Malware Analysis Report

2025-01-02 05:58

Sample ID 241128-d87vzstpey
Target aad837c26c32c147e23e49abac741d0b_JaffaCakes118
SHA256 e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9
Tags
ffdroider nullmixer privateloader vidar 706 aspackv2 discovery dropper loader spyware stealer vmprotect evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e98c43697773e717610341e0a6f514f165dae8744e0376aef6dfd4054aa50bf9

Threat Level: Known bad

The file aad837c26c32c147e23e49abac741d0b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ffdroider nullmixer privateloader vidar 706 aspackv2 discovery dropper loader spyware stealer vmprotect evasion trojan

Vidar family

Ffdroider family

PrivateLoader

NullMixer

FFDroider

Nullmixer family

FFDroider payload

Privateloader family

Vidar

Vidar Stealer

Checks computer location settings

VMProtect packed file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

ASPack v2.12-2.42

Checks whether UAC is enabled

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Script User-Agent

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-28 03:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-28 03:41

Reported

2024-11-28 03:45

Platform

win7-20240729-en

Max time kernel

90s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\12d60c3323e093.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\12d60c3323e093.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\c61317e0d33fd92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\c61317e0d33fd92.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\d879501442ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\d879501442ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AskFinder\is-H3D47.tmp C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A
File opened for modification C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A
File created C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC8470177\12d60c3323e093.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC8470177\c61317e0d33fd92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC8470177\d879501442ad4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\f43b7f406819e5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\7c5d969bb386.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe
PID 1164 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe
PID 1164 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe
PID 1164 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe
PID 1164 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe
PID 1164 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe
PID 1164 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe
PID 2596 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cc9c4e191.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c61317e0d33fd92.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d879501442ad4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 12d60c3323e093.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f43b7f406819e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME77.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7c5d969bb386.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1e97cf058.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 773e151d8f03fcc9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe

1e97cf058.exe

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\c61317e0d33fd92.exe

c61317e0d33fd92.exe

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\12d60c3323e093.exe

12d60c3323e093.exe

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\f43b7f406819e5.exe

f43b7f406819e5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\7c5d969bb386.exe

7c5d969bb386.exe

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe

773e151d8f03fcc9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe

cc9c4e191.exe

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\d879501442ad4.exe

d879501442ad4.exe

C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp" /SL5="$501C6,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 968

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
GB 37.0.8.235:80 tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 proxycheck.io udp
US 172.67.75.219:80 proxycheck.io tcp
US 8.8.8.8:53 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com udp
JP 52.219.136.39:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
US 8.8.8.8:53 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com udp
US 8.8.8.8:53 lenak513.tumblr.com udp
JP 52.219.150.114:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
US 74.114.154.22:443 lenak513.tumblr.com tcp
N/A 127.0.0.1:49263 tcp
N/A 127.0.0.1:49265 tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp

Files

\Users\Admin\AppData\Local\Temp\7zSC8470177\setup_install.exe

MD5 69b0cbfaac38d57e49d456752aecfa2e
SHA1 00ad1373dfc113d02bf4abbbd2f29aebfed269df
SHA256 5fb9c65b6a755b6a8ae0536d8a4544a1cd3602eb480a47ac97f949226c2ae39a
SHA512 4c1650d2d678d5ae1c9a2c093a4311c7bd42bb2b750d0f6dd01f32b9f7918039c4df4cf3b50e06885cc972cd3f63951b08567d3080b4bc9b950edb87b5c8d180

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2596-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC8470177\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2596-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC8470177\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2596-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC8470177\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

\Users\Admin\AppData\Local\Temp\7zSC8470177\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2596-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2596-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2596-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2596-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\12d60c3323e093.exe

MD5 c465c7eb89a23837379e37046ec398e6
SHA1 00f6f8b48667dfe44d354953158c6915efd6d260
SHA256 430ed661f3be61265c7b657a641032b28c5a38495e6b37149b93428b9efa48a9
SHA512 9281e662c5612c104804c12ff79b0d953eb60d2d52103656bb9f9d0d523d12280a624f8199bae414c40481839e663dd399f5fbeed1489f70a81657324b536b97

\Users\Admin\AppData\Local\Temp\7zSC8470177\c61317e0d33fd92.exe

MD5 8af735f5bc6bd037d1819b551ae63048
SHA1 3f6907f45f188c4222f671e9d900d2bc05dddf0f
SHA256 859652ead95300f7f186d7ee96d731e7dc09271bb6b5a6e3da24e6fc7865cbe5
SHA512 c74d438abbad236aea92eafa43b392ee1a05532f595ec03f0b7da27d9e8a0613be95b469da03cc0dcd0898365e5ef7fbbe672cccafe193b362227c9f2a2c4485

\Users\Admin\AppData\Local\Temp\7zSC8470177\1e97cf058.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/2596-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2596-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2596-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2596-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2596-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\f43b7f406819e5.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

\Users\Admin\AppData\Local\Temp\7zSC8470177\7c5d969bb386.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

memory/1748-93-0x0000000000230000-0x0000000000238000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC8470177\773e151d8f03fcc9.exe

MD5 2a75a60da995428b31f915b9272693c2
SHA1 5fea2c4b689c822f27186d299fc5911a284c104b
SHA256 1640d9d8122fd6cec294ed40b3ec1c03da19184a99c1f427f99272dcc8585c56
SHA512 7ec6fd8674597b15703650ab2e3f1970760afc6f67e09e468cbd84ec4aad2fa547b5d3d9684359a3d91c702a9669598cefaf07937f6004d71423b70312c1d7d0

memory/2812-108-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC8470177\cc9c4e191.exe

