Malware Analysis Report

2025-01-02 05:58

Sample ID 241125-djlw8a1ken
Target 98d129283fccf504adb59f2ff02bdf76_JaffaCakes118
SHA256 6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347
Tags
ffdroider nullmixer privateloader vidar aspackv2 discovery dropper loader spyware stealer vmprotect evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e19816cb41452f85a6f40216c40140066ea8bc999d81e378dd3b5daefd26347

Threat Level: Known bad

The file 98d129283fccf504adb59f2ff02bdf76_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ffdroider nullmixer privateloader vidar aspackv2 discovery dropper loader spyware stealer vmprotect evasion trojan

FFDroider

Ffdroider family

Nullmixer family

NullMixer

FFDroider payload

PrivateLoader

Vidar

Privateloader family

Vidar family

Vidar Stealer

Checks computer location settings

ASPack v2.12-2.42

Executes dropped EXE

VMProtect packed file

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Looks up external IP address via web service

Unsigned PE

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 03:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 03:02

Reported

2024-11-25 03:04

Platform

win7-20240903-en

Max time kernel

66s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\a56065a4b52c2c16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\a56065a4b52c2c16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\ffdebd71b3232.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\ffdebd71b3232.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\ffdebd71b3232.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\a56065a4b52c2c16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301
d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob value elided] C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\b735755af543525.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\eb8b5374cee7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2648 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2648 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2648 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2648 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2648 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2648 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2696 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe
PID 2696 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe
PID 2696 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe
PID 2696 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe
PID 2696 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe
PID 2696 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe
PID 2696 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe
PID 2880 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2880 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\eb8b5374cee7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 09c48f70afae1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ffdebd71b3232.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME44.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7a0a59dd28055ec3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c b735755af543525.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c eb8b5374cee7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c a56065a4b52c2c16.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c fbbf95c08c8b58.exe

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\eb8b5374cee7.exe

eb8b5374cee7.exe

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe

7a0a59dd28055ec3.exe

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\a56065a4b52c2c16.exe

a56065a4b52c2c16.exe

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\ffdebd71b3232.exe

ffdebd71b3232.exe

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe

09c48f70afae1.exe

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\b735755af543525.exe

b735755af543525.exe

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe

fbbf95c08c8b58.exe

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe

"C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 944

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.22:443 lenak513.tumblr.com tcp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
N/A 127.0.0.1:49280 tcp
N/A 127.0.0.1:49282 tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 172.67.75.166:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 89086cb8af781cacdb7f54885b9f3c93
SHA1 90dd7b1f35b151efa68e691212a9fdd72188faef
SHA256 1c8fd4b23994f2dbffb0f51debe3551b796ab2bc280242c325de14d650ecb227
SHA512 d7b2d92536a6bfabc80f3b12284df5969e3b4f3d47c6c44e0b7702a043915e31914161be9b76f2d9db88ca47788eaa6522f6d1475b4b15a9d7c68379b041037f

\Users\Admin\AppData\Local\Temp\7zS88AC1E37\setup_install.exe

MD5 d0c0ed74cb8878f734ad674f4c6f6430
SHA1 b18eaaaf110caa25c101b86fd088e700fc5eec9b
SHA256 0125d17f17f3cf5b115c1202de3931b3082ca56d2d473447e4dac039c53b517b
SHA512 42a3ce63865b3f8b417bc48bdabc68a9436b11cc3574aff4d8c91b8ec7b7ed34b7e11d7b7ae35f01ad40fe1c1b5616773c3fdbd59e9fb68ace3d1493c62c56d5

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2880-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2880-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2880-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2880-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2880-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2880-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2880-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2880-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2880-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2880-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2880-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2880-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\7a0a59dd28055ec3.exe

MD5 78e8acd24692dbfac7f20fd60fe5dfbd
SHA1 d9c1f3b4ccceaa21897c57d8f343c0b3b19c88ca
SHA256 23e2a056155948a0f8dee4ff30f0336fe7aa1922be58010acc88fbec64c3e822
SHA512 f0476b350ac6813a3a1f18c2a2366c09f1faf5f2475bcacc95fe3c545fd378879deba98ae12ab43035de22c524bd5a76f4a704de42f7572d41a7d4e8109315e7

