Malware Analysis Report

2025-01-02 06:04

Sample ID 241128-hvaqjswjcj
Target ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118
SHA256 4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8
Tags
nullmixer vidar aspackv2 discovery dropper spyware stealer privateloader xmrig loader miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8

Threat Level: Known bad

The file ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nullmixer vidar aspackv2 discovery dropper spyware stealer privateloader xmrig loader miner

NullMixer

Xmrig family

xmrig

Nullmixer family

Privateloader family

PrivateLoader

Vidar family

Vidar

Vidar Stealer

XMRig Miner payload

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

ASPack v2.12-2.42

Executes dropped EXE

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Program crash

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-28 07:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 07:02

Reported

2024-11-28 07:05

Platform

win7-20241023-en

Max time kernel

21s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_7.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_2.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [DER certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_3.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1548 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1548 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1548 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1548 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1548 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1548 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe
PID 2984 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe
PID 2752 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_8.exe

jobiea_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_6.exe

jobiea_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_4.exe

jobiea_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_5.exe

jobiea_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_3.exe

jobiea_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_9.exe

jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_7.exe

jobiea_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_5.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_5.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_9.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_2.exe

jobiea_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe

jobiea_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732777384 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 424

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Network

Country Destination Domain Proto
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 music-sec.xyz udp
MD 176.123.2.239:80 176.123.2.239 tcp
N/A 127.0.0.1:49283 tcp
N/A 127.0.0.1:49285 tcp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 23.46.73.244:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 sanctam.net udp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.microsoft.com udp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 71f8873392df70981a5e02f4d33930dd
SHA1 66cacadd474eded6b3582389c96866d0dee8ff4b
SHA256 e17ed5dd93ee4943d5b6776705d3b149f8e426d0c1d44a57f467d31e55f47892
SHA512 e55eeedc6c114c85cb0ee13d8f11907504deeae731bcf6c4a204b394ba3e21c4a2c8ff47adb28eea979ee179050e4225f8ba57abbb2d2c361c561b89a6ca2db8

\Users\Admin\AppData\Local\Temp\7zS8AB9A696\setup_install.exe

MD5 1af4f66c85d7fc29a5ab35bedffc6c37
SHA1 bfcd91d0491ff96ab7846ff1eb7d75e66b3dd13c
SHA256 66cd5d1cd30870d048de14d482b3b69a728aaa6ff0e8b4b9e4f5b5f9c7c07291
SHA512 6e4703d0f1b89ce170ecaa7cec448ced3467e4bb52a0c69c89433410c77d05e9fd58d3e2e9367a7c4c591830df4011d2ab66808ca27788cf3b9a0bfcb63d1bf8

memory/2984-52-0x0000000002F00000-0x000000000301E000-memory.dmp

memory/2984-45-0x0000000002F00000-0x000000000301E000-memory.dmp

memory/2752-54-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS8AB9A696\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2752-63-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS8AB9A696\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2752-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2752-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2752-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2752-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2752-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8AB9A696\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2752-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2752-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_9.txt

MD5 5c2e28dedae0e088fc1f9b50d7d28c12
SHA1 f521d9d8ae7381e3953ae5cf33b4b1b37f67a193
SHA256 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f
SHA512 f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_8.txt

MD5 c85639691074f9d98ec530901c153d2b
SHA1 cac948e5b1f9d7417e7c5ead543fda1108f0e9ed
SHA256 55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4
SHA512 4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_7.txt

MD5 fdaa4ceadfc95047aa93dbd903669f25
SHA1 97549c52142d192383e8f2018141901a1a0ec112
SHA256 22af1522526444b485228e2021f039523e03003bd1ab68b6da275b69c96b018b
SHA512 598e77c39f5e443228a7f1926540ad3ffa6eaf8bb9b7f10be9e24fd49f96446511166f0750deebe708a7dbb2d8bb98adcdd330132a24fd932f75068f6524c696

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_6.txt

MD5 28e40b1adae683f70b178d025ea7bf64
SHA1 24851934bbb9a67c6d07e48503e6296c91fff502
SHA256 1cde227af526781ff9553ffef5d3eb52bc5e78240150d8bddd20644f4bf80af5
SHA512 f02b499b6e10411affba70caf96694f6297f6b754c00b6a179421f5aa21a21bb8f8863d87fea358a280979dfede22a06188abc695e5be4ed578bb60d73aada57

