Analysis Overview
SHA256
6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900
Threat Level: Known bad
The file 918769eceacd168684def1b316ff3198_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Nullmixer family
FFDroider payload
PrivateLoader
Ffdroider family
Vidar
NullMixer
Vidar family
FFDroider
Privateloader family
Vidar Stealer
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
ASPack v2.12-2.42
VMProtect packed file
Checks whether UAC is enabled
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-24 00:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-24 00:26
Reported
2024-11-24 00:28
Platform
win7-20241010-en
Max time kernel
73s
Max time network
150s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\6eee9f336da6fcf1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\c98f61652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\efd22e6e99d7ee86.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\626c1e3ded0b288.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\c98f61652.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\efd22e6e99d7ee86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\6eee9f336da6fcf1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS04B92477\626c1e3ded0b288.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c98f61652.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 01a389215e4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME33.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1a693a205739887.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\6eee9f336da6fcf1.exe
6eee9f336da6fcf1.exe
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe
9e27a03aab64665.exe
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\c98f61652.exe
c98f61652.exe
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\efd22e6e99d7ee86.exe
efd22e6e99d7ee86.exe
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe
01a389215e4.exe
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe
1a693a205739887.exe
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\626c1e3ded0b288.exe
626c1e3ded0b288.exe
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe
"C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 964
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | N/A | tcp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.22:443 | lenak513.tumblr.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 127.0.0.1:49266 | N/A | tcp |
| N/A | 127.0.0.1:49268 | N/A | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FR | 23.33.233.193:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe
| MD5 | b11a656f94670d490972f233b5f73cc0 |
| SHA1 | 5b84f9bac9a1fe59b2e27eae58912f8364654025 |
| SHA256 | 5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a |
| SHA512 | 1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed |
\Users\Admin\AppData\Local\Temp\7zS04B92477\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2852-28-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2852-31-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2852-41-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2852-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2852-40-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2852-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2852-46-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2852-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2852-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\6eee9f336da6fcf1.exe
| MD5 | 5b8639f453da7c204942d918b40181de |
| SHA1 | 2daed225238a9b1fe2359133e6d8e7e85e7d6995 |
| SHA256 | d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6 |
| SHA512 | cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205 |
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\c98f61652.exe
| MD5 | 3d82323e7a84a2692208024901cd2857 |
| SHA1 | 9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c |
| SHA256 | 38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4 |
| SHA512 | 8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5 |
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\efd22e6e99d7ee86.exe
| MD5 | 9b55bffb97ebd2c51834c415982957b4 |
| SHA1 | 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16 |