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\ffdebd71b3232.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\09c48f70afae1.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

memory/2196-88-0x00000000028E0000-0x0000000002C39000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\a56065a4b52c2c16.exe

MD5 8cd6a0f9c54968b2003415a62a6ce8b7
SHA1 ea5bacbba4ebceacf4f7c547fc840d03fb8654f7
SHA256 61167f2be099b7bf668e25a470119adfa0c409c2e5c059ad1a016c14dd168f3f
SHA512 b7a988cf8218a3ff0c13cd58953b4e4b7e4b641d18380bb03a37aa39628d336adac80c8d6d526389d8b2197228813c4b12593fdc5514f633cee0ee856f3ec915

\Users\Admin\AppData\Local\Temp\7zS88AC1E37\eb8b5374cee7.exe

MD5 83cc20c8d4dd098313434b405648ebfd
SHA1 59b99c73776d555a985b2f2dcc38b826933766b3
SHA256 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
SHA512 e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c

memory/1164-104-0x0000000000ED0000-0x0000000001229000-memory.dmp

memory/1164-103-0x0000000000ED0000-0x0000000001229000-memory.dmp

memory/1164-102-0x0000000000400000-0x0000000000759000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS88AC1E37\b735755af543525.exe

MD5 181f1849ccb484af2eebb90894706150
SHA1 45dee946a7abc9c1c05d158a05e768e06a0d2cdc
SHA256 aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409
SHA512 a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c

memory/1164-108-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88AC1E37\fbbf95c08c8b58.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/2428-124-0x0000000000400000-0x0000000002C6C000-memory.dmp

memory/2856-126-0x00000000001D0000-0x00000000001FE000-memory.dmp

memory/904-125-0x0000000000060000-0x0000000000068000-memory.dmp

memory/2856-127-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/2856-128-0x0000000000200000-0x0000000000222000-memory.dmp

memory/2856-129-0x0000000000220000-0x0000000000226000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2DA7.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2DC9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 03:02

Reported

2024-11-25 03:04

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\09c48f70afae1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\7a0a59dd28055ec3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\eb8b5374cee7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\b735755af543525.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1484 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe
PID 5016 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4092 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\09c48f70afae1.exe
PID 2940 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\b735755af543525.exe
PID 1420 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe
PID 2800 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\7a0a59dd28055ec3.exe
PID 232 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe
PID 2748 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe
PID 2284 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\eb8b5374cee7.exe
PID 4808 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe

Processes

C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\98d129283fccf504adb59f2ff02bdf76_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 09c48f70afae1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ffdebd71b3232.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME44.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7a0a59dd28055ec3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c b735755af543525.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c eb8b5374cee7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c a56065a4b52c2c16.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c fbbf95c08c8b58.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\09c48f70afae1.exe

09c48f70afae1.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\b735755af543525.exe

b735755af543525.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\7a0a59dd28055ec3.exe

7a0a59dd28055ec3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe

fbbf95c08c8b58.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe

a56065a4b52c2c16.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe

ffdebd71b3232.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\eb8b5374cee7.exe

eb8b5374cee7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2792 -ip 2792

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1564

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 music-sec.xyz udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 db-ip.com udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
RU 186.2.171.3:443 186.2.171.3 tcp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 166.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
US 8.8.8.8:53 15.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 25.27.17.104.in-addr.arpa udp
GB 37.0.8.235:80 tcp
US 74.114.154.22:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
N/A 127.0.0.1:53171 tcp
N/A 127.0.0.1:53173 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 89086cb8af781cacdb7f54885b9f3c93
SHA1 90dd7b1f35b151efa68e691212a9fdd72188faef
SHA256 1c8fd4b23994f2dbffb0f51debe3551b796ab2bc280242c325de14d650ecb227
SHA512 d7b2d92536a6bfabc80f3b12284df5969e3b4f3d47c6c44e0b7702a043915e31914161be9b76f2d9db88ca47788eaa6522f6d1475b4b15a9d7c68379b041037f

