Malware Analysis Report

2025-03-14 21:47

Sample ID: 250130-vw74naxpbs
Target: JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49
SHA256: d71b135996dadb5f83321c26562bda351aae22c2425970747d3b5631e7cbb08c
Tags: google defense_evasion discovery persistence phishing upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: d71b135996dadb5f83321c26562bda351aae22c2425970747d3b5631e7cbb08c
Threat Level: Known bad

The file JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49 was found to be: Known bad.

Malicious Activity Summary

Tags: google defense_evasion discovery persistence phishing upx

Modifies firewall policy service
Detected google phishing page
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-30 17:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-30 17:21
Reported: 2025-01-30 17:24
Platform: win7-20240708-en
Max time kernel: 117s
Max time network: 117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe"

Signatures

Detected google phishing page

phishing google
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | N/A

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target | Count
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\G-PROS~1.EXE:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A | 2
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A | 2
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A | 2
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A | 2

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target | Count
N/A | sites.google.com | N/A | N/A | 2

UPX packed file

upx
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 4

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 5
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE | N/A | 1

Modifies registry key

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A | 4

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2248 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE | 7
PID 1988 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE | C:\Windows\SysWOW64\WerFault.exe | 7
PID 2248 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe | 7
PID 2792 wrote to memory of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | 7
PID 2760 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | C:\Windows\SysWOW64\cmd.exe | 7
PID 2760 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | C:\Windows\SysWOW64\cmd.exe | 7
PID 2596 wrote to memory of 2672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 7
PID 2732 wrote to memory of 1960 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe | 7
PID 2760 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | C:\Windows\SysWOW64\cmd.exe | 7
PID 2760 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | C:\Windows\SysWOW64\cmd.exe | 1

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 268

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE

C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe
  REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\melt1.bat

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | payday4sonpink.googlepages.com | udp
GB | 172.217.16.243:80 | payday4sonpink.googlepages.com | tcp
US | 8.8.8.8:53 | sites.google.com | udp
GB | 142.250.200.46:80 | sites.google.com | tcp
GB | 142.250.200.46:443 | sites.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 142.250.179.227:80 | o.pki.goog | tcp
US | 8.8.8.8:53 | accounts.google.com | udp
US | 142.251.173.84:443 | accounts.google.com | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 104.77.118.72:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
GB | 23.37.198.101:80 | www.microsoft.com | tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE
  MD5: ef7b9a68ff6f39725d0fe5a393b8a5b5
  SHA1: 45b877c185587b23557869ec1bcce36548e95d08
  SHA256: 3627c93ae4b6ceaa11d14c850d7abf4f50f6ebe9c7fd3f3583876014ca141b60
  SHA512: 403d980a08dabff771eb95b0e38949cabd1b42fdad9c7983938523c93d2c4ccd2890de6eee0add5aef5d8c2750711c5968eb0c613f7f086bd651f2e70273f5bb

memory/2248-13-0x0000000003190000-0x000000000369D000-memory.dmp
memory/1988-14-0x0000000000400000-0x000000000090D000-memory.dmp
memory/2248-16-0x0000000003190000-0x000000000369D000-memory.dmp
memory/1988-15-0x0000000000EC0000-0x00000000013CD000-memory.dmp
memory/1988-21-0x0000000000400000-0x000000000090D000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe
  MD5: 119ac17a9ff4f3b1e1a7a310668b2902
  SHA1: e35e52a52e7e437c812efc13abacd9ca50c504c9
  SHA256: 477fdae70db1b4fa00ebcc5351389303b6283325133b74f2c70a00067cb73d92
  SHA512: 52c703a8bba555754a7125370b0bb6c41a39e289672e2c48d9d589bd07143f70f3056cc04bb6dbf20c0bb667fb6105101ba136d56c3e6673cb5696b7df2240d1

\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE
  MD5: 4f597e155aa341b31c256c70f67a097b
  SHA1: c32cd541d971e6f823b085e0bea2579e5764a77f
  SHA256: 694ce71682d85d6c56c6ca20f9d9ff8e558166ec228602d2a6cd60ac197401e7
  SHA512: 6fc82a0959e42bf53d82491a565f8dbfa7a52f1e9b8bc98d5725d5fcc4dc2e377cf7a9adcb60d86fd3d816948bafc5439016f6728cd79d3426ee0586cd554af6

memory/2248-49-0x0000000003190000-0x000000000369D000-memory.dmp

C:\melt1.bat
  MD5: 90245e810be808bf8c77944cecd52b2e
  SHA1: a6e903e06279ef15250c9303f5620e4620b5b38a
  SHA256: e003882084d68483bf76bdc4d21cd4f2e853aa9c000f165e16ebef3c60509f76
  SHA512: c7c790293584ac991ccede4b60e669e5544815c1b1de469d70c1334aa565919d425c78217970d482b92c4325fb1c777860b132ec0453823f824dfc9641db6f32

\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe
  MD5: 2302eace8e12fa460b14c2e6764ac952
  SHA1: e5caeb93f82243eec0d8f7fdb15efb3edc8c7386
  SHA256: b19b5b4e514e71c32861a2c70d8c5f07a2c83af2f5c36e1b41e1a26c856c88da
  SHA512: 105676ae255d64101cb1aa7b2c6ceeb8301d5b12ae66d7542c99126c96b7606ae4a4af8ce9f07fb1ef746350f50e9b66d5d2eaa2c1cf946a2f3c3b713e8abf8c

memory/1340-97-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1340-98-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1340-113-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1340-114-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-30 17:21
Reported: 2025-01-30 17:24
Platform: win10v2004-20250129-en
Max time kernel: 93s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe"