| SHA256 | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11 |
| SHA512 | 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2 |
C:\Users\Admin\AppData\Local\Temp\7zS04B92477\626c1e3ded0b288.exe
| MD5 | c5437a135b1a8803c24cae117c5c46a4 |
| SHA1 | eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf |
| SHA256 | 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1 |
| SHA512 | 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181 |
\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe
| MD5 | 80a85c4bf6c8500431c195eecb769363 |
| SHA1 | 72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb |
| SHA256 | ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6 |
| SHA512 | f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2 |
\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/1504-110-0x0000000000400000-0x0000000000759000-memory.dmp
memory/1504-108-0x0000000000EB0000-0x0000000001209000-memory.dmp
memory/2116-77-0x0000000002130000-0x0000000002489000-memory.dmp
memory/2116-75-0x0000000002130000-0x0000000002489000-memory.dmp
memory/1504-106-0x0000000000EB0000-0x0000000001209000-memory.dmp
memory/2480-107-0x0000000000400000-0x0000000002C6C000-memory.dmp
memory/1504-92-0x0000000000400000-0x0000000000759000-memory.dmp
memory/2012-116-0x00000000000B0000-0x00000000000B8000-memory.dmp
memory/2192-115-0x0000000000EE0000-0x0000000000F12000-memory.dmp
memory/2852-39-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2192-127-0x0000000000240000-0x0000000000246000-memory.dmp
memory/2852-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2852-47-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7715.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2192-137-0x0000000000250000-0x0000000000272000-memory.dmp
memory/2192-138-0x0000000000270000-0x0000000000276000-memory.dmp
memory/1504-139-0x0000000000400000-0x0000000000759000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar7E36.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0eb52da15ffc7608d1a0fbb512543a26 |
| SHA1 | e32f2b9e03c77d8de135b5c6b1c39f007b2f5f67 |
| SHA256 | 6cbec1045e4fb45efdb1b3b49f4490cc5e6c08753bd7ce565a935d44d104e040 |
| SHA512 | 959b01aec2b7ee36cb8fbef33f5b7f71ae50566f695d8b025dbd537a96801f728fee5beb7f55c1a1f8edc8092fa50c6a377e416ad5022f7656d1066f4b06c00d |
memory/2852-183-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2852-184-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2852-182-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2852-181-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2852-180-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2852-179-0x0000000000400000-0x00000000008E1000-memory.dmp
memory/2168-203-0x0000000000400000-0x0000000002CC8000-memory.dmp
memory/2852-209-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2852-211-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2852-206-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2852-213-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2852-212-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2852-205-0x0000000000400000-0x00000000008E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-24 00:26
Reported
2024-11-24 00:28
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\626c1e3ded0b288.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\626c1e3ded0b288.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c98f61652.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 01a389215e4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME33.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1a693a205739887.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe
6eee9f336da6fcf1.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
9e27a03aab64665.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe
c98f61652.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
1a693a205739887.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe
01a389215e4.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe
efd22e6e99d7ee86.exe
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\626c1e3ded0b288.exe
626c1e3ded0b288.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2036 -ip 2036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 60 -ip 60
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 356