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\setup_install.exe

MD5 d0c0ed74cb8878f734ad674f4c6f6430
SHA1 b18eaaaf110caa25c101b86fd088e700fc5eec9b
SHA256 0125d17f17f3cf5b115c1202de3931b3082ca56d2d473447e4dac039c53b517b
SHA512 42a3ce63865b3f8b417bc48bdabc68a9436b11cc3574aff4d8c91b8ec7b7ed34b7e11d7b7ae35f01ad40fe1c1b5616773c3fdbd59e9fb68ace3d1493c62c56d5

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/5016-40-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\09c48f70afae1.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\fbbf95c08c8b58.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\7a0a59dd28055ec3.exe

MD5 78e8acd24692dbfac7f20fd60fe5dfbd
SHA1 d9c1f3b4ccceaa21897c57d8f343c0b3b19c88ca
SHA256 23e2a056155948a0f8dee4ff30f0336fe7aa1922be58010acc88fbec64c3e822
SHA512 f0476b350ac6813a3a1f18c2a2366c09f1faf5f2475bcacc95fe3c545fd378879deba98ae12ab43035de22c524bd5a76f4a704de42f7572d41a7d4e8109315e7

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\eb8b5374cee7.exe

MD5 83cc20c8d4dd098313434b405648ebfd
SHA1 59b99c73776d555a985b2f2dcc38b826933766b3
SHA256 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
SHA512 e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c

memory/2264-103-0x0000000000C00000-0x0000000000C22000-memory.dmp

memory/2264-104-0x0000000000C20000-0x0000000000C26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\ffdebd71b3232.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\a56065a4b52c2c16.exe

MD5 8cd6a0f9c54968b2003415a62a6ce8b7
SHA1 ea5bacbba4ebceacf4f7c547fc840d03fb8654f7
SHA256 61167f2be099b7bf668e25a470119adfa0c409c2e5c059ad1a016c14dd168f3f
SHA512 b7a988cf8218a3ff0c13cd58953b4e4b7e4b641d18380bb03a37aa39628d336adac80c8d6d526389d8b2197228813c4b12593fdc5514f633cee0ee856f3ec915

memory/4524-96-0x0000000000330000-0x0000000000338000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\b735755af543525.exe

MD5 181f1849ccb484af2eebb90894706150
SHA1 45dee946a7abc9c1c05d158a05e768e06a0d2cdc
SHA256 aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409
SHA512 a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 3e60996b2d78d5d580be3f2a3ae4dd67
SHA1 344d2253b9795f7302c709a16a1ec2bf6974f5de
SHA256 481ec206c9ba016f36141ce60dac966afaa22d6f4bd3064d5bec466bb84e2d6c
SHA512 7db1382e44b0fb98a648e32ecbc7100feb847057e845a0086f2721ae4c94289e0d767e4b60f357fc6203f3df3260a46255a5ea6d6ee367b521c740a3cc21f4fd

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 4ce6999b8834480dd53aac631e78c8dc
SHA1 e277dee7f7f9a07188d9e03f2c5342bccd5be904
SHA256 c3ed145c861368d3d9ffd6efee15730f8e1ee6c90af85a9246750ee108ede3bb
SHA512 6256700ea22b2c79ae007fcda25c6a99ea7c169087aa99500c34b226c9e327b0c5d6853c07121a7d30d8ebfde44f846edcb037912fbb8e8a1becb59a12c1427d

