Analysis Overview
SHA256
7be45f5f89a98f22c8cd858540497c5da3dba7cbec0fc49b4ec6eff435ee317f
Threat Level: Known bad
The file bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Isrstealer family
ISR Stealer payload
ISR Stealer
NirSoft MailPassView
Detected Nirsoft tools
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
UPX packed file
AutoIT Executable
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-03 01:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-03 01:41
Reported
2024-12-03 01:44
Platform
win7-20240708-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Isrstealer family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NZFN.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NZFN.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\NZFN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE
C:\Users\Admin\AppData\Roaming\NZFN.exe
"C:\Users\Admin\AppData\Roaming\NZFN.exe" "C:\Users\Admin\AppData\Roaming\aOLbK"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\nO44e7JPpJ.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\5JhJK6zjQx.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\gyjwamzQXu.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\zncNdd1gLu.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\9xY74Ettgr.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\mbaIPnBIHo.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\D9m77zu0sh.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\GaRO7XDLe5.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\i0DlJyEFWa.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\XXANgO0sIS.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\Wshzd4ouG8.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\epWenAQTzw.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\AlgBYsj5zG.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\vHG5T9IIFy.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\TnbHeKCHax.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\V2YZyuLG0i.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\IYiobv2qdW.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\uWzbt5x01p.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\NnWhpSiu65.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\efM14BiVG0.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\ytWrskekcR.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\lGrgcy9qHq.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\GzHRXSJOt8.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\OkGxFh1zXx.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\2zOmXV0kXz.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\AjNIFliLBp.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\8atR5IR5Yq.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\VvDbqSGlju.ini"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
/scomma "C:\Users\Admin\AppData\Local\Temp\LgVvdagwHq.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE
| MD5 | 91c3a3144ffc7eb4e31dcc26e1301dcd |
| SHA1 | 900cb5d4062f121a393a9f5e1ad0cae44a7f401f |
| SHA256 | 7f4ac188d059db1001070cf83635b00bfbdcb5c85fde88752dca479ffdefbd3c |
| SHA512 | 762d02d3de6dfef495fb44d51b2145ac48416a4123754c021fccfabf80f7b808e57129e5bacb78c5919ad4fa88b11ef555a3fb379c8a8d5f62ee94140b4584e7 |
\Users\Admin\AppData\Roaming\NZFN.exe
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZFN1
| MD5 | 4744edba858885bfe4d513e5ba6030ac |
| SHA1 | 7706ebc3097465571daf5bc0c26721a79e8b50c2 |
| SHA256 | b71c08e936ab72a27a822e2984a60e798591d2b71b352875f6aede464245724b |
| SHA512 | 14cf08f1227f320e36ed9b50de68fffea72393f59b921e81ad987f8cd19d9b3766f601063df474b99b6b948a8431232c900577ab633a3d8f13de0b2f69a36685 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aOLbK
| MD5 | 76896ab4efb7ebe843ab20b057417a94 |
| SHA1 | b2840a927224f8720ef5679ac1b33ffcbe97786a |
| SHA256 | 7bb7658d3556514c30c7d429ca98c4c484d318e1c338a371278f8deb5bb58fc5 |
| SHA512 | 62c11f5775168c6ee9f5e2dd07efa31f801220ff494e537fd7f167b4a5115b9838ca7d159912f75d5d0ea4796b0716892e0d3787685399ad2841622d45b88a52 |
C:\Users\Admin\AppData\Roaming\aOLbK
| MD5 | f5c1b2bce1a97ddb44b1db99bc912d3f |
| SHA1 | 750b5f15a4aad076ab884383ee9b6c9401b2dd46 |
| SHA256 | c862d73341d3ab363f21e978a320d4230576d555ccb3ba9e572a724bc4227092 |
| SHA512 | aafefc4a2e4615a31a0d76609ea465f19c0cf0241d849206bf49c9e9cebcfc3d770c299d5c31f8b519703b2823f95a61d5976b6f30f21db79e50479a0d24a2b4 |
memory/2712-36-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2712-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2712-34-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2996-41-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2996-42-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2996-43-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2996-44-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nO44e7JPpJ.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/236-47-0x0000000000400000-0x000000000041F000-memory.dmp
memory/236-48-0x0000000000400000-0x000000000041F000-memory.dmp
memory/236-49-0x0000000000400000-0x000000000041F000-memory.dmp
memory/236-50-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2712-51-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2712-52-0x0000000000400000-0x0000000000442000-memory.dmp
memory/820-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1456-61-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1456-62-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1456-63-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1332-67-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1332-68-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1332-69-0x0000000000400000-0x000000000041F000-memory.dmp
memory/992-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2156-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2984-123-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-03 01:41
