Analysis Overview
SHA256
6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347
Threat Level: Known bad
The file 98d129283fccf504adb59f2ff02bdf76_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
FFDroider
Ffdroider family
Nullmixer family
NullMixer
FFDroider payload
PrivateLoader
Vidar
Privateloader family
Vidar family
Vidar Stealer
Checks computer location settings
ASPack v2.12-2.42
Executes dropped EXE
VMProtect packed file
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Looks up external IP address via web service
Unsigned PE
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 03:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 03:02
Reported
2024-11-25 03:04
Platform
win7-20240903-en
Max time kernel
66s
Max time network
148s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\eb8b5374cee7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\a56065a4b52c2c16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\ffdebd71b3232.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\b735755af543525.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\ffdebd71b3232.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\a56065a4b52c2c16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe | N/A |
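A caveat on the "Modifies system certificate store" rows above: AuthRoot is the store that Windows fills through its automatic root-certificate update, so a key appearing under AuthRoot\Certificates while a process makes its first HTTPS connection is normally CryptoAPI fetching a public root on demand, not the sample installing its own trust anchor (a rogue CA would land in the ROOT store). The thumbprint here matches the published SHA-1 fingerprint of Comodo's public "AAA Certificate Services" root, and the crl.microsoft.com and www.microsoft.com traffic in the same run is consistent with chain building. The entry is still worth verifying from an exported registry blob. The checker below is example code added to this page, not part of the sandbox output: it parses the registry Blob layout (a sequence of records, each a DWORD property id, a DWORD reserved field equal to 1, a DWORD length and the data; property 0x20 holds the DER certificate and property 3 its cached SHA-1) and confirms that the DER hash equals the key name. Because the report elides the real blob, the blob exercised here is constructed from a placeholder DER payload, not a real X.509 certificate.

```python
"""Verify a Windows SystemCertificates\\...\\<thumbprint>\\Blob registry value offline.
Example code added to this page; not part of the sandbox output."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3       # cached SHA-1 of the certificate
CERT_CERT_PROP_ID = 0x20         # the DER-encoded certificate itself
_HEADER = struct.Struct("<III")  # property id, reserved (always 1), data length


def iter_properties(blob):
    """Yield (prop_id, data) for each record; raise ValueError on a truncated blob."""
    off = 0
    while off < len(blob):
        if off + _HEADER.size > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = _HEADER.unpack_from(blob, off)
        off += _HEADER.size
        if reserved != 1:
            raise ValueError("unexpected reserved field %d in property %#x" % (reserved, prop_id))
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("truncated data for property %#x" % prop_id)
        off += length
        yield prop_id, data


def check_blob(key_name, blob):
    """Compare the registry key name (SHA-1 thumbprint) with the hash of the embedded DER.

    Returns a dict; 'ok' is True only when the DER hashes to the key name and the
    cached property-3 hash, if present, agrees with it."""
    props = dict(iter_properties(blob))   # a later duplicate record wins, as in the store
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return {"ok": False, "reason": "no certificate record (property 0x20)"}
    actual = hashlib.sha1(der).hexdigest().upper()
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    cached_hex = cached.hex().upper() if cached is not None else None
    ok = actual == key_name.upper() and cached_hex in (None, actual)
    return {"ok": ok, "thumbprint": actual, "cached": cached_hex, "der_len": len(der)}


def build_blob(der, with_hash=True):
    """Construct a blob in the registry layout (test helper; not a Windows API)."""
    records = []
    if with_hash:
        digest = hashlib.sha1(der).digest()
        records.append(_HEADER.pack(CERT_SHA1_HASH_PROP_ID, 1, len(digest)) + digest)
    records.append(_HEADER.pack(CERT_CERT_PROP_ID, 1, len(der)) + der)
    return b"".join(records)


# Constructed placeholder payload: a minimal DER SEQUENCE, not a real certificate.
PLACEHOLDER_DER = bytes.fromhex("3003020101")
PLACEHOLDER_THUMBPRINT = hashlib.sha1(PLACEHOLDER_DER).hexdigest().upper()

if __name__ == "__main__":
    blob = build_blob(PLACEHOLDER_DER)
    print(check_blob(PLACEHOLDER_THUMBPRINT, blob))
    # The thumbprint from the report does not match the placeholder, so this fails.
    print(check_blob("D1EB23A46D17D68FD92564C2F1F1601764D8E349", blob))
```

On a live system the blob comes from `reg export` or a parsed SOFTWARE hive; feed the raw bytes of the `Blob` value and the key name to `check_blob`. A mismatch between the key name, the cached hash and the DER is the signal worth escalating; a match against a well-known public root in AuthRoot is expected noise.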
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\b735755af543525.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\eb8b5374cee7.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 09c48f70afae1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ffdebd71b3232.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME44.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 7a0a59dd28055ec3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c b735755af543525.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c eb8b5374cee7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a56065a4b52c2c16.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c fbbf95c08c8b58.exe
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\eb8b5374cee7.exe
eb8b5374cee7.exe
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe
7a0a59dd28055ec3.exe
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\a56065a4b52c2c16.exe
a56065a4b52c2c16.exe
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\ffdebd71b3232.exe
ffdebd71b3232.exe
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe
09c48f70afae1.exe
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\b735755af543525.exe
b735755af543525.exe
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe
fbbf95c08c8b58.exe
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe
"C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 944
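The process list above shows the dropper pattern worth a detection rule: setup_installer.exe is a 7-Zip SFX that extracts into %TEMP%\7zS<hex>\, and setup_install.exe then starts each payload through `cmd.exe /c <name>.exe` with a bare file name (resolved against the SFX directory). Two details are visible in the rows: the 32-bit parent asks for system32\cmd.exe but the image that runs is SysWOW64\cmd.exe (WoW64 redirection), and one launch targets APPNAME44.exe, a name that appears nowhere in the dropped-file list, so that launch could not have succeeded. The function below is example code added to this page, not part of the sandbox output; it uses Sysmon-style field names (ParentImage, Image, CommandLine), which are an assumption, and its event records are constructed from the Processes section.

```python
"""Flag the SFX dropper fan-out: setup_install.exe in %TEMP%\\7zS<hex>\\ running
cmd.exe /c <bare-name>.exe. Example code added to this page; not sandbox output."""
import re

# 7-Zip SFX extraction directory (7zS88AC1E37 and 7zSCC5196F7 in this report).
SFX_DIR = re.compile(r"\\appdata\\local\\temp\\7zs[0-9a-f]+\\", re.IGNORECASE)

# cmd.exe /c <name>.exe with no drive, directory or quotes around the target.
CMD_C_BARE_EXE = re.compile(
    r'^"?[a-z]:\\windows\\(?:system32|syswow64)\\cmd\.exe"?\s+/c\s+([^\s"\\/:]+\.exe)\s*$',
    re.IGNORECASE,
)

SFX = r"C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37"

# Names passed to cmd.exe /c, in report order; APPNAME44.exe is launched but never dropped.
LAUNCHED = [
    "09c48f70afae1.exe", "ffdebd71b3232.exe", "APPNAME44.exe", "7a0a59dd28055ec3.exe",
    "b735755af543525.exe", "eb8b5374cee7.exe", "a56065a4b52c2c16.exe", "fbbf95c08c8b58.exe",
]

# Files the report lists under "Executes dropped EXE" inside the SFX directory.
DROPPED = {
    "setup_install.exe", "7a0a59dd28055ec3.exe", "eb8b5374cee7.exe", "a56065a4b52c2c16.exe",
    "ffdebd71b3232.exe", "09c48f70afae1.exe", "b735755af543525.exe", "fbbf95c08c8b58.exe",
}

# Constructed process-creation events (Sysmon-style fields assumed; PIDs omitted).
SAMPLE_EVENTS = [
    # Command line says system32, image is SysWOW64: WoW64 redirection, as in the report.
    *({"ParentImage": SFX + r"\setup_install.exe",
       "Image": r"C:\Windows\SysWOW64\cmd.exe",
       "CommandLine": r"C:\Windows\system32\cmd.exe /c " + name} for name in LAUNCHED),
    # Crash handler for the same parent (see "Program crash"); must not match.
    {"ParentImage": SFX + r"\setup_install.exe",
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 416"},
    # Ordinary cmd.exe with a fully qualified, quoted target; must not match.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /c "C:\Program Files\App\update.exe"'},
]


def fanout_target(event):
    """Return the bare payload name if the event is an SFX-launched `cmd /c <name>.exe`, else None."""
    parent = event.get("ParentImage", "")
    if not parent.lower().endswith(r"\setup_install.exe") or not SFX_DIR.search(parent):
        return None
    if not event.get("Image", "").lower().endswith(r"\cmd.exe"):
        return None
    match = CMD_C_BARE_EXE.match(event.get("CommandLine", ""))
    return match.group(1) if match else None


def find_fanout(events, dropped):
    """List (payload_name, was_dropped) for every matching event, in event order."""
    dropped_lc = {d.lower() for d in dropped}
    hits = []
    for event in events:
        name = fanout_target(event)
        if name is not None:
            hits.append((name, name.lower() in dropped_lc))
    return hits


if __name__ == "__main__":
    for name, present in find_fanout(SAMPLE_EVENTS, DROPPED):
        print(f"{name:24s} {'dropped' if present else 'NOT dropped (launch fails)'}")
```

The rule keys on three things together (parent name and SFX directory, cmd.exe as the image, bare `.exe` argument), which keeps ordinary `cmd /c "C:\full\path.exe"` launches out. Tying hits back to the dropped-file list is cheap and surfaces stale entries such as APPNAME44.exe, which point at a templated installer config rather than a real component.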
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.22:443 | lenak513.tumblr.com | tcp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| N/A | 127.0.0.1:49280 | N/A | tcp |
| N/A | 127.0.0.1:49282 | N/A | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 172.67.75.166:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| GB | 37.0.8.235:80 | N/A | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
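Reading the Network table raw is slow; what a responder needs from it is three lists: domains that were only queried (no TCP session followed, so they were unresolvable or sinkholed at detonation time), bare IPs that were contacted directly, and connections that are fingerprinting noise (the ipinfo.io, db-ip.com and maxmind.com geo-IP lookups, the iplogger.org beacon) rather than payload delivery or C2. The script below is example code added to this page, not part of the sandbox output. Its rows are copied from the table above, including the rows where the Domain cell is missing and the protocol slid into its column, which the parser repairs; the service lists used for classification are the editor's own and are an assumption. Loopback connections are ignored.

```python
"""Triage the sandbox Network table: DNS-only domains, direct-IP sessions, lookup noise.
Example code added to this page; not part of the sandbox output."""
from dataclasses import dataclass
from typing import Optional

# Rows copied from the behavioral1 Network table (header omitted), including
# misaligned rows in which the Domain cell is absent and "tcp" shifted left.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.22:443 | lenak513.tumblr.com | tcp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| N/A | 127.0.0.1:49280 | tcp | |
| US | 172.67.75.166:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| GB | 37.0.8.235:80 | tcp | |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | tcp |
"""

# Editor's classification lists (assumption, not from the report).
GEOIP_SERVICES = {"ipinfo.io", "api.db-ip.com", "db-ip.com", "www.maxmind.com"}
TRACKER_SERVICES = {"iplogger.org"}


@dataclass(frozen=True)
class Conn:
    country: str
    host: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(line):
    """Parse one table row, restoring the empty Domain cell when the proto slid into it."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) >= 3 and cells[2].lower() in ("tcp", "udp"):
        cells = [cells[0], cells[1], "", cells[2]]
    country, dest, domain, proto = cells[:4]
    host, _, port = dest.rpartition(":")
    return Conn(country, host, int(port), domain or None, proto.lower())


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip().startswith("|")]


def triage(conns):
    """Split the connections into the lists a responder acts on."""
    queried = {c.domain for c in conns if c.proto == "udp" and c.port == 53 and c.domain}
    connected = {c.domain for c in conns
                 if c.proto == "tcp" and c.domain and c.domain != c.host}
    direct_ip = {f"{c.host}:{c.port}" for c in conns
                 if c.proto == "tcp" and (c.domain is None or c.domain == c.host)
                 and not c.host.startswith("127.")}
    return {
        "dns_only": sorted(queried - connected),            # never got a TCP session
        "direct_ip": sorted(direct_ip),                      # hard-coded hosts, no DNS
        "geoip_lookups": sorted(connected & GEOIP_SERVICES),
        "trackers": sorted(connected & TRACKER_SERVICES),
        "other_connected": sorted(connected - GEOIP_SERVICES - TRACKER_SERVICES),
    }


if __name__ == "__main__":
    for key, values in triage(parse_table(NETWORK_TABLE)).items():
        print(f"{key:16s} {', '.join(values)}")
```

For this run the DNS-only set is live.goatgame.live, music-sec.xyz and watira.xyz (behavioral2 shows live.goatgame.live re-queried dozens of times with no TCP follow-up, the usual sign of a dead or sinkholed domain), the direct-IP set is 186.2.171.3:80, 37.0.8.235:80 and 37.0.10.236:80, and the remaining connected hosts (cdn.discordapp.com, lenak513.tumblr.com, wfsdragon.ru) are the ones to pull from the pcap first. Treat the result as a snapshot of the detonation date, not of the infrastructure's current state.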
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 89086cb8af781cacdb7f54885b9f3c93 |
| SHA1 | 90dd7b1f35b151efa68e691212a9fdd72188faef |
| SHA256 | 1c8fd4b23994f2dbffb0f51debe3551b796ab2bc280242c325de14d650ecb227 |
| SHA512 | d7b2d92536a6bfabc80f3b12284df5969e3b4f3d47c6c44e0b7702a043915e31914161be9b76f2d9db88ca47788eaa6522f6d1475b4b15a9d7c68379b041037f |
\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe
| MD5 | d0c0ed74cb8878f734ad674f4c6f6430 |
| SHA1 | b18eaaaf110caa25c101b86fd088e700fc5eec9b |
| SHA256 | 0125d17f17f3cf5b115c1202de3931b3082ca56d2d473447e4dac039c53b517b |
| SHA512 | 42a3ce63865b3f8b417bc48bdabc68a9436b11cc3574aff4d8c91b8ec7b7ed34b7e11d7b7ae35f01ad40fe1c1b5616773c3fdbd59e9fb68ace3d1493c62c56d5 |
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2880-39-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2880-42-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2880-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2880-59-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2880-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2880-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2880-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2880-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2880-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2880-53-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2880-52-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2880-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe
| MD5 | 78e8acd24692dbfac7f20fd60fe5dfbd |
| SHA1 | d9c1f3b4ccceaa21897c57d8f343c0b3b19c88ca |
| SHA256 | 23e2a056155948a0f8dee4ff30f0336fe7aa1922be58010acc88fbec64c3e822 |
| SHA512 | f0476b350ac6813a3a1f18c2a2366c09f1faf5f2475bcacc95fe3c545fd378879deba98ae12ab43035de22c524bd5a76f4a704de42f7572d41a7d4e8109315e7 |
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\ffdebd71b3232.exe
| MD5 | 9b55bffb97ebd2c51834c415982957b4 |
| SHA1 | 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16 |
| SHA256 | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11 |
| SHA512 | 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2 |
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
memory/2196-88-0x00000000028E0000-0x0000000002C39000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\a56065a4b52c2c16.exe
| MD5 | 8cd6a0f9c54968b2003415a62a6ce8b7 |
| SHA1 | ea5bacbba4ebceacf4f7c547fc840d03fb8654f7 |
| SHA256 | 61167f2be099b7bf668e25a470119adfa0c409c2e5c059ad1a016c14dd168f3f |
| SHA512 | b7a988cf8218a3ff0c13cd58953b4e4b7e4b641d18380bb03a37aa39628d336adac80c8d6d526389d8b2197228813c4b12593fdc5514f633cee0ee856f3ec915 |
\Users\Admin\AppData\Local\Temp\7zS88AC1E37\eb8b5374cee7.exe
| MD5 | 83cc20c8d4dd098313434b405648ebfd |
| SHA1 | 59b99c73776d555a985b2f2dcc38b826933766b3 |
| SHA256 | 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8 |
| SHA512 | e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c |
memory/1164-104-0x0000000000ED0000-0x0000000001229000-memory.dmp
memory/1164-103-0x0000000000ED0000-0x0000000001229000-memory.dmp
memory/1164-102-0x0000000000400000-0x0000000000759000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS88AC1E37\b735755af543525.exe
| MD5 | 181f1849ccb484af2eebb90894706150 |
| SHA1 | 45dee946a7abc9c1c05d158a05e768e06a0d2cdc |
| SHA256 | aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409 |
| SHA512 | a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c |
memory/1164-108-0x0000000000400000-0x0000000000759000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/2428-124-0x0000000000400000-0x0000000002C6C000-memory.dmp
memory/2856-126-0x00000000001D0000-0x00000000001FE000-memory.dmp
memory/904-125-0x0000000000060000-0x0000000000068000-memory.dmp
memory/2856-127-0x00000000001C0000-0x00000000001C6000-memory.dmp
memory/2856-128-0x0000000000200000-0x0000000000222000-memory.dmp
memory/2856-129-0x0000000000220000-0x0000000000226000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2DA7.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar2DC9.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1164-200-0x0000000000400000-0x0000000000759000-memory.dmp
memory/2880-203-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2880-206-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2880-205-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2880-204-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2880-202-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2880-201-0x0000000000400000-0x00000000008DD000-memory.dmp
memory/752-207-0x0000000000400000-0x0000000002CC8000-memory.dmp
memory/2880-214-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2880-216-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2880-215-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2880-212-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2880-209-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2880-208-0x0000000000400000-0x00000000008DD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 03:02
Reported
2024-11-25 03:04
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\b735755af543525.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\eb8b5374cee7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\7a0a59dd28055ec3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\7a0a59dd28055ec3.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\09c48f70afae1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\7a0a59dd28055ec3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\eb8b5374cee7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\b735755af543525.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 09c48f70afae1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ffdebd71b3232.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME44.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 7a0a59dd28055ec3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c b735755af543525.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c eb8b5374cee7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a56065a4b52c2c16.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c fbbf95c08c8b58.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\09c48f70afae1.exe
09c48f70afae1.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\b735755af543525.exe
b735755af543525.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\7a0a59dd28055ec3.exe
7a0a59dd28055ec3.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe
fbbf95c08c8b58.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe
a56065a4b52c2c16.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe
ffdebd71b3232.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\eb8b5374cee7.exe
eb8b5374cee7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2792 -ip 2792
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1480 -ip 1480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1564
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.171.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| US | 8.8.8.8:53 | 15.4.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.27.17.104.in-addr.arpa | udp |
| GB | 37.0.8.235:80 | N/A | tcp |
| US | 74.114.154.22:443 | lenak513.tumblr.com | tcp |
| US | 8.8.8.8:53 | 22.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| N/A | 127.0.0.1:53171 | | tcp |
| N/A | 127.0.0.1:53173 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 89086cb8af781cacdb7f54885b9f3c93 |
| SHA1 | 90dd7b1f35b151efa68e691212a9fdd72188faef |
| SHA256 | 1c8fd4b23994f2dbffb0f51debe3551b796ab2bc280242c325de14d650ecb227 |
| SHA512 | d7b2d92536a6bfabc80f3b12284df5969e3b4f3d47c6c44e0b7702a043915e31914161be9b76f2d9db88ca47788eaa6522f6d1475b4b15a9d7c68379b041037f |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe
| MD5 | d0c0ed74cb8878f734ad674f4c6f6430 |
| SHA1 | b18eaaaf110caa25c101b86fd088e700fc5eec9b |
| SHA256 | 0125d17f17f3cf5b115c1202de3931b3082ca56d2d473447e4dac039c53b517b |
| SHA512 | 42a3ce63865b3f8b417bc48bdabc68a9436b11cc3574aff4d8c91b8ec7b7ed34b7e11d7b7ae35f01ad40fe1c1b5616773c3fdbd59e9fb68ace3d1493c62c56d5 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/5016-40-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/5016-47-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/5016-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5016-57-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/5016-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5016-55-0x0000000064940000-0x0000000064959000-memory.dmp
memory/5016-54-0x0000000064941000-0x000000006494F000-memory.dmp
memory/5016-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5016-52-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/5016-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5016-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5016-48-0x00000000012C0000-0x000000000134F000-memory.dmp
memory/5016-45-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/5016-46-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/5016-56-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\09c48f70afae1.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/1940-97-0x0000000000400000-0x0000000000759000-memory.dmp
memory/1940-98-0x0000000000400000-0x0000000000759000-memory.dmp
memory/2264-100-0x0000000000420000-0x000000000044E000-memory.dmp
memory/2264-101-0x0000000000BF0000-0x0000000000BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\7a0a59dd28055ec3.exe
| MD5 | 78e8acd24692dbfac7f20fd60fe5dfbd |
| SHA1 | d9c1f3b4ccceaa21897c57d8f343c0b3b19c88ca |
| SHA256 | 23e2a056155948a0f8dee4ff30f0336fe7aa1922be58010acc88fbec64c3e822 |
| SHA512 | f0476b350ac6813a3a1f18c2a2366c09f1faf5f2475bcacc95fe3c545fd378879deba98ae12ab43035de22c524bd5a76f4a704de42f7572d41a7d4e8109315e7 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\eb8b5374cee7.exe
| MD5 | 83cc20c8d4dd098313434b405648ebfd |
| SHA1 | 59b99c73776d555a985b2f2dcc38b826933766b3 |
| SHA256 | 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8 |
| SHA512 | e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c |
memory/2264-103-0x0000000000C00000-0x0000000000C22000-memory.dmp
memory/2264-104-0x0000000000C20000-0x0000000000C26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe
| MD5 | 9b55bffb97ebd2c51834c415982957b4 |
| SHA1 | 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16 |
| SHA256 | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11 |
| SHA512 | 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe
| MD5 | 8cd6a0f9c54968b2003415a62a6ce8b7 |
| SHA1 | ea5bacbba4ebceacf4f7c547fc840d03fb8654f7 |
| SHA256 | 61167f2be099b7bf668e25a470119adfa0c409c2e5c059ad1a016c14dd168f3f |
| SHA512 | b7a988cf8218a3ff0c13cd58953b4e4b7e4b641d18380bb03a37aa39628d336adac80c8d6d526389d8b2197228813c4b12593fdc5514f633cee0ee856f3ec915 |
memory/4524-96-0x0000000000330000-0x0000000000338000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\b735755af543525.exe
| MD5 | 181f1849ccb484af2eebb90894706150 |
| SHA1 | 45dee946a7abc9c1c05d158a05e768e06a0d2cdc |
| SHA256 | aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409 |
| SHA512 | a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/5016-112-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/5016-116-0x0000000064940000-0x0000000064959000-memory.dmp
memory/5016-115-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/5016-114-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/5016-113-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2792-106-0x0000000000400000-0x0000000002C6C000-memory.dmp
memory/5016-107-0x0000000000400000-0x00000000008DD000-memory.dmp
memory/1940-122-0x0000000003A60000-0x0000000003A70000-memory.dmp
memory/1940-127-0x0000000003BB0000-0x0000000003BC0000-memory.dmp
memory/1940-121-0x0000000003A50000-0x0000000003A60000-memory.dmp
memory/1940-135-0x0000000004680000-0x0000000004688000-memory.dmp
memory/1940-141-0x0000000004880000-0x0000000004888000-memory.dmp
memory/1940-140-0x0000000004860000-0x0000000004868000-memory.dmp
memory/1940-137-0x0000000004720000-0x0000000004728000-memory.dmp
memory/1940-142-0x0000000004B30000-0x0000000004B38000-memory.dmp
memory/1940-143-0x0000000004A30000-0x0000000004A38000-memory.dmp
memory/1940-134-0x0000000004660000-0x0000000004668000-memory.dmp
memory/1940-144-0x00000000048A0000-0x00000000048A8000-memory.dmp
memory/1940-157-0x0000000004680000-0x0000000004688000-memory.dmp
memory/1940-165-0x00000000048A0000-0x00000000048A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 3e60996b2d78d5d580be3f2a3ae4dd67 |
| SHA1 | 344d2253b9795f7302c709a16a1ec2bf6974f5de |
| SHA256 | 481ec206c9ba016f36141ce60dac966afaa22d6f4bd3064d5bec466bb84e2d6c |
| SHA512 | 7db1382e44b0fb98a648e32ecbc7100feb847057e845a0086f2721ae4c94289e0d767e4b60f357fc6203f3df3260a46255a5ea6d6ee367b521c740a3cc21f4fd |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 4ce6999b8834480dd53aac631e78c8dc |
| SHA1 | e277dee7f7f9a07188d9e03f2c5342bccd5be904 |
| SHA256 | c3ed145c861368d3d9ffd6efee15730f8e1ee6c90af85a9246750ee108ede3bb |
| SHA512 | 6256700ea22b2c79ae007fcda25c6a99ea7c169087aa99500c34b226c9e327b0c5d6853c07121a7d30d8ebfde44f846edcb037912fbb8e8a1becb59a12c1427d |
memory/1940-167-0x00000000049D0000-0x00000000049D8000-memory.dmp
memory/1940-190-0x00000000048A0000-0x00000000048A8000-memory.dmp
memory/1940-188-0x00000000049D0000-0x00000000049D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | d90f11d314998c3d1006ac81df0aaf03 |
| SHA1 | 4195fed775c5b7679c6c7aa24cd221f723b7e5fa |
| SHA256 | d0cec6c4a2db3ccd9e0c1751511c03fce097af49d03251b6596bd5d2ecae38db |
| SHA512 | 86ea8882f46a2b190ae8ff5ea42feffa4455729e232c7e4450bd405cd0f785752a27923329b51f7df7f0ba432e16f5bd8a6b7e523a0ec959f3814aac172c6a23 |
memory/1940-180-0x0000000004680000-0x0000000004688000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | ca5a2fe21efa3d2200be4c368984f254 |
| SHA1 | 32b24b1883a61d58d228578b5908a1b19ba3bb09 |
| SHA256 | 998089718dca6c508660643c32a39a7750b096fabf22f28299149feb766e755c |
| SHA512 | 408a88d95b3f76487ae6311c86f10c1f40a3cf5ec19e804cce10b3bc0cc5cc7c347d08551a76ddf4805b2497dcd710c57d23fe9781e21cc16db145b649f5c8a7 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d
| MD5 | 25f5d1a3f1bab6cacb86d662e4991f3d |
| SHA1 | 12723dbe0ef5d0436a1eb8e4f1df87fe8f15ae8a |
| SHA256 | 35d87bfd2b4ff1f2e4d7aac2800a34ca1051f68acd20790c32a1748917db17b0 |
| SHA512 | 34e11cbff8c11cc5fa7daab0a3e6553c943d77758fd52d37c7d92dfb0d13d6eceb8d4325fe86a0cb69c65ee01d9ad16e46c310e3ea5a0208c1bcf7e5716c0195 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 02fceb97b0de222052676faf9428fd88 |
| SHA1 | cc6752df760a00fea750e167acae64e96bb5108a |
| SHA256 | a63996a8cb96778ffb1059a2704c2ed51103fcee4825fcd80cdab26322aa8c73 |
| SHA512 | 72f3dd4cf1d701ce1e1572f4eddb4a022c8605654eecf5a6ef3597cc34f22f722299d8d35e36132609816fe09e8ffb32fd2477ecd235c9102e8907d8bf38726f |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 1289b74bb0028d1dad066f707d455705 |
| SHA1 | c59c52f566cd17d4475a2c364f027a0e8790cb02 |
| SHA256 | 618e099730f6aab78397040bb07fbc283c90ca8df827251b858cbec95d8057e0 |
| SHA512 | 8504615840a4cd8620790c4705fb7fad4b6451a115e35c1bc83149d05412fafad0ecea1634fe1ffbbc7d7374ecaa18ba47184636cff96a8e2f46deaba9ec1768 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 5b848f316700af46dd21e5ed36784518 |
| SHA1 | f79cd0137a3a41ece0c96d2a8566e83b787d6bff |
| SHA256 | 6c23f9ccefad64f38e8aa021a389ed6092543aee9bb61c725a066b27b111743f |
| SHA512 | 1abfc88db513dbb2f6733c45e82847499931a0eb1e52241de19ad47b1938d2defe9cb504907b3ce0e59d05d33b18ca9e92616b0b9e7a6d997d4e9c268964cf9a |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | b1109994adef74cc27cd17b5cb7b6def |
| SHA1 | db96c3e5e4b674d147ee10b1129b84662521bd33 |
| SHA256 | 1f344c658c55c0ccd808f03f12e20f719aaeb235d9f9811036a5f18b87c02193 |
| SHA512 | f5a4c3597cb71eb3b42993a955ce949eed0ad51253b8f1511d1e04b0abfff74ff0d0a6ed8000009d601c45ad2e5eb517af6ef3d457367f846684924152c383f7 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 187f0250f806fa1f3e61625f49212e8e |
| SHA1 | 057ea7b1d0734b000479ff6913821b22b2e8344e |
| SHA256 | 0c2df31f8c330c9152bc3627c9ba95876ee6ed5625b7d789e5ffac60cf5f86e1 |
| SHA512 | bd48fc687070be07016474270b48f7bce6fb88e764b4ad61ddb827de20a254b3a0087e3140762021786b619e7645ace86700d78aeea18adaedf1f0bea303054f |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | da44c5d5dc2f23b1dae4b5ba083b7759 |
| SHA1 | c4a5975a68f469acb5da2d02801af1729832b341 |
| SHA256 | c4fb31a226e4cff8de67fcf29055c63545f61105e654579b505116885e2b3f3d |
| SHA512 | b2be24f3a52cc32ad7e253a13c8b009a6c8a4a13621d99527d020bde3237e781a61c4ec6038444d8129a885fe7c9e0f7d1940f14c39b37eeaadd4acd9cfb9408 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | ada89a673bd446246518b82ef9e78af2 |
| SHA1 | e3770b06e3b87f84c1bd7662c55b77941516ea8e |
| SHA256 | 500e5eb14254d0ce0322256ef4e67b7c40770f5ee549cc6675c047c39956c83f |
| SHA512 | 6e11a4c80e2109736659c84f7aaf9044308ea3c86b3fe4fbb98fd74598102b5cae77c8cd72fc51e01acc9f556e5e07f4256c7203729cd3eda901226e18aa42e8 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 36846b755ed7f37f7029a7c79e6c7615 |
| SHA1 | 1e4087ad5ee1e0a24336262438ff91a7d26b32c7 |
| SHA256 | 7641cff58a0500eb0ab1d873d0da54621ff7655eb14459b90b056d8fdf1e05c7 |
| SHA512 | c1c6dd76e9d7622737ba2320f0cfc3277209ba3d60ece83a994720e2a6ee822e198e21c06a3912c20810a7d823384882660880052c6d195784218af62bb7a455 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | fc120638cc8e566bf1d68c0c47c3a4d6 |
| SHA1 | df89e94775cd806254939a4e615616e3a4a7dd2d |
| SHA256 | 07718d0b2e4284acf484369bc98f09b1261a55fa02d0aa299a6231a61dc2e869 |
| SHA512 | 15cf7aa859d42b577c2ba4a9c294a2a60d1210d8691fedf0d14a244db99dadb6c4c1af03aacd57f3d55c68dae99cbf77c538a46fa096f776e4f1f77720e4ef1c |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 5ff36ec5a894624da4ceb750a222e10d |
| SHA1 | 137755f53dc1bc5e9dcdba72a12eca87d0023a58 |
| SHA256 | 27bd73a2bdf9e91e3a97597cff32c17aa3d91c3295d57b4eb55a7ebb213c2b1d |
| SHA512 | 7d8d5dbd102179f9b6f1b0f34e5b34e103c4f164c50cdf1a81ff37545174b74f4eee7dff6ca17ed45400778a69d81948a09909d20aed04cec2d6b1c5770a9c04 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 26b7fa0c78b7a0f33e16dbbd558ec613 |
| SHA1 | ea04ee10cd573294569a482d4ee9918b6d89a2ac |
| SHA256 | 7edd0ef0409d9887546b2f5e9ae728648a403ac1546b217730aaefbaa359cb50 |
| SHA512 | e3381e715d301db3892c16f68bab3f304f5789395951ac813e02bf5c2875208f27e8ae050fab1c7b501b54b5596ebab88b85fadb1a98938af956333b660212ed |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | a7e9103f682e6c009d6e3890cf748dc0 |
| SHA1 | 05db280ff7e16abd667b8c683b86b3a4e4bf5c08 |
| SHA256 | c3215ff764f35e8f98e5cfdb32586aeced44e9d80f9afdadaf77e375ebaea610 |
| SHA512 | 9e86ba4dd6edc95ef002b80c59ef1a6c859fbb076b4225e450d523e6cc9e5331e189b95ff968919851d3cca1ad3ac4fe65003312e38bf99801c4d70be977a976 |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | 40e264bc73d2dd8ff9ee72f36ee5b4f1 |
| SHA1 | 6e2351e9df893e37a0a27b9fadda90ed2f263fa8 |
| SHA256 | a9cbb0847b3a80233810435dfbc15ea8f8f3bb7765896579a15a8cc27e171337 |
| SHA512 | a9a7b219ef55eb7e70f1ec790601a1c6bd236a144845a486b805b9acc4aae4eeb93bebed2a611370fed28b5c5346d4afc209c03e89d4f9697224caa3e03739bf |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm
| MD5 | aa90f87c2a516b86596ab0bc879068e3 |
| SHA1 | 054dc878dbb6d9c5a8aff86e44b4dc19c18aef41 |
| SHA256 | d92a672104726a8698e021fc1104dfb0c553546a19cc1799c76171ec0bb2dbeb |
| SHA512 | 86edae4c66287a6d28e38445ed532a262e81dbc9dac0320064bcaeb80dcb008a1dc6cc224a62b3426aa84ab1568f3c4bba2434dc780862c1a52b84b88c24983c |
C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.INTEG.RAW
| MD5 | ff381cbc438e22f749152b5e2d131174 |
| SHA1 | 0ad4fff4ae0e8a7641db98667fb282aaf3d4f744 |
| SHA256 | f9ccf66bb453f40722751c45f50bf220b82fee45e79dc306ad1ecd816ea885eb |
| SHA512 | 0f2abffe39651e7f49eaec7fd3f278d47d20b6e8d5730aa6edc0047a16dcdcfc61ec3c5daaa65320123666eb5e686a002643c6a14c06a8d85b9c698010719f94 |
memory/1940-629-0x0000000000400000-0x0000000000759000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-25 03:02
Reported
2024-11-25 03:04
Platform
win7-20240903-en
Max time kernel
63s
Max time network
146s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\b735755af543525.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\ffdebd71b3232.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\a56065a4b52c2c16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\ffdebd71b3232.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\a56065a4b52c2c16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\b735755af543525.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 09c48f70afae1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ffdebd71b3232.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME44.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 7a0a59dd28055ec3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c b735755af543525.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c eb8b5374cee7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a56065a4b52c2c16.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c fbbf95c08c8b58.exe
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe
eb8b5374cee7.exe
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe
7a0a59dd28055ec3.exe
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\ffdebd71b3232.exe
ffdebd71b3232.exe
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\b735755af543525.exe
b735755af543525.exe
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\a56065a4b52c2c16.exe
a56065a4b52c2c16.exe
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe
fbbf95c08c8b58.exe
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe
09c48f70afae1.exe
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe
"C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 944
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.18:443 | lenak513.tumblr.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| N/A | 127.0.0.1:49250 | | tcp |
| N/A | 127.0.0.1:49252 | | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.71:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 23.200.189.225:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe
| MD5 | d0c0ed74cb8878f734ad674f4c6f6430 |
| SHA1 | b18eaaaf110caa25c101b86fd088e700fc5eec9b |
| SHA256 | 0125d17f17f3cf5b115c1202de3931b3082ca56d2d473447e4dac039c53b517b |
| SHA512 | 42a3ce63865b3f8b417bc48bdabc68a9436b11cc3574aff4d8c91b8ec7b7ed34b7e11d7b7ae35f01ad40fe1c1b5616773c3fdbd59e9fb68ace3d1493c62c56d5 |
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2244-28-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2244-31-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2244-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2244-41-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2244-42-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2244-40-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2244-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2244-48-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2244-47-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2244-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2244-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2244-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe
| MD5 | 78e8acd24692dbfac7f20fd60fe5dfbd |
| SHA1 | d9c1f3b4ccceaa21897c57d8f343c0b3b19c88ca |
| SHA256 | 23e2a056155948a0f8dee4ff30f0336fe7aa1922be58010acc88fbec64c3e822 |
| SHA512 | f0476b350ac6813a3a1f18c2a2366c09f1faf5f2475bcacc95fe3c545fd378879deba98ae12ab43035de22c524bd5a76f4a704de42f7572d41a7d4e8109315e7 |
\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe
| MD5 | 83cc20c8d4dd098313434b405648ebfd |
| SHA1 | 59b99c73776d555a985b2f2dcc38b826933766b3 |
| SHA256 | 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8 |
| SHA512 | e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c |
C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\b735755af543525.exe
| MD5 | 181f1849ccb484af2eebb90894706150 |
| SHA1 | 45dee946a7abc9c1c05d158a05e768e06a0d2cdc |
| SHA256 | aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409 |
| SHA512 | a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c |
\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\a56065a4b52c2c16.exe
| MD5 | 8cd6a0f9c54968b2003415a62a6ce8b7 |
| SHA1 | ea5bacbba4ebceacf4f7c547fc840d03fb8654f7 |
| SHA256 | 61167f2be099b7bf668e25a470119adfa0c409c2e5c059ad1a016c14dd168f3f |
| SHA512 | b7a988cf8218a3ff0c13cd58953b4e4b7e4b641d18380bb03a37aa39628d336adac80c8d6d526389d8b2197228813c4b12593fdc5514f633cee0ee856f3ec915 |
\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\ffdebd71b3232.exe
| MD5 | 9b55bffb97ebd2c51834c415982957b4 |
| SHA1 | 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16 |
| SHA256 | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11 |
| SHA512 | 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2 |
C:\Users\Admin\AppData\Local\Temp\CabFDB2.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | baf4b27c9dcdc4f483dabd64d31d2828 |
| SHA1 | f7bf15c62a7398b561c7f15acd178817184ec82c |
| SHA256 | b4fad0a05559190a4b264c94e28d36238e61f1fdeeb2333878b36458394752cd |
| SHA512 | 3a2c73842081f3ba4af43ec2d3d234787af177ff69306b39671970160319f2a512bb63be34ae379aaa0d8350a3206d34b9b9518f0672595517066310ad2ede4f |
C:\Users\Admin\AppData\Local\Temp\TarFE3D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-25 03:02
Reported
2024-11-25 03:04
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\7a0a59dd28055ec3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\eb8b5374cee7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\b735755af543525.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\09c48f70afae1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\7a0a59dd28055ec3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\09c48f70afae1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\eb8b5374cee7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\b735755af543525.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 09c48f70afae1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ffdebd71b3232.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME44.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 7a0a59dd28055ec3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c b735755af543525.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c eb8b5374cee7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a56065a4b52c2c16.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c fbbf95c08c8b58.exe
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\7a0a59dd28055ec3.exe
7a0a59dd28055ec3.exe
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\eb8b5374cee7.exe
eb8b5374cee7.exe
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\b735755af543525.exe
b735755af543525.exe
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe
fbbf95c08c8b58.exe
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe
a56065a4b52c2c16.exe
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\09c48f70afae1.exe
09c48f70afae1.exe
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe
ffdebd71b3232.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1844 -ip 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 560
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2568 -ip 2568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1028
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe
| MD5 | d0c0ed74cb8878f734ad674f4c6f6430 |
| SHA1 | b18eaaaf110caa25c101b86fd088e700fc5eec9b |
| SHA256 | 0125d17f17f3cf5b115c1202de3931b3082ca56d2d473447e4dac039c53b517b |
| SHA512 | 42a3ce63865b3f8b417bc48bdabc68a9436b11cc3574aff4d8c91b8ec7b7ed34b7e11d7b7ae35f01ad40fe1c1b5616773c3fdbd59e9fb68ace3d1493c62c56d5 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\7a0a59dd28055ec3.exe
| MD5 | 78e8acd24692dbfac7f20fd60fe5dfbd |
| SHA1 | d9c1f3b4ccceaa21897c57d8f343c0b3b19c88ca |
| SHA256 | 23e2a056155948a0f8dee4ff30f0336fe7aa1922be58010acc88fbec64c3e822 |
| SHA512 | f0476b350ac6813a3a1f18c2a2366c09f1faf5f2475bcacc95fe3c545fd378879deba98ae12ab43035de22c524bd5a76f4a704de42f7572d41a7d4e8109315e7 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe
| MD5 | 9b55bffb97ebd2c51834c415982957b4 |
| SHA1 | 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16 |
| SHA256 | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11 |
| SHA512 | 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\09c48f70afae1.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe
| MD5 | 8cd6a0f9c54968b2003415a62a6ce8b7 |
| SHA1 | ea5bacbba4ebceacf4f7c547fc840d03fb8654f7 |
| SHA256 | 61167f2be099b7bf668e25a470119adfa0c409c2e5c059ad1a016c14dd168f3f |
| SHA512 | b7a988cf8218a3ff0c13cd58953b4e4b7e4b641d18380bb03a37aa39628d336adac80c8d6d526389d8b2197228813c4b12593fdc5514f633cee0ee856f3ec915 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\b735755af543525.exe
| MD5 | 181f1849ccb484af2eebb90894706150 |
| SHA1 | 45dee946a7abc9c1c05d158a05e768e06a0d2cdc |
| SHA256 | aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409 |
| SHA512 | a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\eb8b5374cee7.exe
| MD5 | 83cc20c8d4dd098313434b405648ebfd |
| SHA1 | 59b99c73776d555a985b2f2dcc38b826933766b3 |
| SHA256 | 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8 |
| SHA512 | e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 218c0eef77aff676aac48d816a91867d |
| SHA1 | 5fdbcbc49646a6db9dbcc89fe2186f7445999a96 |
| SHA256 | 3d34a5ea430366f95f9677ee077ec3646a495cf033d47262ffa323601eb3f1f9 |
| SHA512 | 65a985429d018ce26c3dcabeb531b47fcfbd9660b181533ede4ae7649a07483006ea1f70d521bd1158bb9839f56d2cd24bd969c9a1e19d19ca9adbc1241b7342 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | d302935c71ec58ec5f74ec7b0b24099f |
| SHA1 | 03f3d2421081851a0acb8e416c12a3f5a49cdc12 |
| SHA256 | 4bdaa5dfe74b08005cce4f03f1bccbd43bd1312dea1ac64c94fb160c38820cd9 |
| SHA512 | e0c6533f5257e257023811c38d351f3adb214544f934abe725170c35997f8b0882f9ec6ded6cdcc248c171014ccb0d6bcfb15c6166593c5beac5719471521e2a |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 692c370b8056f24b460f03e94d79c344 |
| SHA1 | 8b6e8a143a39d90266ffeb5a41455e4367dd1f70 |
| SHA256 | e2753b0964162472b626c6ea49e92db27e54c9272048cf59b497e6e48f78208f |
| SHA512 | f3b5c4ddd3523a0172209837648ee535cfe2e2f50e26dc19f72ad5c99a5d0b46effec5dea37df5cdb097027b57e228760c93bba9712163aee08865578b18fb16 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 558aa2d8a1ec0f4aa9e4b4b9891d7ebb |
| SHA1 | adff8f47c93a58095075e383792d5048a862d09d |
| SHA256 | 4f242b3be5ca2e526774563fa1435fcc6af01002845bbbd06becb86899d38084 |
| SHA512 | 5bc75450bb5e02f4873448e8d938f5d3a1d55081332f5d9f9cc7f2a1c29d8ab49f9da63efe34a7d2ba3582db89cd1f88de4bca29718ca970a1c114489c794597 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | c164b3494ffa7bda8ce68482b76c0837 |
| SHA1 | 31e15d4a2ed207dcdfa80b672770329cfa6dbeae |
| SHA256 | 273e517a91ba751870b50f4c3332d7826c312cc22076ce690d95ba44caff45fe |
| SHA512 | ec3dd37ee08df5a331092225f441a03043797fb631c1939d1461ea28e6a0dcffac78e49225af6d37c4217b9b291eff885e0e09da23936e75f3f73b6e5ff2a23a |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d
| MD5 | 18f00928cd354bd3b9d3e5a439af52aa |
| SHA1 | 80a0ba27d2cf957d9a555c0a25068e8083da3faa |
| SHA256 | 008effc8e02fa41141500ada547efd46883094655383ca37acfbe87b87ac80bc |
| SHA512 | 4d42b6915272e4b32afe10fd3c24d5a361ba5e6e63121551cf636c4b33d6b3d98e372add4fbb6a767dbce36061f199a486abec8a7df2fa52dbdf7c8e383b5024 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 4379c5073eb281d31ed2f727e8a6b8b0 |
| SHA1 | 6b7c1bf5227dd6b10e9035c9fa6d1404160a589d |
| SHA256 | 01b00ed4e0c67fc354ede5fc371a658035828f1603db1f47abafedf0834d8eab |
| SHA512 | 8f255a8356821f46cdecb490ca8ef56cdf9611eae806b6b80bddfe5e6586f82aa71e4f66870dfead32d3dc61d560bde5988c338c0bdbd135aefbb7cc8c34f784 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 681b735b447e5d0838fe7870eb4087c3 |
| SHA1 | 868a04ede36bad4e5038a900e8506dbf0ad872c2 |
| SHA256 | 07f3255417cb09885a75e311ea2953f214d4e44155deeca34f4d29b6e9339d46 |
| SHA512 | 3091ad41cfef4b241e2477fe0e1a7421961c1d8b21559ced9171b445936368e2b586359063e51be25020a59b2fc66a574cd51b14429c7d5fb48589d6606951ca |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 415e0d95741ec50cf2cc6214a96e848a |
| SHA1 | 4ffa6c030f83d6d07839ad5a9d20f71f43bd4e77 |
| SHA256 | a30dd2a9e228625aedc674a28fff6982223a45bd4349b380cd950e93df24f69b |
| SHA512 | 21c7459e6e29ea11e973da15992ae0741cc983d8e9f5e3e427f18ac0fe61969da7501924d35cb74ed452a7ad31b7021cac23592f9369ad8652b7c8cacbe4256c |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 3e6f72af334d966903ae9a0215d5638d |
| SHA1 | f146025c3bb0c9b9bf678ad09e4c892f5ee6d0bb |
| SHA256 | 50a912b505ef0f6d37b5d95b6b45e434af7eac86b794a182429c79f045dfa889 |
| SHA512 | 443aeb876fc063606e8ebdb53177a47c087dec8214fafcb8e2466b61d1166ee54f96bf242d6f5db36555a860ab6234842371c9d0bdb9552bb193f7d00ee79161 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | eeb41f4d1cb5510b1b00faa4b98acc4e |
| SHA1 | 856e7c50517ac6fc2176daad7804045dc7729d2f |
| SHA256 | 441fea5be5958366df2ab8f35814a1454e293ba82635c46e479ab35106273422 |
| SHA512 | d58160dc16ea3d8ee7216922a7b2c5aa767d2e769b6dfb74e1ebe0620f7e39b078fb5d3e33a45c261ea9de6f1dc1b3e76861fa7235bafcc874938441cf1b273e |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | be9acf482a79d451c567221dfc7d7853 |
| SHA1 | 93fb1ccc55931617088e3fdfabe69abdc9d8bc43 |
| SHA256 | 453e5e8a21c3812b2a0be6fc7234dd919951a2c420645e4e6742165e7ab70d05 |
| SHA512 | cd516419195566d428ae0eb76225c86fea8d73da628e8045a9f6060753607fc118ac7b176d680e8f29e5346c1981cf8d933b1f0162f602901584cdfccec60382 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d
| MD5 | 8199cf7de64ce99b7ffa800039b53424 |
| SHA1 | 80f04b57c9d74c37a612ecdbfa0089c1f449680f |
| SHA256 | e5b86e11dd3b2dbcb8bdca0b020eea8cd19e95cafdba3f98a1fe8bee5b6b4196 |
| SHA512 | 30c12e6cc63c707eb50edaf5f433605696931576a842c1539451cd906184457c0492332782c6d8464b288eae6af2c2eebc49fb18a4302008812bada30a15a4da |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | cba888a08a07fc3c7e3a4a4bd64e0fb9 |
| SHA1 | 30c2f87d8805d76827ba554945414416eec6a33d |
| SHA256 | e106e229a9e200106d5fd19df2e9d43ed4ffeea17a1a33420383b39b897f566c |
| SHA512 | 403e2cd83e6dd791b6ee4731765e695f76c143d9bd63ebc9e91f1a15bd4b7e0ddde259321720d525203463b231e30106d3b5933a48b0af982793de57f557915a |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 24ce1964c98ea0074728dc3a63e8471c |
| SHA1 | 5e020ab7fccdbf74b23ed31ff5c80fb7e157b5b7 |
| SHA256 | 218c1396c24717f630c8d11e83f75de631123d87c7233cb50a175c219b5001d5 |
| SHA512 | 7c27ad22361d8c0e36c35d2934a0f82df59e8d3c8f9d1ca8a1a29ef9b645d385433ded06bce21ef6c14e656c164b5984e44a355fef701c0bdebc6a3bdc460d8e |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 4b4a181956a22bf5ff6211b35a37822b |
| SHA1 | a41c8e401d136dab1b776279d856c9a67b21d0ad |
| SHA256 | e7a1083a3ed555fd7d16dbfbcf544d1391a124f2aaea35eac8878b9617f2b3d6 |
| SHA512 | 5f821a634835eb8e066898cb26098ebb6671d4742f4e806ed8b05041760c1415cdc95a3f9942e6086fe7d529bbf4adf4e9152614aef20a64439331775b4c80c4 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | ce4277b99f95ec55a88f68ed77cc53c0 |
| SHA1 | c1798e44085ba728638cacd7f8f1a98d7eb5fd34 |
| SHA256 | 4600731c623bebc871d385237bde7950fbf28eb3a66a19a49be72ef374a10011 |
| SHA512 | 7b6ea6f41de6518c420f80cf3b94bb18cc4a0da84affa6f9695608f886be9129574e1edf9b3fff62893daa63a0670b68fcffb110d52eb3f4ed91b0d80aaa9c1f |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 0bef066d48a9f01b6953cd9fbe3713d7 |
| SHA1 | f99b4312a4b50265fd6cf0ab546d61cebe5b4f8a |
| SHA256 | 6e664d5619f31dc7808547c7865f69bc8d63a0b06dc2e1966ec9c33c832a97f0 |
| SHA512 | 7399956814652c5d0cde5d2c38c3a551b10c3740b1c49d7d308c8fb6ca9b739cecfde648d94639f073b7542c84bc5abfabbb48c6878e7f9c7c18eadafd8ee722 |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 43d2c5b5b2d4baa9e3bb0fc9c2dca232 |
| SHA1 | 5209a9780662fab88b6d32db24239a184875eefe |
| SHA256 | 3251fd73f884c2b6c4b66ce73ba96cfec3ac4dfc99b29768c2d77be2c3d14a1b |
| SHA512 | 5aa1a2f19455f5aa24048c1407ee560eaff82ec0dde324d7762c5a9b95c7cdbbfe6e785e42ac810110f5f302b8f8784c2b4d50f4136bdc509a7b65483308fb8a |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm
| MD5 | 7ca1529e134ec863165f02b4f22dcfc6 |
| SHA1 | f0ade781062c0e54239dbef198814aaf1e029ec2 |
| SHA256 | b4202d78eff57cda8bc897ee058b7d84f9e4175a1d056e0cd1d8e620672a6c7d |
| SHA512 | 70fe6c204b538390ff086e98b76ca988995e7055352497212dcc46f95d0ba79d255b7f7b6501456be25239f51a1f483b30d13217a949df9a2801a4110d66fb8d |
C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.INTEG.RAW
| MD5 | 1925eb9dc4ac1134d3b1f0a3fbaeb4ec |
| SHA1 | 675322382723961d0f109fdd3fd162bc79b7d2ac |
| SHA256 | 168eded5ba64fe7938d3e9bb3a9562f0cbfc3f37c44f10123bb1575734de7297 |
| SHA512 | 6cba050f3c11ae6fcfb9fa84be6378c306ef84f035f336ed89a01c99fb93e83de12ab666f7f33f28d6814c6ba99286577e8728e6de42750910806a0c7396a771 |