Analysis Overview
SHA256
e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9
Threat Level: Known bad
The file aad837c26c32c147e23e49abac741d0b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Vidar family
Ffdroider family
PrivateLoader
NullMixer
FFDroider
Nullmixer family
FFDroider payload
Privateloader family
Vidar
Vidar Stealer
Checks computer location settings
VMProtect packed file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
ASPack v2.12-2.42
Checks whether UAC is enabled
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-28 03:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-28 03:41
Reported
2024-11-28 03:45
Platform
win7-20240729-en
Max time kernel
90s
Max time network
152s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\12d60c3323e093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\c61317e0d33fd92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\f43b7f406819e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\7c5d969bb386.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\d879501442ad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AskFinder\is-H3D47.tmp | C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\AskFinder\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp | N/A |
| File created | C:\Program Files (x86)\AskFinder\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\12d60c3323e093.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\c61317e0d33fd92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\d879501442ad4.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [duplicate value removed] | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe | N/A |
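The key name and Blob above are worth decoding before treating this signature as root-certificate tampering. The Blob is CryptoAPI's serialized certificate-property format: a run of records, each a little-endian 32-bit property id, a reserved field of 1, a 32-bit length and the data. Reading the records in the value above in order gives CERT_SIGNATURE_HASH (0x0f), CERT_ENHKEY_USAGE (0x09), CERT_ROOT_PROGRAM_CERT_POLICIES (0x53), a CERT_FRIENDLY_NAME (0x0b) that decodes from UTF-16LE to "C·O·M·O·D·O", CERT_KEY_IDENTIFIER (0x14), CERT_SUBJECT_NAME_MD5_HASH (0x1d), CERT_SHA1_HASH (0x03) equal to the key name D1EB23A4…64D8E349, and finally CERT_CERT (0x20) carrying a 1078-byte DER certificate. That certificate is self-signed, serial 1, issuer and subject "Comodo CA Limited" / CN "AAA Certificate Services", valid 2004-01-01 to 2028-12-31: a public root in the Microsoft Trusted Root Program, which Windows fetches on demand through automatic root update when a TLS chain ends in a root not yet present locally. An AuthRoot write of a well-known public root by a process that is making HTTPS connections is consistent with that mechanism rather than with an attacker installing a trust anchor; the checks that separate the two cases are whether the embedded certificate is a recognised public CA and whether its SHA-1 matches both the stored hash property and the key it is filed under. The script below is an added example, not part of the sandbox report or its tooling; it implements that decode and runs it on a constructed blob that uses the same record layout and friendly name as the value above but a 5-byte DER placeholder in place of the real certificate.

```python
"""Decode a CryptoAPI certificate 'Blob' registry value of the kind written under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\<SHA1>.

Added example, not part of the sandbox report. The layout is CryptoAPI's
serialized certificate-property format: a sequence of records, each
(prop_id: u32 LE, reserved: u32 LE = 1, length: u32 LE, data[length]).
The DER payload used below is a constructed placeholder, not a real certificate.
"""
import hashlib
import struct
from typing import Dict

# Property identifiers from wincrypt.h (CERT_*_PROP_ID): the ones present in the report's Blob.
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Walk the property records and return {prop_id: data}; raise on malformed input."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} in record {prop_id}")
        if length > len(blob) - off:
            raise ValueError(f"record {prop_id} length {length} overruns blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_cert_blob(props: Dict[int, bytes]) -> bytes:
    """Inverse of parse_cert_blob; used here only to construct sample input."""
    out = bytearray()
    for prop_id, data in props.items():
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return bytes(out)


def is_well_formed(blob: bytes) -> bool:
    """True when every record parses cleanly; False on truncation or bad reserved field."""
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


def check_authroot_entry(key_name: str, blob: bytes) -> dict:
    """The checks an analyst wants for one AuthRoot\\Certificates\\<key> entry: which
    properties are present, the friendly name, and whether the embedded certificate's
    SHA-1 matches both the stored hash property and the key name it is filed under."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID, b"")
    sha1 = hashlib.sha1(der).hexdigest()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "properties": [PROP_NAMES.get(p, f"PROP_{p}") for p in props],
        "friendly_name": friendly,
        "der_length": len(der),
        "sha1": sha1,
        "sha256": hashlib.sha256(der).hexdigest(),
        "sha1_matches_key_name": sha1 == key_name.lower(),
        "sha1_matches_stored_hash": sha1 == props.get(CERT_SHA1_HASH_PROP_ID, b"").hex(),
    }


# Constructed sample: same record order and friendly name as the report's Blob,
# but a 5-byte DER placeholder (SEQUENCE { INTEGER 1 }) instead of the 1078-byte root.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_SHA1 = hashlib.sha1(SAMPLE_DER).hexdigest()
SAMPLE_BLOB = build_cert_blob({
    15: b"\x00" * 20,
    9: b"\x30\x00",
    83: b"\x30\x00",
    11: "C\u00b7O\u00b7M\u00b7O\u00b7D\u00b7O\x00".encode("utf-16-le"),
    20: b"\x11" * 20,
    29: b"\x22" * 16,
    3: bytes.fromhex(SAMPLE_SHA1),
    32: SAMPLE_DER,
})

if __name__ == "__main__":
    # In live triage, key_name is the last component of the registry key path and
    # blob is the raw REG_BINARY value exported from the hive.
    for k, v in check_authroot_entry(SAMPLE_SHA1.upper(), SAMPLE_BLOB).items():
        print(f"{k}: {v}")
```

Against the real value, the CERT_CERT payload is the DER to hand to an X.509 parser or to compare against a trusted-root list; a mismatch between the computed SHA-1 and the key name, or a certificate that is not a known public CA, is what should escalate this signature.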
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\f43b7f406819e5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC8470177\7c5d969bb386.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cc9c4e191.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c61317e0d33fd92.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d879501442ad4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 12d60c3323e093.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f43b7f406819e5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME77.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 7c5d969bb386.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1e97cf058.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 773e151d8f03fcc9.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe
1e97cf058.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\c61317e0d33fd92.exe
c61317e0d33fd92.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\12d60c3323e093.exe
12d60c3323e093.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\f43b7f406819e5.exe
f43b7f406819e5.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe" -a
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\7c5d969bb386.exe
7c5d969bb386.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe
773e151d8f03fcc9.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe
cc9c4e191.exe
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\d879501442ad4.exe
d879501442ad4.exe
C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp" /SL5="$501C6,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 968
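The list above is flat, but the command lines show the chain: setup_installer.exe unpacks into %TEMP%\7zSC8470177\, setup_install.exe runs from that directory, and each extracted payload is launched as cmd.exe /c <name>.exe with a bare file name, so cmd.exe resolves it against the same working directory. The cc9c4e191.tmp line, run from is-LVE47.tmp with a /SL5= argument, is the Inno Setup loader convention, which identifies the AskFinder drop as an Inno Setup installer. The -p values on the three WerFault.exe lines (2028, 2596, 2412) are the PIDs of the crashing processes and line up with the PID prefixes of the memory dumps in the Files section. The script below is an added example, not taken from the report or its sandbox, that turns the first observation into a hunting rule over process-creation events. The event fields (image, parent image, command line) are an assumption modelled on Sysmon Event ID 1; the sample events are constructed from the report's process list, not captured telemetry.

```python
"""Hunting rule for the launch pattern in the process list: a process running from
%TEMP%\\7zS<8 hex>\\ spawns 'cmd.exe /c <bare name>.exe', and the named payload
then runs from that same directory.

Added example, not part of the sandbox report. Event fields are an assumption
modelled on Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample
events are constructed from the report's process list, not captured telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# %TEMP%\7zS<8 hex>\ : the extraction directory a 7-Zip SFX stub creates.
SFX_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\7zs[0-9a-f]{8}\\", re.I)
# cmd.exe /c <name>.exe with no path component: resolved via cmd's working directory.
CMD_C_BARE_EXE = re.compile(r"cmd\.exe\s+/c\s+([^\\/:\s\"]+\.exe)\s*$", re.I)


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


def find_sfx_cmd_chain(events: Iterable[ProcEvent]) -> Dict[str, bool]:
    """Map each payload name launched via 'cmd.exe /c' from a 7zS directory to whether
    a process with that name was also seen running from such a directory under cmd.exe."""
    events = list(events)
    launched: Dict[str, bool] = {}
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = CMD_C_BARE_EXE.search(ev.command_line)
        if m and SFX_DIR.match(ev.parent_image):
            launched[m.group(1).lower()] = False
    for ev in events:
        name = ev.image.lower().rsplit("\\", 1)[-1]
        if name in launched and SFX_DIR.match(ev.image) and ev.parent_image.lower().endswith("\\cmd.exe"):
            launched[name] = True
    return launched


SFX = r"C:\Users\Admin\AppData\Local\Temp\7zSC8470177"
SAMPLE_EVENTS = [  # constructed from the report's process list
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe", r"C:\Windows\explorer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"'),
    ProcEvent(SFX + r"\setup_install.exe", r"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe",
              '"' + SFX + r'\setup_install.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", SFX + r"\setup_install.exe",
              r"C:\Windows\system32\cmd.exe /c cc9c4e191.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", SFX + r"\setup_install.exe",
              r"C:\Windows\system32\cmd.exe /c APPNAME77.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", SFX + r"\setup_install.exe",
              r"C:\Windows\system32\cmd.exe /c 773e151d8f03fcc9.exe"),
    ProcEvent(SFX + r"\cc9c4e191.exe", r"C:\Windows\SysWOW64\cmd.exe", "cc9c4e191.exe"),
    # Benign noise that must not match: cmd.exe under explorer, and a full-path launch.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", r"cmd.exe /c dir"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\Vendor\updater.exe",
              r'cmd.exe /c "C:\Program Files\Vendor\helper.exe"'),
]

if __name__ == "__main__":
    for name, ran in find_sfx_cmd_chain(SAMPLE_EVENTS).items():
        print(f"{name}: launched via cmd.exe /c from 7zS dir; payload seen running = {ran}")
```

On the sample events the rule reports cc9c4e191.exe, APPNAME77.exe and 773e151d8f03fcc9.exe as launched from the SFX directory, and only cc9c4e191.exe as also observed running, which mirrors the report, where APPNAME77.exe has no corresponding process entry. A name that was launched but never seen running is still worth keeping: it either failed to extract or was blocked, and both are useful facts in triage.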
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| GB | 37.0.8.235:80 | | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | proxycheck.io | udp |
| US | 172.67.75.219:80 | proxycheck.io | tcp |
| US | 8.8.8.8:53 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | udp |
| JP | 52.219.136.39:80 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| JP | 52.219.150.114:80 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | tcp |
| US | 74.114.154.22:443 | lenak513.tumblr.com | tcp |
| N/A | 127.0.0.1:49263 | | tcp |
| N/A | 127.0.0.1:49265 | | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe
| MD5 | 69b0cbfaac38d57e49d456752aecfa2e |
| SHA1 | 00ad1373dfc113d02bf4abbbd2f29aebfed269df |
| SHA256 | 5fb9c65b6a755b6a8ae0536d8a4544a1cd3602eb480a47ac97f949226c2ae39a |
| SHA512 | 4c1650d2d678d5ae1c9a2c093a4311c7bd42bb2b750d0f6dd01f32b9f7918039c4df4cf3b50e06885cc972cd3f63951b08567d3080b4bc9b950edb87b5c8d180 |
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2596-28-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC8470177\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2596-31-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC8470177\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2596-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC8470177\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
\Users\Admin\AppData\Local\Temp\7zSC8470177\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
memory/2596-48-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2596-47-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2596-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2596-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\12d60c3323e093.exe
| MD5 | c465c7eb89a23837379e37046ec398e6 |
| SHA1 | 00f6f8b48667dfe44d354953158c6915efd6d260 |
| SHA256 | 430ed661f3be61265c7b657a641032b28c5a38495e6b37149b93428b9efa48a9 |
| SHA512 | 9281e662c5612c104804c12ff79b0d953eb60d2d52103656bb9f9d0d523d12280a624f8199bae414c40481839e663dd399f5fbeed1489f70a81657324b536b97 |
\Users\Admin\AppData\Local\Temp\7zSC8470177\c61317e0d33fd92.exe
| MD5 | 8af735f5bc6bd037d1819b551ae63048 |
| SHA1 | 3f6907f45f188c4222f671e9d900d2bc05dddf0f |
| SHA256 | 859652ead95300f7f186d7ee96d731e7dc09271bb6b5a6e3da24e6fc7865cbe5 |
| SHA512 | c74d438abbad236aea92eafa43b392ee1a05532f595ec03f0b7da27d9e8a0613be95b469da03cc0dcd0898365e5ef7fbbe672cccafe193b362227c9f2a2c4485 |
\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/2596-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2596-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2596-42-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2596-41-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2596-40-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\f43b7f406819e5.exe
| MD5 | 5b8639f453da7c204942d918b40181de |
| SHA1 | 2daed225238a9b1fe2359133e6d8e7e85e7d6995 |
| SHA256 | d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6 |
| SHA512 | cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205 |
\Users\Admin\AppData\Local\Temp\7zSC8470177\7c5d969bb386.exe
| MD5 | c5437a135b1a8803c24cae117c5c46a4 |
| SHA1 | eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf |
| SHA256 | 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1 |
| SHA512 | 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181 |
memory/1748-93-0x0000000000230000-0x0000000000238000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe
| MD5 | 2a75a60da995428b31f915b9272693c2 |
| SHA1 | 5fea2c4b689c822f27186d299fc5911a284c104b |
| SHA256 | 1640d9d8122fd6cec294ed40b3ec1c03da19184a99c1f427f99272dcc8585c56 |
| SHA512 | 7ec6fd8674597b15703650ab2e3f1970760afc6f67e09e468cbd84ec4aad2fa547b5d3d9684359a3d91c702a9669598cefaf07937f6004d71423b70312c1d7d0 |
memory/2812-108-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe
| MD5 | 58c203a58312c6121c932e9a59079064 |
| SHA1 | f57f41180fbe8e5dffafef79ea88f707c5cb748a |
| SHA256 | 3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27 |
| SHA512 | e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406 |
memory/2796-94-0x0000000000820000-0x0000000000852000-memory.dmp
memory/2504-115-0x0000000002BB0000-0x0000000002F09000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC8470177\d879501442ad4.exe
| MD5 | 9b55bffb97ebd2c51834c415982957b4 |
| SHA1 | 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16 |
| SHA256 | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11 |
| SHA512 | 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2 |
memory/2504-117-0x0000000002BB0000-0x0000000002F09000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/1528-118-0x0000000000400000-0x0000000000759000-memory.dmp
memory/2796-129-0x00000000007F0000-0x00000000007F6000-memory.dmp
memory/2796-135-0x0000000000800000-0x0000000000822000-memory.dmp
memory/2188-133-0x00000000004C0000-0x00000000004FC000-memory.dmp
memory/1528-132-0x0000000000C50000-0x0000000000FA9000-memory.dmp
memory/1528-131-0x0000000000C50000-0x0000000000FA9000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-M0V4B.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2796-136-0x0000000001F00000-0x0000000001F06000-memory.dmp
memory/1528-137-0x0000000000400000-0x0000000000759000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab82C9.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar86AE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1528-209-0x0000000000400000-0x0000000000759000-memory.dmp
memory/2412-210-0x0000000000400000-0x000000000095B000-memory.dmp
memory/2596-211-0x0000000000400000-0x0000000000875000-memory.dmp
memory/2596-216-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2596-215-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2596-214-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2596-213-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2596-212-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2596-224-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2596-225-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2028-226-0x0000000000400000-0x0000000000907000-memory.dmp
memory/2596-221-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2596-218-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2596-223-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2596-217-0x0000000000400000-0x0000000000875000-memory.dmp
memory/2812-227-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2188-229-0x00000000004C0000-0x00000000004FC000-memory.dmp
memory/2188-228-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2812-242-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2188-241-0x0000000000400000-0x00000000004BD000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-28 03:41
Reported
2024-11-28 03:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\12d60c3323e093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\f43b7f406819e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\7c5d969bb386.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\773e151d8f03fcc9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AskFinder\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
| File created | C:\Program Files (x86)\AskFinder\is-68SRV.tmp | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\AskFinder\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\773e151d8f03fcc9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\12d60c3323e093.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\f43b7f406819e5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\7c5d969bb386.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cc9c4e191.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c61317e0d33fd92.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d879501442ad4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 12d60c3323e093.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f43b7f406819e5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME77.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 7c5d969bb386.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1e97cf058.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 773e151d8f03fcc9.exe
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe
d879501442ad4.exe
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe
c61317e0d33fd92.exe
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\12d60c3323e093.exe
12d60c3323e093.exe
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe
cc9c4e191.exe
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\f43b7f406819e5.exe
f43b7f406819e5.exe
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\7c5d969bb386.exe
7c5d969bb386.exe
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe
1e97cf058.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2040 -ip 2040
C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp" /SL5="$4025C,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe"
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\773e151d8f03fcc9.exe
773e151d8f03fcc9.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4852 -ip 4852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 356
C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe
"C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2032 -ip 2032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1028
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-28 03:41
Reported
2024-11-28 03:44
Platform
win7-20241010-en
Max time kernel
77s
Max time network
154s
Command Line
Signatures
FFDroider
FFDroider payload
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Vidar
Vidar family
Vidar Stealer
ASPack v2.12-2.42
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\7c5d969bb386.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\f43b7f406819e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\12d60c3323e093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\d879501442ad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
VMProtect packed file
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AskFinder\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp | N/A |
| File created | C:\Program Files (x86)\AskFinder\is-9OE48.tmp | C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\AskFinder\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\12d60c3323e093.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\d879501442ad4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\f43b7f406819e5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\7c5d969bb386.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cc9c4e191.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c61317e0d33fd92.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d879501442ad4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 12d60c3323e093.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f43b7f406819e5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME77.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 7c5d969bb386.exe
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe
c61317e0d33fd92.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1e97cf058.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 773e151d8f03fcc9.exe
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\7c5d969bb386.exe
7c5d969bb386.exe
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\f43b7f406819e5.exe
f43b7f406819e5.exe
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\12d60c3323e093.exe
12d60c3323e093.exe
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe
773e151d8f03fcc9.exe
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe
cc9c4e191.exe
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe
1e97cf058.exe
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\d879501442ad4.exe
d879501442ad4.exe
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe
"C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe" -a
C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp" /SL5="$C0154,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 972
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| GB | 37.0.8.235:80 | N/A | tcp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 74.114.154.22:443 | lenak513.tumblr.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | proxycheck.io | udp |
| US | 104.26.8.187:80 | proxycheck.io | tcp |
| US | 8.8.8.8:53 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | udp |
| JP | 52.219.16.35:80 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | tcp |
| JP | 52.219.16.35:80 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | tcp |
| N/A | 127.0.0.1:49280 | N/A | tcp |
| N/A | 127.0.0.1:49282 | N/A | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 57c53637861a01384db30fad33bc9459 |
| SHA1 | 52ac6fef11da2c17aca7677ceb46459b72ef74a8 |
| SHA256 | 787c2734ffd8d3faa404896595d75ef6806edfbfd1f059e4a242dcba086f67a4 |
| SHA512 | be649443e3c4eaf133aefbef2bc710398496e1a6abfa2d8a52655136a992578f1a330fdbd117cbd73e9d4ef0a77216a35bbff8a6254907063ecf1543fdd0fb2f |
\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe
| MD5 | 69b0cbfaac38d57e49d456752aecfa2e |
| SHA1 | 00ad1373dfc113d02bf4abbbd2f29aebfed269df |
| SHA256 | 5fb9c65b6a755b6a8ae0536d8a4544a1cd3602eb480a47ac97f949226c2ae39a |
| SHA512 | 4c1650d2d678d5ae1c9a2c093a4311c7bd42bb2b750d0f6dd01f32b9f7918039c4df4cf3b50e06885cc972cd3f63951b08567d3080b4bc9b950edb87b5c8d180 |
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2964-39-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS42A7A387\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2964-44-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/2964-50-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2964-52-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2964-59-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2964-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2964-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2964-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2964-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2964-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2964-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2964-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe
| MD5 | 8af735f5bc6bd037d1819b551ae63048 |
| SHA1 | 3f6907f45f188c4222f671e9d900d2bc05dddf0f |
| SHA256 | 859652ead95300f7f186d7ee96d731e7dc09271bb6b5a6e3da24e6fc7865cbe5 |
| SHA512 | c74d438abbad236aea92eafa43b392ee1a05532f595ec03f0b7da27d9e8a0613be95b469da03cc0dcd0898365e5ef7fbbe672cccafe193b362227c9f2a2c4485 |
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\7c5d969bb386.exe
| MD5 | c5437a135b1a8803c24cae117c5c46a4 |
| SHA1 | eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf |
| SHA256 | 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1 |
| SHA512 | 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181 |
\Users\Admin\AppData\Local\Temp\7zS42A7A387\12d60c3323e093.exe
| MD5 | c465c7eb89a23837379e37046ec398e6 |
| SHA1 | 00f6f8b48667dfe44d354953158c6915efd6d260 |
| SHA256 | 430ed661f3be61265c7b657a641032b28c5a38495e6b37149b93428b9efa48a9 |
| SHA512 | 9281e662c5612c104804c12ff79b0d953eb60d2d52103656bb9f9d0d523d12280a624f8199bae414c40481839e663dd399f5fbeed1489f70a81657324b536b97 |
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe
| MD5 | 2a75a60da995428b31f915b9272693c2 |
| SHA1 | 5fea2c4b689c822f27186d299fc5911a284c104b |
| SHA256 | 1640d9d8122fd6cec294ed40b3ec1c03da19184a99c1f427f99272dcc8585c56 |
| SHA512 | 7ec6fd8674597b15703650ab2e3f1970760afc6f67e09e468cbd84ec4aad2fa547b5d3d9684359a3d91c702a9669598cefaf07937f6004d71423b70312c1d7d0 |
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\f43b7f406819e5.exe
| MD5 | 5b8639f453da7c204942d918b40181de |
| SHA1 | 2daed225238a9b1fe2359133e6d8e7e85e7d6995 |
| SHA256 | d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6 |
| SHA512 | cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205 |
\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe
| MD5 | 58c203a58312c6121c932e9a59079064 |
| SHA1 | f57f41180fbe8e5dffafef79ea88f707c5cb748a |
| SHA256 | 3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27 |
| SHA512 | e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406 |
\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/2664-114-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\d879501442ad4.exe
| MD5 | 9b55bffb97ebd2c51834c415982957b4 |
| SHA1 | 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16 |
| SHA256 | a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11 |
| SHA512 | 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2 |
memory/2444-120-0x00000000021D0000-0x0000000002529000-memory.dmp
memory/2444-122-0x00000000021D0000-0x0000000002529000-memory.dmp
memory/2120-125-0x0000000000400000-0x0000000000759000-memory.dmp
memory/2120-126-0x0000000000400000-0x0000000000759000-memory.dmp
memory/2904-135-0x0000000000DA0000-0x0000000000DA8000-memory.dmp
memory/2260-136-0x0000000000320000-0x0000000000352000-memory.dmp
memory/1304-138-0x0000000000B70000-0x0000000000BAC000-memory.dmp
memory/2260-140-0x0000000000240000-0x0000000000246000-memory.dmp
memory/2260-148-0x0000000000250000-0x0000000000272000-memory.dmp
memory/2260-149-0x00000000002F0000-0x00000000002F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabCD7C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCDAE.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2964-180-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2964-179-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2964-178-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2964-177-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2964-176-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2964-166-0x0000000000400000-0x0000000000875000-memory.dmp
memory/2964-208-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2964-210-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2964-209-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2964-206-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2964-203-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2964-202-0x0000000000400000-0x0000000000875000-memory.dmp
memory/2120-227-0x0000000000400000-0x0000000000759000-memory.dmp
memory/2988-228-0x0000000000400000-0x0000000000907000-memory.dmp
memory/2664-230-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2132-229-0x0000000000400000-0x000000000095B000-memory.dmp
memory/1304-233-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1304-234-0x0000000000B70000-0x0000000000BAC000-memory.dmp
memory/1304-236-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1304-246-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1304-251-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2664-252-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-28 03:41
Reported
2024-11-28 03:45
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\12d60c3323e093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\f43b7f406819e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\7c5d969bb386.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\773e151d8f03fcc9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AskFinder\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
| File created | C:\Program Files (x86)\AskFinder\is-OBKJU.tmp | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\AskFinder\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\12d60c3323e093.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\773e151d8f03fcc9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\f43b7f406819e5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\7c5d969bb386.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cc9c4e191.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c61317e0d33fd92.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d879501442ad4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 12d60c3323e093.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c f43b7f406819e5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c APPNAME77.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 7c5d969bb386.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1e97cf058.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 773e151d8f03fcc9.exe
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe
cc9c4e191.exe
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe
c61317e0d33fd92.exe
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\12d60c3323e093.exe
12d60c3323e093.exe
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe
d879501442ad4.exe
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\f43b7f406819e5.exe
f43b7f406819e5.exe
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\7c5d969bb386.exe
7c5d969bb386.exe
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe
1e97cf058.exe
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\773e151d8f03fcc9.exe
773e151d8f03fcc9.exe
C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp" /SL5="$A0040,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 2756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1708 -ip 1708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 356
C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe" -a
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1868 -ip 1868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1032
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| GB | 37.0.8.235:80 | N/A | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | proxycheck.io | udp |
| US | 172.67.75.219:80 | proxycheck.io | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 3.171.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | udp |
| JP | 52.219.163.46:80 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | tcp |
| JP | 52.219.163.46:80 | 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 46.163.219.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.22:443 | lenak513.tumblr.com | tcp |
| US | 8.8.8.8:53 | 22.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| N/A | 127.0.0.1:60804 | N/A | tcp |
| N/A | 127.0.0.1:60806 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 57c53637861a01384db30fad33bc9459 |
| SHA1 | 52ac6fef11da2c17aca7677ceb46459b72ef74a8 |
| SHA256 | 787c2734ffd8d3faa404896595d75ef6806edfbfd1f059e4a242dcba086f67a4 |