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1580
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4988 -ip 4988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1048
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.5.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.5.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 25.28.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.171.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.22:443 | lenak513.tumblr.com | tcp |
| N/A | 127.0.0.1:63268 | | tcp |
| N/A | 127.0.0.1:63270 | | tcp |
| US | 8.8.8.8:53 | 22.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe
| MD5 | b11a656f94670d490972f233b5f73cc0 |
| SHA1 | 5b84f9bac9a1fe59b2e27eae58912f8364654025 |
| SHA256 | 5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a |
| SHA512 | 1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2036-39-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2036-38-0x000000006494A000-0x000000006494F000-memory.dmp
memory/2036-37-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2036-36-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2036-45-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe
| MD5 | 5b8639f453da7c204942d918b40181de |
| SHA1 | 2daed225238a9b1fe2359133e6d8e7e85e7d6995 |
| SHA256 | d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6 |
| SHA512 | cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe
| MD5 | 9b55bffb97ebd2c51834c415982957b4 |
| SHA1 | 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16 |
| SHA256 | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11 |
| SHA512 | 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2 |
memory/4832-79-0x0000000000400000-0x0000000000759000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe
| MD5 | 3d82323e7a84a2692208024901cd2857 |
| SHA1 | 9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c |
| SHA256 | 38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4 |
| SHA512 | 8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\626c1e3ded0b288.exe
| MD5 | c5437a135b1a8803c24cae117c5c46a4 |
| SHA1 | eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf |
| SHA256 | 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1 |
| SHA512 | 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181 |
memory/4832-83-0x0000000000400000-0x0000000000759000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
| MD5 | 80a85c4bf6c8500431c195eecb769363 |
| SHA1 | 72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb |
| SHA256 | ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6 |
| SHA512 | f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
memory/4028-66-0x0000000000180000-0x0000000000188000-memory.dmp
memory/2036-44-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2036-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2036-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2036-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2036-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2036-35-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2036-34-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2036-33-0x0000000001060000-0x00000000010EF000-memory.dmp
memory/2036-32-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2036-29-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/4328-88-0x0000000000450000-0x0000000000482000-memory.dmp
memory/4328-89-0x0000000000D30000-0x0000000000D36000-memory.dmp
memory/4328-90-0x0000000000D40000-0x0000000000D62000-memory.dmp
memory/4328-91-0x0000000000D60000-0x0000000000D66000-memory.dmp
memory/2036-101-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2036-100-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2036-99-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2036-94-0x0000000000400000-0x00000000008E1000-memory.dmp
memory/2036-102-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2036-103-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/60-93-0x0000000000400000-0x0000000002C6C000-memory.dmp
memory/4832-108-0x0000000003120000-0x0000000003130000-memory.dmp
memory/4832-114-0x0000000003B70000-0x0000000003B80000-memory.dmp
memory/4832-121-0x0000000004620000-0x0000000004628000-memory.dmp