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 d90f11d314998c3d1006ac81df0aaf03
SHA1 4195fed775c5b7679c6c7aa24cd221f723b7e5fa
SHA256 d0cec6c4a2db3ccd9e0c1751511c03fce097af49d03251b6596bd5d2ecae38db
SHA512 86ea8882f46a2b190ae8ff5ea42feffa4455729e232c7e4450bd405cd0f785752a27923329b51f7df7f0ba432e16f5bd8a6b7e523a0ec959f3814aac172c6a23

memory/1940-180-0x0000000004680000-0x0000000004688000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 ca5a2fe21efa3d2200be4c368984f254
SHA1 32b24b1883a61d58d228578b5908a1b19ba3bb09
SHA256 998089718dca6c508660643c32a39a7750b096fabf22f28299149feb766e755c
SHA512 408a88d95b3f76487ae6311c86f10c1f40a3cf5ec19e804cce10b3bc0cc5cc7c347d08551a76ddf4805b2497dcd710c57d23fe9781e21cc16db145b649f5c8a7

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d

MD5 25f5d1a3f1bab6cacb86d662e4991f3d
SHA1 12723dbe0ef5d0436a1eb8e4f1df87fe8f15ae8a
SHA256 35d87bfd2b4ff1f2e4d7aac2800a34ca1051f68acd20790c32a1748917db17b0
SHA512 34e11cbff8c11cc5fa7daab0a3e6553c943d77758fd52d37c7d92dfb0d13d6eceb8d4325fe86a0cb69c65ee01d9ad16e46c310e3ea5a0208c1bcf7e5716c0195

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 02fceb97b0de222052676faf9428fd88
SHA1 cc6752df760a00fea750e167acae64e96bb5108a
SHA256 a63996a8cb96778ffb1059a2704c2ed51103fcee4825fcd80cdab26322aa8c73
SHA512 72f3dd4cf1d701ce1e1572f4eddb4a022c8605654eecf5a6ef3597cc34f22f722299d8d35e36132609816fe09e8ffb32fd2477ecd235c9102e8907d8bf38726f

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 1289b74bb0028d1dad066f707d455705
SHA1 c59c52f566cd17d4475a2c364f027a0e8790cb02
SHA256 618e099730f6aab78397040bb07fbc283c90ca8df827251b858cbec95d8057e0
SHA512 8504615840a4cd8620790c4705fb7fad4b6451a115e35c1bc83149d05412fafad0ecea1634fe1ffbbc7d7374ecaa18ba47184636cff96a8e2f46deaba9ec1768

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 5b848f316700af46dd21e5ed36784518
SHA1 f79cd0137a3a41ece0c96d2a8566e83b787d6bff
SHA256 6c23f9ccefad64f38e8aa021a389ed6092543aee9bb61c725a066b27b111743f
SHA512 1abfc88db513dbb2f6733c45e82847499931a0eb1e52241de19ad47b1938d2defe9cb504907b3ce0e59d05d33b18ca9e92616b0b9e7a6d997d4e9c268964cf9a

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 b1109994adef74cc27cd17b5cb7b6def
SHA1 db96c3e5e4b674d147ee10b1129b84662521bd33
SHA256 1f344c658c55c0ccd808f03f12e20f719aaeb235d9f9811036a5f18b87c02193
SHA512 f5a4c3597cb71eb3b42993a955ce949eed0ad51253b8f1511d1e04b0abfff74ff0d0a6ed8000009d601c45ad2e5eb517af6ef3d457367f846684924152c383f7

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 187f0250f806fa1f3e61625f49212e8e
SHA1 057ea7b1d0734b000479ff6913821b22b2e8344e
SHA256 0c2df31f8c330c9152bc3627c9ba95876ee6ed5625b7d789e5ffac60cf5f86e1
SHA512 bd48fc687070be07016474270b48f7bce6fb88e764b4ad61ddb827de20a254b3a0087e3140762021786b619e7645ace86700d78aeea18adaedf1f0bea303054f

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 da44c5d5dc2f23b1dae4b5ba083b7759
SHA1 c4a5975a68f469acb5da2d02801af1729832b341
SHA256 c4fb31a226e4cff8de67fcf29055c63545f61105e654579b505116885e2b3f3d
SHA512 b2be24f3a52cc32ad7e253a13c8b009a6c8a4a13621d99527d020bde3237e781a61c4ec6038444d8129a885fe7c9e0f7d1940f14c39b37eeaadd4acd9cfb9408

