Malware Analysis Report

2024-08-06 13:49

Sample ID: 240511-3wh4jaeg2v
Target: 3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118
SHA256: 2ad7b2fae758e64b4479a2773101f1f408bdc8b970860bc65bc361642a29aeee
Tags: azorult discovery evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2ad7b2fae758e64b4479a2773101f1f408bdc8b970860bc65bc361642a29aeee

Threat Level: Known bad

The file 3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

azorult discovery evasion infostealer persistence trojan

Azorult

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

AutoIT Executable

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Script User-Agent

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-11 23:51

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-11 23:51
Reported: 2024-05-11 23:54
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Registers COM server for autorun

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32\ = "C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chameleon Explorer = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" /startup" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Chameleon Explorer\Folder.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\Folder64.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\is-24NVE.tmp | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File opened for modification | C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\is-PA1Q6.tmp | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A
File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\is-8QR71.tmp | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\is-51EMG.tmp | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\is-4I9SI.tmp | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\is-5Q4GB.tmp | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File opened for modification | C:\Program Files (x86)\Chameleon Explorer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A
File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\is-8FLLM.tmp | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File created | C:\Program Files (x86)\Chameleon Explorer\is-8C7IA.tmp | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
File opened for modification | C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\System.RangeException\CurVer | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Directory\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Directory\shell\open\command | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.zip\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\System.RangeException\CLSID\ = "{4286FA72-A2FA-3245-8751-D4206070A191}" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Applications | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Applications\ChameleonExplorer.exe\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ = "Chameleon Explorer Autoplay COM Server" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID\ = "ChameleonExplorer.AutoplayEventHandler" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\System.RangeException | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\System.RangeException\CLSID | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.zip\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB} | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\System.RangeException\ = "System.RangeException" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.zip\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32\ = "C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Directory\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Drive\shell\ = "open" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\CLSID | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\CLSID\ = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget\CLSID = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\System.RangeException\CurVer\13 = "45424" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Drive\shell | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Drive\shell\open\command | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.zip\ = "ChameleonExplorer.zip" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer\uid = "7878de2a8a4c9aad438ede79efde1ad4" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Drive\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Drive\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Directory\shell\ = "open" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Applications\ChameleonExplorer.exe\DefaultIcon | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.zip | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.zip | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.zip\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Directory\shell\open | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Drive | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.zip\shell\open\command | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.AutoplayEventHandler\ = "Chameleon Explorer Autoplay COM Server" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\System.RangeException\CurVer\ins13 = "installed" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.zip\DefaultIcon | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.zip\OpenWithProgids\ChameleonExplorer.zip | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Applications\ChameleonExplorer.exe | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\Directory | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\ChameleonExplorer.zip\shell\ = "open" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.zip\OpenWithProgids | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2984 wrote to memory of 1152 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\cexplorer.exe
PID 1152 wrote to memory of 2956 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\cexplorer.exe | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp
PID 2984 wrote to memory of 2756 (7 events) | N/A | C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\update.exe
PID 2956 wrote to memory of 1916 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
PID 2956 wrote to memory of 1784 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
PID 2956 wrote to memory of 964 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
PID 2956 wrote to memory of 1044 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\cexplorer.exe

"C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-

C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp" /SL5="$60122,6397385,121344,C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe"

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer

C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe

"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.chameleon-managers.com | udp
GB | 142.250.178.19:80 | www.chameleon-managers.com | tcp
US | 8.8.8.8:53 | softopia.icu | udp
US | 8.8.8.8:53 | neosoft-activator.appspot.com | udp
GB | 216.58.212.212:443 | neosoft-activator.appspot.com | tcp
US | 8.8.8.8:53 | 2no.co | udp
US | 172.67.149.76:443 | 2no.co | tcp

Files

C:\Users\Admin\AppData\Local\Temp\cexplorer.exe

MD5 b2e5a8fe3ca4f0cd681b5662f972ea5f
SHA1 b7dbcfaee55ecbf0158431d85dabdd479ab449c7
SHA256 e71c48c03b8cfd37bf17e62460733a4bfe9c484e947fd9db291f65405a2ba9e8
SHA512 40b7140f5c182cd51cee142a2575bd70dc9bde311ad3952119fb9769b5ceeb467695aa5a66fc90520712d9a39458930efb965496d6443665b7597cfd66247aaf

memory/1152-24-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1152-28-0x0000000000401000-0x0000000000412000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-NINNU.tmp\cexplorer.tmp

