

SHA512
d4e6e3d789bc76102c500b46a5aa799c5ebfc432a44117aa0b7c7512439d33a423630b963fb04cda1da17a7f6517b276a3e9298c17cbf795964090f4b9e5d8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghi.bat
Filesize
4KB

MD5
b91bc08162fbc3445c5424b77183b807

SHA1
52b2a60db40cdcc655648a65210ed26219c033e1

SHA256
7cec366268426139777f0776ba3cbce6a50f4112a96fa88190bee2ebe665275a

SHA512
2f19fe96209dcb4e189a8fecddcac40ebed8ce0c6999a469268b57e74e9e830a7b03c1d024c616797ae9029a4566fa96006f29e1fa042bca1534d1d815ae8b35

Download Submit
C:\Users\Public\Documents\Media\1D8E3D68.db
Filesize
64B

MD5
57e997b4250dd625b2046bba4e919a67

SHA1
f269b9365c90aa0eed151af92f91efdf7f424af6

SHA256
82020b595004adfc440998e78615fe683891ab2db5d46fde76c8a3dbe887ffea

SHA512
ca48e8490ed62d7cc89a99f802987a5bf8b58903c51415c152d010ccf355a66c1198b028be321034529b5ea1eda666ccc22173c740e4464485593916eded281c

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-83-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/348-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/348-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download