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 ada89a673bd446246518b82ef9e78af2
SHA1 e3770b06e3b87f84c1bd7662c55b77941516ea8e
SHA256 500e5eb14254d0ce0322256ef4e67b7c40770f5ee549cc6675c047c39956c83f
SHA512 6e11a4c80e2109736659c84f7aaf9044308ea3c86b3fe4fbb98fd74598102b5cae77c8cd72fc51e01acc9f556e5e07f4256c7203729cd3eda901226e18aa42e8

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 36846b755ed7f37f7029a7c79e6c7615
SHA1 1e4087ad5ee1e0a24336262438ff91a7d26b32c7
SHA256 7641cff58a0500eb0ab1d873d0da54621ff7655eb14459b90b056d8fdf1e05c7
SHA512 c1c6dd76e9d7622737ba2320f0cfc3277209ba3d60ece83a994720e2a6ee822e198e21c06a3912c20810a7d823384882660880052c6d195784218af62bb7a455

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 fc120638cc8e566bf1d68c0c47c3a4d6
SHA1 df89e94775cd806254939a4e615616e3a4a7dd2d
SHA256 07718d0b2e4284acf484369bc98f09b1261a55fa02d0aa299a6231a61dc2e869
SHA512 15cf7aa859d42b577c2ba4a9c294a2a60d1210d8691fedf0d14a244db99dadb6c4c1af03aacd57f3d55c68dae99cbf77c538a46fa096f776e4f1f77720e4ef1c

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 5ff36ec5a894624da4ceb750a222e10d
SHA1 137755f53dc1bc5e9dcdba72a12eca87d0023a58
SHA256 27bd73a2bdf9e91e3a97597cff32c17aa3d91c3295d57b4eb55a7ebb213c2b1d
SHA512 7d8d5dbd102179f9b6f1b0f34e5b34e103c4f164c50cdf1a81ff37545174b74f4eee7dff6ca17ed45400778a69d81948a09909d20aed04cec2d6b1c5770a9c04

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 26b7fa0c78b7a0f33e16dbbd558ec613
SHA1 ea04ee10cd573294569a482d4ee9918b6d89a2ac
SHA256 7edd0ef0409d9887546b2f5e9ae728648a403ac1546b217730aaefbaa359cb50
SHA512 e3381e715d301db3892c16f68bab3f304f5789395951ac813e02bf5c2875208f27e8ae050fab1c7b501b54b5596ebab88b85fadb1a98938af956333b660212ed

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 a7e9103f682e6c009d6e3890cf748dc0
SHA1 05db280ff7e16abd667b8c683b86b3a4e4bf5c08
SHA256 c3215ff764f35e8f98e5cfdb32586aeced44e9d80f9afdadaf77e375ebaea610
SHA512 9e86ba4dd6edc95ef002b80c59ef1a6c859fbb076b4225e450d523e6cc9e5331e189b95ff968919851d3cca1ad3ac4fe65003312e38bf99801c4d70be977a976

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 40e264bc73d2dd8ff9ee72f36ee5b4f1
SHA1 6e2351e9df893e37a0a27b9fadda90ed2f263fa8
SHA256 a9cbb0847b3a80233810435dfbc15ea8f8f3bb7765896579a15a8cc27e171337
SHA512 a9a7b219ef55eb7e70f1ec790601a1c6bd236a144845a486b805b9acc4aae4eeb93bebed2a611370fed28b5c5346d4afc209c03e89d4f9697224caa3e03739bf

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.jfm

MD5 aa90f87c2a516b86596ab0bc879068e3
SHA1 054dc878dbb6d9c5a8aff86e44b4dc19c18aef41
SHA256 d92a672104726a8698e021fc1104dfb0c553546a19cc1799c76171ec0bb2dbeb
SHA512 86edae4c66287a6d28e38445ed532a262e81dbc9dac0320064bcaeb80dcb008a1dc6cc224a62b3426aa84ab1568f3c4bba2434dc780862c1a52b84b88c24983c