MD5 729bc0108bcd7ec083dfa83d7a4577f2
SHA1 0b4efa5e1764b4ce3e3ae601c8655c7bb854a973
SHA256 b1c68b1582ebb5f465512a0b834ccac095460b29136b6c7eea0475612bf16b49
SHA512 49c83533ce88d346651d59d855cff18190328795401c1277f4e3d32ff34f207d2c35f026785aa6c4a85624d88bf8c927654907faf50db1d57447730d9d6ac44c

memory/2956-33-0x0000000000400000-0x000000000052D000-memory.dmp

\Users\Admin\AppData\Local\Temp\update.exe

MD5 a9f8a16a3d86e434de82e33dee0f8e3d
SHA1 98b18101101837a497c9bc01e412619a98da1ed7
SHA256 9e0f04dd02c41f0969beda8dbaf845be510bb5ff201a667c4fb7e1f34caab3c3
SHA512 008cbc9122ce3bbc39802efc9d58a2e037c1609ecc4176da2c657171ad3ba1714d217501e525083f6730e0b08db72f22c70de2f3d2864b628e11d972f3a4086e

\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

MD5 92a3d0847fc622b31f2d0c273a676c0e
SHA1 e642d694367cc98a8863d87fec82e4cf940eb48a
SHA256 9a9923c08d3fc5937b6ed189e20cf416482a079bc0c898c4ed75329e0ee3ae89
SHA512 01d13fd9a0dd52bc2e3f17af7a999682201c99ecf7218bca254a4944a483fd1dec2a3e6d59def501a024ad760b849787902ecb55bd33d23fa9651c0a7689cd1c

memory/2756-94-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1916-95-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1916-114-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1916-115-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1916-116-0x0000000000400000-0x0000000001438000-memory.dmp

C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe

MD5 5b0ae3fac33c08145dca4a9c272ebc34
SHA1 940f504d835fc254602953495320bb92456177b9
SHA256 137723bdd388f6e5a50b7942eff02f4cc70e6b86d8650a41f9e8956ea1e4de3b
SHA512 015ffc133ad3a6937222bbc057f68b60abfe22b900b5e7c4e6ca3ec7dc6b09abaf54b595f00fa9212f370da8531af1ac5fc52b39953e1f685e81c66d1ec61f8a

memory/1784-121-0x0000000000400000-0x0000000001438000-memory.dmp

C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_new

MD5 96f92c8368c1e922692f399db96da1eb
SHA1 1a91d68f04256ef3bc1022beb616ba65271bd914
SHA256 161408b86eed7c4d9a5882aa00df3f8765ed28fa4fd9aab2c9b3dceadbd527f9
SHA512 b3d3fb2d78fe2df864f0e07a8bc1610ee9d65251957e0495a34c1631895293590e0fca965ec9deb160f48a4e09a2feabd3bff6fb9a0c22888a941e308de39d14

C:\Program Files (x86)\Chameleon Explorer\Folder.dll

MD5 fb76f4f533203e40ce30612a47171f94
SHA1 304ba296c77a93ddb033d52578fcc147397db981
SHA256 3de05f18ffe9fda589a45ea539a464e58a30f70d59d71444b018064cf831c4a6
SHA512 a416a6d6efbbd69209e1867f12b9d1d11b21160f6dfe07c510b43112c22c317f805c67dd9402744a6c7e1541f6b3a061c49942fe28fa70f74aea670ba9c71995

memory/2956-142-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1152-141-0x0000000000400000-0x0000000000428000-memory.dmp

memory/964-138-0x0000000000400000-0x0000000000A39000-memory.dmp

memory/1044-144-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1044-143-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new

MD5 dd5ce4d765edd75eba6f311e6e0ea10a
SHA1 9ea7f6516e5ad0755b74463d427055f63ed1a664
SHA256 64b7f8f70a7b037d10da72eaa769078b7e4d1ac8964c5eae5515d373e816ed6d
SHA512 d2782310df7cc533cc9ffaf5c1903d5bc6a500c3bbe48148c1339fb5de19c835e4a8c765da1b80b3744ea231353f76f22ba4e04c78a3d950d7ee291d6eab2216

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new

MD5 de5f74ef4e17b2dc8ad69a3e9b8d22c7
SHA1 42df8fedc56761041bce47b84bd4e68ee75448d2
SHA256 b89a6a57b48be10103825440d2157f2c4a56e4c6b79ad13f729429cd5393bf32
SHA512 515e9b498d8cd9bb03f8d9758e891d073627dfd6fb0b931650a47d6e53722aa6e1cc3caff8c0e64f4721ad2abef7a81ef4e7b49952d3c8fc325deb5bba6b3314

memory/2956-161-0x0000000000400000-0x000000000052D000-memory.dmp

memory/1044-157-0x0000000000400000-0x0000000001438000-memory.dmp

memory/1152-162-0x0000000000400000-0x0000000000428000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-11 23:51
Reported: 2024-05-11 23:54
Platform: win10v2004-20240508-en
Max time kernel: 91s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe | N/A