MD5 58c203a58312c6121c932e9a59079064
SHA1 f57f41180fbe8e5dffafef79ea88f707c5cb748a
SHA256 3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
SHA512 e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

memory/2796-94-0x0000000000820000-0x0000000000852000-memory.dmp

memory/2504-115-0x0000000002BB0000-0x0000000002F09000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC8470177\d879501442ad4.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

memory/2504-117-0x0000000002BB0000-0x0000000002F09000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-LVE47.tmp\cc9c4e191.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/1528-118-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2796-129-0x00000000007F0000-0x00000000007F6000-memory.dmp

memory/2796-135-0x0000000000800000-0x0000000000822000-memory.dmp

memory/2188-133-0x00000000004C0000-0x00000000004FC000-memory.dmp

memory/1528-132-0x0000000000C50000-0x0000000000FA9000-memory.dmp

memory/1528-131-0x0000000000C50000-0x0000000000FA9000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-M0V4B.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2796-136-0x0000000001F00000-0x0000000001F06000-memory.dmp

memory/1528-137-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab82C9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar86AE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1528-209-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2412-210-0x0000000000400000-0x000000000095B000-memory.dmp

memory/2596-211-0x0000000000400000-0x0000000000875000-memory.dmp

memory/2596-216-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2596-215-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2596-214-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2596-213-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2596-212-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2596-224-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2596-225-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2028-226-0x0000000000400000-0x0000000000907000-memory.dmp

memory/2596-221-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2596-218-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2596-223-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2596-217-0x0000000000400000-0x0000000000875000-memory.dmp

memory/2812-227-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2188-229-0x00000000004C0000-0x00000000004FC000-memory.dmp

memory/2188-228-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2812-242-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2188-241-0x0000000000400000-0x00000000004BD000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-28 03:41

Reported

2024-11-28 03:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp N/A
File created C:\Program Files (x86)\AskFinder\is-68SRV.tmp C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp N/A
File opened for modification C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\773e151d8f03fcc9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\12d60c3323e093.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\f43b7f406819e5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\7c5d969bb386.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe
PID 3396 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe
PID 3396 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe
PID 2040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 3624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe
PID 3404 wrote to memory of 3624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe
PID 3404 wrote to memory of 3624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe
PID 2360 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe
PID 2360 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe
PID 2360 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe
PID 832 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\12d60c3323e093.exe
PID 832 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\12d60c3323e093.exe
PID 832 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\12d60c3323e093.exe
PID 4712 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\f43b7f406819e5.exe
PID 4712 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\f43b7f406819e5.exe
PID 2476 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe
PID 2476 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe
PID 2476 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe
PID 2156 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\7c5d969bb386.exe
PID 2156 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\7c5d969bb386.exe
PID 3840 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe
PID 3840 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe
PID 3840 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe
PID 3140 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp
PID 3140 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp
PID 3140 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp
PID 920 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\773e151d8f03fcc9.exe
PID 920 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\773e151d8f03fcc9.exe
PID 920 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\773e151d8f03fcc9.exe
PID 4592 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe
PID 4592 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe
PID 4592 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cc9c4e191.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c61317e0d33fd92.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d879501442ad4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 12d60c3323e093.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f43b7f406819e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME77.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7c5d969bb386.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1e97cf058.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 773e151d8f03fcc9.exe

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe

d879501442ad4.exe

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe

c61317e0d33fd92.exe

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\12d60c3323e093.exe

12d60c3323e093.exe

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe

cc9c4e191.exe

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\f43b7f406819e5.exe

f43b7f406819e5.exe

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\7c5d969bb386.exe

7c5d969bb386.exe

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe

1e97cf058.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2040 -ip 2040

C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp" /SL5="$4025C,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe"

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\773e151d8f03fcc9.exe

773e151d8f03fcc9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 356

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe

"C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2032 -ip 2032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1028

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 iplogger.org udp
GB 37.0.8.235:80 tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 live.goatgame.live udp
US 172.67.74.161:443 iplogger.org tcp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 proxycheck.io udp
US 104.26.8.187:80 proxycheck.io tcp
US 8.8.8.8:53 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com udp
US 8.8.8.8:53 187.8.26.104.in-addr.arpa udp
JP 52.219.199.178:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
JP 52.219.199.178:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
N/A 127.0.0.1:57337 tcp
N/A 127.0.0.1:57339 tcp
US 8.8.8.8:53 178.199.219.52.in-addr.arpa udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 74.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\setup_install.exe

MD5 69b0cbfaac38d57e49d456752aecfa2e
SHA1 00ad1373dfc113d02bf4abbbd2f29aebfed269df
SHA256 5fb9c65b6a755b6a8ae0536d8a4544a1cd3602eb480a47ac97f949226c2ae39a
SHA512 4c1650d2d678d5ae1c9a2c093a4311c7bd42bb2b750d0f6dd01f32b9f7918039c4df4cf3b50e06885cc972cd3f63951b08567d3080b4bc9b950edb87b5c8d180

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2040-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2040-44-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2040-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2040-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2040-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2040-38-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2040-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2040-37-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2040-36-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2040-35-0x0000000001250000-0x00000000012DF000-memory.dmp

memory/2040-34-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2040-33-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2040-32-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2040-30-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2040-29-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d879501442ad4.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\12d60c3323e093.exe

MD5 c465c7eb89a23837379e37046ec398e6
SHA1 00f6f8b48667dfe44d354953158c6915efd6d260
SHA256 430ed661f3be61265c7b657a641032b28c5a38495e6b37149b93428b9efa48a9
SHA512 9281e662c5612c104804c12ff79b0d953eb60d2d52103656bb9f9d0d523d12280a624f8199bae414c40481839e663dd399f5fbeed1489f70a81657324b536b97

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\7c5d969bb386.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

memory/3624-85-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\1e97cf058.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/4988-91-0x0000000000280000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TKSR2.tmp\cc9c4e191.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\773e151d8f03fcc9.exe

MD5 2a75a60da995428b31f915b9272693c2
SHA1 5fea2c4b689c822f27186d299fc5911a284c104b
SHA256 1640d9d8122fd6cec294ed40b3ec1c03da19184a99c1f427f99272dcc8585c56
SHA512 7ec6fd8674597b15703650ab2e3f1970760afc6f67e09e468cbd84ec4aad2fa547b5d3d9684359a3d91c702a9669598cefaf07937f6004d71423b70312c1d7d0

memory/4988-96-0x0000000002210000-0x0000000002216000-memory.dmp

memory/4988-100-0x0000000002220000-0x0000000002242000-memory.dmp

memory/4988-101-0x0000000002350000-0x0000000002356000-memory.dmp

memory/3968-84-0x0000000000820000-0x0000000000828000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\f43b7f406819e5.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

memory/3140-80-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\cc9c4e191.exe

MD5 58c203a58312c6121c932e9a59079064
SHA1 f57f41180fbe8e5dffafef79ea88f707c5cb748a
SHA256 3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
SHA512 e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

memory/3624-69-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\c61317e0d33fd92.exe