C:\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_5.txt

MD5 8cad9c4c58553ec0ca5fd50aec791b8a
SHA1 a2a4385cb2df58455764eb879b5d6aaf5e3585ac
SHA256 f092024f873461b61234b97fcb07c8589dcc9a801cf8a0a6e302dbd746bab294
SHA512 1eeac808dd992a7b99448d8a1c5470a2964b14705b4e987d9cb2e227a8142122faa17bf8a9acba6db4e80a42b50b58536e748a3231736b9b705d630f941159a3

\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_3.exe

MD5 8595f5515fac09b73ff463056cb07a15
SHA1 80f39da9a52cffb70edaa4d7de82f543ba4d417e
SHA256 8223619e305ec5063e9e2c1490fa25f6e924c317b08fd5eed938bb5de2e57de1
SHA512 26f0a15484a8780fedcea91f9d90ab4b81a91598fad4cad54f45fd18eccf73914215851909bf8acadeafc7b89c656c98ec988a46aa43e17a364b39b5d8ac477a

memory/1936-188-0x0000000000C50000-0x0000000000D3E000-memory.dmp

memory/1740-190-0x0000000000340000-0x0000000000378000-memory.dmp

memory/1852-189-0x00000000010C0000-0x00000000010C8000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_4.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_2.exe

MD5 44dc205a5701b53f391a3a750c2c4712
SHA1 14e82b1f6bb987d8f2783db2ab5f82dd9ab8eacc
SHA256 508c41442ba856a3266b3e58a31fe8c4b0ad7491e04dfead265daaa028efd768
SHA512 02890434c81867499e0911e8062797bf7fc184e05b6de2ab14ffa6f95c48f88e07250b4e5a7ff565bbf45d66d8d7cb5c1009b85085ee3a6bbdac218f356c5749

\Users\Admin\AppData\Local\Temp\7zS8AB9A696\jobiea_1.exe

MD5 3263859df4866bf393d46f06f331a08f
SHA1 5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA512 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

memory/1740-203-0x0000000000510000-0x0000000000516000-memory.dmp

memory/956-202-0x0000000000400000-0x0000000002C66000-memory.dmp

memory/1604-209-0x000000013F600000-0x000000013F610000-memory.dmp

memory/1740-212-0x00000000006B0000-0x00000000006D8000-memory.dmp

memory/2936-213-0x0000000000930000-0x0000000000A14000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

memory/1740-220-0x0000000000520000-0x0000000000526000-memory.dmp

memory/2752-85-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2352-225-0x0000000000520000-0x0000000000604000-memory.dmp

memory/2752-84-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2752-83-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2752-82-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2752-81-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2752-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2752-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2752-86-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2752-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2752-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD97F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD9A2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2752-269-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2752-273-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2752-272-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2752-271-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2752-270-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2752-268-0x0000000000400000-0x000000000051E000-memory.dmp

C:\ProgramData\softokn3.dll

MD5 a378c450e6ad9f1e0356ed46da190990
SHA1 d457a2c162391d2ea30ec2dc62c8fb3b973f6a66
SHA256 b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978
SHA512 e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5

memory/1252-299-0x0000000000400000-0x0000000002CC2000-memory.dmp

memory/2240-320-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2240-321-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2240-319-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/1252-322-0x0000000000400000-0x0000000002CC2000-memory.dmp

memory/1604-324-0x0000000000760000-0x000000000076E000-memory.dmp

C:\Users\Admin\AppData\Roaming\services64.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

memory/2676-328-0x000000013FE60000-0x000000013FE70000-memory.dmp

memory/1936-333-0x000000013F380000-0x000000013F386000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 b206d19b0f4c9c49040b26bbb2acd7a1
SHA1 541ec7a1039cf2be31d827c33686dc80848c6c29
SHA256 dc29bbd815c2598dd5ce2119fef4f8f57d452f1ea2e00a289eea0755938d9971
SHA512 2f828a9eb7613856522d94bbc26a40952a65bec4917f807f615b3ef3e504b2498c2a85e6b40555d3310104e386bfa889b3334a3904ec6524a7c4eabfa5cba00e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 07:02

