Malware Analysis Report

2024-08-06 13:49

Sample ID 240511-yxme5aaa29
Target 36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118
SHA256 24ab0e78ae8e2bd60d98a4e5e0af73a011ff3160151ae1e5510f49097cafaf21
Tags
azorult infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24ab0e78ae8e2bd60d98a4e5e0af73a011ff3160151ae1e5510f49097cafaf21

Threat Level: Known bad

The file 36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-11 20:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 20:09

Reported

2024-05-11 20:12

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe
PID 2292 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe
PID 2292 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe
PID 2292 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe
PID 2292 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe
PID 2292 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe
PID 2292 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe
PID 2292 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe
PID 2292 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe
PID 2292 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe
PID 2292 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe

"C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe"

C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe

"C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe"

Network

Country Destination Domain Proto
NL 51.15.126.138:80 tcp
NL 51.15.126.138:80 tcp
NL 51.15.126.138:80 tcp

Files

memory/2292-0-0x0000000000400000-0x0000000000AE2000-memory.dmp

memory/2292-1-0x0000000002B40000-0x00000000031EF000-memory.dmp

memory/2292-3-0x0000000002B40000-0x00000000031EF000-memory.dmp

memory/2292-4-0x0000000000400000-0x000000000093D000-memory.dmp

\Users\Admin\AppData\Local\Temp\AU3_EXE.exe

MD5 95a4430eea1fae9a0fb59a5b25e3ebd9
SHA1 21acabef808e4554aa1fe41db03b8bbd1fa5183a
SHA256 f71f02bd8aa0723c8cb913bad1af212637f7689c8baaf4f99ff4445e3654b9c5
SHA512 0ee9963d8a639316b261fd021e8e5ccfb37b6417dfe775fa20f727e6e7df4084cb3d5da09ce46185c1569ae5425d85fa966c31e4aa2f19f3ca1f7c2082747794

\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe

MD5 4c4f9c3f0dd763aae2de77d5354ee97d
SHA1 239398a5266c0a032eebb95c97542e29c0de00f8
SHA256 4415cc989396ae301d103d11dd3aa7c90cbf9fb3a7aa49113a410efab8edebe3
SHA512 a8c3133cb7e7e16e3348bb0193a1233ec93547fec340666068eb381e987964f018d8a3cadc8eb620f5ef614187995b80010e644a75ccb92c19faf43b70d3cd8a

memory/2292-25-0x0000000002B40000-0x00000000031EF000-memory.dmp

memory/2292-21-0x0000000000400000-0x000000000093D000-memory.dmp

memory/2292-19-0x0000000000400000-0x0000000000AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso913A.tmp\ioSpecial.ini

MD5 1b319c1bd6f828fd468ca6a50d7025bd
SHA1 7eae0e9ab3ea42ebab742466e350b4857d597607
SHA256 4e3aac5e1a774dd9b512119ab24de2892ce0f24a42fc67cd8a46978ac95a0071
SHA512 155b0c9f7c69a988d3a7620a27582dca8b3d8de100a857455fb66601d069cbc1de6ddfb6805f9e58da5d7828645daa393c26135041bef02494eab49efc0ee2ae

\Users\Admin\AppData\Local\Temp\nso913A.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nso913A.tmp\ioSpecial.ini

MD5 aeca22ad2a4bf84578777c0b3c3b0fdf
SHA1 73f2e0705083feeca141575e1004fa35a9961c7c
SHA256 81f327a0f59aa563ed27f6aacfe9b73067f2275f43439821d5ab5f5cab88c01d
SHA512 81a14731d65490ef745292e8dc9ee670c29286274bccb24d8d8756da0948caa37c316412c781e502ad64e96dcc9e6399063b3583ffceeaee23e4da73a2601016

memory/2136-102-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2136-106-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2136-108-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 20:09

Reported

2024-05-11 20:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe"

Signatures

Azorult

trojan infostealer azorult

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe
PID 3952 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe
PID 3952 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe
PID 3952 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe
PID 3952 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe
PID 3952 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\36558a5968ee5e507796e0b6b2bf13c2_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1036

C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe

"C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe"

C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe

"C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1056

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
NL 51.15.126.138:80 tcp
NL 51.15.126.138:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/3952-0-0x0000000000400000-0x0000000000AE2000-memory.dmp

memory/3952-2-0x0000000002DC0000-0x0000000003475000-memory.dmp

memory/3952-4-0x0000000000400000-0x000000000093D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AU3_EXE.exe

MD5 95a4430eea1fae9a0fb59a5b25e3ebd9
SHA1 21acabef808e4554aa1fe41db03b8bbd1fa5183a
SHA256 f71f02bd8aa0723c8cb913bad1af212637f7689c8baaf4f99ff4445e3654b9c5
SHA512 0ee9963d8a639316b261fd021e8e5ccfb37b6417dfe775fa20f727e6e7df4084cb3d5da09ce46185c1569ae5425d85fa966c31e4aa2f19f3ca1f7c2082747794

C:\Users\Admin\AppData\Local\Temp\convert-pdf-to-word-plus.exe

MD5 4c4f9c3f0dd763aae2de77d5354ee97d
SHA1 239398a5266c0a032eebb95c97542e29c0de00f8
SHA256 4415cc989396ae301d103d11dd3aa7c90cbf9fb3a7aa49113a410efab8edebe3
SHA512 a8c3133cb7e7e16e3348bb0193a1233ec93547fec340666068eb381e987964f018d8a3cadc8eb620f5ef614187995b80010e644a75ccb92c19faf43b70d3cd8a

C:\Users\Admin\AppData\Local\Temp\nsa619A.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsa619A.tmp\ioSpecial.ini

MD5 2153091036c395d796024e233f29dd7b
SHA1 6e55bda4ea68022c7e99e462fa917273a2be326b
SHA256 214f94e623f25614bd0c7e873e4ad1606504c6d49d85be387b0c86aca445c8dd
SHA512 27b9f73f0225a59d8541a36695e12e57fd859c90959a129c5fe84921df8346847c0d77ae91b63af27ee352a66fabd7d627025ba0c11fd461c9760b626ebc8ffd

memory/3952-96-0x0000000000400000-0x0000000000AE2000-memory.dmp

memory/3952-97-0x0000000000400000-0x000000000093D000-memory.dmp

memory/5040-98-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5040-100-0x0000000000400000-0x0000000000420000-memory.dmp

memory/5040-102-0x0000000000400000-0x0000000000420000-memory.dmp