Malware Analysis Report

2024-11-13 18:41

Sample ID 240711-ylldpateqd
Target 3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118
SHA256 3e97b2fc541b3a23e2fb612f7b272a9619b25cd446e288bbb0a4c94944712513
Tags xtremerat evasion persistence rat spyware upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 3e97b2fc541b3a23e2fb612f7b272a9619b25cd446e288bbb0a4c94944712513

Threat Level: Known bad

The file 3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

xtremerat evasion persistence rat spyware upx

XtremeRAT

Detect XtremeRAT payload

Xtremerat family

Modifies firewall policy service

Boot or Logon Autostart Execution: Active Setup

Adds policy Run key to start application

UPX packed file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-11 19:52

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Xtremerat family

xtremerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-11 19:52
Reported 2024-07-11 19:54
Platform win7-20240705-en
Max time kernel 149s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\abc1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\abc1.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\wolf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

XtremeRAT

persistence spyware rat xtremerat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F} C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F} C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc1.exe
PID 2352 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc1.exe
PID 2352 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc1.exe
PID 2352 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc1.exe
PID 2352 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc2.exe
PID 2352 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc2.exe
PID 2352 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc2.exe
PID 2352 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc2.exe
PID 2952 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Windows\SysWOW64\svchost.exe
PID 2952 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Windows\SysWOW64\svchost.exe
PID 2952 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Windows\SysWOW64\svchost.exe
PID 2952 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Windows\SysWOW64\svchost.exe
PID 2100 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Windows\SysWOW64\svchost.exe
PID 2952 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2952 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2952 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2952 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2760 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2760 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2760 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2760 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3008 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2840 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2864 wrote to memory of 2960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2952 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\abc1.exe

"C:\Users\Admin\AppData\Local\Temp\abc1.exe"

C:\Users\Admin\AppData\Local\Temp\abc2.exe

"C:\Users\Admin\AppData\Local\Temp\abc2.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp

Files

memory/2352-0-0x000007FEF574E000-0x000007FEF574F000-memory.dmp

memory/2352-1-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

memory/2352-2-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

memory/2352-3-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc1.exe

MD5 82805e4f9baddb787a2f94635c47e4a3
SHA1 fac7ba94e0d2ce74da1219753847f6bcbde80df5
SHA256 0ba4cbfab6470cdf91b616be53af002a6d99329abc45371e63dfc39493a2f0f6
SHA512 9d41d79a812a5620515e4f27584c91bb116678111458e91ce361fb31f4f4cbb4383a6861333bf19be18a76b5620827a1220c8a4e7d2c355af38588d13ebb2681

memory/2100-13-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\abc2.exe

MD5 c2a608b49ee909733839cb54a07ecffa
SHA1 cc8dac87a9c71fab0468cd66a399a73004ea745c
SHA256 e4fc7a02a191853604cc170c97b05e12eb4d8bb468aeecff1b5a6690fd7bcaf6
SHA512 518eb069fcbcac2c504dd3c73840acdc950ee3911d0a852139e58fac3650a889fa17722588b71d51180fab6e6e36b463fdff28b1792c91d8d56f5f5a9ab32eaa

memory/2352-23-0x000007FEF5490000-0x000007FEF5E2D000-memory.dmp

memory/2812-24-0x0000000010000000-0x0000000010048000-memory.dmp

memory/2812-26-0x0000000010000000-0x0000000010048000-memory.dmp

memory/2952-27-0x0000000010000000-0x0000000010048000-memory.dmp

memory/2100-28-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-29-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-31-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-32-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-33-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-35-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-36-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-37-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-41-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-44-0x0000000000400000-0x000000000045D000-memory.dmp

memory/2100-45-0x0000000000400000-0x000000000045D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-11 19:52
Reported 2024-07-11 19:55
Platform win10v2004-20240704-en
Max time kernel 148s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe"

Signatures

Detect XtremeRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\abc1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\abc1.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\wolf.exe = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

XtremeRAT

persistence spyware rat xtremerat

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F} C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F} C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A4195D6B-BE6B-ABD8-EDEA-BFEDAF11B12F}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\wolf.exe" C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc1.exe
PID 2920 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc1.exe
PID 2920 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc1.exe
PID 2920 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc2.exe
PID 2920 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc2.exe
PID 2920 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\abc2.exe
PID 4116 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 4116 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\abc1.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Windows\SysWOW64\svchost.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Windows\SysWOW64\svchost.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Windows\SysWOW64\svchost.exe
PID 3004 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3004 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3004 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Windows\SysWOW64\svchost.exe
PID 2424 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2424 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 792 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 792 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 792 wrote to memory of 5056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5100 wrote to memory of 3940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5100 wrote to memory of 3940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5100 wrote to memory of 3940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4276 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4276 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4276 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2424 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\abc2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3a819e1ce4c18ecce8115195043a0c50_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\abc1.exe

"C:\Users\Admin\AppData\Local\Temp\abc1.exe"

C:\Users\Admin\AppData\Local\Temp\abc2.exe

"C:\Users\Admin\AppData\Local\Temp\abc2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\wolf.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\wolf.exe:*:Enabled:Windows Messanger" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\abc1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\abc1.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2712 -ip 2712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2712 -ip 2712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 492

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp
US 8.8.8.8:53 wolfwolf3007.no-ip.org udp

Files

C:\Users\Admin\AppData\Local\Temp\abc1.exe

MD5 82805e4f9baddb787a2f94635c47e4a3
SHA1 fac7ba94e0d2ce74da1219753847f6bcbde80df5
SHA256 0ba4cbfab6470cdf91b616be53af002a6d99329abc45371e63dfc39493a2f0f6
SHA512 9d41d79a812a5620515e4f27584c91bb116678111458e91ce361fb31f4f4cbb4383a6861333bf19be18a76b5620827a1220c8a4e7d2c355af38588d13ebb2681

C:\Users\Admin\AppData\Local\Temp\abc2.exe

MD5 c2a608b49ee909733839cb54a07ecffa
SHA1 cc8dac87a9c71fab0468cd66a399a73004ea745c
SHA256 e4fc7a02a191853604cc170c97b05e12eb4d8bb468aeecff1b5a6690fd7bcaf6
SHA512 518eb069fcbcac2c504dd3c73840acdc950ee3911d0a852139e58fac3650a889fa17722588b71d51180fab6e6e36b463fdff28b1792c91d8d56f5f5a9ab32eaa