Reported

2024-11-28 07:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1596 set thread context of 3764 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_3.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_2.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4692 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4692 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4488 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe
PID 4488 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe
PID 4488 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe
PID 2604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_8.exe
PID 1072 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_8.exe
PID 4672 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_5.exe
PID 4672 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_5.exe
PID 1516 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe
PID 1516 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe
PID 1516 wrote to memory of 1648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe
PID 4644 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_6.exe
PID 4644 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_6.exe
PID 1772 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_9.exe
PID 1772 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_9.exe
PID 3220 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_2.exe
PID 3220 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_2.exe
PID 3220 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_2.exe
PID 3812 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe
PID 3812 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe
PID 3812 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe
PID 3128 wrote to memory of 3864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_3.exe
PID 3128 wrote to memory of 3864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_3.exe
PID 3128 wrote to memory of 3864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_3.exe
PID 784 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe
PID 784 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe
PID 784 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe
PID 1648 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 1648 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 3488 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe
PID 3488 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe
PID 3488 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe
PID 1648 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1648 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1648 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\setup.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ab6a2896f6b05c4acb603916a2fd88ab_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_8.exe

jobiea_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_5.exe

jobiea_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe

jobiea_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_6.exe

jobiea_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_9.exe

jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_2.exe

jobiea_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe

jobiea_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_3.exe

jobiea_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe

jobiea_1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2604 -ip 2604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1832 -ip 1832

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 360

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732777383 0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 db-ip.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 15.5.26.104.in-addr.arpa udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 15.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
US 8.8.8.8:53 25.28.17.104.in-addr.arpa udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
N/A 127.0.0.1:50592 tcp
N/A 127.0.0.1:50594 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
NL 51.15.89.13:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 13.89.15.51.in-addr.arpa udp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
SG 37.0.11.9:80 tcp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
SG 37.0.11.9:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 71f8873392df70981a5e02f4d33930dd
SHA1 66cacadd474eded6b3582389c96866d0dee8ff4b
SHA256 e17ed5dd93ee4943d5b6776705d3b149f8e426d0c1d44a57f467d31e55f47892
SHA512 e55eeedc6c114c85cb0ee13d8f11907504deeae731bcf6c4a204b394ba3e21c4a2c8ff47adb28eea979ee179050e4225f8ba57abbb2d2c361c561b89a6ca2db8

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\setup_install.exe

MD5 1af4f66c85d7fc29a5ab35bedffc6c37
SHA1 bfcd91d0491ff96ab7846ff1eb7d75e66b3dd13c
SHA256 66cd5d1cd30870d048de14d482b3b69a728aaa6ff0e8b4b9e4f5b5f9c7c07291
SHA512 6e4703d0f1b89ce170ecaa7cec448ced3467e4bb52a0c69c89433410c77d05e9fd58d3e2e9367a7c4c591830df4011d2ab66808ca27788cf3b9a0bfcb63d1bf8

memory/2604-48-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_1.txt

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_9.txt

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_8.txt

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\jobiea_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS88120EE7\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-28 07:02

Reported

2024-11-28 07:05

Platform

win7-20240708-en

Max time kernel

57s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_3.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_7.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_7.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_3.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe
PID 2968 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe
PID 2968 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe
PID 2968 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe
PID 2968 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe
PID 2968 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe
PID 2968 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe

jobiea_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_3.exe

jobiea_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_7.exe

jobiea_7.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_5.exe

jobiea_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_9.exe

jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_8.exe

jobiea_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_5.exe

"C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_5.exe"

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_9.exe"

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_2.exe

jobiea_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_4.exe

jobiea_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_6.exe

jobiea_6.exe

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732777383 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 424

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\Temp\7zS89B0EF96\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\libcurlpp.dll

\Users\Admin\AppData\Local\Temp\7zS89B0EF96\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2052-49-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2052-88-0x0000000000C90000-0x0000000000DAE000-memory.dmp

memory/2052-87-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2052-73-0x0000000000400000-0x000000000051E000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_3.exe

