Malware Analysis Report

2025-01-02 05:58

Sample ID 241126-lht57s1rfp
Target a128c5bc0609f0871555f4e66bb19717_JaffaCakes118
SHA256 a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001
Tags ffdroider nullmixer privateloader aspackv2 discovery dropper evasion loader spyware stealer trojan vmprotect vidar 706
Score 10/10


Analysis Overview

Score 10/10

SHA256 a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001

Threat Level: Known bad

The file a128c5bc0609f0871555f4e66bb19717_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ffdroider nullmixer privateloader aspackv2 discovery dropper evasion loader spyware stealer trojan vmprotect vidar 706

Privateloader family

PrivateLoader

Nullmixer family

Ffdroider family

Vidar

NullMixer

FFDroider

Vidar family

FFDroider payload

Vidar Stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

VMProtect packed file

ASPack v2.12-2.42

Checks computer location settings

Looks up external IP address via web service

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Script User-Agent

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-26 09:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-26 09:32

Reported

2024-11-26 09:35

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp N/A
File created C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp N/A
File created C:\Program Files (x86)\AskFinder\is-9BN50.tmp C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\ed10a8b2b3d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\c65040c72c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\30dd64a3b09404.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\c65040c72c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\c65040c72c7.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\c65040c72c7.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\757755d929c68.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\29dc9096b9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3848 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe
PID 3848 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe
PID 3848 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe
PID 4216 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4216 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe
PID 2476 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe
PID 2476 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe
PID 2120 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe
PID 2120 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe
PID 2120 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe
PID 1628 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\757755d929c68.exe
PID 1628 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\757755d929c68.exe
PID 4428 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\c65040c72c7.exe
PID 4428 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\c65040c72c7.exe
PID 4428 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\c65040c72c7.exe
PID 3428 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\30dd64a3b09404.exe
PID 3428 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\30dd64a3b09404.exe
PID 3428 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\30dd64a3b09404.exe
PID 1996 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe
PID 1996 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe
PID 1996 wrote to memory of 1616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe
PID 4780 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\29dc9096b9.exe
PID 4780 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\29dc9096b9.exe
PID 672 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\ed10a8b2b3d6.exe
PID 672 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\ed10a8b2b3d6.exe
PID 672 wrote to memory of 3592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\ed10a8b2b3d6.exe
PID 1616 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp
PID 1616 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp
PID 1616 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp
PID 2260 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe
PID 2260 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe
PID 2260 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME11.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cb4071ec97a2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 30dd64a3b09404.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6f0ef9103.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c a6d6262485.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c65040c72c7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ed10a8b2b3d6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 757755d929c68.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 29dc9096b9.exe

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe

6f0ef9103.exe

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe

a6d6262485.exe

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe

cb4071ec97a2.exe

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\757755d929c68.exe

757755d929c68.exe

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\c65040c72c7.exe

c65040c72c7.exe

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\30dd64a3b09404.exe

30dd64a3b09404.exe

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\29dc9096b9.exe

29dc9096b9.exe

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\ed10a8b2b3d6.exe

ed10a8b2b3d6.exe

C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp" /SL5="$B0042,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5000 -ip 5000

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe

"C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3592 -ip 3592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1828

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 music-sec.xyz udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 ipinfo.io udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
RU 186.2.171.3:443 186.2.171.3 tcp
US 34.117.59.81:443 ipinfo.io tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 proxycheck.io udp
US 104.26.8.187:80 proxycheck.io tcp
US 8.8.8.8:53 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com udp
JP 52.219.150.118:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.22:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 187.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 118.150.219.52.in-addr.arpa udp
JP 52.219.150.118:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
N/A 127.0.0.1:57849 tcp
N/A 127.0.0.1:57851 tcp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 81.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\setup_install.exe

MD5 94fcd8b53e0f74e1e8ab62e03f6dc633
SHA1 1ffd87916893938ccc405a8d5e677ce4ea20941d
SHA256 4dc9a5a7b1f6773c32403ef2117b528ca8080bd370a7a1dc890365918d05d744
SHA512 142c10ab6b845939c1e73a654d2b089132c2981212c027222d8917011d8b34250aae29b24f110f025c61f72aa3ca976da3c0032d6828a96b9e783969025e221f

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/4216-33-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4216-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4216-44-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4216-43-0x0000000064941000-0x000000006494F000-memory.dmp

memory/4216-37-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\c65040c72c7.exe

MD5 0b31b326131bbbd444a76bc37fe708fd
SHA1 2c71c646a257b7749b8a055744112056b92d4ff2
SHA256 491b5dd65f81070616fab1c5513842e8d2405b3bbb44ab0c8fb5b3e26bbe017f
SHA512 0eb8c8e08fd46dc2ca6b87fa7393c2f2bdd25289529a69beedefa443a44f8067fdec9f1b2bf4257de6e16750dadc0f10729a86db23cd00f9fbeda58d5a43c75e

memory/2832-79-0x00000000005D0000-0x00000000005D8000-memory.dmp

memory/1468-90-0x0000000000400000-0x0000000000759000-memory.dmp

memory/1468-92-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4K8HF.tmp\a6d6262485.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/4608-98-0x00000000009B0000-0x00000000009B6000-memory.dmp

memory/4608-95-0x00000000001E0000-0x0000000000212000-memory.dmp

memory/4608-99-0x00000000009C0000-0x00000000009E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\ed10a8b2b3d6.exe

MD5 da4e3e9ae2be8837db231d73e1e786b3
SHA1 ef3f564a1d383f0b2a414d28e1306a07d0ba48e4
SHA256 71d23587d979836b040040aea184367566eb878d4f76ccb001e85adb6e050647
SHA512 df8dfd65526a1b2c08d8b3eca0e15c31960118fbc0354e80b75aa2d56bad998ecefb55ada3daa6c22ef7f5be5f09a19311d7d08534ba37bcc1780b03a0a49a04

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\29dc9096b9.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

memory/4608-110-0x00000000009E0000-0x00000000009E6000-memory.dmp

memory/1652-108-0x0000000003940000-0x000000000397C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KS5TL.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\a6d6262485.exe

MD5 58c203a58312c6121c932e9a59079064
SHA1 f57f41180fbe8e5dffafef79ea88f707c5cb748a
SHA256 3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
SHA512 e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

memory/1616-76-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\757755d929c68.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\cb4071ec97a2.exe

MD5 3263859df4866bf393d46f06f331a08f
SHA1 5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA512 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\6f0ef9103.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\30dd64a3b09404.exe

MD5 a6b572db00b94224d6637341961654cb
SHA1 9f0dbcce0496fede379ce4ecbfc2aa2afbb8ee8c
SHA256 91ef165ad61d09dfda345f827b8ff78a18a3e40d8e12454cdb494d1555af7656
SHA512 39ad03d8645a3a90b770b4fe05c43c2dadfc8b80277688ec01597bc0cda6b3fafe9e158f72ebc7db4ce98605f44fe3eacda6573f9e32e01bda0ad66efc17274c

memory/4216-42-0x0000000001210000-0x000000000129F000-memory.dmp

memory/4216-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4216-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4216-38-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4216-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4216-34-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4216-32-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4216-36-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4216-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/4216-25-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/5000-112-0x0000000000400000-0x0000000000907000-memory.dmp

memory/4216-122-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4216-121-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4216-120-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4216-119-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4216-116-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4216-113-0x0000000000400000-0x0000000000875000-memory.dmp

memory/1468-127-0x0000000003A50000-0x0000000003A60000-memory.dmp

memory/1468-133-0x0000000003BB0000-0x0000000003BC0000-memory.dmp

memory/1468-140-0x0000000004660000-0x0000000004668000-memory.dmp

memory/1468-141-0x0000000004680000-0x0000000004688000-memory.dmp

memory/1468-143-0x0000000004720000-0x0000000004728000-memory.dmp

memory/1468-146-0x0000000004870000-0x0000000004878000-memory.dmp

memory/1468-147-0x0000000004890000-0x0000000004898000-memory.dmp

memory/1468-148-0x0000000004B30000-0x0000000004B38000-memory.dmp

memory/1468-149-0x0000000004A30000-0x0000000004A38000-memory.dmp

memory/1468-150-0x00000000048A0000-0x00000000048A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 dd9ae6a03a8857eb6650c5db114df7cc
SHA1 403c0d05207fc169af8d38a6c4ac27a64e041e83
SHA256 bfb9fdda9ef8695d8adb5849c8ea77602fff330028871613d75fafd96023daac
SHA512 e4a6f12ee9b8849782d4a2e7cf5af2ca31f95761763fe57a08e343db17d9afb37ca6628241225dbbc09a4d538e19c58bffab10818efbcb81a734609a247d8076

memory/1468-163-0x0000000004680000-0x0000000004688000-memory.dmp

memory/1468-171-0x00000000048A0000-0x00000000048A8000-memory.dmp

memory/1468-173-0x00000000049D0000-0x00000000049D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 aa837654685df181a94ad92bbf414b20
SHA1 5174a09a14c460b76d252d6e94c8886c9eb29218
SHA256 dade1a1ddde0f93cbf0851325d3aaf0b34b3a40ddf1378e0085e032bb1f698c4
SHA512 759fa96788902340c1a6505dba7be2f8ee44672a365fff71fb96b36e900decd01000341ab0769ce82ff365462ef6c051c4f98578275c7362a77f9ecded8c2ec4

memory/1468-186-0x0000000004680000-0x0000000004688000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 bf495899597308ae42652e41039b6aa2
SHA1 da5cf73dc63e55ee1f3210fe9e32a07369f636c9
SHA256 66f424ab0e644c9b58c74afb2b032a627ff8d6724667a6412ab184d4b6beebb1
SHA512 583cd80ac9e6b7b25e5d941f4a3838f573dc674325ce476e1e96df70a4c5f9740183203c1c8aa45f13aac026f7d28c713d49758133d22ddeef1a8755dd1a403b

memory/1468-194-0x00000000049D0000-0x00000000049D8000-memory.dmp

memory/1468-196-0x00000000048A0000-0x00000000048A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 c15779662b5cda2c756c0557bbdbce1d
SHA1 49d45933f33d05925ab80bb09074cfeab2962811
SHA256 2a64516294ab5e9d60390e8ac24dafc99f598c1c8f2ef9ed8e76b4110b53aa96
SHA512 45cf8462eed6630da3729d6af8e049e4cc25252f81acd8969ab080529f1ed1063c4036582af21d098374be579f439137edcd806e0167423cedd6933c6c05029c

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d

MD5 6f6f7f15ea023dce8934c16b90fc095b
SHA1 39673c16cd036ae37639c665e5ad08ac4a345c00
SHA256 95fe750a641227db786024d9147efc435408d4c39fc4a19dd3b65de7a5d90e9e
SHA512 d2cd130f4067b3d9ad6e6eca03934905eb4e63efe6fb47de2b3e49428dddd8f070ee700175c0d6fa1032b3dc8888f6f4cb8ecc2c6e216fe6da7d8e018693aa0a

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 d2cd7416054f0ed449be98406fc5ea48
SHA1 5e5500789d4e7c5228c17996bcc546fd941f2d01
SHA256 a9bf08e76fa6589e5df0f8f39f8412019442b0a8041e0fc61ea107c829e83acd
SHA512 616835191a3b0e8b967dd1771604b7da9f251981c53bb3f2532dbb293282fe2f78374326dc9e996a78838cca59dc474591cce0792a7a1cabef6b8340fc0171b5

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 1aa2058a035ce555599aae58442c5f65
SHA1 ef76cfb162def1af7dc7368e9293ddacf9f58043
SHA256 3c48ae735a010dabfcd5021962aca7effbfe1d5e6f216e8261109c77010e2486
SHA512 0e375ec40cf99601229a68765a4547e14ec6023ed38c467d70375f987fd1afb04a44dc55d43bd77443643589987367cf9805975b3b6ae2de688cdcdd1b7cd14e

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 311f70cd5cacf074b139775669cbee74
SHA1 5da4b749a0be5362ab764adde731611e70e7d016
SHA256 797d69ceda7fc8e042d37ecca4f95f10eff532c91ea801fa9a4d7c5925adaaac
SHA512 a7cbdf8f96ce5c96d857ef1a17b742dab0c7b5eb633d2d5579f07f3fd28dfbe3b4bb82b32c8afc8c8699f2020021105268106e3a37ce3cb848aa71f839596e67

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 ac45608cc5520683351ee21e88d4f9bb
SHA1 8bca2e96843168727a0b323f066ba15704b2d9b0
SHA256 29287811896f49bbf7e0911f8c45253973ec742d75c140103112c7928265034c
SHA512 1c73722e2d298e1d31526c5c399280a0818f8935354aa7f95b955a6f33ce3ef66acfacfc3c0748efebb5e00f84ab3bf777ac4ba67d9254e53fb7bfa182fb13e8

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 3d8e14e2d4e7f7f2f77993680320df55
SHA1 133920102c471d6339b5cc89200f2dcf2873de08
SHA256 b07729fdbc3681548260802aa8d7ed0af87256680c1d852d1ded28bce5cea640
SHA512 c287b08eed8fc49e2aa92d43e1db13286013aca42cd40047903fb5318747d13eb594c0001bc6a659ad2670f39cc9acecc590204acd69f3022a53ec2791a1bbe5

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 25525d522fb86a81da81132e3eedab61
SHA1 b9eb091bd37af0f447b960064fbf7dc759265446
SHA256 c64751422eb0f32b11cc024e28f77406906526c622c46b3e5281b1482b88f0d4
SHA512 cce9e6564890a99a3049c318c12caf205eda5ccc05dc1e3903bd0569e0aca0cb158040ec8316befdc29192635d6a3f191bcbd52873ec477c2c756bf91a6639f5

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 20efd730e5d35049f19de9823f9a018e
SHA1 4e327df90826545212d8be61115685d277c958d3
SHA256 83e45e0610b4347823df4d7743cc284a629591aba02380ac2fd28d4fa4623d9a
SHA512 1ef6a7aafcf60121e9a382c54d750ca1514cf859c272ad153c41793666a183ca8a0455094f95bb66d3ccd0edceda187e605a5d7e531076b75adb2b012163a365

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 69f1c44f4d09bc9800c7ed9e5d25415c
SHA1 fe8c31bec921cf3a12b323b69746702e2a508bea
SHA256 74b5bbeeea1038dab26a4024ff57abf0415033b24fd771346e316c00b0f0f4c1
SHA512 a965efe1693743df23d03344d328a7ba18b06c6168cf2f44bcf3fac22c73b638dad9cf5b6e217236bd4b11942a5ba6f9986958a189fbcac6eedf45272c19f3b7

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 7c76e008096c0a2b37576db297f8dadb
SHA1 218e08e177ed024b5330075f26af3685d3a03c93
SHA256 3b8c7dc34a0b655b6eaf52eb4802eca66a6be5b06d0958c803dea0f8177dde43
SHA512 d6a9084f4f95fd29116997177f5f5c34755eee6fd8e783636af1e17e762654d063e8ab5700610c24793d1b895b2e37e6ea4d1c5e092ff9b1079c32ff3276239d

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 742e1b04d218d9a05c159a90095486b0
SHA1 070eeb9b65ad1beee645acf86b95e7eb9a52881e
SHA256 d41beaafdd247c059951b8d29bfbe982c2bc69c6bee33f13e207394731d24801
SHA512 99ed243acb8f5af8ac6c78201277d35162c990fe278a1e5424fdb6cbe2fcc6dff50ef3e57cd41d6b1ed5b49fa783587d87662e12548f914788bd7a9e71617b32

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 9ffa70e86917dfef6b14679c3f826214
SHA1 5a115ffe0d82ec724bde29f8ef781b43e9a43488
SHA256 d9b5cd31032fc4319e314f4149ad11e734e72a7330c19115020d1999dae45f67
SHA512 812b525ec5ed2e064a61f5cb6bb6cd39148f546d733ec3785ea158fb7ad1800d26e26233068ce9bcc572e061ed63c603a34806e2f8d87e23da4bf32a34c7cff6

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 abee7a37df351230268a6bb94a0b1d45
SHA1 9b342ed28174076aedf00e6d9d621a57cc3822f0
SHA256 79efe6fff1371db301e82bc49f77ecdd28c0b19a48c979bf9ea59f9e23d2f657
SHA512 f52159c0039696e2ddf54cd2cba5c3f598b58d7d09797235baead986eeab9f2da4d566786ad414b0bf35a57bc12433c79165691f9b9e7c5c3d537faa53e9748c

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 23b300bc3f5bc01cb08742d3df5594c5
SHA1 8679d774c0bf4c0503a2b90604736dbbb684fea1
SHA256 a4bd0283b0feadafd088a33fbd569aec8a8e7034d86cc3716c812e6a05a1b9e9
SHA512 9fd3f71a4e6cecafe810e38c2c8a03c02e83b4d3af89bd0e05826add4e3eb22e7adeabb101f338a0e43278bd177c840e4162d85c47331ee985d247927d458c26

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 470d39318c8ad8a558efbe53d48763dc
SHA1 7b67ee5df648eceb92b76a7a97f2f8e9ac273f01
SHA256 70d3060fa78eedc5746c7085f710451f4898ce9d10532de3a3ca7e006cdc9256
SHA512 42a0ab1ff12d213283c1ed44d1af01236e14bfb9f064acc5da4a7313525ba619d1be75eac14e940f959c954348a5137c65d2e3496d7bb7e0bf8ce90a20495d26

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 bfa8344961a09af39ffd21d8a52ba835
SHA1 3cee883bf61a2fcc64ab6cbe45d0938f5be449df
SHA256 b3e2b4b2732ee5fca5325934b0d789f1e7514669ee76a8e19a62d88865de09a6
SHA512 ebc569093efea4e76f6c934e5ca71c8f8fe8ef9318cb7528395a73e8a77a2c2564a699e8bc03dd421fe4dd22226bc7c248c79206c89ae40f71e41d673ee754bd

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 99b72102432c5d36609f34f9dd066231
SHA1 87901cf56dd56b13cc855bdb722d3abd7f8dc126
SHA256 72eaada8c691ba273166b72a947a1650c69b047f61fd447fbee8f4cccb76dda1
SHA512 a7d70d7b056a08797008fcc0b40b7ac1fe78bce10ad8b2e0b8a2172872bc18ebcf49f4dea58838f1ea07be466e694e88c397f07e0b1ba912193329c984189e95

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.jfm

MD5 04ef51c749993aaf34364f6df1654abd
SHA1 5ebdb66350b1b9341d1e47c4e95d87c6a533db48
SHA256 567afbb68f0d22f937e291a54029332ae50c0099ac966c90086c47f8624a94d5
SHA512 5679ef5b29bb9692023f6cfdff60f59cc6055bdfd258e1b756b62c1af6f9a3122606b045cc85aaddcc3eeab2d8db638dc144b23ec6533ae937cf62b6eb29192e

C:\Users\Admin\AppData\Local\Temp\7zS80FE2EC7\d.INTEG.RAW

MD5 02a09338f5cad3ae08ee2a73531a0036
SHA1 1afdc103edbb818ab5b578c163fb9bf653e0afd4
SHA256 198da823da9aa9cd690f9e458da852cb0f49a36e8b005645a26a3abb855d74ff
SHA512 9aed28575691a126e93a75f2ad6eb2ea113595cdd624ce218868bf03eb0baefd8811edfae34b898183d00a8b95e1b0ade57a812773092cc8a92c6400b64dfa55

memory/1468-635-0x0000000000400000-0x0000000000759000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 09:32

Reported

2024-11-26 09:35

Platform

win7-20240708-en

Max time kernel

54s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\a6d6262485.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\a6d6262485.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\ed10a8b2b3d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\ed10a8b2b3d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\30dd64a3b09404.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\30dd64a3b09404.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\a6d6262485.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\c65040c72c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\c65040c72c7.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\6f0ef9103.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\6f0ef9103.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AskFinder\is-9HDV7.tmp C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A
File opened for modification C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A
File created C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\ed10a8b2b3d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\c65040c72c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\a6d6262485.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\6f0ef9103.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\30dd64a3b09404.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\ed10a8b2b3d6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\ed10a8b2b3d6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob data omitted) C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\ed10a8b2b3d6.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\757755d929c68.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\29dc9096b9.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2396 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe
PID 2396 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe
PID 2396 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe
PID 2396 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe
PID 2396 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe
PID 2396 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe
PID 2396 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe
PID 2884 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
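
The rows above are printed one per write event, so every spawn appears several times and the parent/child chain is hard to read off the table. The script below is an added example, not part of the sandbox report or of any tool it references: it collapses those rows into the spawn tree. It assumes only the row layout printed above, and embeds a subset of the rows from this table, with the first spawn repeated to show the de-duplication.

```python
import re
from collections import Counter, defaultdict

# One row per write event, as printed in the table above:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
# Image paths in this report contain no spaces, so \S+ is enough; a log with
# spaces in paths would need the columns anchored on the drive letter instead.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SFX = TMP + r"\7zSC59729A6"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Rows taken from the table above (a subset). The first spawn is listed twice
# on purpose: the sandbox logs every write into the child, so spawns repeat.
REPORT_ROWS = [
    f"PID 2568 wrote to memory of 2396 N/A {TMP}\\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe {TMP}\\setup_installer.exe",
    f"PID 2568 wrote to memory of 2396 N/A {TMP}\\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe {TMP}\\setup_installer.exe",
    f"PID 2396 wrote to memory of 2884 N/A {TMP}\\setup_installer.exe {SFX}\\setup_install.exe",
] + [
    f"PID 2884 wrote to memory of {child} N/A {SFX}\\setup_install.exe {CMD}"
    for child in (2628, 2928, 2792, 2900, 2864, 2712, 1564, 2596)
]


def parse_rows(rows):
    """Collapse write events into edges {(src_pid, dst_pid): (src_img, dst_img)} plus a write count per edge."""
    edges, writes = {}, Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:                         # header, blank line, or a row in another format
            continue
        key = (int(m["src"]), int(m["dst"]))
        edges[key] = (m["src_img"], m["dst_img"])
        writes[key] += 1
    return edges, writes


def spawn_tree(edges):
    """Return (children by parent PID, root PIDs, image path by PID)."""
    children, names = defaultdict(list), {}
    targets = {dst for _, dst in edges}
    for (src, dst), (src_img, dst_img) in edges.items():
        children[src].append(dst)
        names.setdefault(src, src_img)
        names[dst] = dst_img
    roots = sorted(pid for pid in names if pid not in targets)
    return {p: sorted(c) for p, c in children.items()}, roots, names


def render(rows):
    """Indented tree as a list of lines, one per process, with the write count from its parent."""
    edges, writes = parse_rows(rows)
    children, roots, names = spawn_tree(edges)
    lines, seen = [], set()

    def walk(pid, parent, depth):
        if pid in seen:                   # guard against a malformed log that loops
            return
        seen.add(pid)
        base = names[pid].rsplit("\\", 1)[-1]
        note = f"  ({writes[(parent, pid)]} write events)" if parent is not None else ""
        lines.append(f"{'  ' * depth}{pid} {base}{note}")
        for child in children.get(pid, []):
            walk(child, pid, depth + 1)

    for root in roots:
        walk(root, None, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(REPORT_ROWS)))
```

The repeats are expected: the signature fires on every write the parent makes into the child, so a process that spawns several children produces many rows. What matters for triage is the collapsed chain, which matches the Processes section below: the sample starts setup_installer.exe, that starts setup_install.exe from the 7zSC59729A6 extraction directory, and that in turn launches each dropped payload through its own cmd.exe.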

Processes

C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME11.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cb4071ec97a2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 30dd64a3b09404.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6f0ef9103.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c a6d6262485.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c65040c72c7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ed10a8b2b3d6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 757755d929c68.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 29dc9096b9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\29dc9096b9.exe

29dc9096b9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\a6d6262485.exe

a6d6262485.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\30dd64a3b09404.exe

30dd64a3b09404.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\ed10a8b2b3d6.exe

ed10a8b2b3d6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\757755d929c68.exe

757755d929c68.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe

cb4071ec97a2.exe

C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp" /SL5="$60120,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\a6d6262485.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\c65040c72c7.exe

c65040c72c7.exe

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\6f0ef9103.exe

6f0ef9103.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 272

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 932

Network

Country Destination Domain Proto
US 8.8.8.8:53 marisana.xyz udp
RU 186.2.171.3:80 186.2.171.3 tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 ipinfo.io udp
GB 37.0.8.235:80 tcp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 proxycheck.io udp
US 172.67.75.219:80 proxycheck.io tcp
US 8.8.8.8:53 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com udp
JP 52.219.163.22:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
JP 52.219.163.22:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 music-sec.xyz udp
US 162.159.134.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:49268 tcp
N/A 127.0.0.1:49270 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
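
The network table above mixes four different things: DNS lookups sent to the sandbox resolver (8.8.8.8:53, where the Domain column is the name being looked up), loopback sockets, connections made straight to an IP address (some rows print no Domain value at all, others print the IP again), and connections to an address obtained from a name. The script below is an added example, not from the report or any sandbox tooling, that separates those cases before anyone turns the table into a blocklist; it assumes only the column layout shown and embeds a subset of the rows above.

```python
import ipaddress

# Column layout of the Network table above: Country Destination Domain Proto.
# On some rows the sandbox prints no Domain at all (three tokens instead of
# four), and on others the Domain is the bare IP; both mean "no name involved".
# Subset of the rows above; destinations are IPv4 as printed in this report.
NETWORK_ROWS = """
US 8.8.8.8:53 marisana.xyz udp
RU 186.2.171.3:80 186.2.171.3 tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 ipinfo.io udp
GB 37.0.8.235:80 tcp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 proxycheck.io udp
US 172.67.75.219:80 proxycheck.io tcp
N/A 127.0.0.1:49268 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.146:80 crl.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
"""

DNS_PORT = 53


def parse_network_rows(text):
    """One dict per data row; the Domain field is None when absent or N/A."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:             # row printed without a Domain value
            country, dest, proto = parts
            domain = None
        else:
            continue                      # blank line or garbage
        ip, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue                      # header line or malformed destination
        records.append({
            "country": None if country == "N/A" else country,
            "ip": ip,
            "port": int(port),
            "domain": None if domain in (None, "N/A") else domain,
            "proto": proto.lower(),
        })
    return records


def classify(rec):
    """Say what kind of observable a row is before it becomes an indicator."""
    if ipaddress.ip_address(rec["ip"]).is_loopback:
        return "loopback"                 # local socket, never leaves the box
    if rec["proto"] == "udp" and rec["port"] == DNS_PORT:
        return "dns_query"                # Domain is the name looked up; 8.8.8.8 is only the resolver
    if rec["domain"] is None or rec["domain"] == rec["ip"]:
        return "direct_ip"                # connected straight to an address, no name
    return "connection"                   # connected to an address obtained from a name


def extract_iocs(text):
    """Group the rows into the buckets a blocklist or a hunt query actually needs."""
    looked_up, direct, named = set(), set(), set()
    for rec in parse_network_rows(text):
        kind = classify(rec)
        if kind == "dns_query" and rec["domain"]:
            looked_up.add(rec["domain"])
        elif kind == "direct_ip":
            direct.add((rec["ip"], rec["port"]))
        elif kind == "connection":
            named.add((rec["domain"], rec["ip"], rec["port"]))
    connected_names = {d for d, _, _ in named}
    return {
        "looked_up": sorted(looked_up),
        "direct_ip": sorted(direct, key=lambda t: (ipaddress.ip_address(t[0]), t[1])),
        "named": sorted(named),
        # looked up but never connected to within the capture: failed resolution,
        # blocked, or outside the capture window; still worth recording
        "resolved_only": sorted(looked_up - connected_names),
    }


if __name__ == "__main__":
    for bucket, items in extract_iocs(NETWORK_ROWS).items():
        print(bucket)
        for item in items:
            print("  ", item)
```

Treat the output as a starting point rather than a blocklist. ipinfo.io and iplogger.org are flagged by the report itself under "Looks up external IP address via web service" and "Legitimate hosting services abused for malware hosting/C2", so they call for alerting on the full URL rather than blocking the host; the same applies to the Amazon S3, Discord CDN and Tumblr hosts in the full table. The connections made straight to an address on ports 80 and 443, with no name attached, are the more specific network indicators from this run, and a name that was looked up but never connected to may simply have failed to resolve or fallen outside the capture window.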

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 bc3529a39749e698e030aaed73343ac7
SHA1 4420f1445bf7dd0ccb3e795ab77a1ce3e6f2501d
SHA256 82445c54c2679f15b883f34a95ccdfec4828ad72dc5e609c9281c522561cb74b
SHA512 12fe58c706cfe6590af9c36a0ae99ff33def04196c0cc5bea6684ea585c61186f98fd72e23be02535985460f56b122692378a90b03af98805096d4fddfd4e2be

\Users\Admin\AppData\Local\Temp\7zSC59729A6\setup_install.exe

MD5 94fcd8b53e0f74e1e8ab62e03f6dc633
SHA1 1ffd87916893938ccc405a8d5e677ce4ea20941d
SHA256 4dc9a5a7b1f6773c32403ef2117b528ca8080bd370a7a1dc890365918d05d744
SHA512 142c10ab6b845939c1e73a654d2b089132c2981212c027222d8917011d8b34250aae29b24f110f025c61f72aa3ca976da3c0032d6828a96b9e783969025e221f

\Users\Admin\AppData\Local\Temp\7zSC59729A6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zSC59729A6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2884-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2884-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2884-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2884-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC59729A6\ed10a8b2b3d6.exe

MD5 da4e3e9ae2be8837db231d73e1e786b3
SHA1 ef3f564a1d383f0b2a414d28e1306a07d0ba48e4
SHA256 71d23587d979836b040040aea184367566eb878d4f76ccb001e85adb6e050647
SHA512 df8dfd65526a1b2c08d8b3eca0e15c31960118fbc0354e80b75aa2d56bad998ecefb55ada3daa6c22ef7f5be5f09a19311d7d08534ba37bcc1780b03a0a49a04

C:\Users\Admin\AppData\Local\Temp\7zSC59729A6\a6d6262485.exe

MD5 58c203a58312c6121c932e9a59079064
SHA1 f57f41180fbe8e5dffafef79ea88f707c5cb748a
SHA256 3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
SHA512 e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

memory/2884-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2884-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2884-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2884-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2884-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2884-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2884-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2884-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC59729A6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zSC59729A6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zSC59729A6\29dc9096b9.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

\Users\Admin\AppData\Local\Temp\7zSC59729A6\c65040c72c7.exe

MD5 0b31b326131bbbd444a76bc37fe708fd
SHA1 2c71c646a257b7749b8a055744112056b92d4ff2
SHA256 491b5dd65f81070616fab1c5513842e8d2405b3bbb44ab0c8fb5b3e26bbe017f
SHA512 0eb8c8e08fd46dc2ca6b87fa7393c2f2bdd25289529a69beedefa443a44f8067fdec9f1b2bf4257de6e16750dadc0f10729a86db23cd00f9fbeda58d5a43c75e

\Users\Admin\AppData\Local\Temp\7zSC59729A6\cb4071ec97a2.exe

MD5 3263859df4866bf393d46f06f331a08f
SHA1 5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA512 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

memory/2900-126-0x00000000027B0000-0x0000000002B09000-memory.dmp

memory/1984-134-0x0000000000D80000-0x00000000010D9000-memory.dmp

memory/1984-132-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2900-125-0x00000000027B0000-0x0000000002B09000-memory.dmp

memory/1984-127-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2672-137-0x0000000001130000-0x0000000001162000-memory.dmp

memory/1912-136-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC59729A6\6f0ef9103.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

\Users\Admin\AppData\Local\Temp\is-1BO0H.tmp\a6d6262485.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

\Users\Admin\AppData\Local\Temp\7zSC59729A6\757755d929c68.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

memory/2924-139-0x0000000000C00000-0x0000000000C3C000-memory.dmp

memory/2672-141-0x0000000000140000-0x0000000000146000-memory.dmp

memory/1648-86-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2672-142-0x0000000000150000-0x0000000000172000-memory.dmp

memory/2672-143-0x0000000000170000-0x0000000000176000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC59729A6\30dd64a3b09404.exe

MD5 a6b572db00b94224d6637341961654cb
SHA1 9f0dbcce0496fede379ce4ecbfc2aa2afbb8ee8c
SHA256 91ef165ad61d09dfda345f827b8ff78a18a3e40d8e12454cdb494d1555af7656
SHA512 39ad03d8645a3a90b770b4fe05c43c2dadfc8b80277688ec01597bc0cda6b3fafe9e158f72ebc7db4ce98605f44fe3eacda6573f9e32e01bda0ad66efc17274c

C:\Users\Admin\AppData\Local\Temp\CabC525.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1984-160-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2884-167-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2884-169-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2884-168-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2884-161-0x0000000000400000-0x0000000000875000-memory.dmp

memory/2884-165-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2884-162-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarCF80.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/304-224-0x0000000000400000-0x000000000095B000-memory.dmp

memory/1648-223-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2660-228-0x0000000000400000-0x0000000000907000-memory.dmp

memory/2924-227-0x0000000000C00000-0x0000000000C3C000-memory.dmp

memory/2924-226-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2924-238-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1648-244-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2924-243-0x0000000000400000-0x00000000004BD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 09:32

Reported

2024-11-26 09:35

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp N/A
File created C:\Program Files (x86)\AskFinder\is-K4H1B.tmp C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp N/A
File opened for modification C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\ed10a8b2b3d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\30dd64a3b09404.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\c65040c72c7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\a6d6262485.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\c65040c72c7.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\c65040c72c7.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\c65040c72c7.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\757755d929c68.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\29dc9096b9.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2584 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2584 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2584 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4024 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe
PID 4024 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe
PID 4024 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe
PID 2452 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\c65040c72c7.exe
PID 1068 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\c65040c72c7.exe
PID 1068 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\c65040c72c7.exe
PID 3948 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe
PID 3948 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe
PID 3948 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe
PID 4532 wrote to memory of 1008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe
PID 4532 wrote to memory of 1008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe
PID 4532 wrote to memory of 1008 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe
PID 2276 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\29dc9096b9.exe
PID 2276 wrote to memory of 3180 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\29dc9096b9.exe
PID 1412 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\30dd64a3b09404.exe
PID 1412 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\30dd64a3b09404.exe
PID 1412 wrote to memory of 4032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\30dd64a3b09404.exe
PID 3056 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\ed10a8b2b3d6.exe
PID 3056 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\ed10a8b2b3d6.exe
PID 3056 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\ed10a8b2b3d6.exe
PID 3532 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\a6d6262485.exe
PID 3532 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\a6d6262485.exe
PID 3532 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\a6d6262485.exe
PID 2260 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\a6d6262485.exe C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp
PID 2260 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\a6d6262485.exe C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp
PID 2260 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\a6d6262485.exe C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp
PID 3632 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\757755d929c68.exe
PID 3632 wrote to memory of 3696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\757755d929c68.exe
PID 1008 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe
PID 1008 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe
PID 1008 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME11.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cb4071ec97a2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 30dd64a3b09404.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6f0ef9103.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c a6d6262485.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c65040c72c7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ed10a8b2b3d6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 757755d929c68.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 29dc9096b9.exe

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\c65040c72c7.exe

c65040c72c7.exe

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\6f0ef9103.exe

6f0ef9103.exe

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe

cb4071ec97a2.exe

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\29dc9096b9.exe

29dc9096b9.exe

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\30dd64a3b09404.exe

30dd64a3b09404.exe

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\ed10a8b2b3d6.exe

ed10a8b2b3d6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\a6d6262485.exe

a6d6262485.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2452 -ip 2452

C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N1QUE.tmp\a6d6262485.tmp" /SL5="$7004A,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\a6d6262485.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 556

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\757755d929c68.exe

757755d929c68.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4064 -ip 4064

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\cb4071ec97a2.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3400 -ip 3400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1608

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 cdn.discordapp.com udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 music-sec.xyz udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
US 34.117.59.81:443 ipinfo.io tcp
US 104.26.3.46:443 iplogger.org tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 live.goatgame.live udp
N/A 127.0.0.1:58550 tcp
N/A 127.0.0.1:58552 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 proxycheck.io udp
US 172.67.75.219:80 proxycheck.io tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 219.75.67.172.in-addr.arpa udp
JP 52.219.152.106:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
JP 52.219.152.106:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 106.152.219.52.in-addr.arpa udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 bc3529a39749e698e030aaed73343ac7
SHA1 4420f1445bf7dd0ccb3e795ab77a1ce3e6f2501d
SHA256 82445c54c2679f15b883f34a95ccdfec4828ad72dc5e609c9281c522561cb74b
SHA512 12fe58c706cfe6590af9c36a0ae99ff33def04196c0cc5bea6684ea585c61186f98fd72e23be02535985460f56b122692378a90b03af98805096d4fddfd4e2be

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\setup_install.exe

MD5 94fcd8b53e0f74e1e8ab62e03f6dc633
SHA1 1ffd87916893938ccc405a8d5e677ce4ea20941d
SHA256 4dc9a5a7b1f6773c32403ef2117b528ca8080bd370a7a1dc890365918d05d744
SHA512 142c10ab6b845939c1e73a654d2b089132c2981212c027222d8917011d8b34250aae29b24f110f025c61f72aa3ca976da3c0032d6828a96b9e783969025e221f

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2452-47-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2452-46-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2452-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2452-43-0x0000000000B10000-0x0000000000B9F000-memory.dmp

memory/2452-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2452-36-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8BFC31A7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

Analysis: behavioral3

Detonation Overview

Submitted 2024-11-26 09:32
Reported 2024-11-26 09:35
Platform win7-20241010-en
Max time kernel 68s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload


Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\c65040c72c7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\cb4071ec97a2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\ed10a8b2b3d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\6f0ef9103.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\a6d6262485.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\30dd64a3b09404.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp N/A
File created C:\Program Files (x86)\AskFinder\is-FR2OE.tmp C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp N/A
File opened for modification C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1964227\cb4071ec97a2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1964227\30dd64a3b09404.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1964227\ed10a8b2b3d6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1964227\a6d6262485.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1964227\6f0ef9103.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1964227\c65040c72c7.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSC1964227\ed10a8b2b3d6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zSC1964227\ed10a8b2b3d6.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\757755d929c68.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\29dc9096b9.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe
PID 2476 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2476 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME11.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cb4071ec97a2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 30dd64a3b09404.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6f0ef9103.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c a6d6262485.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c65040c72c7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ed10a8b2b3d6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 757755d929c68.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 29dc9096b9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\c65040c72c7.exe

c65040c72c7.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\cb4071ec97a2.exe

cb4071ec97a2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\757755d929c68.exe

757755d929c68.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\a6d6262485.exe

a6d6262485.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\ed10a8b2b3d6.exe

ed10a8b2b3d6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\30dd64a3b09404.exe

30dd64a3b09404.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\6f0ef9103.exe

6f0ef9103.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\cb4071ec97a2.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC1964227\cb4071ec97a2.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\29dc9096b9.exe

29dc9096b9.exe

C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp" /SL5="$7014C,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC1964227\a6d6262485.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 948

Network

Country  Destination          Domain                                                                Proto
US       8.8.8.8:53           marisana.xyz                                                          udp
GB       37.0.8.235:80        -                                                                     tcp
US       8.8.8.8:53           live.goatgame.live                                                    udp
RU       186.2.171.3:80       186.2.171.3                                                           tcp
RU       186.2.171.3:443      186.2.171.3                                                           tcp
US       8.8.8.8:53           ipinfo.io                                                             udp
US       34.117.59.81:80      ipinfo.io                                                             tcp
US       34.117.59.81:443     ipinfo.io                                                             tcp
US       34.117.59.81:443     ipinfo.io                                                             tcp
US       8.8.8.8:53           proxycheck.io                                                         udp
US       172.67.75.219:80     proxycheck.io                                                         tcp
US       8.8.8.8:53           24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com  udp
JP       52.219.172.114:80    24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com  tcp
JP       52.219.172.114:80    24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com  tcp
US       8.8.8.8:53           cdn.discordapp.com                                                    udp
US       162.159.135.233:443  cdn.discordapp.com                                                    tcp
US       8.8.8.8:53           music-sec.xyz                                                         udp
US       8.8.8.8:53           lenak513.tumblr.com                                                   udp
US       74.114.154.22:443    lenak513.tumblr.com                                                   tcp
N/A      127.0.0.1:49264      -                                                                     tcp
N/A      127.0.0.1:49266      -                                                                     tcp
US       8.8.8.8:53           iplogger.org                                                          udp
US       104.26.2.46:443      iplogger.org                                                          tcp
US       104.26.2.46:443      iplogger.org                                                          tcp
SG       37.0.11.8:80         -                                                                     tcp
US       8.8.8.8:53           www.microsoft.com                                                     udp
US       23.192.22.93:80      www.microsoft.com                                                     tcp
US       8.8.8.8:53           wfsdragon.ru                                                          udp
US       172.67.133.215:80    wfsdragon.ru                                                          tcp
SG       37.0.10.236:80       -                                                                     tcp
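
As an added triage example (editor-written, not part of this sandbox report and not the sandbox vendor's tooling): the script below parses the Command Line list and the Network table above, reconstructs the drop chain (the 7-Zip SFX temp directory, each child started through cmd.exe /c, the Inno Setup /SL5 re-launch and the PIDs that WerFault reported) and buckets each connection so that the IP-lookup services and the public hosting platforms stand out from ordinary DNS and loopback traffic. The sample rows are copied from the report; the category names, the regular expressions and the lists of IP-check and hosting domains are this example's own assumptions.

```python
"""Triage helpers for the Command Line and Network sections of a sandbox report.

Added example by the editor, not part of the report or any vendor tooling.
Samples are copied from the report above; the categories, regexes and the
service lists are assumptions about what is worth flagging.
"""
import re
from collections import Counter

# Constructed sample: a subset of the report's command lines, pasted verbatim.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe"',
    r'C:\Windows\system32\cmd.exe /c APPNAME11.exe',
    r'C:\Windows\system32\cmd.exe /c cb4071ec97a2.exe',
    r'C:\Windows\system32\cmd.exe /c a6d6262485.exe',
    r'"C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp" '
    r'/SL5="$7014C,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC1964227\a6d6262485.exe"',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 428',
]

# Constructed sample: report rows in the flattened "Country Destination [Domain] Proto" layout.
NETWORK_ROWS = """\
US 8.8.8.8:53 marisana.xyz udp
GB 37.0.8.235:80 tcp
US 34.117.59.81:443 ipinfo.io tcp
US 172.67.75.219:80 proxycheck.io tcp
JP 52.219.172.114:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 104.26.2.46:443 iplogger.org tcp
N/A 127.0.0.1:49264 tcp
"""

# 7-Zip SFX stubs unpack into %TEMP%\7zS<hex>\ ; Inno Setup re-launches its unpacked
# copy from %TEMP%\is-XXXXX.tmp with /SL5="...,<path of the original exe>".
SFX_DIR_RE = re.compile(r'\\(7zS[0-9A-Fa-f]+)\\')
CMD_C_RE = re.compile(r'cmd\.exe\s+/c\s+(\S+)', re.IGNORECASE)
INNO_SL5_RE = re.compile(r'/SL5="[^,]*,\d+,\d+,([^"]+)"')
WERFAULT_RE = re.compile(r'WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+\d+')
NET_ROW_RE = re.compile(
    r'^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
    r'(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$')

# Assumed lists: "what is my IP / am I proxied" services, and hosting platforms used to stage payloads.
IP_CHECK_SERVICES = {'ipinfo.io', 'proxycheck.io', 'iplogger.org'}
HOSTING_SUFFIXES = ('.amazonaws.com', '.discordapp.com', '.tumblr.com')

def parse_network(text):
    """Turn the flattened Network table into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NET_ROW_RE.match(line.strip())
        if not m:
            continue
        domain = m.group('domain')
        rows.append({'country': m.group('country'), 'ip': m.group('ip'),
                     'port': int(m.group('port')),
                     'domain': None if domain in (None, '-') else domain,
                     'proto': m.group('proto')})
    return rows

def classify_destination(row):
    """Coarse bucket for one connection; order matters (DNS is tested before loopback)."""
    if row['proto'] == 'udp' and row['port'] == 53:
        return 'dns'
    if row['ip'].startswith('127.'):
        return 'loopback'
    if row['domain'] is None:
        return 'raw-ip'          # direct connect, no recorded name to block on
    if row['domain'] in IP_CHECK_SERVICES:
        return 'ip-check'
    if row['domain'].endswith(HOSTING_SUFFIXES):
        return 'hosted-payload'
    return 'other'

def summarize_network(rows):
    return Counter(classify_destination(r) for r in rows)

def flagged_domains(rows):
    """Domains worth blocking or hunting on: IP-check services and hosting abuse."""
    return sorted({r['domain'] for r in rows
                   if classify_destination(r) in ('ip-check', 'hosted-payload')})

def triage_command_lines(cmds):
    """Extract the drop chain: SFX temp dirs, cmd /c children, Inno sources, crashed PIDs."""
    out = {'sfx_dirs': set(), 'cmd_launched': [], 'inno_sources': [], 'crashed_pids': []}
    for c in cmds:
        if m := SFX_DIR_RE.search(c):
            out['sfx_dirs'].add(m.group(1))
        if m := CMD_C_RE.search(c):
            out['cmd_launched'].append(m.group(1))
        if m := INNO_SL5_RE.search(c):
            out['inno_sources'].append(m.group(1))
        if m := WERFAULT_RE.search(c):
            out['crashed_pids'].append(int(m.group(1)))
    return out

if __name__ == '__main__':
    net = parse_network(NETWORK_ROWS)
    print(dict(summarize_network(net)), flagged_domains(net))
    print(triage_command_lines(COMMAND_LINES))
```

The parser accepts both an empty Domain cell and a '-' placeholder. Connections with no recorded domain are kept in their own bucket on purpose: a hostname blocklist never sees a direct-to-IP connect, so those destinations need IP-based controls rather than DNS filtering.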

Files

\Users\Admin\AppData\Local\Temp\7zSC1964227\setup_install.exe

MD5 94fcd8b53e0f74e1e8ab62e03f6dc633
SHA1 1ffd87916893938ccc405a8d5e677ce4ea20941d
SHA256 4dc9a5a7b1f6773c32403ef2117b528ca8080bd370a7a1dc890365918d05d744
SHA512 142c10ab6b845939c1e73a654d2b089132c2981212c027222d8917011d8b34250aae29b24f110f025c61f72aa3ca976da3c0032d6828a96b9e783969025e221f

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zSC1964227\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

\Users\Admin\AppData\Local\Temp\7zSC1964227\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2476-33-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2476-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2476-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2476-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2476-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2476-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2476-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\cb4071ec97a2.exe

MD5 3263859df4866bf393d46f06f331a08f
SHA1 5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA512 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\c65040c72c7.exe

MD5 0b31b326131bbbd444a76bc37fe708fd
SHA1 2c71c646a257b7749b8a055744112056b92d4ff2
SHA256 491b5dd65f81070616fab1c5513842e8d2405b3bbb44ab0c8fb5b3e26bbe017f
SHA512 0eb8c8e08fd46dc2ca6b87fa7393c2f2bdd25289529a69beedefa443a44f8067fdec9f1b2bf4257de6e16750dadc0f10729a86db23cd00f9fbeda58d5a43c75e

\Users\Admin\AppData\Local\Temp\7zSC1964227\ed10a8b2b3d6.exe

MD5 da4e3e9ae2be8837db231d73e1e786b3
SHA1 ef3f564a1d383f0b2a414d28e1306a07d0ba48e4
SHA256 71d23587d979836b040040aea184367566eb878d4f76ccb001e85adb6e050647
SHA512 df8dfd65526a1b2c08d8b3eca0e15c31960118fbc0354e80b75aa2d56bad998ecefb55ada3daa6c22ef7f5be5f09a19311d7d08534ba37bcc1780b03a0a49a04

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\30dd64a3b09404.exe

MD5 a6b572db00b94224d6637341961654cb
SHA1 9f0dbcce0496fede379ce4ecbfc2aa2afbb8ee8c
SHA256 91ef165ad61d09dfda345f827b8ff78a18a3e40d8e12454cdb494d1555af7656
SHA512 39ad03d8645a3a90b770b4fe05c43c2dadfc8b80277688ec01597bc0cda6b3fafe9e158f72ebc7db4ce98605f44fe3eacda6573f9e32e01bda0ad66efc17274c

\Users\Admin\AppData\Local\Temp\7zSC1964227\29dc9096b9.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

memory/2956-103-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC1964227\a6d6262485.exe

MD5 58c203a58312c6121c932e9a59079064
SHA1 f57f41180fbe8e5dffafef79ea88f707c5cb748a
SHA256 3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
SHA512 e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

\Users\Admin\AppData\Local\Temp\7zSC1964227\6f0ef9103.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

memory/2912-119-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2592-122-0x0000000002480000-0x00000000027D9000-memory.dmp

memory/2912-120-0x0000000000D70000-0x00000000010C9000-memory.dmp

memory/2912-121-0x0000000000D70000-0x00000000010C9000-memory.dmp

memory/2988-117-0x0000000000230000-0x0000000000262000-memory.dmp

memory/2592-115-0x0000000002480000-0x00000000027D9000-memory.dmp

memory/1912-114-0x0000000000310000-0x0000000000318000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GHS5A.tmp\a6d6262485.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/2912-112-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2988-134-0x0000000000510000-0x0000000000516000-memory.dmp

memory/2988-138-0x0000000000520000-0x0000000000542000-memory.dmp

memory/2692-136-0x0000000001DE0000-0x0000000001E1C000-memory.dmp

memory/2988-139-0x00000000005C0000-0x00000000005C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1964227\757755d929c68.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

C:\Users\Admin\AppData\Local\Temp\Cab1D14.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2912-156-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar29DF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2476-196-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-191-0x0000000000400000-0x0000000000875000-memory.dmp

memory/2476-195-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2476-194-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2476-193-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2476-192-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2956-217-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2256-216-0x0000000000400000-0x0000000000907000-memory.dmp

memory/2272-218-0x0000000000400000-0x000000000095B000-memory.dmp

memory/2692-221-0x0000000001DE0000-0x0000000001E1C000-memory.dmp

memory/2692-220-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2476-231-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2476-230-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2476-229-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2476-227-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2476-223-0x0000000000400000-0x0000000000875000-memory.dmp

memory/2476-224-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2692-240-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2692-245-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2956-246-0x0000000000400000-0x0000000000414000-memory.dmp