Reported
2024-12-03 01:44
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
ISR Stealer
ISR Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Isrstealer family
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NZFN.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\NZFN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\bb266dc5dede36e0d96e4f55b76f016e_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE |
| C:\Users\Admin\AppData\Roaming\NZFN.exe | "C:\Users\Admin\AppData\Roaming\NZFN.exe" "C:\Users\Admin\AppData\Roaming\aOLbK" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\apNLLaIMEP.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\1jiMqZcg1t.ini" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 80 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\YKeBrxQ8RB.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\cx4J02B01s.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\qnOcXxIxhD.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\Z4hOlmzZKy.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\v0GWK5P5oO.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\EyQynHe3Q1.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\Aq1Hq6gKrl.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\eiBfjT4p8v.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\GYuelNslab.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\ku6P0AS8gl.ini" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4084 -ip 4084 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 80 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\xgvPyA92XR.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\PkDHr8vgID.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\ZwqVB9Pbnl.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\kKeQxCfhWe.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\TE00fhmV7o.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\aBtFyotk4s.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\1Zy8HrIwnn.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\oeBKkLjzAF.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\vzNt2Suqt5.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\YnZgAkc4ck.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\5QRjTH1kN2.ini" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 764 -ip 764 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 80 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\T8Dj3wSIi4.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\uYDre6Rily.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\WUfu3SPwHr.ini" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\1oeuTkG58S.ini" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 920 -ip 920 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 80 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\hHPLiV7F7B.ini" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2044 -ip 2044 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 80 |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | /scomma "C:\Users\Admin\AppData\Local\Temp\ocbuzcI6q1.ini" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.87.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.218.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | 194.86.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
| US | 8.8.8.8:53 | ce56604.tmweb.ru | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZIGPLW~1.EXE
| MD5 | 91c3a3144ffc7eb4e31dcc26e1301dcd |
| SHA1 | 900cb5d4062f121a393a9f5e1ad0cae44a7f401f |
| SHA256 | 7f4ac188d059db1001070cf83635b00bfbdcb5c85fde88752dca479ffdefbd3c |
| SHA512 | 762d02d3de6dfef495fb44d51b2145ac48416a4123754c021fccfabf80f7b808e57129e5bacb78c5919ad4fa88b11ef555a3fb379c8a8d5f62ee94140b4584e7 |
C:\Users\Admin\AppData\Roaming\NZFN.exe
| MD5 | b06e67f9767e5023892d9698703ad098 |
| SHA1 | acc07666f4c1d4461d3e1c263cf6a194a8dd1544 |
| SHA256 | 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb |
| SHA512 | 7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NZFN1
| MD5 | 4744edba858885bfe4d513e5ba6030ac |
| SHA1 | 7706ebc3097465571daf5bc0c26721a79e8b50c2 |
| SHA256 | b71c08e936ab72a27a822e2984a60e798591d2b71b352875f6aede464245724b |
| SHA512 | 14cf08f1227f320e36ed9b50de68fffea72393f59b921e81ad987f8cd19d9b3766f601063df474b99b6b948a8431232c900577ab633a3d8f13de0b2f69a36685 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aOLbK
| MD5 | 76896ab4efb7ebe843ab20b057417a94 |
| SHA1 | b2840a927224f8720ef5679ac1b33ffcbe97786a |
| SHA256 | 7bb7658d3556514c30c7d429ca98c4c484d318e1c338a371278f8deb5bb58fc5 |
| SHA512 | 62c11f5775168c6ee9f5e2dd07efa31f801220ff494e537fd7f167b4a5115b9838ca7d159912f75d5d0ea4796b0716892e0d3787685399ad2841622d45b88a52 |
C:\Users\Admin\AppData\Roaming\aOLbK
| MD5 | f5c1b2bce1a97ddb44b1db99bc912d3f |
| SHA1 | 750b5f15a4aad076ab884383ee9b6c9401b2dd46 |
| SHA256 | c862d73341d3ab363f21e978a320d4230576d555ccb3ba9e572a724bc4227092 |
| SHA512 | aafefc4a2e4615a31a0d76609ea465f19c0cf0241d849206bf49c9e9cebcfc3d770c299d5c31f8b519703b2823f95a61d5976b6f30f21db79e50479a0d24a2b4 |
memory/4084-32-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4084-33-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4084-35-0x0000000000400000-0x0000000000453000-memory.dmp
memory/4084-36-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\apNLLaIMEP.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/1320-40-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1320-41-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2640-51-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2640-54-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2640-52-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2640-55-0x0000000000400000-0x000000000041F000-memory.dmp