memory/4832-122-0x0000000004640000-0x0000000004648000-memory.dmp
memory/4832-124-0x00000000046E0000-0x00000000046E8000-memory.dmp
memory/4832-127-0x0000000004820000-0x0000000004828000-memory.dmp
memory/4832-128-0x0000000004840000-0x0000000004848000-memory.dmp
memory/4832-129-0x0000000004AF0000-0x0000000004AF8000-memory.dmp
memory/4832-130-0x00000000049F0000-0x00000000049F8000-memory.dmp
memory/4832-131-0x0000000004860000-0x0000000004868000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 914ac88c754f43b6df62c852f9706ea4 |
| SHA1 | 1315f1533616e4cf1e26303dac3986a673cdcc67 |
| SHA256 | 8cfb9dc8f45c35fac4a121a2a2bac1aefe0714c1ddf991abe6dca2791f407ff6 |
| SHA512 | 5078d045a96aa095449cdfd2545ec5290d53f39bb26f450bc2560263c3b0260e114990be15dd06095f93a83d4e46eb5733776aeb187b33885663e85124a85ea6 |
memory/4832-144-0x0000000004640000-0x0000000004648000-memory.dmp
memory/4832-152-0x0000000004860000-0x0000000004868000-memory.dmp
memory/4832-154-0x0000000004990000-0x0000000004998000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 9c7fd5d4bbb8d020479d3002a02029d1 |
| SHA1 | 8e1407c96e99d2285676157d4251d617c7ac31b9 |
| SHA256 | 8b1f647b5a1fcfc88c81b5b934236d171db250847082083a5b2945b19589e6de |
| SHA512 | 34ff613d65d0d8f4f613a0319e1ff65e23b08fa9192bd5ae7665598dc02fd3eb77179a4caa29b76d9e06f68f27f19bdb8d02221ee250c58889c3694c519e53b6 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 63ad6b12caa5c53abd19c015a99ce434 |
| SHA1 | 2219238a307a10cd81712ee64759d660756a0640 |
| SHA256 | ea2798504619078ea80cfd2dde5451dc1c98fde1ae519ab85bfc06d23eff6d5b |
| SHA512 | c3ac14514122b1faaa3e0b3caca794d78b0491ab47a9b4c9476b7d05bfa99b5528d7535cad5b0e10b2a5354167fe5c102f2ecac9fc4fcd404e6b1f600d4e56d8 |
memory/4832-175-0x0000000004990000-0x0000000004998000-memory.dmp
memory/4832-167-0x0000000004640000-0x0000000004648000-memory.dmp
memory/4832-177-0x0000000004860000-0x0000000004868000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 9bd49fef87049784c80fa7022ae8ed51 |
| SHA1 | 4c9815cda904f1b40649fc728513ad2aa87ae03e |
| SHA256 | a3be433770b0ecae77b4bcb1c3ce7ba4169836e1dd635f7fd982b1c7096e934e |
| SHA512 | 86715971c74cf15997fbf7d8633eee8368b22c828c2e6d8fe3e4422284f142be085479ea9b09ed9827aaf447c7271382a9d8eda5278062f704636052585f4dce |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d
| MD5 | b44ce00d46602c4d2a015dd5db458c88 |
| SHA1 | 0cbb5607a0482bbc6cd1ab998114fe9a43e5d50f |
| SHA256 | e3c8755f757a6bea206d2c280fedfca400fa05a92c3d07b0e1a6c13d98a23935 |
| SHA512 | 56bb6df65836bfd3233ec7d330f061fdec371b18a77acca5c610315991103a116b7f1e34f7b78daa51401909892c5e3c2e3388063cc8e7e37bf97e2857b70c3b |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | e1a020d805e396cdcd5d688ae7d1dcd2 |
| SHA1 | 78eac9c73d63732de800999b86fd9a436b717dd6 |
| SHA256 | 3791abda1ea3b4e818b5df133bb9c161df20bad4f03b8537dda5613dab66a1c8 |
| SHA512 | 0ae32193e73e4fa6dbaad925c7f1aebee322a92d15a627807bfda8144412ebbb602724531df9e17b74b01253afe47e83a2abd92e76d950b78f859377f25e86c2 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 540b7a94377e6c635858e55a70290526 |
| SHA1 | 650b7c8d39d1f40d49f4599185f6cf83fbc73002 |
| SHA256 | 95015276c49fabdf7c372aaaa81badfc9f0e332e0dadc03646ce503af2688fa1 |
| SHA512 | 0234b23a0911b30ca6d59d5e03d2a8dc702ea857d2493733720236e26b72433347895c71a2e586c81bf8978f51dd013d8a47732bfc13d531c6b2393575904cc8 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d
| MD5 | de57255cc2f6aea876fb73d25dbfe565 |
| SHA1 | c4d754ca8a042bd01a4294055525f7f2588e775a |
| SHA256 | fa65fc683351b29411035ea458fc57d2d2d3c9e810fd36ee4a83fb4da59ed7c0 |
| SHA512 | dff3fc63e703a5a60c1beb3fb66019812e0756658966d37fba11f8e04cf0387fc4a1130d5eb162ecd6c0214b103d1b86d8f487038d35b7a2e3986b02ff2ad3df |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | e7feb0864adddb6f063bd8f5ad493118 |
| SHA1 | 9b278c19af975109c9c1af58164f1ade098dd070 |
| SHA256 | 6fc485d9a16022c11e0967aa7f89a72ebd967cf47d5488a035f85b83c0888631 |
| SHA512 | ec4a7cac49d46f77e11fa2d313b61ee9e959d8195da72841c756a4724b1813f17bcc295cf950dce2a7f110c6330afdea1ea8af4db104f26fb6692058596c1361 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | e412378d59c1515095a56de068a4345c |
| SHA1 | d8a3888c3d2733f2da3aaf3a87cca966b8572a00 |