MD5 8af735f5bc6bd037d1819b551ae63048
SHA1 3f6907f45f188c4222f671e9d900d2bc05dddf0f
SHA256 859652ead95300f7f186d7ee96d731e7dc09271bb6b5a6e3da24e6fc7865cbe5
SHA512 c74d438abbad236aea92eafa43b392ee1a05532f595ec03f0b7da27d9e8a0613be95b469da03cc0dcd0898365e5ef7fbbe672cccafe193b362227c9f2a2c4485

memory/4848-110-0x0000000003940000-0x000000000397C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-MCIPF.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

memory/2040-120-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2040-123-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4852-124-0x0000000000400000-0x0000000000907000-memory.dmp

memory/2040-122-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2040-121-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2040-118-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2040-114-0x0000000000400000-0x0000000000875000-memory.dmp

memory/3624-135-0x0000000003D70000-0x0000000003D80000-memory.dmp

memory/3624-129-0x0000000003A50000-0x0000000003A60000-memory.dmp

memory/3624-142-0x0000000004660000-0x0000000004668000-memory.dmp

memory/3624-143-0x0000000004680000-0x0000000004688000-memory.dmp

memory/3624-145-0x0000000004720000-0x0000000004728000-memory.dmp

memory/3624-148-0x0000000004860000-0x0000000004868000-memory.dmp

memory/3624-149-0x0000000004880000-0x0000000004888000-memory.dmp

memory/3624-150-0x0000000004B30000-0x0000000004B38000-memory.dmp

memory/3624-151-0x0000000004A30000-0x0000000004A38000-memory.dmp

memory/3624-165-0x0000000004680000-0x0000000004688000-memory.dmp

memory/3624-173-0x00000000048A0000-0x00000000048A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 e684a991a035bd9f928fa3377fd9fb5e
SHA1 96247bac72e90b7edb6c564553c1bf68d994da1b
SHA256 5d3b250c2678a1d25d8ad183b423ff9bde801239e5519439e0a88d069cfd1a2c
SHA512 6f896ed68fe717d0b3d2e364ee6194a85f50e79545494e30dd934737cc468fde4c14919dc45c8c2d660c2631e993c218e1bdac2b4be7a5b13fae7bd0a716d27a

memory/3624-152-0x00000000048A0000-0x00000000048A8000-memory.dmp

memory/3624-175-0x00000000049D0000-0x00000000049D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 dd4996ba432639ba95a0bd157ca20f40
SHA1 4e4c570c994a77def06180a5b537eb7e46971f9a
SHA256 59294a0e45bf91a6ded8d29e77f3aaf23fb24ae4c71287a2196cde67399dfd2f
SHA512 831c9d4c273e08c736d5cb57b0169971edb54e60c0c0116bb60a4bb7c517af8622481977e21be113e9911f7758e765b52758d9b76fb91b32eaa9d924ba9e3f14

memory/3624-188-0x0000000004680000-0x0000000004688000-memory.dmp

memory/3624-196-0x00000000049D0000-0x00000000049D8000-memory.dmp

memory/3624-198-0x00000000048A0000-0x00000000048A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 c2ad103cbfcc8081b8b4b6edc20bab58
SHA1 47a6bb44b9643df0954692a5477f673ac549d9f7
SHA256 ee894a72211c6d51430d2766f98f7f9b21cad32531dec252deeacfda3136703c
SHA512 2d4ea1af2c72e6f9932fe5511722c2ad8b6b3f9b61a3563eebfebad7669ce683efd1f7f25d7c179a949f9c5ab4f9eaa383cc1405b2a46689c2a354ffe27d7bdf

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d

MD5 73b0c0933569f114b7971b40243c3f59
SHA1 df222e9d1d5566870fb0e57b68f682bd68e58768
SHA256 5fa4fb7b7d98410c0f0b3f01b5eb2489934e89f2bbad5c96b421ed23c2555262
SHA512 5af007380b025a079d9183ce195dfc7f49de3e37363c0e932da2b772fdeb87a6c53bf31a886bf7a6e577fc33fe0d7794206bb137ac40c1693d14bc68337b4dda

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 ad06145eb6f44f093aabeade19ab6763
SHA1 778c66cc1c2aa013c8e1a5d1862b1bda3fb75c48
SHA256 31e225337bb3ae5dcc6aaf4c90f8d535dd20aab01cb3d69700d5690e736e8a6f
SHA512 093cbb713f4d1a777ae4838dd05568c3ede07f326bd3daf7ec47e35b9394c81bd500674d9eebf880455d75e76903828de8321437378bb4a46e944cffdb6bffa5

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 e590b8024a8724b7bab02373f098d250
SHA1 e8a0854e290fea24146893fde705e3f72cdb9273
SHA256 96aa24aa3fae035e8d3ebde4e79301f7b48d1495a8d9fa17bded6a4e3de5fa72
SHA512 f72d71b84892c921158ec3c790b3cb20597278617b78093c6465c3d1319c8c5478f7c95cce91014c1f739da3f387b29e0c4f6047da663a20243b6b0703dc3fbe

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 cb79dfa1c6c873c0ddd016a8fd67d0dd
SHA1 ca7e2186a1b10da067a57f7f8807e95e34da005a
SHA256 e815ee7bc5a22df803336bbd643d4a40eab82c8eb1cc3650a74fb8eed8b08cb3
SHA512 7d9ec7d936bb48500c773faf96375556b0539070dd6c87005d3b2213cbdebe544c4241173be0375a39bc43da3cbb424fea4d7978c33a66862e76d32fc2c6734f

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 82b2709bfbd934b83f777b0881e1eec6
SHA1 2a0621e1f885d721e32730f8241a4b73c0484c01
SHA256 487f41f0f61585b51918ec22a0d839ad32c5fa5c7c0b8d62f89cb29c03044d5b
SHA512 3272f8b17bc7da98615a317484e4ac842b7aaed8d0928d3ced90d51cf6132e7c58f96763192d4148ee9d3121d7fc67a80024b3ea2b4aa9db0c5f32881848e608

