Analysis Overview
SHA256
05cbb2a0501766018d1197101a6d4b55fcf6adc8eb6ec92692d93ea8d156135c
Threat Level: Known bad
The file d701b8fee63c28d1499e5329682d8a64_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
CyberGate, Rebhip
Boot or Logon Autostart Execution: Active Setup
Adds policy Run key to start application
Checks computer location settings
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops desktop.ini file(s)
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-09 20:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-09 20:01
Reported
2024-09-09 20:04
Platform
win7-20240903-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
CyberGate, Rebhip
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{K1FC87E1-723A-425T-R2WI-EK5C1S0T06LD} | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{K1FC87E1-723A-425T-R2WI-EK5C1S0T06LD}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012} | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\install\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\SysWOW64\explorer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe
"C:\Users\Admin\AppData\Local\Temp\2huhuuyd.5pu.exe"
C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe
"C:\Users\Admin\AppData\Local\Temp\dkr3rhre.bvt.exe"
C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe
"C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe"
C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe
"C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Roaming\install\server.exe
"C:\Users\Admin\AppData\Roaming\install\server.exe"
C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe
"C:\Users\Admin\AppData\Local\Temp\lowaqibx.eaf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 452
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe
"C:\Users\Admin\AppData\Local\Temp\oeaqiny2.ce1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 508
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-09 20:01
Reported
2024-09-09 20:04
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{K1FC87E1-723A-425T-R2WI-EK5C1S0T06LD} | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{K1FC87E1-723A-425T-R2WI-EK5C1S0T06LD}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012} | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart" | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012} | C:\Windows\SysWOW64\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J5EC30MH-EOM5-TL7S-2WC6-36436N054012}\StubPath = "C:\\Windows\\system32\\install\\server.exe" | C:\Windows\SysWOW64\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\install\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\install\\server.exe" | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| File created | C:\Windows\SysWOW64\install\server.exe | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\server.exe | C:\Windows\SysWOW64\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\install\ | C:\Windows\SysWOW64\explorer.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\install\server.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\install\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\d701b8fee63c28d1499e5329682d8a64_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe | "C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe" |
| C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe | "C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe" |
| C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | "C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe" |
| C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | "C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe" |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\explorer.exe | explorer.exe |
| C:\Windows\SysWOW64\install\server.exe | "C:\Windows\system32\install\server.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2620 -ip 2620 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 564 |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" |
| C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe | "C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe" |