C:\Users\Admin\AppData\Local\Temp\7zSCC5196F7\d.INTEG.RAW

MD5 ff381cbc438e22f749152b5e2d131174
SHA1 0ad4fff4ae0e8a7641db98667fb282aaf3d4f744
SHA256 f9ccf66bb453f40722751c45f50bf220b82fee45e79dc306ad1ecd816ea885eb
SHA512 0f2abffe39651e7f49eaec7fd3f278d47d20b6e8d5730aa6edc0047a16dcdcfc61ec3c5daaa65320123666eb5e686a002643c6a14c06a8d85b9c698010719f94

memory/1940-629-0x0000000000400000-0x0000000000759000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 03:02

Reported

2024-11-25 03:04

Platform

win7-20240903-en

Max time kernel

63s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\ffdebd71b3232.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\ffdebd71b3232.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\a56065a4b52c2c16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\a56065a4b52c2c16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\ffdebd71b3232.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\a56065a4b52c2c16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\b735755af543525.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe
PID 2664 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe
PID 2664 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe
PID 2664 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe
PID 2664 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe
PID 2664 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe
PID 2664 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe
PID 2244 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 09c48f70afae1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ffdebd71b3232.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME44.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7a0a59dd28055ec3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c b735755af543525.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c eb8b5374cee7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c a56065a4b52c2c16.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c fbbf95c08c8b58.exe

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe

eb8b5374cee7.exe

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe

7a0a59dd28055ec3.exe

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\ffdebd71b3232.exe

ffdebd71b3232.exe

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\b735755af543525.exe

b735755af543525.exe

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\a56065a4b52c2c16.exe

a56065a4b52c2c16.exe

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe

fbbf95c08c8b58.exe

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe

09c48f70afae1.exe

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe

"C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 944

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.59.81:443 ipinfo.io tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 music-sec.xyz udp
N/A 127.0.0.1:49250 tcp
N/A 127.0.0.1:49252 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.200.189.225:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\setup_install.exe

MD5 d0c0ed74cb8878f734ad674f4c6f6430
SHA1 b18eaaaf110caa25c101b86fd088e700fc5eec9b
SHA256 0125d17f17f3cf5b115c1202de3931b3082ca56d2d473447e4dac039c53b517b
SHA512 42a3ce63865b3f8b417bc48bdabc68a9436b11cc3574aff4d8c91b8ec7b7ed34b7e11d7b7ae35f01ad40fe1c1b5616773c3fdbd59e9fb68ace3d1493c62c56d5

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2244-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2244-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2244-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2244-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2244-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2244-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2244-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2244-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2244-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2244-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2244-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2244-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\7a0a59dd28055ec3.exe

MD5 78e8acd24692dbfac7f20fd60fe5dfbd
SHA1 d9c1f3b4ccceaa21897c57d8f343c0b3b19c88ca
SHA256 23e2a056155948a0f8dee4ff30f0336fe7aa1922be58010acc88fbec64c3e822
SHA512 f0476b350ac6813a3a1f18c2a2366c09f1faf5f2475bcacc95fe3c545fd378879deba98ae12ab43035de22c524bd5a76f4a704de42f7572d41a7d4e8109315e7

\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\eb8b5374cee7.exe

MD5 83cc20c8d4dd098313434b405648ebfd
SHA1 59b99c73776d555a985b2f2dcc38b826933766b3
SHA256 908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
SHA512 e00009e1f322a1fe6e24f88a1cc722acf3094569174e7c58ebf06f75f50a7735dcebf3e493886bbdc87593345adc8bb7b6f2daca2e64618f276075a0bb46bb8c

C:\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\b735755af543525.exe

MD5 181f1849ccb484af2eebb90894706150
SHA1 45dee946a7abc9c1c05d158a05e768e06a0d2cdc
SHA256 aeb2d203b415b00e0a23aa026862cec8e11962fdb99c6dce38fb0b018b7d8409
SHA512 a87485005ca80e145a7b734735184fa2d374a7f02e591eec9e51b77dc2a51be7f8198ce5abfceb9546c48bf235a555f19d6c57469975d0b4c786b0db16df930c