MD5 8595f5515fac09b73ff463056cb07a15
SHA1 80f39da9a52cffb70edaa4d7de82f543ba4d417e
SHA256 8223619e305ec5063e9e2c1490fa25f6e924c317b08fd5eed938bb5de2e57de1
SHA512 26f0a15484a8780fedcea91f9d90ab4b81a91598fad4cad54f45fd18eccf73914215851909bf8acadeafc7b89c656c98ec988a46aa43e17a364b39b5d8ac477a

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_1.exe

MD5 3263859df4866bf393d46f06f331a08f
SHA1 5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA512 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_5.exe

MD5 8cad9c4c58553ec0ca5fd50aec791b8a
SHA1 a2a4385cb2df58455764eb879b5d6aaf5e3585ac
SHA256 f092024f873461b61234b97fcb07c8589dcc9a801cf8a0a6e302dbd746bab294
SHA512 1eeac808dd992a7b99448d8a1c5470a2964b14705b4e987d9cb2e227a8142122faa17bf8a9acba6db4e80a42b50b58536e748a3231736b9b705d630f941159a3

\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_2.exe

MD5 44dc205a5701b53f391a3a750c2c4712
SHA1 14e82b1f6bb987d8f2783db2ab5f82dd9ab8eacc
SHA256 508c41442ba856a3266b3e58a31fe8c4b0ad7491e04dfead265daaa028efd768
SHA512 02890434c81867499e0911e8062797bf7fc184e05b6de2ab14ffa6f95c48f88e07250b4e5a7ff565bbf45d66d8d7cb5c1009b85085ee3a6bbdac218f356c5749

memory/2996-173-0x0000000000400000-0x0000000002C66000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_4.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_6.exe

MD5 28e40b1adae683f70b178d025ea7bf64
SHA1 24851934bbb9a67c6d07e48503e6296c91fff502
SHA256 1cde227af526781ff9553ffef5d3eb52bc5e78240150d8bddd20644f4bf80af5
SHA512 f02b499b6e10411affba70caf96694f6297f6b754c00b6a179421f5aa21a21bb8f8863d87fea358a280979dfede22a06188abc695e5be4ed578bb60d73aada57

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_9.exe

MD5 5c2e28dedae0e088fc1f9b50d7d28c12
SHA1 f521d9d8ae7381e3953ae5cf33b4b1b37f67a193
SHA256 2261a3d740572f9d0ee42faad5b0d405df16506e104bd912e7c7b24d7fddcc5f
SHA512 f6f100508acb77af5b3442673c9d01a6a16cc39521b618eebccd482bf9f50b3991109f82b97e48e8c3cc0221f0be9e164867ba79ac2f2bc4e25cbdb5f7daa15f

\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_7.exe

MD5 fdaa4ceadfc95047aa93dbd903669f25
SHA1 97549c52142d192383e8f2018141901a1a0ec112
SHA256 22af1522526444b485228e2021f039523e03003bd1ab68b6da275b69c96b018b
SHA512 598e77c39f5e443228a7f1926540ad3ffa6eaf8bb9b7f10be9e24fd49f96446511166f0750deebe708a7dbb2d8bb98adcdd330132a24fd932f75068f6524c696

memory/584-198-0x0000000001300000-0x0000000001338000-memory.dmp

memory/1824-197-0x0000000000100000-0x0000000000108000-memory.dmp

memory/2420-199-0x0000000000960000-0x0000000000A4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\jobiea_8.txt