| C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe | "C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4720 -ip 4720 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5044 -ip 5044 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 976 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 976 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.server.com | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 33.140.123.92.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
| US | 52.8.126.80:80 | www.server.com | tcp |
Files
memory/1336-0-0x0000000074E72000-0x0000000074E73000-memory.dmp
memory/1336-1-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/1336-2-0x0000000074E70000-0x0000000075421000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4z3ufxvu.oxm.exe
| MD5 | 41f13d72ec9d9d5bec7b2b479d980367 |
| SHA1 | dad758c3d835cbae2d2188cc96ca70fa54f7234b |
| SHA256 | 6da5c29943d377b0bc1d98b126edae517462cac7e3b652698c61581a53038e40 |
| SHA512 | 827feb56f69f43644a2fc0a103008191a49cd18763922745a8d142f132654e676064d893b33f930b989ffe78dc820d68dc4c0c74eda9aea0f916decc35486d0d |
C:\Users\Admin\AppData\Local\Temp\5kibrl05.ymt.exe
| MD5 | f5a96a5138dcfe74209e5c8f37cd4bc8 |
| SHA1 | daa5bd26a7edd173fcf5957a545ce62f3df1fad6 |
| SHA256 | 863480837c0c8bcc3f4c12bb820607cde7a7c174f3ca3a7f838182ab35ac6a11 |
| SHA512 | 3a3bdab7d5de5d6f2a47f2d8488f4f81c5b048ffad2b0d7b1daeff12bce8c0c081d8e7768d8035148ae0049f8c0ac3ad39add04732aeea93905036cc3ae2f4e7 |
memory/4388-23-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4388-26-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/4388-28-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/2044-29-0x000000007157E000-0x000000007157F000-memory.dmp
memory/2044-31-0x0000000005330000-0x00000000053CC000-memory.dmp
memory/1336-32-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/2044-33-0x0000000005980000-0x0000000005F24000-memory.dmp
memory/2044-30-0x0000000000A20000-0x0000000000A64000-memory.dmp
memory/2044-34-0x00000000053D0000-0x0000000005462000-memory.dmp
memory/2044-36-0x00000000054D0000-0x0000000005526000-memory.dmp
memory/2044-35-0x0000000005310000-0x000000000531A000-memory.dmp
memory/2044-37-0x0000000071570000-0x0000000071D20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\f2mujhz4.q2e.exe
| MD5 | 9650df97e914a968a82b8249603b3b02 |
| SHA1 | 85209e1ade9d492bbcc7a601a4975f0442be24a1 |
| SHA256 | e8f3ac651ab69fb7eee395c57bdccd464d066fccddd6cda346bf6c51a3f06ab4 |
| SHA512 | 5bed6a9476b8252e241c13b98c1f6c17f0325ace076a26b69c996ab96edcf65fb1c3b738faa30a1f3776a1e8cf8f147d8c3206e5198e1a8fd47698febd4700ea |
C:\Users\Admin\AppData\Local\Temp\nlt10knw.duq.exe
| MD5 | ab0cb4aa536bb64d49dd38fa9a86976f |
| SHA1 | 18922ebc6cfb2e5c011d49adebb76607ec855cbd |
| SHA256 | 369a308c7df00035d0f8032f3706f325116a9b81a5e912f3bc1f51d62d7bd5e8 |
| SHA512 | 314ad480a1f876e0e099057dec6c8ca6bc65655572102d4b1bfc5a37abb2490671d73906f313fef23b8873114bbced1335e1bc016423c1d6fb808fc951c9ca57 |
memory/4388-55-0x0000000074E70000-0x0000000075421000-memory.dmp
memory/376-58-0x0000000010410000-0x0000000010471000-memory.dmp
memory/4864-64-0x00000000013B0000-0x00000000013B1000-memory.dmp
memory/4864-63-0x00000000012F0000-0x00000000012F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
| MD5 | 215fd6a04417b2c76ae3d22dd62a6134 |
| SHA1 | 5b76be62a791b5f2ea6eea2e1ef51562b2bc9d64 |
| SHA256 | 0cbf6e473c6b3f3bc1d6e07fe0a33bdca1da5e6e6c7be6876bc52970d52d4424 |
| SHA512 | f1892f63146d6b28d03a12460563d3b853035e952465c78845bcb794e3d2a61b23db88cd006772d4748964b8ac847403d5ac4c5b92243feb8cf2c091da913631 |
memory/1552-72-0x0000000010480000-0x00000000104E1000-memory.dmp
memory/1552-76-0x0000000010410000-0x0000000010471000-memory.dmp
C:\Users\Admin\AppData\Roaming\cglogs.dat
| MD5 | bf3dba41023802cf6d3f8c5fd683a0c7 |
| SHA1 | 466530987a347b68ef28faad238d7b50db8656a5 |
| SHA256 | 4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d |
| SHA512 | fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314 |
memory/2044-352-0x000000007157E000-0x000000007157F000-memory.dmp
memory/2044-353-0x0000000071570000-0x0000000071D20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 31c637e945037ecc47b8e69b8b8b1f50 |
| SHA1 | 0df902e9cf1830c04f4a85bcb89cb2a842f26ce9 |
| SHA256 | 0865b5b0b4d4af0225bd3dad856def9a7afbc9a2e242635d0b45bdab01b8dfa5 |
| SHA512 | 34b4099b69eaf839d3b0a1401d2141081c99081c3d97fbe17a0754e8d18ea87d7e56649e3b7c5edda0d992856b81d4d2e365461767481e26d62223f081493907 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 554606143e6ef72bf6b126a3f1aa4a5c |