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 c5f06c518f082a5b309526278f4d5030
SHA1 8412fdc32de774e2b9c43ec50bf6db31ca65c87d
SHA256 5d34a33ee2c38a8eb8b79e41e54cab443228ced1688abe28a35df78db400f5f2
SHA512 91196b8a92642afab9b9453064f87eed15c1628f566d170e5378b5f0f0a38ac80f3e59d5e0a47b9d849eaf9fd9c31a3cbbb62b1bc56d244c2729a663328e9e8d

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 7eebc77600ef52234cafa9be9112d63f
SHA1 b321637b4ad47ffd020e2fb8a1ea43b5787ed264
SHA256 28827bbb755fe1b9de2ea3e2b97559914c53f0c7be213d3a6f784f0f9ac38a46
SHA512 0e5f16d0cfe552586cf14df0c3b32d1add87fe3e78a3804f97b91d1967bd8e76cc809eb8d33be7d97aa9414abe6471180178e4b7c55a059e756eebbb71042e0b

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 9f0fbaa91c4862a33348c55fb014101c
SHA1 1bda0f5bcfe6bcd44c7f8d98333ff5282e7be121
SHA256 d9c58075f6185249a2de26d6bcb3a4fa313786bade43c9d9e1e66259dac6b2a8
SHA512 0afeeb05a488b49715a210929d122b2d23ada5a11d11a9ea30223173542fa46969762f8b4fc641085ecbbb96038939d14e3cf3c29649067c20769ff28130a67f

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 04296881cfcba88e8130ceec99461585
SHA1 45f96132fc43baf229fcc99238131494a69f3ef5
SHA256 99d99f5180726db6c4a8d74e93ea7b8a109da64ca52850eeb8081940d281e09d
SHA512 cf430d45f5b873e6799aa027fa8a60b8cc1e8cc3b5f0d03cb275de1b2a871521b2f5297f64fbce9eac152ef18729a4c5a879ae0232085b797189185aef3d806b

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 6930b5fa7122738157b7e983239f9a1c
SHA1 fd2087d1cb73835b3194accc38a98a6e33643d69
SHA256 c067633c0bf7ff02d23b718fbd19bbc74a4ff91da42acc8de12cf53083efa45f
SHA512 3faf28c616aa31b7942f477e369957a6f3775768742941fb129ee68b39e332201a8265b67cf5efb756eda9972e3acaa0683b81011b4b7c0729b3f3ff054a0e63

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 a53f77b870064bf6ff6c1ec893754787
SHA1 6490805261d5a8f8550d849e9013ae6aabe3f126
SHA256 950c27972b0e84a2af33288af979a0642fbe0675dbac8471b1adaebeedcee185
SHA512 d4b3bc965e74c5a127a7caac6f769ab56efa2965f6d15986b13b8a108199011eb23dbf862b301630952fb41063055b23ca5bacc7a4899d319897855b8c122df7

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 321026f78b886e4b42fcd3a11d7f0938
SHA1 9c3f5cfa213a23a83cd73e93dade839b79981601
SHA256 3964a2b29ca7f1d0660186451010bdddc85b19da6283d3ef20135eb8a58a67e1
SHA512 cd1ceccb3e0c0d9fea180167ec3be8d41d0b3dbdb8e83797a75a156cc50877d3279d0a597c7e36acc2df877eceadcb2e2fe8c0decf65e09386e06972fb17f822

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 3c0390e3a0323558ff123343a697550d
SHA1 cb01ba0db2821a186f77aa8d9129a236a8427b69
SHA256 d18daf62e207ce57661df0a5f3645588cc4492386045e7037900248ea98b84f4
SHA512 fd8db9205c8400a79311a865be0f1109cc0e5dec0b6e089ce5ad3e141afb4489aab2be95183998b41c09537877dd5cb26124372b4c08c179708c8bbcf4ee1882

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 90d8b66aed3cb0c93e6fa5cb995df834
SHA1 6e8ecc1cb360bc3acd4612592a76b5e49b1da287
SHA256 26f9baae85eafaec6cf3a2117bf1a5ab0b079429f01f3b0225444a5b15bb9fee
SHA512 0a3c07b2f54b312fcda37ee0190c9558fcdc0a035c6d6238159f33dfbefdc0782bd40fa9b5ff04839a8c071fd3f1d86319abe7a6749a231bae8ca9325a4d38b8

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 fccbba6d5dbf46e3cdd1d3e16914e2f2
SHA1 8606b750a13c36e890fd5d12b4803eb98be1c222
SHA256 e2334f8517da17e9c8347cdabfbfe292fbbab1cb65091d53ad34c98a341d115b
SHA512 0d59337e0df8f78912115c4d55504db27518833ce4c53347c2d665c92cbd55308b52369755c895bb60fc3b1d77ca38b63e7201ed42805f40449a470e72e997f6

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 1453f270cbbffc28b9607fe8624523ff
SHA1 90793b393673146e112fa26ff0b65d9ebc5fafb6
SHA256 1ce0f4aa77c742e5cb6b88a37e493ac403c4f68e766c9b29e07a73ca2bc777b3
SHA512 3241c93a5d2edfc356556f1fff5846b478a1ebc6578dd414317cd2bd496027be76463b73ac7b83e5f284c7bea5f9df445a460021787cc846d2d553bb7a7bd432

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 3cc89baf5aaf62bc439840ad01976d84
SHA1 47094033df040f167b580fe2cae43d48a20aa4c5
SHA256 be94458301e54a7ae921efee75b42925082ce2aa5ee9d7b2545e7c93e9ffb2c5
SHA512 ef8ac487960ea55944f9897c2268d965b84b03c82bd8a49f76226d94391b5f2ee1dbc4b0696477b42675f040755bba1b32f1b835d14492212bb47cf1d1fb181e

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.INTEG.RAW

MD5 294893a63284275650f75704cd571564
SHA1 b3d83d3f8adbec5dc2465c5530479e4e8fcbeede
SHA256 d90b7ed0f3e7a10d65a19a52e5a4aa0630f4c458c03e4233749d8fe3032baf77
SHA512 7348f40453bf4646b407d139a4690112266904b38941702f698e6886c6000bf2fe8ba4cb819bebdfa8f8332744e9869a9ef97c664786aad105cf5ea103ff6837

