Malware Analysis Report

2025-01-02 05:57

Sample ID 241124-aq69ysvjex
Target 918769eceacd168684def1b316ff3198_JaffaCakes118
SHA256 6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900
Tags
ffdroider nullmixer privateloader vidar aspackv2 discovery dropper loader spyware stealer vmprotect evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900

Threat Level: Known bad

The file 918769eceacd168684def1b316ff3198_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ffdroider nullmixer privateloader vidar aspackv2 discovery dropper loader spyware stealer vmprotect evasion trojan

Nullmixer family

FFDroider payload

PrivateLoader

Ffdroider family

Vidar

NullMixer

Vidar family

FFDroider

Privateloader family

Vidar Stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

ASPack v2.12-2.42

VMProtect packed file

Checks whether UAC is enabled

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 00:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 00:26

Reported

2024-11-24 00:28

Platform

win7-20241010-en

Max time kernel

73s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\c98f61652.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\c98f61652.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\efd22e6e99d7ee86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\efd22e6e99d7ee86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04B92477\c98f61652.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04B92477\efd22e6e99d7ee86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\6eee9f336da6fcf1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\626c1e3ded0b288.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2880 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe
PID 2880 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe
PID 2880 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe
PID 2880 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe
PID 2880 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe
PID 2880 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe
PID 2880 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe
PID 2852 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS04B92477\6eee9f336da6fcf1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c98f61652.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 01a389215e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME33.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1a693a205739887.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\6eee9f336da6fcf1.exe

6eee9f336da6fcf1.exe

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe

9e27a03aab64665.exe

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\c98f61652.exe

c98f61652.exe

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\efd22e6e99d7ee86.exe

efd22e6e99d7ee86.exe

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe

01a389215e4.exe

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe

1a693a205739887.exe

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\626c1e3ded0b288.exe

626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe

"C:\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 964

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 34.117.59.81:443 ipinfo.io tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 db-ip.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.22:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:49266 tcp
N/A 127.0.0.1:49268 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
FR 23.33.233.193:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS04B92477\setup_install.exe

MD5 b11a656f94670d490972f233b5f73cc0
SHA1 5b84f9bac9a1fe59b2e27eae58912f8364654025
SHA256 5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a
SHA512 1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed

\Users\Admin\AppData\Local\Temp\7zS04B92477\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2852-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2852-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2852-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2852-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2852-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2852-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2852-46-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2852-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2852-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\6eee9f336da6fcf1.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\c98f61652.exe

MD5 3d82323e7a84a2692208024901cd2857
SHA1 9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c
SHA256 38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4
SHA512 8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\01a389215e4.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\efd22e6e99d7ee86.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\7zS04B92477\626c1e3ded0b288.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

\Users\Admin\AppData\Local\Temp\7zS04B92477\9e27a03aab64665.exe

MD5 80a85c4bf6c8500431c195eecb769363
SHA1 72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb
SHA256 ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6
SHA512 f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2

\Users\Admin\AppData\Local\Temp\7zS04B92477\1a693a205739887.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/1504-110-0x0000000000400000-0x0000000000759000-memory.dmp

memory/1504-108-0x0000000000EB0000-0x0000000001209000-memory.dmp

memory/2116-77-0x0000000002130000-0x0000000002489000-memory.dmp

memory/2116-75-0x0000000002130000-0x0000000002489000-memory.dmp

memory/1504-106-0x0000000000EB0000-0x0000000001209000-memory.dmp

memory/2480-107-0x0000000000400000-0x0000000002C6C000-memory.dmp

memory/1504-92-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2012-116-0x00000000000B0000-0x00000000000B8000-memory.dmp

memory/2192-115-0x0000000000EE0000-0x0000000000F12000-memory.dmp

memory/2852-39-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2192-127-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2852-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2852-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7715.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2192-137-0x0000000000250000-0x0000000000272000-memory.dmp

memory/2192-138-0x0000000000270000-0x0000000000276000-memory.dmp

memory/1504-139-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar7E36.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0eb52da15ffc7608d1a0fbb512543a26
SHA1 e32f2b9e03c77d8de135b5c6b1c39f007b2f5f67
SHA256 6cbec1045e4fb45efdb1b3b49f4490cc5e6c08753bd7ce565a935d44d104e040
SHA512 959b01aec2b7ee36cb8fbef33f5b7f71ae50566f695d8b025dbd537a96801f728fee5beb7f55c1a1f8edc8092fa50c6a377e416ad5022f7656d1066f4b06c00d

memory/2852-183-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2852-184-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2852-182-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2852-181-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2852-180-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2852-179-0x0000000000400000-0x00000000008E1000-memory.dmp

memory/2168-203-0x0000000000400000-0x0000000002CC8000-memory.dmp

memory/2852-209-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2852-211-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2852-206-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2852-213-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2852-212-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2852-205-0x0000000000400000-0x00000000008E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 00:26