MD5 c85639691074f9d98ec530901c153d2b
SHA1 cac948e5b1f9d7417e7c5ead543fda1108f0e9ed
SHA256 55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4
SHA512 4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d

memory/2052-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-69-0x0000000000400000-0x000000000051E000-memory.dmp

memory/584-200-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2052-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\chrome2.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

memory/656-207-0x000000013FF50000-0x000000013FF60000-memory.dmp

memory/584-211-0x0000000000410000-0x0000000000416000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

memory/2292-213-0x0000000001EA0000-0x0000000001F84000-memory.dmp

memory/584-206-0x00000000003E0000-0x0000000000408000-memory.dmp

memory/2124-224-0x0000000000240000-0x0000000000324000-memory.dmp

memory/2052-74-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2052-72-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2052-71-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2052-70-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2052-86-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2052-85-0x0000000000C90000-0x0000000000DAE000-memory.dmp

memory/2052-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2052-67-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2052-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2052-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2052-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS89B0EF96\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\CabD3D5.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD3F7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2052-283-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2052-287-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2052-295-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2052-294-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2052-293-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2688-292-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2052-291-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2688-290-0x00000000001D0000-0x00000000002D0000-memory.dmp

memory/2688-289-0x00000000001D0000-0x00000000002D0000-memory.dmp

C:\ProgramData\softokn3.dll

MD5 a378c450e6ad9f1e0356ed46da190990
SHA1 d457a2c162391d2ea30ec2dc62c8fb3b973f6a66
SHA256 b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978
SHA512 e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5

memory/2584-302-0x0000000000400000-0x0000000002CC2000-memory.dmp

memory/2584-322-0x0000000000400000-0x0000000002CC2000-memory.dmp

memory/656-324-0x0000000000650000-0x000000000065E000-memory.dmp

memory/2452-328-0x000000013F3F0000-0x000000013F400000-memory.dmp

memory/1248-332-0x000000013F440000-0x000000013F446000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f92c1b3ada8513d446320345230ae7ec
SHA1 ed2babfc43b44b62b1562bce89ad7a7b12ff607c
SHA256 7c7e617423aa6137faa4af8179e0017bf661300841fe409bb42ef1842f2f5a6b
SHA512 58aef73977e37e0cb0154f22915f455b7c14ae193e4f00faad2be01715ac6e39db90d76fbb5f73f2b81626ab234e26e4259533c2b23e6cda3d9e7dacc189b665

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-28 07:02

Reported

2024-11-28 07:05

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

Vidar

stealer vidar

Vidar family

vidar

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_3.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_6.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe
PID 2228 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe
PID 2228 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe
PID 984 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_2.exe
PID 4988 wrote to memory of 344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_2.exe
PID 4988 wrote to memory of 344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_2.exe
PID 4452 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe
PID 4452 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe
PID 4452 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe
PID 232 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe
PID 232 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe
PID 232 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe
PID 1008 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_3.exe
PID 1008 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_3.exe
PID 1008 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_3.exe
PID 444 wrote to memory of 3308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_6.exe
PID 444 wrote to memory of 3308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_6.exe
PID 2652 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_8.exe
PID 2652 wrote to memory of 4940 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_8.exe
PID 2388 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_5.exe
PID 2388 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_5.exe
PID 4728 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_9.exe
PID 4728 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_9.exe
PID 4248 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_7.exe
PID 4248 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_7.exe
PID 4248 wrote to memory of 3796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_7.exe
PID 4868 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe
PID 4868 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe
PID 4868 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe
PID 220 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 220 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 220 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 220 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 220 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 3376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\winnetdriv.exe
PID 3376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\winnetdriv.exe
PID 3376 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Windows\winnetdriv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_2.exe

jobiea_2.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_4.exe

jobiea_4.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe

jobiea_1.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_3.exe

jobiea_3.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_6.exe

jobiea_6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_8.exe

jobiea_8.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_5.exe

jobiea_5.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_9.exe

jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_7.exe

jobiea_7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 984 -ip 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 556

C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4B88CBB7\jobiea_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 344 -ip 344

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732777384 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 360

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3636 -ip 3636

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1652

C:\Windows\system32\sihost.exe

sihost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 34.117.59.81:443 ipinfo.io tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 15.5.26.104.in-addr.arpa udp
N/A 127.0.0.1:52276 tcp
N/A 127.0.0.1:52278 tcp
US 104.26.5.15:443 api.db-ip.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 iplogger.org udp
GB 37.0.8.235:80 tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 25.27.17.104.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.22:443 prophefliloc.tumblr.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
MD 176.123.2.239:80 176.123.2.239 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 239.2.123.176.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
MD 176.123.2.239:80 176.123.2.239 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 s.lletlee.com udp

Files