\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\09c48f70afae1.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\a56065a4b52c2c16.exe

MD5 8cd6a0f9c54968b2003415a62a6ce8b7
SHA1 ea5bacbba4ebceacf4f7c547fc840d03fb8654f7
SHA256 61167f2be099b7bf668e25a470119adfa0c409c2e5c059ad1a016c14dd168f3f
SHA512 b7a988cf8218a3ff0c13cd58953b4e4b7e4b641d18380bb03a37aa39628d336adac80c8d6d526389d8b2197228813c4b12593fdc5514f633cee0ee856f3ec915

memory/2440-109-0x0000000000400000-0x0000000002C6C000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\fbbf95c08c8b58.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/2596-112-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2596-103-0x0000000000D30000-0x0000000001089000-memory.dmp

memory/2596-102-0x0000000000D30000-0x0000000001089000-memory.dmp

memory/2628-116-0x0000000000360000-0x000000000038E000-memory.dmp

memory/2924-115-0x00000000012B0000-0x00000000012B8000-memory.dmp

memory/2596-101-0x0000000000400000-0x0000000000759000-memory.dmp

memory/1620-96-0x0000000002840000-0x0000000002B99000-memory.dmp

memory/1620-95-0x0000000002840000-0x0000000002B99000-memory.dmp

memory/2628-117-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2628-118-0x0000000000250000-0x0000000000272000-memory.dmp

memory/2628-119-0x0000000000270000-0x0000000000276000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS86AB6FC6\ffdebd71b3232.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\CabFDB2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 baf4b27c9dcdc4f483dabd64d31d2828
SHA1 f7bf15c62a7398b561c7f15acd178817184ec82c
SHA256 b4fad0a05559190a4b264c94e28d36238e61f1fdeeb2333878b36458394752cd
SHA512 3a2c73842081f3ba4af43ec2d3d234787af177ff69306b39671970160319f2a512bb63be34ae379aaa0d8350a3206d34b9b9518f0672595517066310ad2ede4f

C:\Users\Admin\AppData\Local\Temp\TarFE3D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2596-232-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2244-237-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2244-241-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2244-240-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2244-239-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2244-233-0x0000000000400000-0x00000000008DD000-memory.dmp

memory/2244-234-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3048-260-0x0000000000400000-0x0000000002CC8000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-25 03:02

Reported

2024-11-25 03:04

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\7a0a59dd28055ec3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\09c48f70afae1.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\eb8b5374cee7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\b735755af543525.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4188 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe
PID 1844 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\7a0a59dd28055ec3.exe
PID 3732 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\eb8b5374cee7.exe
PID 1852 wrote to memory of 2668 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\b735755af543525.exe
PID 2800 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe
PID 2704 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe
PID 4468 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\09c48f70afae1.exe
PID 2552 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe
PID 2384 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 09c48f70afae1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ffdebd71b3232.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME44.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7a0a59dd28055ec3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c b735755af543525.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c eb8b5374cee7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c a56065a4b52c2c16.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c fbbf95c08c8b58.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\7a0a59dd28055ec3.exe

7a0a59dd28055ec3.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\eb8b5374cee7.exe

eb8b5374cee7.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\b735755af543525.exe

b735755af543525.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe

fbbf95c08c8b58.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe

a56065a4b52c2c16.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\09c48f70afae1.exe

09c48f70afae1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe

ffdebd71b3232.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1844 -ip 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 560

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2388 -ip 2388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 1028

Network


Files

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\7a0a59dd28055ec3.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\ffdebd71b3232.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\fbbf95c08c8b58.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\09c48f70afae1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\a56065a4b52c2c16.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\b735755af543525.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\eb8b5374cee7.exe

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.jfm

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d

C:\Users\Admin\AppData\Local\Temp\7zSC502F7D7\d.INTEG.RAW