Malware Analysis Report

2025-01-02 05:58

Sample ID 241129-n3a9yaymgq
Target b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118
SHA256 55b8c3a1997416f5c6c04663ef6f6bd2e1712ba24162f330ee31b3ec1c6864e9
Tags
ffdroider nullmixer privateloader vidar aspackv2 discovery dropper loader spyware stealer vmprotect evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

55b8c3a1997416f5c6c04663ef6f6bd2e1712ba24162f330ee31b3ec1c6864e9

Threat Level: Known bad

The file b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ffdroider nullmixer privateloader vidar aspackv2 discovery dropper loader spyware stealer vmprotect evasion trojan

FFDroider

Vidar

FFDroider payload

Privateloader family

PrivateLoader

Vidar family

Nullmixer family

Ffdroider family

NullMixer

Vidar Stealer

ASPack v2.12-2.42

VMProtect packed file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-29 11:54

Signatures

Unsigned PE

2 matches (no indicator detail recorded)

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-29 11:54

Reported

2024-11-29 11:57

Platform

win7-20240903-en

Max time kernel

135s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

2 matches (no indicator detail recorded)

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
1 match (no indicator detail recorded)

ASPack v2.12-2.42

aspackv2
3 matches (no indicator detail recorded)

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe N/A 8
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 6
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\c98f61652.exe N/A 2
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\01a389215e4.exe N/A 2
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\1a693a205739887.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\efd22e6e99d7ee86.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\9e27a03aab64665.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\1a693a205739887.exe N/A 3
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A 11

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
5 matches (no indicator detail recorded)

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\efd22e6e99d7ee86.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 8
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\01a389215e4.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\1a693a205739887.exe N/A 2
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\9e27a03aab64665.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\c98f61652.exe N/A 1

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\9e27a03aab64665.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob not preserved in this copy of the report) C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\9e27a03aab64665.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob not preserved in this copy of the report) C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\9e27a03aab64665.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\6eee9f336da6fcf1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\626c1e3ded0b288.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2976 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe 7
PID 1808 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2652 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\c98f61652.exe 1
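The rows above are easier to read as a process tree. The script below is an added example (not part of the sandbox report and not the vendor's tooling): it parses "PID X wrote to memory of Y" rows into writer-to-target edges, counts the repeated events per pair, renders the tree, and applies one cheap injection heuristic. The sample rows are copied from this run, with the number of repeated rows carried as a trailing count (the example's own convention; rows in the raw form without a count parse too). Two points the tree makes visible: every written-to PID in this run is the child its writer spawned (setup_installer.exe 2976 into setup_install.exe 1808, 1808 into eight cmd.exe instances, cmd.exe 2652 into c98f61652.exe), which is what ordinary process creation looks like in this sandbox rather than injection into an already running process; and the fan-out of eight cmd.exe children from 1808 matches the Processes list, where each cmd.exe runs one dropped payload via "cmd.exe /c <name>.exe". A target written to by more than one distinct process would be the shape worth escalating; multi_writer_targets() checks for that and is empty here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the "wrote to memory of" rows of the behavioral3 run,
# one line per distinct writer->target pair, trailing number = repeated rows.
SAMPLE_ROWS = r"""
PID 2976 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe 7
PID 1808 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 1808 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe C:\Windows\SysWOW64\cmd.exe 7
PID 2652 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\c98f61652.exe
""".strip().splitlines()

# writer pid, target pid, indicator column, writer image, target image, optional count
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)(?: (\d+))?$")


def parse_rows(rows):
    """Return (edge_counts, images): edge_counts maps (writer, target) to the
    number of write events, images maps pid -> image path."""
    edge_counts, images = Counter(), {}
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or blank line
        src, dst = int(m.group(1)), int(m.group(2))
        edge_counts[(src, dst)] += int(m.group(5) or 1)
        images[src], images[dst] = m.group(3), m.group(4)
    return edge_counts, images


def build_tree(edge_counts):
    """Roots are writers that nobody wrote into."""
    children = defaultdict(set)
    for src, dst in edge_counts:
        children[src].add(dst)
    written = {dst for _, dst in edge_counts}
    roots = sorted(p for p in children if p not in written)
    return roots, children


def image_name(path):
    return path.rsplit("\\", 1)[-1]


def render_tree(edge_counts, images):
    roots, children = build_tree(edge_counts)
    out = []

    def walk(pid, depth, writes):
        tag = f"  [{writes} writes from parent]" if writes else ""
        out.append("  " * depth + f"{pid} {image_name(images.get(pid, '?'))}{tag}")
        for child in sorted(children.get(pid, ())):
            walk(child, depth + 1, edge_counts[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return "\n".join(out)


def fan_out(edge_counts):
    """Distinct targets per writer; the dropper stage shows up as the largest."""
    return Counter(src for src, _ in edge_counts)


def multi_writer_targets(edge_counts):
    """PIDs written into by more than one distinct process. A child is written
    by the parent that creates it; a second writer is the classic injection shape."""
    writers = defaultdict(set)
    for src, dst in edge_counts:
        writers[dst].add(src)
    return sorted(dst for dst, srcs in writers.items() if len(srcs) > 1)


if __name__ == "__main__":
    edges, imgs = parse_rows(SAMPLE_ROWS)
    print(render_tree(edges, imgs))
    print("fan-out:", dict(fan_out(edges)))
    print("multi-writer targets:", multi_writer_targets(edges))
```

The same parser works on the behavioral4 run or on any other report in this format; feed it the raw rows of that run's WriteProcessMemory table.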

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c98f61652.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 01a389215e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME33.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1a693a205739887.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\c98f61652.exe

c98f61652.exe

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\6eee9f336da6fcf1.exe

6eee9f336da6fcf1.exe

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\1a693a205739887.exe

1a693a205739887.exe

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\01a389215e4.exe

01a389215e4.exe

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\626c1e3ded0b288.exe

626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\efd22e6e99d7ee86.exe

efd22e6e99d7ee86.exe

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\9e27a03aab64665.exe

9e27a03aab64665.exe

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\1a693a205739887.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\1a693a205739887.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 940

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 watira.xyz udp 1
US 8.8.8.8:53 ipinfo.io udp 1
US 8.8.8.8:53 live.goatgame.live udp 1
US 34.117.59.81:443 ipinfo.io tcp 2
RU 186.2.171.3:80 186.2.171.3 tcp 1
US 8.8.8.8:53 db-ip.com udp 1
US 172.67.75.166:443 db-ip.com tcp 1
RU 186.2.171.3:443 186.2.171.3 tcp 1
US 8.8.8.8:53 api.db-ip.com udp 1
US 104.26.5.15:443 api.db-ip.com tcp 1
US 8.8.8.8:53 www.maxmind.com udp 1
US 104.17.27.25:80 www.maxmind.com tcp 1
GB 37.0.8.235:80 N/A tcp 1
N/A 127.0.0.1:49260 N/A tcp 1
N/A 127.0.0.1:49262 N/A tcp 1
US 8.8.8.8:53 music-sec.xyz udp 1
US 8.8.8.8:53 cdn.discordapp.com udp 1
US 162.159.133.233:443 cdn.discordapp.com tcp 1
US 8.8.8.8:53 lenak513.tumblr.com udp 1
US 74.114.154.18:443 lenak513.tumblr.com tcp 1
US 8.8.8.8:53 iplogger.org udp 1
US 104.26.3.46:443 iplogger.org tcp 2
SG 37.0.11.8:80 N/A tcp 1
US 8.8.8.8:53 crl.microsoft.com udp 1
GB 2.19.117.22:80 crl.microsoft.com tcp 1
US 8.8.8.8:53 www.microsoft.com udp 1
GB 95.100.245.144:80 www.microsoft.com tcp 1
US 8.8.8.8:53 wfsdragon.ru udp 1
US 104.21.5.208:80 wfsdragon.ru tcp 1
SG 37.0.10.236:80 N/A tcp 5
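Triage of the Network table, as an added example (not part of the report and not the sandbox vendor's code). The script sorts the rows into the groups an analyst actually acts on: names that were resolved but never connected to (watira.xyz, live.goatgame.live, music-sec.xyz, which in a finished run usually means the name no longer resolves, but which remain good hunting indicators), connections made straight to an IP address with no DNS name (186.2.171.3 on 80 and 443, and the 37.0.x.x hosts, including five connections to 37.0.10.236:80), external IP or geolocation lookups, legitimate services used for hosting, and the CRL and root-store traffic Windows generates on its own. The report itself flags only ipinfo.io, api.db-ip.com and iplogger.org; grouping db-ip.com and www.maxmind.com as geolocation lookups and cdn.discordapp.com and *.tumblr.com as abused hosting is this example's assumption and should be tuned to your own lists. The sample rows are the table above copied verbatim; the parser also accepts the condensed form with an N/A domain and a trailing count.

```python
import ipaddress
from collections import Counter

# Constructed sample: the behavioral3 Network table, row for row. A row with
# no Domain column is a connection straight to an IP with no DNS lookup seen.
NETWORK_ROWS = """
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.5.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
N/A 127.0.0.1:49260 tcp
N/A 127.0.0.1:49262 tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
US 104.26.3.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
""".strip().splitlines()

# The report flags ipinfo.io, api.db-ip.com and iplogger.org. The other entries
# are this example's assumptions (geolocation services, commonly abused hosting).
IP_LOOKUP_SERVICES = {"ipinfo.io", "db-ip.com", "api.db-ip.com", "www.maxmind.com"}
ABUSED_HOSTING = {"iplogger.org", "cdn.discordapp.com", "tumblr.com"}
# Windows itself fetches CRLs and root-store updates from these.
EXPECTED_WINDOWS_NOISE = {"crl.microsoft.com", "www.microsoft.com"}


def parse_row(line):
    """Accepts 'CC ip:port [domain] proto [count]'; returns None for headers."""
    parts = line.split()
    try:
        i = next(k for k, p in enumerate(parts) if p in ("tcp", "udp"))
    except StopIteration:
        return None
    domain = parts[2] if i == 3 else None
    if domain in ("N/A", "-"):
        domain = None
    count = int(parts[i + 1]) if len(parts) > i + 1 and parts[i + 1].isdigit() else 1
    host, port = parts[1].rsplit(":", 1)
    return {"cc": parts[0], "ip": host, "port": int(port), "domain": domain,
            "proto": parts[i], "count": count}


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _matches(domain, names):
    return any(domain == n or domain.endswith("." + n) for n in names)


def triage_network(rows):
    queried, connected, direct_ip = set(), set(), Counter()
    buckets = {"ip_lookup": set(), "abused_hosting": set(), "windows_noise": set(), "other": set()}
    for line in rows:
        r = parse_row(line)
        if r is None or r["ip"].startswith("127."):
            continue  # header, or sandbox-local loopback traffic
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"]:
                queried.add(r["domain"])
            continue
        d = r["domain"]
        if d is None or _is_ip(d):
            direct_ip[f"{r['ip']}:{r['port']}"] += r["count"]  # hard-coded server, no DNS
            continue
        connected.add(d)
        if _matches(d, IP_LOOKUP_SERVICES):
            buckets["ip_lookup"].add(d)
        elif _matches(d, ABUSED_HOSTING):
            buckets["abused_hosting"].add(d)
        elif _matches(d, EXPECTED_WINDOWS_NOISE):
            buckets["windows_noise"].add(d)
        else:
            buckets["other"].add(d)
    result = {k: sorted(v) for k, v in buckets.items()}
    result["dns_only"] = sorted(queried - connected)  # resolved, never contacted
    result["direct_ip"] = dict(direct_ip)
    return result


def hunting_indicators(res):
    """What to search proxy/DNS logs for: everything the sample reached or tried
    to reach that is not a shared public service."""
    hosts = sorted({k.rsplit(":", 1)[0] for k in res["direct_ip"]})
    return res["dns_only"] + res["other"] + hosts


if __name__ == "__main__":
    res = triage_network(NETWORK_ROWS)
    for key, value in res.items():
        print(f"{key}: {value}")
    print("hunt for:", hunting_indicators(res))
```

The shared services (ipinfo.io, the Discord CDN, tumblr.com, iplogger.org) are deliberately kept out of hunting_indicators(): blocking or alerting on them catches a lot of legitimate traffic, whereas the direct-to-IP hosts and the resolved-but-unreached names are specific to this campaign.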

Files

\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\setup_install.exe

MD5 b11a656f94670d490972f233b5f73cc0
SHA1 5b84f9bac9a1fe59b2e27eae58912f8364654025
SHA256 5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a
SHA512 1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/1808-32-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1808-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1808-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1808-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1808-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1808-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1808-46-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1808-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1808-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1808-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1808-39-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1808-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\c98f61652.exe

MD5 3d82323e7a84a2692208024901cd2857
SHA1 9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c
SHA256 38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4
SHA512 8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\626c1e3ded0b288.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\9e27a03aab64665.exe

MD5 80a85c4bf6c8500431c195eecb769363
SHA1 72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb
SHA256 ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6
SHA512 f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2

memory/2624-106-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2724-97-0x0000000000400000-0x0000000002C6C000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\1a693a205739887.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/2568-112-0x0000000001060000-0x0000000001092000-memory.dmp

memory/2572-111-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

memory/2624-101-0x0000000000D30000-0x0000000001089000-memory.dmp

memory/2828-100-0x0000000002860000-0x0000000002BB9000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\efd22e6e99d7ee86.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\01a389215e4.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96\6eee9f336da6fcf1.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

memory/2828-85-0x0000000002860000-0x0000000002BB9000-memory.dmp

memory/2624-113-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2568-116-0x00000000002C0000-0x00000000002C6000-memory.dmp

memory/2568-117-0x0000000000460000-0x0000000000482000-memory.dmp

memory/2568-118-0x0000000000480000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBCEB.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2624-135-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6259994a5e70d6435f0b6ede8edf3cf
SHA1 46228c0fabf563dc3b3a8b207b8c868d9fd18919
SHA256 f7defecf5d7b4ce2909648aaa0e6627b2ece62588f2a631a8c69d0e08c26c1f2
SHA512 a6ebdb3a81a21f4d9f66440239b93adad8fe3f568a890b0cb859dd2d33a423a095eea5b54ff5ab73f8ff748909c6747789ed2ba8fa6d91bc1ad173920629e005

C:\Users\Admin\AppData\Local\Temp\TarC8BC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1808-195-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1808-200-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1808-194-0x0000000000400000-0x00000000008E1000-memory.dmp

memory/1808-202-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1808-201-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1808-198-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2452-205-0x0000000000400000-0x0000000002CC8000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-29 11:54

Reported

2024-11-29 11:57

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

2 matches (no indicator detail recorded)

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

ASPack v2.12-2.42

aspackv2
3 matches (no indicator detail recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
4 matches (no indicator detail recorded)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
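The registry rows in both runs (the AuthRoot certificate write by 9e27a03aab64665.exe in behavioral3, and the Geo\Nation, EnableLUA and NLS\Language reads here) are the events worth turning into detection logic. The script below is an added example, not part of the report or the sandbox vendor's code: it classifies sandbox-style (operation, key, process) events, extracts the SHA-1 thumbprint from a SystemCertificates\...\Certificates\<thumbprint> path, and reports a certificate install as a finding unless the thumbprint is in a trusted baseline. Two caveats that matter when moving this to an endpoint. First, Sysmon records the key creation and the Blob write (Event ID 12 and 13, TargetObject written as HKLM\... rather than \REGISTRY\MACHINE\...) but does not record registry reads, so the UAC, geolocation and language queries are only visible in sandbox hooks or kernel registry ETW; the classifier below handles both path styles. Second, AuthRoot is also the store Windows' automatic root update writes into, in the context of whatever process triggered it, and this run shows crl.microsoft.com and www.microsoft.com traffic plus a CryptnetUrlCache entry under the Files section. The writing process being the sample does not by itself prove a rogue root was installed; compare the thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349 against Microsoft's trusted root list (the trusted_thumbprints argument) before escalating. The sample events are constructed from the rows on this page.

```python
import re
from collections import Counter

# Constructed sample from the registry rows of the two runs above:
# (operation, key path, process). Sandbox hook output, not Sysmon.
T3 = r"C:\Users\Admin\AppData\Local\Temp\7zS0ABA0E96"
T4 = r"C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7"
AUTHROOT_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot"
                r"\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349")
REGISTRY_EVENTS = [
    ("Key created", AUTHROOT_KEY, T3 + r"\9e27a03aab64665.exe"),
    ("Set value (data)", AUTHROOT_KEY + r"\Blob", T3 + r"\9e27a03aab64665.exe"),
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation",
     r"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     T4 + r"\efd22e6e99d7ee86.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     r"C:\Windows\SysWOW64\cmd.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
     T4 + r"\1a693a205739887.exe"),
]

# Windows names each certificate key by its SHA-1 thumbprint (40 hex digits).
# search() rather than match(): works for \REGISTRY\MACHINE\... and HKLM\... alike.
CERT_STORE_RE = re.compile(
    r"\\SystemCertificates\\(AuthRoot|ROOT|CA|Disallowed)\\Certificates\\([0-9A-Fa-f]{40})(\\Blob)?$")
RULES = {
    "uac-status-check": re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
    "geo-nation-check": re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    "system-language-check": re.compile(r"\\Control\\NLS\\Language$", re.I),
}


def image_name(path):
    return path.rsplit("\\", 1)[-1]


def classify(events, trusted_thumbprints=frozenset()):
    """Return cert installs keyed by thumbprint, per-rule process counters,
    and (severity, message) findings for certificates outside the baseline."""
    cert_installs = {}
    checks = {name: Counter() for name in RULES}
    for op, key, proc in events:
        m = CERT_STORE_RE.search(key)
        if m and op.lower().startswith(("key created", "set value")):
            store, thumb = m.group(1), m.group(2).upper()
            entry = cert_installs.setdefault(
                thumb, {"store": store, "writer": image_name(proc), "ops": set()})
            entry["ops"].add(op)
            continue
        for name, rx in RULES.items():
            if rx.search(key):
                checks[name][image_name(proc)] += 1
    findings = []
    for thumb, e in cert_installs.items():
        if thumb in trusted_thumbprints:
            continue  # a root Windows distributes anyway; likely the automatic root update
        sev = "high" if e["store"] in ("ROOT", "AuthRoot") else "medium"
        findings.append((sev, f"{e['writer']} wrote certificate {thumb} into the "
                              f"{e['store']} store ({', '.join(sorted(e['ops']))})"))
    return {"cert_installs": cert_installs, "checks": checks, "findings": findings}


if __name__ == "__main__":
    result = classify(REGISTRY_EVENTS)
    for sev, msg in result["findings"]:
        print(f"[{sev}] {msg}")
    for rule, procs in result["checks"].items():
        print(rule, dict(procs))
```

The three read-side rules are discovery behaviour, not proof of malice on their own (installers legitimately read the UI language and region), so they are counted per process rather than raised as findings; they become interesting in combination with the certificate write, the external IP lookups and the dropped executables recorded elsewhere in this report.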

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe 1
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe 1
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe 16

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\01a389215e4.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\6eee9f336da6fcf1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\626c1e3ded0b288.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
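
The signature tables above list one row per event, grouped by signature, so the question an analyst actually asks of this report, which of the dropped executables did what, has to be answered by pivoting the rows on the process column. The Python below is an added example, not part of the sandbox report or its vendor's tooling: it parses rows in this report's layout (heading line, optional tag line, the "Description Indicator Process Target" header, then rows) and builds a per-process capability matrix plus the list of privileges each payload asked for. It assumes paths contain no spaces (true for the C:\Users\Admin paths here) and attributes a Program crash row to the crashed target rather than to WerFault.exe. The embedded input is a constructed subset of the rows above.

```python
from collections import Counter, defaultdict

COLUMN_HEADER = "Description Indicator Process Target"

# Constructed sample: a subset of this report's signature tables, in the report's own layout.
SIGNATURE_TEXT = r"""
Checks whether UAC is enabled

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\6eee9f336da6fcf1.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe N/A
"""


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_signatures(text):
    """Return (signature, description, indicator, process, target) tuples, one per row.

    Heading lines carry no 'N/A' token; every data row does. A lower-case one-word line
    ('discovery') is a tag line. Assumption: paths contain no spaces, so the last two
    space-separated tokens are always process and target.
    """
    rows, sig = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == COLUMN_HEADER:
            continue
        if "N/A" not in line:
            if line.islower() and " " not in line:
                continue
            sig = line
            continue
        *desc, proc, target = line.split(" ")
        rows.append((sig, " ".join(desc[:-1]), desc[-1], proc, target))
    return rows


def capability_matrix(rows):
    """Process basename -> {signature: hit count}. A crash is attributed to the crashed
    image (the target), not to WerFault.exe; rows with no process land under '<no process>'."""
    matrix = defaultdict(Counter)
    for sig, _desc, _ind, proc, target in rows:
        subject = target if proc.endswith("WerFault.exe") and target != "N/A" else proc
        matrix[basename(subject) if subject != "N/A" else "<no process>"][sig] += 1
    return {name: dict(c) for name, c in matrix.items()}


def privileges_requested(rows):
    """Process basename -> sorted privilege names pulled from 'Token: <priv>' descriptions."""
    privs = defaultdict(set)
    for _sig, desc, _ind, proc, _target in rows:
        if desc.startswith("Token: "):
            privs[basename(proc)].add(desc[len("Token: "):])
    return {name: sorted(p) for name, p in privs.items()}


if __name__ == "__main__":
    rows = parse_signatures(SIGNATURE_TEXT)
    for name, sigs in sorted(capability_matrix(rows).items()):
        print(name)
        for sig, n in sorted(sigs.items()):
            print(f"    {n:>3}  {sig}")
    print(privileges_requested(rows))
```

On the full tables this pivot shows, for instance, that the SCSI enumeration and language check come from c98f61652.exe while the EnableLUA query and the repeated SeManageVolumePrivilege requests come from efd22e6e99d7ee86.exe, which is the split an analyst needs before deciding which dropped file to reverse first.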

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe
PID 3356 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe
PID 3356 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe
PID 3124 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 3352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\6eee9f336da6fcf1.exe
PID 1920 wrote to memory of 3352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\6eee9f336da6fcf1.exe
PID 4264 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe
PID 4264 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe
PID 4264 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe
PID 1576 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\626c1e3ded0b288.exe
PID 1576 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\626c1e3ded0b288.exe
PID 2664 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe
PID 2664 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe
PID 2664 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe
PID 2008 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe
PID 2008 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe
PID 2008 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe
PID 2852 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe
PID 2852 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe
PID 2852 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe
PID 3208 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\01a389215e4.exe
PID 3208 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\01a389215e4.exe
PID 3208 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\01a389215e4.exe
PID 544 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe
PID 544 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe
PID 544 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c98f61652.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 01a389215e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME33.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1a693a205739887.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\6eee9f336da6fcf1.exe

6eee9f336da6fcf1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe

c98f61652.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\626c1e3ded0b288.exe

626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe

1a693a205739887.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe

9e27a03aab64665.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe

efd22e6e99d7ee86.exe

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\01a389215e4.exe

01a389215e4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3124 -ip 3124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4972 -ip 4972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 356

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2456 -ip 2456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1028
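
The WriteProcessMemory rows above carry the only PIDs in this report, and the Processes list shows the WerFault.exe command lines but not which image each -p PID belongs to. Joining the two gives the process tree and tells you which payload crashed how often. The Python below is an added example and not code from the report or its vendor: it rebuilds parent/child edges from the "PID X wrote to memory of Y" rows (deduplicating the repeated rows), renders the tree, flags the installer's launcher pattern (setup_install.exe -> cmd.exe /c <dropped exe>), lists processes that re-spawn their own image (1a693a205739887.exe with -a), and counts crashes per image from the WerFault command lines. It assumes WerFault is started twice per crash (a -pss snapshot run and a -u report run) and therefore counts only the -u lines; the embedded rows are a constructed subset of the ones above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory" rows from this
# report, as they appear (duplicates kept on purpose; the report repeats them).
WPM_ROWS = r"""
PID 3356 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe
PID 3356 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe
PID 3124 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3124 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4264 wrote to memory of 4972 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe
PID 2008 wrote to memory of 2456 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe
PID 2664 wrote to memory of 544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe
PID 544 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe
"""

# Constructed sample: a subset of the WerFault.exe command lines from the Processes list.
WERFAULT_CMDLINES = r"""
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3124 -ip 3124
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 548
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 356
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2456 -ip 2456
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 824
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2456 -ip 2456
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 832
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Assumption: one crash = one "-pss" run plus one "-u" run of WerFault; count the "-u" line only.
WER_RE = re.compile(r"WerFault\.exe -u -p (\d+) ")
TEMP_MARK = "\\appdata\\local\\temp\\"


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_wpm(rows):
    """Return (pid -> image path, (parent_pid, child_pid) -> number of write rows)."""
    images, edges = {}, Counter()
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            continue
        ppid, cpid, pimg, cimg = m.groups()
        images[int(ppid)], images[int(cpid)] = pimg, cimg
        edges[(int(ppid), int(cpid))] += 1
    return images, edges


def children_of(edges):
    children = defaultdict(list)
    for p, c in edges:
        children[p].append(c)
    return children


def launcher_chains(images, edges):
    """parent -> cmd.exe -> executable under %TEMP%: the installer's per-payload launcher hop."""
    children, chains = children_of(edges), []
    for p, c in edges:
        if basename(images[c]).lower() != "cmd.exe":
            continue
        for g in children[c]:
            if TEMP_MARK in images[g].lower():
                chains.append((basename(images[p]), "cmd.exe", basename(images[g])))
    return sorted(chains)


def self_spawns(images, edges):
    """Images that write into a fresh instance of themselves (here: 1a693a205739887.exe -a)."""
    return sorted(basename(images[p]) for p, c in edges if images[p] == images[c])


def crashes_by_image(cmdlines, images):
    """Crash count per image, resolving WerFault's -p PID through the write-edge PID map."""
    counts = Counter()
    for line in cmdlines.strip().splitlines():
        m = WER_RE.search(line)
        if m:
            pid = int(m.group(1))
            counts[basename(images.get(pid, f"pid:{pid}"))] += 1
    return dict(counts)


def render_tree(images, edges, root):
    """Indented process tree rooted at the given PID, built only from the write edges."""
    children, lines = children_of(edges), []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(images[pid])}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    images, edges = parse_wpm(WPM_ROWS)
    print(render_tree(images, edges, 3356))
    print("launcher chains:", launcher_chains(images, edges))
    print("self-spawn:", self_spawns(images, edges))
    print("crashes:", crashes_by_image(WERFAULT_CMDLINES, images))
```

Run against the full tables, the crash counter reproduces the Program crash signature above: one crash each for setup_install.exe (PID 3124) and c98f61652.exe (PID 4972), and 16 for 9e27a03aab64665.exe (PID 2456), which is worth knowing before spending time on that payload, since it never ran cleanly in this environment.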

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 cdn.discordapp.com udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 db-ip.com udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.4.15:443 db-ip.com tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 15.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 25.27.17.104.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
N/A 127.0.0.1:52914 tcp
N/A 127.0.0.1:52923 tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
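
The Network table mixes four different kinds of row: DNS questions to the sandbox resolver (8.8.8.8:53), the resolver's own reverse lookups (*.in-addr.arpa), loopback traffic, and the TCP connections the sample actually made, some of them straight to an IP with no name. Turning it into indicators means separating those, and then treating the results differently: the geolocation services and the abused legitimate hosts (cdn.discordapp.com, iplogger.org, tumblr.com) are flagged by the report itself and should not go on a domain blocklist, whereas a name that was resolved but never connected to is a weaker indicator than a direct-to-IP connection. The Python below is an added example, not code from the report or its vendor; the service lists are assumptions taken from the names on this page, and the embedded rows are a constructed subset of the table above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of this report's Network rows in the report's layout
# (country, destination ip:port, resolved name if any, protocol). Some rows have no name.
NETWORK_ROWS = """
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 cdn.discordapp.com udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
N/A 127.0.0.1:52914 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
"""

ROW_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (?:(\S+) )?(tcp|udp)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Assumption: the public geolocation services this report flags under "Looks up external IP".
GEOIP_SERVICES = {"ipinfo.io", "db-ip.com", "api.db-ip.com", "www.maxmind.com"}
# Assumption: the legitimate services this report flags as abused; block the URL, not the domain.
ABUSED_LEGIT = ("cdn.discordapp.com", "iplogger.org", ".tumblr.com")


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            country, ip, port, name, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port), "name": name, "proto": proto})
    return rows


def classify_name(name):
    if name in GEOIP_SERVICES:
        return "geoip_lookup"
    if any(name == s or name.endswith(s) for s in ABUSED_LEGIT):
        return "abused_legit_service"
    return "suspect_infrastructure"


def triage(rows):
    """Separate DNS questions from connections, drop sandbox noise, bucket what is left."""
    queries, connections = Counter(), Counter()
    for r in rows:
        if r["ip"].startswith("127."):
            continue                                   # loopback: sandbox/agent chatter
        if r["proto"] == "udp" and r["port"] == 53:
            if r["name"] and not r["name"].endswith(".in-addr.arpa"):
                queries[r["name"]] += 1                # PTR lookups belong to the resolver
            continue
        connections[(r["ip"], r["port"], r["name"])] += 1
    buckets, connected = defaultdict(list), set()
    for (ip, port, name), hits in sorted(connections.items(), key=lambda kv: (kv[0][0], kv[0][1])):
        if name is None or IPV4_RE.fullmatch(name):
            buckets["direct_to_ip"].append(f"{ip}:{port} x{hits}")   # no DNS at all: strongest IOC
        else:
            connected.add(name)
            buckets[classify_name(name)].append(f"{name} ({ip}:{port})")
    for name, n in sorted(queries.items()):
        if name not in connected:
            buckets["resolved_only"].append(f"{name} x{n}")  # queried, no connection seen
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in sorted(triage(parse_rows(NETWORK_ROWS)).items()):
        print(bucket)
        for item in items:
            print("   ", item)
```

On the full table the resolved_only bucket is dominated by live.goatgame.live, queried dozens of times with no TCP follow-up in the report, which reads as a retry loop against a name that did not resolve usefully during detonation; the direct_to_ip bucket (186.2.171.3 on 80 and 443, 37.0.8.235, 37.0.10.236, 37.0.11.8) is where network blocking is actually justified.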

Files

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\setup_install.exe

MD5 b11a656f94670d490972f233b5f73cc0
SHA1 5b84f9bac9a1fe59b2e27eae58912f8364654025
SHA256 5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a
SHA512 1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3124-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3124-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\9e27a03aab64665.exe

MD5 80a85c4bf6c8500431c195eecb769363
SHA1 72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb
SHA256 ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6
SHA512 f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\efd22e6e99d7ee86.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\1a693a205739887.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/2320-83-0x0000000000400000-0x0000000000759000-memory.dmp

memory/4440-85-0x0000000000310000-0x0000000000342000-memory.dmp

memory/2320-79-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\01a389215e4.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\626c1e3ded0b288.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

memory/3352-71-0x0000000000850000-0x0000000000858000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\c98f61652.exe

MD5 3d82323e7a84a2692208024901cd2857
SHA1 9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c
SHA256 38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4
SHA512 8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\6eee9f336da6fcf1.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

memory/3124-42-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3124-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3124-37-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3124-38-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3124-36-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3124-35-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3124-33-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3124-32-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3124-31-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3124-30-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3124-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3124-34-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/4440-87-0x00000000022A0000-0x00000000022A6000-memory.dmp

memory/4440-88-0x00000000023D0000-0x00000000023F2000-memory.dmp

memory/4440-89-0x00000000022B0000-0x00000000022B6000-memory.dmp

memory/3124-101-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3124-92-0x0000000000400000-0x00000000008E1000-memory.dmp

memory/3124-100-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3124-99-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3124-98-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3124-96-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4972-91-0x0000000000400000-0x0000000002C6C000-memory.dmp

memory/2320-106-0x0000000003A10000-0x0000000003A20000-memory.dmp

memory/2320-112-0x0000000003B70000-0x0000000003B80000-memory.dmp

memory/2320-119-0x0000000004620000-0x0000000004628000-memory.dmp

memory/2320-120-0x0000000004640000-0x0000000004648000-memory.dmp

memory/2320-122-0x00000000046E0000-0x00000000046E8000-memory.dmp

memory/2320-125-0x0000000004830000-0x0000000004838000-memory.dmp

memory/2320-126-0x0000000004850000-0x0000000004858000-memory.dmp

memory/2320-127-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

memory/2320-128-0x00000000049F0000-0x00000000049F8000-memory.dmp

memory/2320-129-0x0000000004860000-0x0000000004868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 f58dff1cffc5ddb7119ffb5e0b86ebca
SHA1 cabe178acb2a8b8cb3b45ef5fb17062026198fbf
SHA256 fac1d7532de42495bd900c711f77a2ce384734f54a9345e9fa06d19fedd6bfcc
SHA512 a84bfff406ab9e35b2ea68ad7bac7a53091303995260b1b5a8e0c0e39a92cdd8324d58895efdaee99523ee3774d49cbc97b7d412f795351ed3a910e5aee97c89

memory/2320-142-0x0000000004640000-0x0000000004648000-memory.dmp

memory/2320-150-0x0000000004860000-0x0000000004868000-memory.dmp

memory/2320-152-0x0000000004990000-0x0000000004998000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 79b24d35a3e4957969a3a35c1e8ad84e
SHA1 e0059553c072c306b09acb43404b10e2b7319d0f
SHA256 40cf719dfa4fe48f4e69454227a0fc4db943f4b28a562c4d0ac4365327fd2c46
SHA512 5d1db758b49a8aae63fa1c1bb25f291c7e3e3b427c6d7ecdf3fbd8591e5e5fb35f85826224a40e99b9b9fda0c675bae1c4ef6cae8f032723488fe4c09d96a171

memory/2320-165-0x0000000004640000-0x0000000004648000-memory.dmp

memory/2320-173-0x0000000004990000-0x0000000004998000-memory.dmp

memory/2320-175-0x0000000004860000-0x0000000004868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 fd07cc98b76ae7b5e2c747d1e2354455
SHA1 8791246c72139e112f5a32b751bdea766c0b4fb3
SHA256 52f737b5b240fc4660c23bc0d0e913b6d95fb77f6639ccf9d40f2a604d437dde
SHA512 86347138ad5d4c010e183273a30e8c0fa97ef660e4c68c8619457b003d70585e5d9dae4608ff92b7ee3009a186a86bf89a316a717c9b3be2b9e3817ad1c1f64f

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d

MD5 97f23c52803d34ed6fc9e061af66a150
SHA1 66c0c341ed9b5408a8589f7e507759c8e0f2f743
SHA256 2a5fb26eb0a5b81f3a63123f970a55523fa5de1fe479b210abfa94ab80975d5e
SHA512 01ca527ff5521a0326f13d94030ec7c445e130499adbb2f93e0ff2b89d51e8c3066819fd6eca63de5b108d29e4c6f9b8935abffb612da00ad117e04ad477a886

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 b4b5acd7e20099092a15fccb2b33d3c0
SHA1 af76179b10bc82da565b0d32ff552aadea04612e
SHA256 0952e941176134cb60c4d1069b1852706af041d70e3fb5aad01996ccec242a57
SHA512 b8e0248c80077e85d6bfb2f8fa3b1c70db7bacd1394433c96801d8ef3427d3c01b008b5bca670370b897766baaef0b975e05a13cdb4bd73f7b5ff72c96fb35fa

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 08093eef352c2b58a5384bdf8c8a7521
SHA1 3ccae7d884af0850a69a4cc802151bc395fa2c05
SHA256 e3b32cfc68e9c2dedb30e28b5bc91db8ab024908d5547df0c14d3178df565e0b
SHA512 3b018d6010d01a315851dfaa936b4ac6e14530fd569aea3028de16235ff39d83fbe169585b312a9f5eaafdad1012bbc80d930a2d1c906dcdc723df04259796d6

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 77e874ff0a4d917b597c62778929522a
SHA1 1522ceb9498d5ef5bc141cd5fa6af85890c3a813
SHA256 53316053e66158f9e571d61a35ec98cc300fca6c90f665fcb6c410bd37aba93f
SHA512 7575ebacd079d56c93a8ea727af6718c589e14cd23eade11bb93a24e4dd6749f40418327778c131e2ec1feb1bd70208d175217d4f1750fa30683e718bc320b02

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 dd8cb5c03eedd0d2a166b3a0b5494557
SHA1 eb9eaa081c3bd2edab34b6a1fd0972ab1e29b852
SHA256 6ad7b793b547f16ea4e8f2ddbd3c47cd0759f0e8178dcb4f90996aaf4c9af03d
SHA512 2d6d539bded366a402bda9734ab4f513a49be065bd45ee894aee0c75805a528ca39936fa1ed99ac479826478abb8e8415caff0fda20ebee1219f7bc3838f0c6c

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 7b29fc44b9f9730ba528c27395e0a684
SHA1 2b06ee28e9961a98e5b5f77742672a29104e91fa
SHA256 f1864086aa500a7bc2cae87b740e0833adfa3a64577fc351609affa0b11cbe3d
SHA512 ff0b047aba5b2b15f8f3060182b3249c4d7fa93afb49c0d786f5ab862f43e75cea0e3d90a1fa1207783b9be1b136c680f265e07d7224e983b0e777b2dfb601cc

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 4b0e152e7614656c119399a0759eba98
SHA1 fcc298500c697b149756519a5e14292e85e066ec
SHA256 da5f6f2e6374deb5fd58eceef157f4b9fec65d5bb8d4866e3b09290a3a4384a4
SHA512 3157ba501e9396b3b03fd2066ca51ad0185c75a9a8d369119c2d886334dcd59c08940ad81e42f73ba64127e36de277a9c726d6379cef6af1c382da3941e52399

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 70f0d4d099e81e0aa84d0e7c338da7e4
SHA1 5f1f002de16e033ab5237b4879b18e4ad4dc1d50
SHA256 acdc2415ad0ea4cca6cbfd89e2c710af593eb21f77a544e38a221eafa3bf8b72
SHA512 77d68abb715b60e61a18588f69fa3457651a118b48cc40b778918ce33a77e85892dd956000d904e9082a3251df71008f70666eeaa5f7f3a10a468e0a27cc9910

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 9fc77d27c0a902df61733e54e597ec1e
SHA1 4117ebfdf25ab0ee883435b331d4b8c8b07a478c
SHA256 83efdf2521e60c891941a4ceadefe1049fa39e5a55836989687335ef3f8ebafe
SHA512 b684c02c13da9e392f59509132384a93422353acd3e75899a6b19853f0123352dc67ec6e057d49577d3e0abef6b2849b0651bd9ec05902c1a41ec0ad68397271

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 fae00bd40debd396059a1c657298bda6
SHA1 814283d431075b1b0be9ab8da278e7de82cb36ba
SHA256 3a51ba535fbf45af5b8a8d7394fa2ce47063fd92c81a6d700c8c745402f11c82
SHA512 9e778faef2ea59c9499569ba45ee3a28244086094c48b757c823d4543bc3a997f305dd8916befc52fbbcd74a0fa3fe79c4e28cd0e155e28e08fe927bb864e888

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 a40d7b9940da5a61dfd434a6d9513fc6
SHA1 4dc229114c71e8f92304da91d1f934b51c3e2838
SHA256 ce00b10e59430568684de82576bec8ccd4fcb1d894b94c6db5cb4550dc9d4233
SHA512 f60da8aa50e2797221f051830f215a8e80917cd141738f6953b299c3d16d92bf6afc249e77ee238b1b5ffce265e44ecea3f3ec995643d0ae47981820a13f7ad8

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 c51f247207d653ca6afdf8c8d9c1a86d
SHA1 3a6d4fdd7e296a53bc440af91a33fa7dbdf697d7
SHA256 82689ddf956c32332158db84dfcd613c422291f44bcc2be67cf3bab448ca04ac
SHA512 2071f7d23ef00ee9400e8fb2a6106b91bab031d6963f53199c6be549b5762c98d4dd0baf2b09de379ff21976beeff392d485c280fa87acf49c378a45bdc4546c

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 4ac3b45828982f0c2ce1a0caddeca0e2
SHA1 eee2aa918917d334d7fe12e6245901011086b829
SHA256 50366547d11a371029b8ed8f30ed0156e8c7e3b87be29ce3bad07f42fdc4999c
SHA512 98e35b128de049c0aab8b1a02f889dd1765d0ea53abc792571db4e32771cb10a534bb17c7e9b11bfd82c036d57441f9ed7ce24d32eb78f8151d0d185ed69fe55

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 3f6a20ae7f4cfe03e8c29e28cc74e2d0
SHA1 860d22b6cea942cb360c3036bae3d820772a81ba
SHA256 a74430b32e07e2ee4c9eee659713fe287287484ffc697ede01634a3e59bad80d
SHA512 cfc971120656b47685c79a8eadcb6107ba3954b67169f9908e274b129e84fa174a680cfeeebc5c148facea51987150b4e833e3c14f3fccd8d2a8c96978f3db30

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 c32877f026ef64846ab9ddd95636b38b
SHA1 6a0431169552f7da20eaed436625432eb32ce704
SHA256 247417a478cdd08a035629b132bbcb81b794b9fa7beb223c0e3aac20e0c59dcb
SHA512 f8e46215e466b3b3059a2b80bcc072a42fbfa4f6dbe17da3d1a37df701b7706b54cff064bc057ac3a7e40d2aa5064f1acf70a2700a7a4d9e3d4a11ffd77d4696

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 20c1d6f7c91e152b9912628e077c6311
SHA1 0dfb504a6edbd524916d684ec0915b470dcb7ecf
SHA256 0931f56a37b78c9909c00d1236e409e6c1956ffe8f6a96d77952b9897cb7e759
SHA512 f03da7c09c0e4407d45b03e3696eff01b389284638074602d7932cbd40dd2446ec00401fff313375079c0414380166b649d82551e0f78ec93eb88b9b1d48ee03

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.INTEG.RAW

MD5 4cc67c140cfd5a5a86294429ca2ab33a
SHA1 b037acfeb90788679cb3bccef90fc4d0882c6e8b
SHA256 177d14b5605bb27a635736a11b82063fe07f6f0e667c24e8c51773f9674adf6b
SHA512 7bf18d97b275a8ab6522a7576bec6f1f9acc450e913b9d97b2bb447cde36243519ca1ab1cd6b46189ba3ecce230d146909425909bf267a3c26880edecd65f66c

C:\Users\Admin\AppData\Local\Temp\7zSC1D5FFB7\d.jfm

MD5 3444dddc5444da0ad818d500e7e026c6
SHA1 3bc462c3e5bba2c9a85a82b7dc7e29f0a3d8d96c
SHA256 b24c132bc996f7dcb0580ea4a5a63eabcae1743a8627f7adb50e3b0e97098309
SHA512 cf88b072eb7f5c7382e2fe6e4c907bba62e989f6089e9ab6c4e4668a409c33ad2513adcef5857532bf50b8b9dad05fb62fb7732f4aa007757f6c08b86977ba7d

memory/2320-604-0x0000000000400000-0x0000000000759000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 11:54

Reported

2024-11-29 11:57

Platform

win7-20241010-en

Max time kernel

72s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\01a389215e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\9e27a03aab64665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\9e27a03aab64665.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\01a389215e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\efd22e6e99d7ee86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\efd22e6e99d7ee86.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\c98f61652.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\c98f61652.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\01a389215e4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\efd22e6e99d7ee86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\9e27a03aab64665.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\c98f61652.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\9e27a03aab64665.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <blob data omitted> C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\9e27a03aab64665.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <blob data omitted> C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\9e27a03aab64665.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\6eee9f336da6fcf1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\626c1e3ded0b288.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2044 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2044 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2044 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2044 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2044 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2044 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 768 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe
PID 768 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe
PID 768 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe
PID 768 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe
PID 768 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe
PID 768 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe
PID 768 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c98f61652.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 01a389215e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME33.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1a693a205739887.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\6eee9f336da6fcf1.exe

6eee9f336da6fcf1.exe

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\9e27a03aab64665.exe

9e27a03aab64665.exe

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\626c1e3ded0b288.exe

626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\01a389215e4.exe

01a389215e4.exe

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\efd22e6e99d7ee86.exe

efd22e6e99d7ee86.exe

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe

1a693a205739887.exe

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\c98f61652.exe

c98f61652.exe

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe

"C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 944

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 live.goatgame.live udp
RU 186.2.171.3:80 186.2.171.3 tcp
US 34.117.59.81:443 ipinfo.io tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.5.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.22:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 music-sec.xyz udp
US 162.159.134.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:49275 tcp
N/A 127.0.0.1:49277 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp
SG 37.0.10.236:80 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 918769eceacd168684def1b316ff3198
SHA1 044df161143e5e5c255b4edea7199364703776ed
SHA256 6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900
SHA512 b0f4dc956b8aeee77724d0424d6c5f8c5b7c503e184ef54caf9bb47bd509205e843d91784329327010726e73fc28140d63a7e461b61fe86278caa86fc4530a17

\Users\Admin\AppData\Local\Temp\7zS003AFCD6\setup_install.exe

MD5 b11a656f94670d490972f233b5f73cc0
SHA1 5b84f9bac9a1fe59b2e27eae58912f8364654025
SHA256 5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a
SHA512 1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2424-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS003AFCD6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2424-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS003AFCD6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2424-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2424-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2424-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\626c1e3ded0b288.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\efd22e6e99d7ee86.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\01a389215e4.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\1a693a205739887.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/1140-127-0x0000000000400000-0x0000000002C6C000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS003AFCD6\c98f61652.exe

MD5 3d82323e7a84a2692208024901cd2857
SHA1 9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c
SHA256 38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4
SHA512 8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5

memory/1676-128-0x00000000001D0000-0x00000000001D6000-memory.dmp

memory/1676-130-0x00000000002B0000-0x00000000002B6000-memory.dmp

memory/1676-129-0x0000000000290000-0x00000000002B2000-memory.dmp

memory/2824-103-0x0000000002100000-0x0000000002459000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS003AFCD6\9e27a03aab64665.exe

MD5 80a85c4bf6c8500431c195eecb769363
SHA1 72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb
SHA256 ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6
SHA512 f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2

memory/1804-118-0x0000000000E00000-0x0000000001159000-memory.dmp

memory/1804-117-0x0000000000E00000-0x0000000001159000-memory.dmp

memory/1804-116-0x0000000000400000-0x0000000000759000-memory.dmp

memory/2824-115-0x0000000002100000-0x0000000002459000-memory.dmp

memory/1676-114-0x00000000001E0000-0x0000000000212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE0EF.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1664-112-0x0000000000E20000-0x0000000000E28000-memory.dmp

memory/1804-107-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS003AFCD6\6eee9f336da6fcf1.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

memory/2424-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2424-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2424-53-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2424-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2424-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2424-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2424-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1804-148-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarEC15.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2424-204-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2424-206-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2424-207-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2424-202-0x0000000000400000-0x00000000008E1000-memory.dmp

memory/2424-205-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2424-203-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2724-208-0x0000000000400000-0x0000000002CC8000-memory.dmp

memory/2424-217-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2424-216-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2424-215-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2424-213-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2424-210-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2424-209-0x0000000000400000-0x00000000008E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 11:54

Reported

2024-11-29 11:57

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\01a389215e4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\6eee9f336da6fcf1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\626c1e3ded0b288.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1148 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1148 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3416 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe
PID 3416 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe
PID 3416 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe
PID 2496 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe
PID 1488 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe
PID 1488 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe
PID 3936 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\6eee9f336da6fcf1.exe
PID 3936 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\6eee9f336da6fcf1.exe
PID 1372 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe
PID 1372 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe
PID 1372 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe
PID 1936 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
PID 1936 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
PID 1936 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
PID 2512 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\01a389215e4.exe
PID 2512 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\01a389215e4.exe
PID 2512 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\01a389215e4.exe
PID 4292 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe
PID 4292 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe
PID 4292 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe
PID 4936 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\626c1e3ded0b288.exe
PID 4936 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\626c1e3ded0b288.exe
PID 4616 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe
PID 4616 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe
PID 4616 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe
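The WriteProcessMemory rows above are the only place this report records parent/child relationships, and the sandbox logs each parent-to-child write three times, so the process chain is easier to read once rebuilt as a tree. The following is an added example, not part of the sandbox's output or tooling: it parses rows copied from the table above (a constructed subset, de-duplicated), reconstructs the tree rooted at the original sample, lists the second-stage executables that setup_install.exe launched through cmd.exe, and reports the one cmd.exe shell that never started a child (the `cmd.exe /c APPNAME33.exe` launcher in the Processes list has no matching APPNAME33.exe process). Row format and PIDs are taken from the table; nothing else is assumed.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table of this
# report (a constructed subset: one or two copies of each parent->child pair;
# the sandbox logs each write three times and the parser de-duplicates).
WPM_ROWS = r"""
PID 1148 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1148 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3416 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe
PID 2496 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1488 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe
PID 3936 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\6eee9f336da6fcf1.exe
PID 1372 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe
PID 1936 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe
PID 2512 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\01a389215e4.exe
PID 4292 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe
PID 4936 wrote to memory of 744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\626c1e3ded0b288.exe
PID 4616 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe
"""

# "PID <parent> wrote to memory of <child> <indicator> <parent image> <child image>";
# the sandbox's image paths contain no spaces, so \S+ is enough per column.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_wpm_rows(text):
    """Return (image_by_pid, children_by_pid); repeated rows collapse to one edge."""
    image = {}
    children = defaultdict(list)
    seen = set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        if (ppid, cpid) not in seen:
            seen.add((ppid, cpid))
            children[ppid].append(cpid)
    return image, children


def roots(image, children):
    """PIDs that never appear as a child: the original sample in a clean run."""
    has_parent = {c for kids in children.values() for c in kids}
    return sorted(p for p in image if p not in has_parent)


def render(image, children, pid=None, depth=0):
    """Indented text tree in the order the sandbox observed the launches."""
    lines = []
    for p in ([pid] if pid is not None else roots(image, children)):
        lines.append("  " * depth + f"{p} {basename(image[p])}")
        for child in children.get(p, []):
            lines.extend(render(image, children, child, depth + 1))
    return lines


def launched_via_cmd(image, children):
    """Executables whose parent is cmd.exe: the stage-2 payloads the bundle ran."""
    names = set()
    for ppid, kids in children.items():
        if basename(image[ppid]).lower() == "cmd.exe":
            names.update(basename(image[c]) for c in kids)
    return sorted(names)


def idle_cmd_shells(image, children):
    """cmd.exe processes with no child: a dropped component that never started."""
    return sorted(p for p, img in image.items()
                  if basename(img).lower() == "cmd.exe" and not children.get(p))


if __name__ == "__main__":
    image, children = parse_wpm_rows(WPM_ROWS)
    print("\n".join(render(image, children)))
    print("via cmd.exe:", launched_via_cmd(image, children))
    print("idle cmd.exe:", idle_cmd_shells(image, children))
```

The tree shows the usual NullMixer/PrivateLoader layout for this sample: one SFX stage (setup_installer.exe) unpacks into the 7zS85D53C87 directory, setup_install.exe fans out through eight cmd.exe shells, and 1a693a205739887.exe re-executes itself (the `-a` launch in the Processes list). Unlike reading the raw table, the rebuilt tree makes the missing child under PID 2980 visible at a glance.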

Processes

C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b111b18faad3cf644558f0a84ebea9b6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c98f61652.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 01a389215e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME33.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 1a693a205739887.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe

c98f61652.exe

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\6eee9f336da6fcf1.exe

6eee9f336da6fcf1.exe

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe

1a693a205739887.exe

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe

9e27a03aab64665.exe

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\01a389215e4.exe

01a389215e4.exe

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe

efd22e6e99d7ee86.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\626c1e3ded0b288.exe

626c1e3ded0b288.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1700 -ip 1700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 356

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe

"C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1572

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 db-ip.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 104.26.4.15:443 db-ip.com tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 15.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 3.171.2.186.in-addr.arpa udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 25.27.17.104.in-addr.arpa udp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 127.0.0.1:62841 tcp
N/A 127.0.0.1:62843 tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 208.5.21.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
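Most of the Network table is sandbox chatter (reverse PTR lookups against 8.8.8.8, loopback sockets, and the same name queried dozens of times), and the indicators an analyst wants are buried in it: hosts contacted by bare IP with no name, names that were queried but never connected to, and connected domains that the report's own signatures already classify as external-IP lookups (ipinfo.io, api.db-ip.com) or abused legitimate hosting (iplogger.org). The following is an added example, not part of the sandbox's output: it parses rows copied from the table above (a constructed subset) and sorts them into those buckets. The two classification sets are filled from the signature names in this report; which remaining domains are C2 is left to the analyst, since the page does not say.

```python
from collections import Counter, defaultdict

# Rows copied from the Network table of this report (a constructed subset;
# the full table is mostly reverse-DNS lookups and repeated queries).
NET_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 104.26.4.15:443 db-ip.com tcp
RU 186.2.171.3:80 186.2.171.3 tcp
US 8.8.8.8:53 music-sec.xyz udp
US 104.26.4.15:443 api.db-ip.com tcp
US 104.26.3.46:443 iplogger.org tcp
RU 186.2.171.3:443 186.2.171.3 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 104.17.27.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
N/A 127.0.0.1:62841 tcp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
"""

# Taken from this report's signatures: "Looks up external IP address via web
# service" and "Legitimate hosting services abused for malware hosting/C2".
# Anything connected that is in neither set is left for the analyst.
GEO_LOOKUP = {"ipinfo.io", "db-ip.com", "api.db-ip.com", "www.maxmind.com"}
ABUSED_HOSTING = {"iplogger.org", "cdn.discordapp.com"}


def parse_net_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column may be absent."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(r):
    """PTR lookups and loopback sockets carry no indicator value."""
    return r["domain"].endswith(".in-addr.arpa") or r["ip"].startswith("127.")


def triage(rows):
    lookups = Counter()           # domain -> number of DNS queries
    connected = defaultdict(set)  # domain -> IPs a TCP connection went to
    direct_ip = Counter()         # (ip, port, country) -> connections with no name
    for r in rows:
        if is_noise(r):
            continue
        if r["port"] == 53 and r["proto"] == "udp":
            lookups[r["domain"]] += 1
        elif not r["domain"] or r["domain"] == r["ip"]:
            direct_ip[(r["ip"], r["port"], r["country"])] += 1
        else:
            connected[r["domain"]].add(r["ip"])
    # Queried but never connected: unresolved or sinkholed infrastructure,
    # and a high count is a retry loop (live.goatgame.live in the full table).
    queried_only = {d: n for d, n in lookups.items() if d not in connected}
    return {
        "direct_ip": dict(direct_ip),
        "queried_only": queried_only,
        "geo_lookup": sorted(d for d in connected if d in GEO_LOOKUP),
        "abused_hosting": sorted(d for d in connected if d in ABUSED_HOSTING),
        "unclassified": sorted(d for d in connected
                               if d not in GEO_LOOKUP | ABUSED_HOSTING),
    }


def blocklist(report):
    """Flat list for a firewall/DNS block: bare IPs, queried-only names and
    unclassified connected domains. The lookup services are deliberately
    excluded; blocking them breaks legitimate software."""
    ips = sorted({ip for ip, _, _ in report["direct_ip"]})
    names = sorted(set(report["queried_only"]) | set(report["unclassified"]))
    return ips + names


if __name__ == "__main__":
    report = triage(parse_net_rows(NET_ROWS))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("blocklist:", blocklist(report))
```

On the full table the direct-IP bucket is the four plain-HTTP hosts (186.2.171.3 on 80 and 443, 37.0.8.235, 37.0.11.8 and 37.0.10.236, the last contacted repeatedly), and the queried-only bucket is watira.xyz, music-sec.xyz and live.goatgame.live, the last queried about thirty times without a single connection.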

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 918769eceacd168684def1b316ff3198
SHA1 044df161143e5e5c255b4edea7199364703776ed
SHA256 6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900
SHA512 b0f4dc956b8aeee77724d0424d6c5f8c5b7c503e184ef54caf9bb47bd509205e843d91784329327010726e73fc28140d63a7e461b61fe86278caa86fc4530a17

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\setup_install.exe

MD5 b11a656f94670d490972f233b5f73cc0
SHA1 5b84f9bac9a1fe59b2e27eae58912f8364654025
SHA256 5c80f27dbdc4d89f9c7356c6107eb106aebb556df1818ac94b72ff7b94a3c82a
SHA512 1cce0b001ebb86047eef77ac4479e8a18d3df9e8c88cfa1f9c6749eeaa1803695f829d8edd8d626d58151e210462bcfec2ff45bfb38e64dcb35c35c5796ddbed

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2496-46-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2496-45-0x0000000064941000-0x000000006494F000-memory.dmp

memory/2496-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2496-42-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2496-38-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2496-55-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2496-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2496-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2496-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\1a693a205739887.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\efd22e6e99d7ee86.exe

MD5 9b55bffb97ebd2c51834c415982957b4
SHA1 728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16
SHA256 a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11
SHA512 4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

memory/3288-92-0x0000000000400000-0x0000000000759000-memory.dmp

memory/3288-91-0x0000000000400000-0x0000000000759000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\01a389215e4.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\9e27a03aab64665.exe

MD5 80a85c4bf6c8500431c195eecb769363
SHA1 72245724f8e7ceafb4ca53c41818f2c1e6a9d4cb
SHA256 ec2f50a7156383b9d3ea50429c2f2c15e2857045b3b3ac0c7e2947c6489eceb6
SHA512 f0fb6e7869578f8a43d98d01b928def1661512c51878a1ab186f600e147ff78a04ba8975fdc0f94c8f1d2678c0e679e288a1684da48b78258c1a1d718ea0ceb2

memory/4988-83-0x0000000000010000-0x0000000000018000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\6eee9f336da6fcf1.exe

MD5 5b8639f453da7c204942d918b40181de
SHA1 2daed225238a9b1fe2359133e6d8e7e85e7d6995
SHA256 d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6
SHA512 cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\c98f61652.exe

MD5 3d82323e7a84a2692208024901cd2857
SHA1 9b38ba7bac414ef48ef506f4270ddec9fcdf3a3c
SHA256 38783231ccacb73543d658b3acd6d834b5c9bf8ff2b4fdc6c16c73b7707433d4
SHA512 8bd7aa8af7806e97a0b5bc6d2bd5c4f3e5f1732d43ff81f5e51f576ad3baa8753f9e736a406fad04295ad049db0378c7fc10946e2dd2f4f25e67ee4d74aa11c5

memory/2496-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2496-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2496-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2496-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2496-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\626c1e3ded0b288.exe

MD5 c5437a135b1a8803c24cae117c5c46a4
SHA1 eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf
SHA256 7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1
SHA512 07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

memory/744-99-0x0000000001480000-0x0000000001486000-memory.dmp

memory/744-98-0x0000000000B80000-0x0000000000BB2000-memory.dmp

memory/744-100-0x0000000001490000-0x00000000014B2000-memory.dmp

memory/744-101-0x000000001B750000-0x000000001B756000-memory.dmp

memory/2496-109-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2496-110-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2496-112-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2496-111-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2496-103-0x0000000000400000-0x00000000008E1000-memory.dmp

memory/2496-107-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1700-113-0x0000000000400000-0x0000000002C6C000-memory.dmp

memory/3288-118-0x0000000003A10000-0x0000000003A20000-memory.dmp

memory/3288-124-0x0000000003B70000-0x0000000003B80000-memory.dmp

memory/3288-131-0x0000000004620000-0x0000000004628000-memory.dmp

memory/3288-134-0x0000000004700000-0x0000000004708000-memory.dmp

memory/3288-132-0x0000000004640000-0x0000000004648000-memory.dmp

memory/3288-138-0x0000000004840000-0x0000000004848000-memory.dmp

memory/3288-137-0x00000000046C0000-0x00000000046C8000-memory.dmp

memory/3288-139-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

memory/3288-140-0x00000000049F0000-0x00000000049F8000-memory.dmp

memory/3288-141-0x0000000004860000-0x0000000004868000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\d.jfm

MD5 f59f19449a13ab972d0deb55b8272840
SHA1 3948f98b14cb57aa80c610b98bc2063c495df130
SHA256 1dc56cf1967a94a10ca0da0a5804358b40741ef040a8abdb8d8d4d07f474473d
SHA512 5e204c75561abd5e4df9a025ee82790a4f164d51384ccd901c6ea4416c287e3e7c1fe6340a6c3a72cef030ab217c47acd33c288ceaef5303c127381fed78a1ed

memory/3288-162-0x0000000004860000-0x0000000004868000-memory.dmp

memory/3288-154-0x0000000004640000-0x0000000004648000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\d.jfm

MD5 5721b9ee6b1bf5db48ff1b56f2ac6065
SHA1 d20e652e6d49bb123d33c381053b45fed3713121
SHA256 885197a2c5aa2889b4d47bb019e01fbbd610d38f5a0e23d728c7e694e4de4f73
SHA512 305c536d44235329235ed722dfa57313beca4d07601c72fc6e4d746cc22b5ab653fdc0d37aaa5e76db12eef618372d7b5c09f0886583eb02724c650a463d6294

memory/3288-164-0x0000000004990000-0x0000000004998000-memory.dmp

memory/3288-177-0x0000000004640000-0x0000000004648000-memory.dmp

memory/3288-187-0x0000000004860000-0x0000000004868000-memory.dmp

memory/3288-185-0x0000000004990000-0x0000000004998000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\d.jfm

MD5 8849a6a94179ce954d93b45200b157a8
SHA1 7ffe7bbad92ec72add0804f59a4efd24ef1c8f9e
SHA256 c8cf075cf2ee13a7e7beac4d0c3dbc76cecd4cf6392b47e59e9916a782429dac
SHA512 8535078ac16a69584379995965b3a0ff4d7d20390deaf64f2c0e05fc8462657389bed3379d420a9ff7603bda1c0f95b7b453a8a0e45143d367b954783579d13c

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\d.jfm

MD5 5b0f0e366ca8461587aaccdd60e97108
SHA1 4ca12bb8326473924a758667afa156c02d1092bf
SHA256 65f0b7706b53f78e5bf074dbbad88e403db15ffdf33e08d9a22b3e5b76df56d0
SHA512 ac50d45cde98ed44d9ac22a6caca7b595e975fbef52eb3615907e989097cb2b84cdc222b27417d4bd1ae327ccd1c02a45b90f7047ec7b1c8392fff4e36740692

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\d

MD5 fdd5c1745ba897f8ae13a88fb2a7d5bd
SHA1 e8d8943b6d4fbef76568f8b07f727d3ba69c041e
SHA256 7363e53a95504576352a001c0844ebbc34da3cbd31e84312714d21979939936a
SHA512 0a31b185a326d8ee3251324e891e4f412cb4db191d2725dfc2f86cc553b1fe65a0ec632f474a2592d6a2404ff70644f91ab52a4dc00bb277fc55665cb05029c1

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\d.jfm

MD5 ba6cb424dd3ac0e5ba58bdc9e5a9a2ba
SHA1 1da22f60252bd47727ebb9e0b16a35a2b2cd12b8
SHA256 92f505276dc4a28a0d41dd88e3aa785558c11a0afbc0c75c7512ba8c9ec32ec7
SHA512 8be30da11e21225b6674b7339b6143faff06cf7722100053cdee7d262f4fb25bcb74afe28e3410cf49eff1ec0ae4abeef36723b765fd5cb02de58ee5fd1ccd00

C:\Users\Admin\AppData\Local\Temp\7zS85D53C87\d.jfm

MD5 92fedd689275935095f1b0dc1df9056e
SHA1 cd607467bff1efd8387f0e6f2f22a348a3af0de2
SHA256 03bba1b6e7b585de10814ad1e09c29846456ee233ffc7cc07b37835e931b9f73
memory/3288-619-0x0000000000400000-0x0000000000759000-memory.dmp