C:\Users\Admin\AppData\Local\Temp\7zS44D823B7\d.jfm

MD5 9e744bfe09a5ae4e089dffedcc420bb2
SHA1 4b84dfcf34b2977e8b366cad7ab5e11e6ff246f4
SHA256 b3b3b75875ecac1f8a0c29cd02f944d3a3d62e6b5030bd5072c3cbffc1494e90
SHA512 7107e7da3bb16e1f4162c75f9078bec0d65f76a05db63380b2e73db0d4d13f6d23cd2e9792aa8171a090a323259291dcad331516a510e9c368f09250b623e29b

memory/3624-637-0x0000000000400000-0x0000000000759000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 03:41

Reported

2024-11-28 03:44

Platform

win7-20241010-en

Max time kernel

77s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\12d60c3323e093.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\12d60c3323e093.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\d879501442ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\d879501442ad4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A
File created C:\Program Files (x86)\AskFinder\is-9OE48.tmp C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A
File opened for modification C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\12d60c3323e093.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\d879501442ad4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\f43b7f406819e5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\7c5d969bb386.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2116 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2116 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2116 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2116 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2116 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2116 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2596 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe
PID 2596 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe
PID 2596 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe
PID 2596 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe
PID 2596 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe
PID 2596 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe
PID 2596 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe
PID 2964 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe
PID 2564 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe
PID 2564 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe
PID 2564 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe
PID 2564 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe
PID 2564 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe
PID 2564 wrote to memory of 2988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe
PID 2964 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cc9c4e191.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c61317e0d33fd92.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d879501442ad4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 12d60c3323e093.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f43b7f406819e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME77.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7c5d969bb386.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe

c61317e0d33fd92.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1e97cf058.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 773e151d8f03fcc9.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\7c5d969bb386.exe

7c5d969bb386.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\f43b7f406819e5.exe

f43b7f406819e5.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\12d60c3323e093.exe

12d60c3323e093.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe

773e151d8f03fcc9.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe

cc9c4e191.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe

1e97cf058.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\d879501442ad4.exe

d879501442ad4.exe

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe

"C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe" -a

C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OQ9SQ.tmp\cc9c4e191.tmp" /SL5="$C0154,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 972

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
GB 37.0.8.235:80 tcp
RU 186.2.171.3:80 186.2.171.3 tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 34.117.59.81:80 ipinfo.io tcp
US 74.114.154.22:443 lenak513.tumblr.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 proxycheck.io udp
US 104.26.8.187:80 proxycheck.io tcp
US 8.8.8.8:53 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com udp
JP 52.219.16.35:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
JP 52.219.16.35:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
N/A 127.0.0.1:49280 tcp
N/A 127.0.0.1:49282 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 music-sec.xyz udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 57c53637861a01384db30fad33bc9459
SHA1 52ac6fef11da2c17aca7677ceb46459b72ef74a8
SHA256 787c2734ffd8d3faa404896595d75ef6806edfbfd1f059e4a242dcba086f67a4
SHA512 be649443e3c4eaf133aefbef2bc710398496e1a6abfa2d8a52655136a992578f1a330fdbd117cbd73e9d4ef0a77216a35bbff8a6254907063ecf1543fdd0fb2f

\Users\Admin\AppData\Local\Temp\7zS42A7A387\setup_install.exe

MD5 69b0cbfaac38d57e49d456752aecfa2e
SHA1 00ad1373dfc113d02bf4abbbd2f29aebfed269df
SHA256 5fb9c65b6a755b6a8ae0536d8a4544a1cd3602eb480a47ac97f949226c2ae39a
SHA512 4c1650d2d678d5ae1c9a2c093a4311c7bd42bb2b750d0f6dd01f32b9f7918039c4df4cf3b50e06885cc972cd3f63951b08567d3080b4bc9b950edb87b5c8d180

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2964-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS42A7A387\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2964-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2964-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2964-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2964-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2964-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2964-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2964-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2964-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2964-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2964-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2964-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS42A7A387\c61317e0d33fd92.exe

MD5 8af735f5bc6bd037d1819b551ae63048
SHA1 3f6907f45f188c4222f671e9d900d2bc05dddf0f
SHA256 859652ead95300f7f186d7ee96d731e7dc09271bb6b5a6e3da24e6fc7865cbe5
SHA512 c74d438abbad236aea92eafa43b392ee1a05532f595ec03f0b7da27d9e8a0613be95b469da03cc0dcd0898365e5ef7fbbe672cccafe193b362227c9f2a2c4485

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\7c5d969bb386.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

\Users\Admin\AppData\Local\Temp\7zS42A7A387\12d60c3323e093.exe

MD5 c465c7eb89a23837379e37046ec398e6
SHA1 00f6f8b48667dfe44d354953158c6915efd6d260
SHA256 430ed661f3be61265c7b657a641032b28c5a38495e6b37149b93428b9efa48a9
SHA512 9281e662c5612c104804c12ff79b0d953eb60d2d52103656bb9f9d0d523d12280a624f8199bae414c40481839e663dd399f5fbeed1489f70a81657324b536b97

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\773e151d8f03fcc9.exe

MD5 2a75a60da995428b31f915b9272693c2
SHA1 5fea2c4b689c822f27186d299fc5911a284c104b
SHA256 1640d9d8122fd6cec294ed40b3ec1c03da19184a99c1f427f99272dcc8585c56
SHA512 7ec6fd8674597b15703650ab2e3f1970760afc6f67e09e468cbd84ec4aad2fa547b5d3d9684359a3d91c702a9669598cefaf07937f6004d71423b70312c1d7d0

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\f43b7f406819e5.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

\Users\Admin\AppData\Local\Temp\7zS42A7A387\cc9c4e191.exe

MD5 58c203a58312c6121c932e9a59079064
SHA1 f57f41180fbe8e5dffafef79ea88f707c5cb748a
SHA256 3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
SHA512 e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