| SHA256 | d707d4c4753535e09381e54b2e9651d919d2c1211e38b4404ecede4bf41c9b96 |
| SHA512 | 332fdb29a4efc6634669a86476fd43b22d50f10a7e5d669a52b52ded0d7c22758f7e17c8f7c67691536dc2421d781d8c3b3737074758ccb1bf18c3dd24133236 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 366b0ea80c0f6bd5fac7fe0ff5de9268 |
| SHA1 | 4fd52d267ed28e25eb7e59098694dbfe4827fa44 |
| SHA256 | a33f9ca5a3f472f071a0fa81886a0c876d052bf31c220b48db0c7122689c802d |
| SHA512 | 9a905b5e3bae5108c43f49b50c7d13d182c8507cacfbff5f234dd8dfff1265a252184600585ef8f2313dc63bd8089bda70513fd2dd6444c0bf8186f05ede8129 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 7f189d1fb28381e38e18a9329aa0b060 |
| SHA1 | 4329521e229f7a6ca7d745083b8443f80eb4d15c |
| SHA256 | fff2231dd37e6ddf16180d4a72d3ec421001644e19cf4d12915a55fed5bc8e8a |
| SHA512 | 041329df87ea0f9df99363552cf25a3c6c7b31e86f54d44826c4e3134fec7aaf6f0ecd24c814830d3ef7aa3b7a86f22e499a7626419fcddd765a44b8e68cd4a5 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | d79ace3f2754ade448fe379334c286db |
| SHA1 | ed1cd284d3b5925e57570842bec58e799451956b |
| SHA256 | f6e9cc794f849dc73e8125690d6cd8cf5b5ad04f1fa4a393dd5c1b35b6a267b4 |
| SHA512 | 3c26e5def23e73e76e95ccc391ceb779045ea45172ffd052f6b61078125ea79eb4b3e3de795a3c739961f914cfa9fdfa67d86cf2900bc4ed915c3edd17de726d |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 0d4045d80274a0246c9dbdf55d95684a |
| SHA1 | 65258668f5db561f9dfeb3867827cd7e07f72409 |
| SHA256 | 3d92f7e3c54d34e3c15ea614d3f08b6049a6a76a8a70ac254630f2b289922c53 |
| SHA512 | ea801c7affc9b178cf0a1325824c22038a9bf199ec0eab0f36d9592968ceb472a6f77fb387a7f20294a88c263fbce119903101b04f2d150eabd5da103e0ce4dc |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 7cceef6a4be2e8d9ffe6cf8c7ecb0cc4 |
| SHA1 | 44e0e05d6d551700f419a347bd078d7912c56c17 |
| SHA256 | 185a1077bb91b787e78c5ef41313908c1c18b361bfbb73c1cce350a3027156df |
| SHA512 | 02eb84660d822d2faa67b6eabd579eb6e7af55440c65dd483b03a497e0fb6c11a96f79a5de278f94f119ba94195940534a37969684db72ed7d0f7816c6c99157 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 200cc0f808c204ad427b58c5ff02adc4 |
| SHA1 | 8756711a142c998d1df849ff51d6fb725c4f8af8 |
| SHA256 | dc968e3915768897e421965420bd5944251c31c9820a7f925dcf227fecaaec48 |
| SHA512 | ee8d9a77796f6088801f795224cc8b46f8c419702730fe43f870e6966a6b0c302e1e5e433e1a12d997296ba582af1b2aaea2df7005d8b6cebe925e4dcb148d88 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 2d9ddd69aef0a7311cb7ca7f154835ff |
| SHA1 | 1a0bf29d5c022964ebf94d402114fe613f3d49ba |
| SHA256 | d101bc3f5be2350412b3a29de0ea8525b9de8bc140de591753c5369d814789b6 |
| SHA512 | 13c3d394cf01d6b1dd5df31646bec8290211a781353dc4b38a606eb59b94de20195f65e3da857f6d03e5fd92b36488171ba6ad25f3066979a6c35b8bdcfa50f9 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 7f939d83e1baaab795950968ac99961b |
| SHA1 | 91b089176bf7c9f7deb5947b8860b5f79f251a28 |
| SHA256 | 50e60bd9e282121403ea4cbedc07341189a245e07346e6f57fa6228a842d563c |
| SHA512 | dc66d80d4cc3f0710773ff024b4cfafd53ff11f799e79af3b2d66a50d5bd3dadd7f2e3408913bb9e6b6ea49cbe5a73d321ffb1fa5800f69d00d4180e5351c07d |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | 6b5e9c03e0808b6aabbfdc5557a05ffe |
| SHA1 | 7a8eb59fdfcd42c17ae03dccdb557b26d71b4e72 |
| SHA256 | 7bd5325cda74f256641130cfc55c42b3efffbf62fc835a6f86b42aac9e80f774 |
| SHA512 | 0c81d2216b96418c3cbef9141510b51ea213d5035ac1444c44ee5c43d1681fcd23c7f8fb50bd0b78dfc9f166495b2c5937a2217ea933aa4342f8e38f513c83a3 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.INTEG.RAW
| MD5 | ba611121b1f64f3cbed9adefd7915d9a |
| SHA1 | 051add3ba1dc370f293c269a3416063f7eeb1acb |
| SHA256 | 9aea3e4b365c9d2dc2595e9935b792d2420ecf18f0ba4be6b3c598f196fd833d |
| SHA512 | 9871aacfa856114632686fcf21403db1938d75b81a9e30d5d6b962363dcdd1544b90f9978bc776a626a3c013419dd39773f3c4791960c8980191dc6555dc8064 |
C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm
| MD5 | e8f8033f24eb8eb0837936c19ceffa7c |
| SHA1 | 68d550e66cb359132865449b2243380fdd57b3cf |
| SHA256 | 8a84287468d8f77721271b98a8332a683d68261cde620ee47dd9a82f0a7b59df |
| SHA512 | 5abce8d0954a59dd62916612b4e7536c4e93ca77506c2fb21293a9a7a009f3737371d908d723e1149dd46c3169537bd086c2fa2f7639c27504a7d189e2ac3306 |
memory/4832-606-0x0000000000400000-0x0000000000759000-memory.dmp