Malware Analysis Report

2025-08-11 07:35

Sample ID 241015-1z6b5azbra
Target 4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118
SHA256 ab085e99a17a68e32f9c530278cf8a997ca9b7a9a9c3b951256acc37be5f6322
Tags
bootkit discovery persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ab085e99a17a68e32f9c530278cf8a997ca9b7a9a9c3b951256acc37be5f6322

Threat Level: Shows suspicious behavior

The file 4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence upx

Executes dropped EXE

Loads dropped DLL

Writes to the Master Boot Record (MBR)

UPX packed file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 22:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 22:06

Reported

2024-10-15 22:08

Platform

win7-20240903-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows; no per-match detail exported)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\TypeLib C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7} C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\ = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\InfoTip = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\ShellFolder C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.pp2345.com" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\TypeLib\ = "{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell\Internet Explorer\Command C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell\Internet Explorer C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe

"C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.jd9.net udp
US 8.8.8.8:53 config.ie.sogou.com udp
US 15.197.225.128:80 www.jd9.net tcp
US 8.8.8.8:53 ping.ie.sogou.com udp
CN 36.155.167.208:80 ping.ie.sogou.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe

MD5 006bcf6d8e9bcda4ad8323f3622e245b
SHA1 45b88bd752ea8853a3aebf5779ae47666253251c
SHA256 8854b97a765d20e2f15cc2da23bd78584bc3f67ec05a7e3f16020690f25d3821
SHA512 4008fbce2719618acd2a4f852a601517935a018f56ff361c4c08a88fb1446f2e35652c8128ed86b313bd198966ffb8892c6ee7000132551d396dbcb40ba48ec0

\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\inetc.dll

MD5 8d8fdad7e153d6b82913f6fdc407d12c
SHA1 aabbeed33cd5221e4cb22aab6e48310df94facfd
SHA256 e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b
SHA512 42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

memory/1264-19-0x0000000000400000-0x00000000004AB000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsoB52D.tmp\md5dll.dll

MD5 a7d710e78711d5ab90e4792763241754
SHA1 f31cecd926c5d497aba163a17b75975ec34beb13
SHA256 9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2
SHA512 f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

memory/2104-9-0x0000000001D20000-0x0000000001DCB000-memory.dmp

memory/1264-26-0x0000000000910000-0x00000000009BB000-memory.dmp

memory/1264-33-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-36-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-37-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-38-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-39-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-40-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-41-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-42-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-43-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-44-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-45-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-46-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1264-47-0x0000000000400000-0x00000000004AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 22:06

Reported

2024-10-15 22:08

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A
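The "Writes to the Master Boot Record (MBR)" hit in both runs (behavioral1 and behavioral2) rests on a single indicator: SeFastInstall2_3218.exe opened \??\PhysicalDrive0 for modification. That is a handle with write access to the raw disk, not an observed write to sector 0, and the same kind of handle is what installers use to read the disk serial for a hardware fingerprint (the separate "Enumerates physical storage devices" hit is consistent with that). The check that settles the question is to compare sector 0 of the detonation disk before and after the run. The script below is an added example, not part of this report: it parses the classic MBR layout (440 bytes of boot code, the NT disk signature, four 16-byte partition entries, the 0x55AA boot signature) and diffs two images. The two images it builds are constructed test data, not captures from this sample; read_sector0 shows where a real image would come from.

```python
"""Parse two 512-byte MBR images and report what changed between them.

Added example, not part of the sandbox report. The report records only that
SeFastInstall2_3218.exe opened \\??\\PhysicalDrive0 for modification; whether
sector 0 actually changed is what this check answers. Both images built at
the bottom are CONSTRUCTED test data.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

MBR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0-439: boot code
DISK_SIG_OFFSET = 440         # bytes 440-443: NT disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY_SIZE = 16
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass(frozen=True)
class Mbr:
    boot_code_sha256: str
    disk_signature: int
    partitions: Tuple[Partition, ...]
    valid_signature: bool


def parse_mbr(data: bytes) -> Mbr:
    """Decode the fixed MBR layout; raises on a short or oversized read."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    disk_sig = struct.unpack_from("<I", data, DISK_SIG_OFFSET)[0]
    parts = []
    for i in range(4):
        status, type_id, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, data, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE)
        parts.append(Partition(status == 0x80, type_id, lba, count))
    return Mbr(hashlib.sha256(data[:BOOT_CODE_SIZE]).hexdigest(),
               disk_sig, tuple(parts), data[510:512] == BOOT_SIGNATURE)


def diff_mbr(before: Mbr, after: Mbr) -> List[str]:
    """Human-readable differences; an empty list means sector 0 is unchanged."""
    findings = []
    if not after.valid_signature:
        findings.append("boot signature 0x55AA missing after detonation")
    if before.boot_code_sha256 != after.boot_code_sha256:
        findings.append("boot code (bytes 0-439) replaced: bootkit-style overwrite")
    if before.disk_signature != after.disk_signature:
        findings.append(f"disk signature changed {before.disk_signature:#010x} -> {after.disk_signature:#010x}")
    for idx, (pb, pa) in enumerate(zip(before.partitions, after.partitions)):
        if pb != pa:
            findings.append(f"partition entry {idx} changed: {pb} -> {pa}")
    return findings


def read_sector0(device: str) -> bytes:
    """Read sector 0 of a raw device: r'\\\\.\\PhysicalDrive0' on Windows (needs admin) or '/dev/sda'."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a test MBR; used only to construct the sample images below."""
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFFSET, disk_sig)
    for i, entry in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE, *entry)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed images: a generic boot stub, an active 100 MiB NTFS partition and a data partition.
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 41736192), (0, 0, 0, 0), (0, 0, 0, 0)]
BASELINE_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433, 0x1234ABCD, PARTITIONS)
# "After" image with the boot code swapped but the partition table intact: the usual footprint
# of an MBR bootkit, which still has to chain-load the original loader.
TAMPERED_MBR = build_mbr(b"\xeb\x1e" + b"\x00" * 438, 0x1234ABCD, PARTITIONS)

if __name__ == "__main__":
    base = parse_mbr(BASELINE_MBR)
    print("unchanged:", diff_mbr(base, parse_mbr(BASELINE_MBR)))
    print("tampered: ", diff_mbr(base, parse_mbr(TAMPERED_MBR)))
```

Against a real detonation, take the baseline from the clean VM snapshot and the second image from the disk after the run; if diff_mbr returns nothing, the PhysicalDrive0 handle was a read (fingerprinting) rather than a bootkit install, and the "bootkit" tag on this report should be read accordingly.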

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows; no per-match detail exported)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\InfoTip = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell\Internet Explorer C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell\Internet Explorer\Command C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.pp2345.com" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\ShellFolder C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\TypeLib C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7} C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\ = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\TypeLib\ = "{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
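Read together, the registry rows above (and the matching set in behavioral1) describe a homepage hijack through the shell namespace. {871C5380-42A0-1069-A2EA-08002B30309D} is Windows' own Internet Explorer desktop-icon CLSID and receives a new shell\OpenHomePage verb; a second CLSID, {ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}, is created with the display name and InfoTip "Internet Explorer", a SHELL32.DLL icon, and a default verb whose command is iexplore.exe with http://www.pp2345.com. One caveat: the report records the OpenHomePage\Command key being created but no value for it, so only the fabricated icon's command is visible here. The Python below is an added example, not anything from the report or the sample: it parses rows in this table's format and flags shell verbs that launch a hard-coded URL. SAMPLE_ROWS is a subset of the rows above copied verbatim; the BUILTIN_CLSIDS table is the example's own assumption and lists only the IE namespace GUID.

```python
"""Flag shell-namespace homepage hijacks in Triage-style registry rows.

Added example, not part of the sandbox report. SAMPLE_ROWS is a subset of the
behavioral2 "Modifies registry class" table copied verbatim; the parser, the
rules and the BUILTIN_CLSIDS table are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\InfoTip = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell\Internet Explorer C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell\Internet Explorer\Command C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.pp2345.com" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\ = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABEE4922-5D43-4883-8E87-AC1AAC4F2DA7}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220" C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe N/A
"""

# Row formats as exported by the sandbox: process paths contain no spaces, keys and values may.
SET_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<key>.+?) = "(?P<value>.*)" (?P<process>\S+) (?P<target>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>.+) (?P<process>\S+) (?P<target>\S+)$')
GUID = r'\{[0-9A-Fa-f-]{36}\}'
CLSID_RE = re.compile(r'\\CLSID\\(' + GUID + r')')
NAME_RE = re.compile(r'\\CLSID\\' + GUID + r'\\$')                       # default value of the CLSID key
VERB_RE = re.compile(r'\\CLSID\\' + GUID + r'\\[Ss]hell\\([^\\]+)\\Command\\?$')
URL_RE = re.compile(r'https?://[^\s"]+')

# Windows' own namespace CLSIDs worth watching. Assumption of this example: only the one
# this sample touches (the Internet Explorer desktop icon) is listed.
BUILTIN_CLSIDS = {"{871C5380-42A0-1069-A2EA-08002B30309D}": "Internet Explorer"}


@dataclass(frozen=True)
class RegEvent:
    op: str                  # "key_created" or "set_value"
    key: str
    value: Optional[str]
    process: str


@dataclass
class ClsidProfile:
    clsid: str
    display_name: Optional[str] = None
    verbs: Dict[str, Optional[str]] = field(default_factory=dict)  # verb -> command, None if no value recorded


def parse_rows(text: str) -> List[RegEvent]:
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            events.append(RegEvent("set_value", m["key"], m["value"], m["process"]))
            continue
        m = KEY_RE.match(line)
        if m:
            events.append(RegEvent("key_created", m["key"], None, m["process"]))
            continue
        raise ValueError(f"unrecognised row: {line}")
    return events


def profile_clsids(events: List[RegEvent]) -> Dict[str, ClsidProfile]:
    """Group events by CLSID, keeping the display name and every shell verb seen."""
    profiles: Dict[str, ClsidProfile] = {}
    for ev in events:
        m = CLSID_RE.search(ev.key)
        if not m:
            continue
        clsid = m.group(1).upper()
        prof = profiles.setdefault(clsid, ClsidProfile(clsid))
        if ev.op == "set_value" and NAME_RE.search(ev.key):
            prof.display_name = ev.value
        vm = VERB_RE.search(ev.key)
        if vm:
            if ev.op == "set_value":
                prof.verbs[vm.group(1)] = ev.value
            else:
                prof.verbs.setdefault(vm.group(1), None)
    return profiles


def find_url_hijacks(profiles: Dict[str, ClsidProfile]) -> List[dict]:
    """CLSIDs whose shell verb launches a hard-coded URL: the homepage-hijack pattern."""
    builtin_names = {n.lower() for n in BUILTIN_CLSIDS.values()}
    out = []
    for prof in profiles.values():
        for verb, cmd in prof.verbs.items():
            urls = URL_RE.findall(cmd or "")
            if urls:
                out.append({"clsid": prof.clsid, "display_name": prof.display_name, "verb": verb,
                            "command": cmd, "urls": urls,
                            # a new CLSID that borrows a built-in's display name is impersonating it
                            "impersonates_builtin": prof.clsid not in BUILTIN_CLSIDS
                            and (prof.display_name or "").lower() in builtin_names})
    return out


def find_verbs_added_to_builtins(profiles: Dict[str, ClsidProfile]) -> List[dict]:
    """Verbs added under Windows' own namespace CLSIDs; command is None when the log has no value."""
    return [{"clsid": p.clsid, "builtin": BUILTIN_CLSIDS[p.clsid], "verb": v, "command": c}
            for p in profiles.values() if p.clsid in BUILTIN_CLSIDS for v, c in p.verbs.items()]


if __name__ == "__main__":
    profs = profile_clsids(parse_rows(SAMPLE_ROWS))
    for hit in find_url_hijacks(profs) + find_verbs_added_to_builtins(profs):
        print(hit)
```

On a live host the same two rules can be run over HKLM\SOFTWARE\Classes\CLSID and its Wow6432Node copy; anything matching is also the cleanup list, since removing the fabricated CLSID and the extra verb restores the stock icon.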

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\4a3abd92faaeee0cbf47648b9f235140_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe

"C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.jd9.net udp
US 8.8.8.8:53 config.ie.sogou.com udp
US 3.33.251.168:80 www.jd9.net tcp
US 8.8.8.8:53 ping.ie.sogou.com udp
CN 36.155.183.169:80 ping.ie.sogou.com tcp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 168.251.33.3.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
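Compared with the Windows 7 run, the Windows 10 capture above carries traffic the sample did not generate: PTR lookups under in-addr.arpa (the sandbox OS resolving the peers it sees) and Bing endpoints that are typical Windows 10 background traffic. Stripping that leaves the same three sample domains in both runs. Two details matter for IOC extraction: config.ie.sogou.com is resolved but never connected to in either run, and the addresses behind www.jd9.net and ping.ie.sogou.com differ between the runs, so the domains are the durable indicators, not the IPs. The script below is an added example and not part of the report: it applies that filtering to rows in this table's format. The behavioral1 rows are copied in full, the behavioral2 rows are abbreviated to a representative subset, and the noise rules (in-addr.arpa names, bing.com and bing.net) are the example's own heuristic.

```python
"""Separate sample-attributable network IOCs from sandbox background noise.

Added example, not part of the sandbox report. Rows are copied from the two
behavioral runs (the Windows 10 run abbreviated to a representative subset).
The noise rules are this example's assumption: reverse-DNS names under
in-addr.arpa and the domains in BACKGROUND_SUFFIXES are treated as operating
system traffic rather than sample traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

BEHAVIORAL1_WIN7 = """
US 8.8.8.8:53 www.jd9.net udp
US 8.8.8.8:53 config.ie.sogou.com udp
US 15.197.225.128:80 www.jd9.net tcp
US 8.8.8.8:53 ping.ie.sogou.com udp
CN 36.155.167.208:80 ping.ie.sogou.com tcp
"""

BEHAVIORAL2_WIN10 = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 www.jd9.net udp
US 8.8.8.8:53 config.ie.sogou.com udp
US 3.33.251.168:80 www.jd9.net tcp
US 8.8.8.8:53 ping.ie.sogou.com udp
CN 36.155.183.169:80 ping.ie.sogou.com tcp
US 8.8.8.8:53 168.251.33.3.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

BACKGROUND_SUFFIXES = ("bing.com", "bing.net")  # assumption: Windows 10 background endpoints


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse 'Country Destination Domain Proto' rows as exported by the sandbox."""
    flows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def is_background(flow: Flow) -> bool:
    d = flow.domain.lower()
    if d.endswith(".in-addr.arpa"):   # PTR lookups the sandbox OS issues for peers it observes
        return True
    return any(d == s or d.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def sample_flows(flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if not is_background(f)]


def domains(flows: List[Flow]) -> Set[str]:
    return {f.domain for f in flows}


def resolved_only(flows: List[Flow]) -> Set[str]:
    """Domains the sample resolved but never connected to over TCP in this run."""
    return domains(flows) - {f.domain for f in flows if f.proto == "tcp"}


def stable_iocs(run_a: List[Flow], run_b: List[Flow]) -> Dict[str, object]:
    """Cross-run view: domains seen in both runs, the IPs each resolved to, and which IPs drifted."""
    a, b = sample_flows(run_a), sample_flows(run_b)
    ips: Dict[str, Set[str]] = {}
    for f in a + b:
        if f.proto == "tcp":
            ips.setdefault(f.domain, set()).add(f.ip)
    return {
        "domains": domains(a) & domains(b),
        "ips_by_domain": ips,
        "ip_drift": {d for d, s in ips.items() if len(s) > 1},  # pivot on the name, not the address
    }


if __name__ == "__main__":
    win7, win10 = parse_flows(BEHAVIORAL1_WIN7), parse_flows(BEHAVIORAL2_WIN10)
    print("background rows dropped from win10:", len(win10) - len(sample_flows(win10)))
    print("resolved but not contacted:", resolved_only(sample_flows(win7)))
    print(stable_iocs(win7, win10))
```

The ip_drift set is the argument for blocking or hunting on the domain names: both hosts that were actually contacted resolved to different addresses between two detonations run minutes apart.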

Files

C:\Users\Admin\AppData\Local\Temp\nsbAF4C.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

C:\Users\Admin\AppData\Local\Temp\SeFastInstall2_3218.exe

MD5 006bcf6d8e9bcda4ad8323f3622e245b
SHA1 45b88bd752ea8853a3aebf5779ae47666253251c
SHA256 8854b97a765d20e2f15cc2da23bd78584bc3f67ec05a7e3f16020690f25d3821
SHA512 4008fbce2719618acd2a4f852a601517935a018f56ff361c4c08a88fb1446f2e35652c8128ed86b313bd198966ffb8892c6ee7000132551d396dbcb40ba48ec0

C:\Users\Admin\AppData\Local\Temp\nsbAF4C.tmp\md5dll.dll

MD5 a7d710e78711d5ab90e4792763241754
SHA1 f31cecd926c5d497aba163a17b75975ec34beb13
SHA256 9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2
SHA512 f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

C:\Users\Admin\AppData\Local\Temp\nsbAF4C.tmp\inetc.dll

MD5 8d8fdad7e153d6b82913f6fdc407d12c
SHA1 aabbeed33cd5221e4cb22aab6e48310df94facfd
SHA256 e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b
SHA512 42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

memory/1116-11-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1116-30-0x0000000000400000-0x00000000004AB000-memory.dmp

memory/1116-32-0x0000000000400000-0x00000000004AB000-memory.dmp