\Users\Admin\AppData\Local\Temp\7zS42A7A387\1e97cf058.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/2664-114-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS42A7A387\d879501442ad4.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

memory/2444-120-0x00000000021D0000-0x0000000002529000-memory.dmp

memory/2444-122-0x00000000021D0000-0x0000000002529000-memory.dmp

memory/2120-125-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2120-126-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2904-135-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

memory/2260-136-0x0000000000320000-0x0000000000352000-memory.dmp

memory/1304-138-0x0000000000B70000-0x0000000000BAC000-memory.dmp

memory/2260-140-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2260-148-0x0000000000250000-0x0000000000272000-memory.dmp

memory/2260-149-0x00000000002F0000-0x00000000002F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCD7C.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCDAE.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2964-180-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2964-179-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2964-178-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2964-177-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2964-176-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2964-166-0x0000000000400000-0x0000000000875000-memory.dmp

memory/2964-208-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2964-210-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2964-209-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2964-206-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2964-203-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2964-202-0x0000000000400000-0x0000000000875000-memory.dmp

memory/2120-227-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2988-228-0x0000000000400000-0x0000000000907000-memory.dmp

memory/2664-230-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2132-229-0x0000000000400000-0x000000000095B000-memory.dmp

memory/1304-233-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1304-234-0x0000000000B70000-0x0000000000BAC000-memory.dmp

memory/1304-236-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1304-246-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1304-251-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2664-252-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 03:41

Reported

2024-11-28 03:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp N/A
File created C:\Program Files (x86)\AskFinder\is-OBKJU.tmp C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp N/A
File opened for modification C:\Program Files (x86)\AskFinder\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\12d60c3323e093.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\773e151d8f03fcc9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\f43b7f406819e5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\7c5d969bb386.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2524 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2524 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2204 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe
PID 2204 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe
PID 2204 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe
PID 2756 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe
PID 5096 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe
PID 5096 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe
PID 232 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe
PID 232 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe
PID 232 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe
PID 1004 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\12d60c3323e093.exe
PID 1004 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\12d60c3323e093.exe
PID 1004 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\12d60c3323e093.exe
PID 3188 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\f43b7f406819e5.exe
PID 3188 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\f43b7f406819e5.exe
PID 3092 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe
PID 3092 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe
PID 3092 wrote to memory of 868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe
PID 2672 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\7c5d969bb386.exe
PID 2672 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\7c5d969bb386.exe
PID 3064 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe
PID 3064 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe
PID 3064 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe
PID 3056 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\773e151d8f03fcc9.exe
PID 3056 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\773e151d8f03fcc9.exe
PID 3056 wrote to memory of 1868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\773e151d8f03fcc9.exe
PID 5044 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp
PID 5044 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp
PID 5044 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp
PID 1592 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe
PID 1592 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe
PID 1592 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\aad837c26c32c147e23e49abac741d0b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cc9c4e191.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c61317e0d33fd92.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d879501442ad4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 12d60c3323e093.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f43b7f406819e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME77.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 7c5d969bb386.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1e97cf058.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 773e151d8f03fcc9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe

cc9c4e191.exe

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe

c61317e0d33fd92.exe

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\12d60c3323e093.exe

12d60c3323e093.exe

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe

d879501442ad4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\f43b7f406819e5.exe

f43b7f406819e5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\7c5d969bb386.exe

7c5d969bb386.exe

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe

1e97cf058.exe

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\773e151d8f03fcc9.exe

773e151d8f03fcc9.exe

C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp" /SL5="$A0040,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2756 -ip 2756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 356

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1868 -ip 1868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 1032

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
GB 37.0.8.235:80 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 proxycheck.io udp
US 172.67.75.219:80 proxycheck.io tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 219.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com udp
JP 52.219.163.46:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
JP 52.219.163.46:80 24643052-4208-477f-9c6c-8ffaba0337a7.s3.ap-northeast-1.amazonaws.com tcp
US 8.8.8.8:53 46.163.219.52.in-addr.arpa udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.22:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
N/A 127.0.0.1:60804 tcp
N/A 127.0.0.1:60806 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 57c53637861a01384db30fad33bc9459
SHA1 52ac6fef11da2c17aca7677ceb46459b72ef74a8
SHA256 787c2734ffd8d3faa404896595d75ef6806edfbfd1f059e4a242dcba086f67a4
SHA512 be649443e3c4eaf133aefbef2bc710398496e1a6abfa2d8a52655136a992578f1a330fdbd117cbd73e9d4ef0a77216a35bbff8a6254907063ecf1543fdd0fb2f

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\setup_install.exe

MD5 69b0cbfaac38d57e49d456752aecfa2e
SHA1 00ad1373dfc113d02bf4abbbd2f29aebfed269df
SHA256 5fb9c65b6a755b6a8ae0536d8a4544a1cd3602eb480a47ac97f949226c2ae39a
SHA512 4c1650d2d678d5ae1c9a2c093a4311c7bd42bb2b750d0f6dd01f32b9f7918039c4df4cf3b50e06885cc972cd3f63951b08567d3080b4bc9b950edb87b5c8d180

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2756-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2756-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\c61317e0d33fd92.exe

MD5 8af735f5bc6bd037d1819b551ae63048
SHA1 3f6907f45f188c4222f671e9d900d2bc05dddf0f
SHA256 859652ead95300f7f186d7ee96d731e7dc09271bb6b5a6e3da24e6fc7865cbe5
SHA512 c74d438abbad236aea92eafa43b392ee1a05532f595ec03f0b7da27d9e8a0613be95b469da03cc0dcd0898365e5ef7fbbe672cccafe193b362227c9f2a2c4485

memory/868-95-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\7c5d969bb386.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

C:\Users\Admin\AppData\Local\Temp\is-0MLG6.tmp\cc9c4e191.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/4476-108-0x00000000008B0000-0x00000000008E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\773e151d8f03fcc9.exe

MD5 2a75a60da995428b31f915b9272693c2
SHA1 5fea2c4b689c822f27186d299fc5911a284c104b
SHA256 1640d9d8122fd6cec294ed40b3ec1c03da19184a99c1f427f99272dcc8585c56
SHA512 7ec6fd8674597b15703650ab2e3f1970760afc6f67e09e468cbd84ec4aad2fa547b5d3d9684359a3d91c702a9669598cefaf07937f6004d71423b70312c1d7d0

memory/2512-104-0x0000000000B30000-0x0000000000B38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\1e97cf058.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/868-93-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d879501442ad4.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\f43b7f406819e5.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\12d60c3323e093.exe

MD5 c465c7eb89a23837379e37046ec398e6
SHA1 00f6f8b48667dfe44d354953158c6915efd6d260
SHA256 430ed661f3be61265c7b657a641032b28c5a38495e6b37149b93428b9efa48a9
SHA512 9281e662c5612c104804c12ff79b0d953eb60d2d52103656bb9f9d0d523d12280a624f8199bae414c40481839e663dd399f5fbeed1489f70a81657324b536b97