| SHA1 | c6b8dd16d5ca605cef9a902b70415b8eebe1f3a8 |
| SHA256 | b3a861f342249716395803ecbcdfe19f0a14c806976ee885d4c17a5c8ea2f05b |
| SHA512 | ba4f3af035d74dda3d242bba75f65f4ea75aba41001c36517caab51ae2f885e22df69abde13731dd3159a930cd73684b69b07d76bad3bf81eecc3e04cd4b89ab |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 25273b5bc6fb4a5ec32fa83eba3694c7 |
| SHA1 | 7392e9a71fbbdf28c388f086ab326509a6445bbc |
| SHA256 | 10de9fcaf29c11446320f0d35cb246367310196ee2fcced1a61c967e910e1282 |
| SHA512 | 92dc494fd8c2ebe7448c21bd5c518c237387d774f09096839a19ad4d15a97ba21e0aa24bc1f7968deff2c262cb2d44ca87c7e49a3dc097062764933dc1e0ebcf |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | a9b3abdf53252d4569c4909ed2d1d97c |
| SHA1 | da56e6eebc8bfaa2952e67eb63fcac98cc2a31f2 |
| SHA256 | d32dbfaae02d287dd652c1053933a9080196012da9a67bd018a0b0ee7bcc548a |
| SHA512 | b5d50a12dda70ddd8f77cce3a785173b82dfe3e4d151db9a574e1ee45f422496689ffec18395731bbd10a60f1367aa7bc1009761296145c772553a4e5f29dd98 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 118c455ca176f1446cee83526c02cc94 |
| SHA1 | 3c4d9676150414222922cf141993b45bcd9c26f7 |
| SHA256 | eb1d188dffab71b05217486993c41b782195ed8cd34982b27a4173bb46d9beed |
| SHA512 | d0b416f18fced1aa0eab30a508b391074f7cf2dfd47d70308f3fa92e8c7c9b8888cdbd3caf93944985448b64b011b8821c40762f393200bdcc1f70868edf63f5 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 36380db486273385178b2775dc45e4e4 |
| SHA1 | 1bed8d4e8d63f28668f67ba30bf06b1c78d5ee03 |
| SHA256 | 353b364faaa6e8a0f860579691f240818680474671c602bddfd6851d2f6152c2 |
| SHA512 | 7c4ada944570c64c8d395947d607d5771f64b54b7148ad003410220d8f65456914cea1ff51fff02dadba44e7278b07b379a702be59b376b347e2d8dd6e728329 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 0d8d0a9d36253e5870fdb83bdf41e5d0 |
| SHA1 | 9f3013ad016f9bbfc7a850825c7f31986c7b4d4b |
| SHA256 | bb039e0126f8b81923830cdc30cf3e74240b94e4ffc36c64d0252723e82dbfae |
| SHA512 | 0f45a638787e91a33bcf7b01ccffdf31ce86e5f805cc2a8a5beab1a99126b2e5dd46c05ac450148bf6f678e15fdfb9eb061afcbd44cc337e72c993e734a2b6c9 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 6c0c88262f3f124818ab130e1d84f8e7 |
| SHA1 | f00d5bbd5155977471d46cdd1b97b45ad5a095ff |
| SHA256 | b4a8f91d44ed126a62021c84101d7715184ffa6a12f104f0894fcacf43c356c7 |
| SHA512 | e5de6bbcc3a81102544d8ba5ed9756c59ab285ae977055777a416c7485cde7681ae977467fba509242c9f174fd0dc249e67c2001248095e5790afba62797a57f |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | d37b36a5f219f97276f5587bc2e7f5cf |
| SHA1 | 5d8a5fd5ea0cc01adf3e63da69d63e57ffa02b6f |
| SHA256 | 7f103b8c471ccd0141a32c11f0e63fc556fb8fdc9145abfebbde78ebee5ff303 |
| SHA512 | 16b9219025951fc751b7ba76e35e46dd4b8e62a3df0d94796c9bc5e8e144d279aaeada61e453afe71aa61c1c4818857a26c5de4f39fa1098d88e722b566cf340 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 407c24d0aaadc4121f34530d101858a3 |
| SHA1 | 73865da00d4e629fb089d99fa1448f5ebdbf7950 |
| SHA256 | d84d668c0e2473b2d83643c8dcd4a6a213c9a3bd6844f00ceb7affac7fdc7116 |
| SHA512 | a8e65814c9e3c29a98446f297fb6e5e5f6402d7e8f1892e319a59058091b0d135210137d63b7a8e9f2af7177928ade5d5d0cb9b79b423bb9c91d2d291c485e90 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 28880813b00119362218c534e540b89c |
| SHA1 | 3447412e283c1d4612f3a697fc71093c862f938f |
| SHA256 | 6538a5c30467f6ae048709b9f7dda803f03a2a661a8e7f4cfc203f7f8d84271e |
| SHA512 | 44009b473705c8b1d44e3c95c1aaf71cb0cb3ec53a7714e7f2a1837b11fd7eb9aee6468730aec3b6d0ca38a196912f8deb42883eed6e72fd2eafee743f184721 |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | e1d6e499788fa5da668734d87d30bd51 |
| SHA1 | 0d9063d9b579d421e0b0a384a66f37ea14428eb9 |
| SHA256 | b826ce9d7f5f324fb6d1ba93953ee77ff2200c620114ef42da6d1c988ac78b8f |
| SHA512 | 168c99ef72d4fccbb3f3e6d9563acbc038141ff7cf94643a4c97a856c3b80f6db3b5957c1b8069764c87afab6790602afc41545d6433e54373c356cd6589fa3d |
C:\Users\Admin\AppData\Local\Temp\XxX.xXx
| MD5 | 3b63f2489a98cc26ca5622d17a345ef0 |
| SHA1 | 6fd6a05955b6869d860a0f6b1547b246a5e8f363 |
| SHA256 | 94cf736999b43ffd3bac00fc8683cd9f80d88a715b3c02197847a27193cf93ac |
| SHA512 | 9562aac80116c6d03237cf5eaa336fa22b143b53377914774ac0fa99ab2aa39e1de6521020f41df0aaae89008f4a6c404cc3b89483e01340f8159edae2bf7719 |