Reported

2024-11-24 00:28

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\626c1e3ded0b288.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe
PID 5112 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe
PID 5112 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe
PID 2036 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe
PID 776 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe
PID 100 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe
PID 100 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe
PID 100 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe
PID 448 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
PID 448 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
PID 448 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe
PID 1140 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
PID 1140 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
PID 1140 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
PID 4932 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe
PID 4932 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe
PID 4932 wrote to memory of 4832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe
PID 5000 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\servicing\TrustedInstaller.exe
PID 5000 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\servicing\TrustedInstaller.exe
PID 1352 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe
PID 1352 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe
PID 1352 wrote to memory of 60 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe
PID 4436 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
PID 4436 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe
PID 4436 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe

Processes

C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\918769eceacd168684def1b316ff3198_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c98f61652.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 01a389215e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME33.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1a693a205739887.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe

6eee9f336da6fcf1.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe

9e27a03aab64665.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe

c98f61652.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe

1a693a205739887.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe

01a389215e4.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe

efd22e6e99d7ee86.exe

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\626c1e3ded0b288.exe

626c1e3ded0b288.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2036 -ip 2036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 60 -ip 60

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 356

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1580

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 1048

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 34.117.59.81:443 ipinfo.io tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.5.15:443 api.db-ip.com tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 15.5.26.104.in-addr.arpa udp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 iplogger.org udp
RU 186.2.171.3:443 186.2.171.3 tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 25.28.17.104.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.22:443 lenak513.tumblr.com tcp
N/A 127.0.0.1:63268 tcp
N/A 127.0.0.1:63270 tcp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\setup_install.exe

MD5 b11a656f94670d490972f233b5f73cc0
SHA1 5b84f9bac9a1fe59b2e27eae58912f8364654025
SHA256 5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a
SHA512 1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2036-39-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2036-38-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2036-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2036-36-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2036-45-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\6eee9f336da6fcf1.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\efd22e6e99d7ee86.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

memory/4832-79-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\c98f61652.exe

MD5 3d82323e7a84a2692208024901cd2857
SHA1 9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c
SHA256 38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4
SHA512 8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\626c1e3ded0b288.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

memory/4832-83-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\1a693a205739887.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\9e27a03aab64665.exe

MD5 80a85c4bf6c8500431c195eecb769363
SHA1 72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb
SHA256 ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6
SHA512 f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\01a389215e4.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

memory/4028-66-0x0000000000180000-0x0000000000188000-memory.dmp

memory/2036-44-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2036-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2036-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2036-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2036-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2036-35-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2036-34-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2036-33-0x0000000001060000-0x00000000010EF000-memory.dmp

memory/2036-32-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2036-29-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/4328-88-0x0000000000450000-0x0000000000482000-memory.dmp

memory/4328-89-0x0000000000D30000-0x0000000000D36000-memory.dmp

memory/4328-90-0x0000000000D40000-0x0000000000D62000-memory.dmp

memory/4328-91-0x0000000000D60000-0x0000000000D66000-memory.dmp

memory/2036-101-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2036-100-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2036-99-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2036-94-0x0000000000400000-0x00000000008E1000-memory.dmp

memory/2036-102-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2036-103-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/60-93-0x0000000000400000-0x0000000002C6C000-memory.dmp

memory/4832-108-0x0000000003120000-0x0000000003130000-memory.dmp

memory/4832-114-0x0000000003B70000-0x0000000003B80000-memory.dmp

memory/4832-121-0x0000000004620000-0x0000000004628000-memory.dmp

memory/4832-122-0x0000000004640000-0x0000000004648000-memory.dmp

memory/4832-124-0x00000000046E0000-0x00000000046E8000-memory.dmp

memory/4832-127-0x0000000004820000-0x0000000004828000-memory.dmp

memory/4832-128-0x0000000004840000-0x0000000004848000-memory.dmp

memory/4832-129-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

memory/4832-130-0x00000000049F0000-0x00000000049F8000-memory.dmp

memory/4832-131-0x0000000004860000-0x0000000004868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

MD5 914ac88c754f43b6df62c852f9706ea4
SHA1 1315f1533616e4cf1e26303dac3986a673cdcc67
SHA256 8cfb9dc8f45c35fac4a121a2a2bac1aefe0714c1ddf991abe6dca2791f407ff6
SHA512 5078d045a96aa095449cdfd2545ec5290d53f39bb26f450bc2560263c3b0260e114990be15dd06095f93a83d4e46eb5733776aeb187b33885663e85124a85ea6

memory/4832-144-0x0000000004640000-0x0000000004648000-memory.dmp

memory/4832-152-0x0000000004860000-0x0000000004868000-memory.dmp

memory/4832-154-0x0000000004990000-0x0000000004998000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8F352697\d.jfm

MD5 9c7fd5d4bbb8d020479d3002a02029d1
SHA1 8e1407c96e99d2285676157d4251d617c7ac31b9
SHA256 8b1f647b5a1fcfc88c81b5b934236d171db250847082083a5b2945b19589e6de