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\cc9c4e191.exe

MD5 58c203a58312c6121c932e9a59079064
SHA1 f57f41180fbe8e5dffafef79ea88f707c5cb748a
SHA256 3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
SHA512 e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

memory/5044-80-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2756-56-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2756-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2756-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2756-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2756-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4476-111-0x0000000000E90000-0x0000000000E96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AI4R0.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

memory/4476-122-0x0000000000EA0000-0x0000000000EC2000-memory.dmp

memory/840-120-0x0000000003940000-0x000000000397C000-memory.dmp

memory/2756-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2756-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2756-48-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2756-47-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2756-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2756-45-0x0000000000B00000-0x0000000000B8F000-memory.dmp

memory/2756-44-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2756-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/4476-123-0x0000000001250000-0x0000000001256000-memory.dmp

memory/1708-125-0x0000000000400000-0x0000000000907000-memory.dmp

memory/2756-126-0x0000000000400000-0x0000000000875000-memory.dmp

memory/2756-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2756-135-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2756-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2756-132-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2756-130-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/868-146-0x0000000003D70000-0x0000000003D80000-memory.dmp

memory/868-140-0x0000000003A50000-0x0000000003A60000-memory.dmp

memory/868-153-0x0000000004660000-0x0000000004668000-memory.dmp

memory/868-154-0x0000000004680000-0x0000000004688000-memory.dmp

memory/868-156-0x0000000004720000-0x0000000004728000-memory.dmp

memory/868-159-0x0000000004860000-0x0000000004868000-memory.dmp

memory/868-160-0x0000000004880000-0x0000000004888000-memory.dmp

memory/868-161-0x0000000004B30000-0x0000000004B38000-memory.dmp

memory/868-162-0x0000000004A30000-0x0000000004A38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 926df97a3a0224c56b150192ca02c26a
SHA1 20f04f6dd8b4d9aa68b9769dee5a372e20b4b1b5
SHA256 c8f57c477de90ddce1e493adbe5eeae482afeb0db7b768ada81e50c5802934ee
SHA512 9aaa8e03cce0c14b44797a059f4683bbd11449e1afbded0ccdb6ca2d6b6b73df67e15fcdd305266c0990874c9f0f85fd5908ff1656351ec18e83ba4e2b966709

memory/868-163-0x00000000048A0000-0x00000000048A8000-memory.dmp

memory/868-176-0x0000000004680000-0x0000000004688000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 837bc0e548aa719a597c957cc9bd6b18
SHA1 bb7407dfa4bde03acd780ee33ca44277ad1ceda5
SHA256 03522aac3e0bf704538b550f3f8a1ed4aedf9e01c3c558a79615b2543aa857be
SHA512 f1653c9f95ad2ebbeca535069e1142e09006a24db515693174b9ce12871f6cf94e92b0a11350a47862bbfb96a849d799960484e88b1e4cbfcf8ae8d8c1472c2d

memory/868-184-0x00000000048A0000-0x00000000048A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 f217ff7b6e9ce0e688b517ef4e2dcc9f
SHA1 fabc7a8c1efac143759016036bbf091eaeee9d4c
SHA256 d9817406234f13db7090b0383325af4adc5a37c2e5c6bd0a13a4f604018674d8
SHA512 2bf30553e3ae60a041c5478f68ad0a9bfddb882f6216a1a6fbca75c951a10df79e7fd493172204d6d5aa12dff7586bdfb20275a5455732b7f75a91160a4cd8e5

memory/868-186-0x00000000049D0000-0x00000000049D8000-memory.dmp

memory/868-199-0x0000000004680000-0x0000000004688000-memory.dmp

memory/868-207-0x00000000049D0000-0x00000000049D8000-memory.dmp

memory/868-209-0x00000000048A0000-0x00000000048A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 cd9904036c539f78d528fcf339757e56
SHA1 abedfa972ced73239ce6e64d2e46bad17e887663
SHA256 1e808be850e04237b72dda5472d602b5fe788881a01751f503f0c1af9d1f20d3
SHA512 1a0f66ee21a8ef96e907b0e8ba912834a1424309a938354ca5f7829c55c94e9e794517f417b64a62171bc0ef046c514df48881c3a2e1c41cbcc4b12c88059287

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d

MD5 07204525af6d33957ef82f5897583999
SHA1 920b9fb29727a81c93a0933460b7f32e870757ca
SHA256 01736304131a88c7484167983d2be95e457dc996856825ea3606aba18fe9a522
SHA512 b6d2a7f290ded118d6f4abf6c63fb76ffba8dc1e233d4e7a2f36397b51962b689687d01daa3bab3b2368390f6c210b79533ed2485370e287ab54b255657ebd57

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 df0285b1a9b7779cda430fe6cd13639f
SHA1 ec44d36954d4d54b1f1a9bd357c53c2550eb2283
SHA256 5f9ba1dd53b6c2dfbfafd65372e559f6b73d294f967e8449f2282a4a675b11e2
SHA512 0ba5e79719a232cd595a9a5ccf1d0e05efda47376aecc4fd7721114843de8c98c7659ddf23038ac53d0717210e1e0ffee8fe9bc655440f9bbf0806476d1a2174

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 e9d171a2edf6efb67803a54ea2ef9e05
SHA1 8f2c53198b3497b207879674e4dc0a180176d9dc
SHA256 505cc3b841636b891822bfb91150cbc13a03a0bdcd0021869859f84328005f64
SHA512 1e4cc52b8f5a8ef868cde0d4b1e0c8395069419283fc8600ee22579a25edb9f4e6eff9854afea999ff628fa21d280e65963beaca58881d7c57b01e5e434427af

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 12f8dacef87e53355879bf5e78353439
SHA1 9034d6317fc0e169ea95b38b7656f8303009981f
SHA256 34a86b118b6398b614b356d0420890e7706af36a9721e5b03153121dc4e0dca1
SHA512 013606bcc2c76f06116e2e6ef9d987e9da9579f7703ddbcbdff308e15d902e75b39a39a513a29c3802c1118af6163cc53351046862e022cd471e8b93b6cc32f7