Registers COM server for autorun

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32 | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32\ = "C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chameleon Explorer = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" /startup" | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SYSTEM32\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
File opened for modification | C:\Windows\System32\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
File opened for modification | C:\Windows\SYSTEM32\ntdll.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A
File opened for modification | C:\Windows\System32\kernel32.pdb | C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe | N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Chameleon Explorer\is-IC2MF.tmp C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\kernel32.pdb C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\dll\ntdll.pdb C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\symbols\DLL\kernel32.pdb C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\DLL\kernel32.pdb C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\Folder.dll C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdb C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\is-JRLR9.tmp C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File created C:\Program Files (x86)\Chameleon Explorer\is-TT7DL.tmp C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File created C:\Program Files (x86)\Chameleon Explorer\is-ETK6N.tmp C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File created C:\Program Files (x86)\Chameleon Explorer\is-2A5HP.tmp C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File created C:\Program Files (x86)\Chameleon Explorer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File created C:\Program Files (x86)\Chameleon Explorer\is-404MB.tmp C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\Folder64.dll C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File created C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File opened for modification C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File created C:\Program Files (x86)\Chameleon Explorer\is-K9HVL.tmp C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A
File created C:\Program Files (x86)\Chameleon Explorer\is-U988K.tmp C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\update.exe

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Applications\ChameleonExplorer.exe\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Drive\shell\open\command C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32 C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID\ = "ChameleonExplorer.AutoplayEventHandler" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.AutoplayEventHandler\CLSID\ = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.AutoplayEventHandler\CLSID C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer\uid = "7878de2a8a4c9aad438ede79efde1ad4" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\System.RangeException\CurVer C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Directory\shell\open\command C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Directory C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Directory\shell\open C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.zip\shell\ = "open" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ = "Chameleon Explorer Autoplay COM Server" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget\CLSID = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\System.RangeException\CurVer\ins13 = "installed" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\System.RangeException\CLSID C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.AutoplayEventHandler\ = "Chameleon Explorer Autoplay COM Server" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Directory\shell\ = "open" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Drive\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.zip\shell\open C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.zip\shell C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.zip C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB} C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Applications C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.zip\OpenWithProgids C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.zip\OpenWithProgids\ChameleonExplorer.zip C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\System.RangeException\ = "System.RangeException" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Drive\shell\ = "open" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.zip\ = "ChameleonExplorer.zip" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.zip\DefaultIcon C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.zip\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\System.RangeException\CLSID\ = "{4286FA72-A2FA-3245-8751-D4206070A191}" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Directory\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Drive\shell C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.zip C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32\ = "C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Applications\ChameleonExplorer.exe C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Drive C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Drive\shell\open C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.zip\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\System.RangeException C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\System.RangeException\CurVer\13 = "45415" C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Directory\shell C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.zip\shell\open\command C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Applications\ChameleonExplorer.exe\DefaultIcon C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.AutoplayEventHandler C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell\open C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4056 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\cexplorer.exe
PID 3840 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\cexplorer.exe C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp
PID 4056 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\update.exe
PID 3380 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
PID 3380 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
PID 3380 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
PID 3380 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3732449bb9b9aa4e68888f4f816d1b04_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\cexplorer.exe

"C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-

C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp

"C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp" /SL5="$501DC,6397385,121344,C:\Users\Admin\AppData\Local\Temp\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-

C:\Users\Admin\AppData\Local\Temp\update.exe

"C:\Users\Admin\AppData\Local\Temp\update.exe"

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4876 -ip 4876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 732

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer

C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe

"C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

"C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update

Network

Country Destination Domain Proto
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.chameleon-managers.com udp
GB 142.250.178.19:80 www.chameleon-managers.com tcp
US 8.8.8.8:53 19.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 softopia.icu udp
US 8.8.8.8:53 neosoft-activator.appspot.com udp
GB 216.58.212.212:443 neosoft-activator.appspot.com tcp
US 8.8.8.8:53 212.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 2no.co udp
US 172.67.149.76:443 2no.co tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 76.149.67.172.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\aut4F1A.tmp

C:\Users\Admin\AppData\Local\Temp\is-K34PV.tmp\cexplorer.tmp

C:\Users\Admin\AppData\Local\Temp\update.exe

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe

C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_new

C:\Program Files (x86)\Chameleon Explorer\Folder.dll

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_new

C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_new