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 994b032d219e6e3bd8d1e9ddd40cc18c
SHA1 67613c23c6a8c033cb1bd015efae56a01af716c3
SHA256 f0b106dba175c13fb5f5c13d51c5bce736533232ee59ea3c2a3e1524f09f9189
SHA512 f2c112219a107c84214ee2fb8567cbd1bbb0e9765dea6a98a088b1264c530ad8c69f9cbb3c3a11f762a55dccc8b355d264a31bfe1a9884d8312084b4f17eae81

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 67c1e057a35b790215faef16626e7179
SHA1 8c39c1edd1ad3ca4073a6345d181cac48fc6f810
SHA256 6f68bc9a8928635fc5bb4b7562d32c61df7aff853e1e44d8ad3c230a4cd29e46
SHA512 c2dae56b41bc95e3ec270459c4da8ed21886c0b1a07f66e28b7deee4057ad7e917629bebdd58169346970cb93c551e64ac78d67999cc88af23f5f0636d7bdb42

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 adb268f97622da46275ffdf531850802
SHA1 6224c8bf2ff2625540a64c9451ed27aec5906bce
SHA256 26c6dbd7f0bd93c1276e107ecbddbf917a63180222fcf4dda94c870d46e54998
SHA512 021e4b3f067480dadf4909b9a842502689e26e6f935b04ffa38e2af4bb503a6461f53c9f505cd2afd2b4cafe4f05b936957435f552c730c3874d414b1efe8a7e

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 6237ad2937e89b938d4baa9799a5d313
SHA1 6ffd7987d701a8bda649a0734454125fc7eb338c
SHA256 dc2030a5b438393f0e449a2e4000a4e8fafed32e564c336deaa6dae991594aff
SHA512 58721add3c70f3c16a2813a0ae8fa71b8ed87c072cca9dae8994af70829950b0e1dce1d4f7eeb75ca16d078c50063f40d1e40b58a2062cf634a55b0475843e4e

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 2314aaf805c678e093b909858b43e3ab
SHA1 9a49dc296c1ef911269e10faf1d989c2afa854da
SHA256 3d6c814b3873353d618ddc7c388048b42c97ffb3341014e728ba7b0c4b11b6d3
SHA512 c7dd67c2809d9f7d31e47e5dd09619d7c7cbd711d4a048b975ee322f6ea691da84a9fd0d5f3cc891abad7dc1dfec28859350778e1f3143e25ba8b68bd246c513

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 9917883c06a1b147e9348a1b4493c570
SHA1 8cf59a061922251594bc09eeb71703faecee1689
SHA256 fec9988851a7cfcd86383cb503bb45e683d8d271091577599887482e386f37b3
SHA512 c51d5f6e69b43499f8a3d10be09368aaefc3e41a47b804139a8900086cbef1b284db2c470a538ab8cd7c9586958e9465e01c1de637ba96b85123a588dd68c013

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 9c2a6244ad6f87995e0306038615d6ee
SHA1 f089e5b569d1676c0c7879dc5ed3177be17c8a5f
SHA256 c3f4dec997261a487767533681eb6ce288f602f13dfb203dd6ace77e80e37c2c
SHA512 d470327e91a53f787c61665324d40637157f61944b2863e1b29cb14edfbb36fd2a22de9aa2da2262ff018bca281d5a5273143fbcdddad9878f37f14caff1546f

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 f7f8501c36feb49989a1a196cd6e190d
SHA1 c9f1c7d645cbad282988461a124a927cb7dadebe
SHA256 8bf6658af234ecf5ec48e99e723458d48af3a5f7bc4efd4e7c747e0a32377422
SHA512 5a38936a7d675b45f7176a30483b9ee7603022a0aa590e25719ba9cf43a326902dc61708eb83a0aef53fab3791be2eda07b73605aef7dc3eb393f24ab5f81b9b

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 5ab6440f76d3e60669e9b0e1820d39bd
SHA1 4300effc979d293af52c9f7ea8dd14b0318db6c0
SHA256 cd5c3e4b1cedaee49c6790e87ca8bc65438d09664d56f5202290fc86c8dec8eb
SHA512 029ada0a93ff80143e86daece5f1364d0414c592d1246d3697f2e476ef923fd14f27e4b6e76af6786c26080d319b0729e7a3a5f8142805c393f38c42070f30c4

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 38654360829b0ec038aa6206512b74aa
SHA1 cf9776994745502b0c6d6d85887240e1e9538128
SHA256 f1ff7d03336df258a21a9471c481560f5fa9ad14dedace3b8309df4c44c97d7f
SHA512 19466c8abe47837092ec48d14e072164e1b3b7cd8f0397170a005fde46fda4e72cd680b406e2e646e3b73910df3042ecd1fe901b842ec94c1d2867933f4679cd

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 abb1d60d7e43c6480f145956138a2ddd
SHA1 fb429a737681cbb8f87662ec631fbd098b35e1a0
SHA256 d6e8b067e2c10fa34ef7a5d22c794e28e0ad9d241fdf7436227dd3e049e0e6dd
SHA512 604a42b9e1151b9e2be329734cae008a8407abfb9f0fcaf1610c12fb7c321b4577cdffb81f16595ff1afbc3de5f8af760dd034da5a1adf2689455eeace7c1f28

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.INTEG.RAW

MD5 e999b7d63f2e78493edfc018460dec04
SHA1 ddf51b31e78480f6a2c510952c6bfb33ad431784
SHA256 ccd666e72cc984f9b8c297c86396a1e8bc965109d22bca02958a7e4b45a2379d
SHA512 f7899086ffdca6c1b77d31f24599f0f110dd88b6c53560c338de6faba712a59704cc25eff01d904867bb061cbd4387fb94cfbe57e33069c652099af5eff78b97

C:\Users\Admin\AppData\Local\Temp\7zSC98A21C7\d.jfm

MD5 87203ddb486a7e0f3593e31df95d65c2
SHA1 65333782e16cdbdee83876fe9d74180b48d39276
SHA256 e8a7cbe3d101b792975e6451c8b9279f5fce4a896d08a635b8f7c3c52e546e46
SHA512 cf212d3c92d3f20a17c870f377bb0d58d904adf3db956a11373e328e3582c8d86e1b754e2d17128f9b380667582aa0604670fc801191f909b7066a24ab986d44

memory/868-648-0x0000000000400000-0x0000000000759000-memory.dmp