Signatures

Detected google phishing page

phishing google
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | N/A

Modifies firewall policy service

defense_evasion
Description | Indicator | Process | Target | Count
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\G-PROS~1.EXE:*:Enabled:MSWin64" | C:\Windows\SysWOW64\reg.exe | N/A | 2
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Windows\SysWOW64\reg.exe | N/A | 2
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\reg.exe | N/A | 3
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Windows\SysWOW64\reg.exe | N/A | 1
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Windows\SysWOW64\reg.exe | N/A | 2

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target | Count
N/A | sites.google.com | N/A | N/A | 2

UPX packed file

upx
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\measure.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\base.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\kvw\default_lt.kvw | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\gps.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\kh20 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Google Earth Pro\common.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\evll.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A
File created | C:\Program Files (x86)\Google\Google Earth Pro\googleearth.dll | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A | 5
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A | 4
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe | N/A | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe | N/A | 1

Modifies registry key

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A | 4

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2672 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE | 3
PID 2672 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe | 3
PID 1236 wrote to memory of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | 3
PID 3176 wrote to memory of 3956 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | C:\Windows\SysWOW64\cmd.exe | 3
PID 3176 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE | C:\Windows\SysWOW64\cmd.exe | 3
PID 2796 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2796 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3956 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3956 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3956 wrote to memory of 4340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 2784 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2784 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2784 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1344 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1344 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1344 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3176 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 3176 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe
PID 1236 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe
PID 1236 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64faf7f0def69d994bf0e5c5a0358d49.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3440 -ip 3440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 568

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE:*:Enabled:MSWin64" /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\melt1.bat

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 payday4sonpink.googlepages.com udp
GB 172.217.16.243:80 payday4sonpink.googlepages.com tcp
US 8.8.8.8:53 sites.google.com udp
GB 142.250.200.46:80 sites.google.com tcp
GB 142.250.200.46:443 sites.google.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 243.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 accounts.google.com udp
BE 64.233.167.84:443 accounts.google.com tcp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.167.233.64.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UYKSUI~1.EXE

MD5 ef7b9a68ff6f39725d0fe5a393b8a5b5
SHA1 45b877c185587b23557869ec1bcce36548e95d08
SHA256 3627c93ae4b6ceaa11d14c850d7abf4f50f6ebe9c7fd3f3583876014ca141b60
SHA512 403d980a08dabff771eb95b0e38949cabd1b42fdad9c7983938523c93d2c4ccd2890de6eee0add5aef5d8c2750711c5968eb0c613f7f086bd651f2e70273f5bb

memory/3440-7-0x0000000000400000-0x000000000090D000-memory.dmp

memory/3440-8-0x0000000000400000-0x000000000090D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Crack.exe

MD5 119ac17a9ff4f3b1e1a7a310668b2902
SHA1 e35e52a52e7e437c812efc13abacd9ca50c504c9
SHA256 477fdae70db1b4fa00ebcc5351389303b6283325133b74f2c70a00067cb73d92
SHA512 52c703a8bba555754a7125370b0bb6c41a39e289672e2c48d9d589bd07143f70f3056cc04bb6dbf20c0bb667fb6105101ba136d56c3e6673cb5696b7df2240d1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\G-PROS~1.EXE

MD5 4f597e155aa341b31c256c70f67a097b
SHA1 c32cd541d971e6f823b085e0bea2579e5764a77f
SHA256 694ce71682d85d6c56c6ca20f9d9ff8e558166ec228602d2a6cd60ac197401e7
SHA512 6fc82a0959e42bf53d82491a565f8dbfa7a52f1e9b8bc98d5725d5fcc4dc2e377cf7a9adcb60d86fd3d816948bafc5439016f6728cd79d3426ee0586cd554af6

C:\Users\Admin\AppData\Local\Temp\Setup_ver1.1433.01.exe

MD5 0c2450793d726f341f6870737a5d8437
SHA1 14106a326bf8b088c4b4c756dcb0adc6b2e2635c
SHA256 cd3fa12a3a450bffa8b8b1d3652073b2936960a6129df35c7ab37fabd7eae4f6
SHA512 ca634f978c982b7414c5925913bb0079f4d89e8783970b49cd2bd1f62ca9f6a44ce6d901bbfe5145c2e7d989d18b020d28723b069dc2a3a14656fd09a86a0412

C:\Users\Admin\AppData\Local\Temp\akkarik1.exe

MD5 9f58363d60a4a95aa9aedbc524d315d0
SHA1 8ff2c023521babb322696e928d7d7edf093a3a20
SHA256 a61b0a185d31a6ec2eee965046780f9afb6a8d4c528d8f92ed7ddb51d31d5f90
SHA512 927961e06b0b12c3c3101b19b74e9b5430bff25bf096e37f83c8ba5646c6e90f6302822586605fa9173713f7a6275ee269dfe5ff11ec602666ac2e14e2f4239d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Crack.exe

MD5 2302eace8e12fa460b14c2e6764ac952
SHA1 e5caeb93f82243eec0d8f7fdb15efb3edc8c7386
SHA256 b19b5b4e514e71c32861a2c70d8c5f07a2c83af2f5c36e1b41e1a26c856c88da
SHA512 105676ae255d64101cb1aa7b2c6ceeb8301d5b12ae66d7542c99126c96b7606ae4a4af8ce9f07fb1ef746350f50e9b66d5d2eaa2c1cf946a2f3c3b713e8abf8c

C:\melt1.bat

MD5 90245e810be808bf8c77944cecd52b2e
SHA1 a6e903e06279ef15250c9303f5620e4620b5b38a
SHA256 e003882084d68483bf76bdc4d21cd4f2e853aa9c000f165e16ebef3c60509f76
SHA512 c7c790293584ac991ccede4b60e669e5544815c1b1de469d70c1334aa565919d425c78217970d482b92c4325fb1c777860b132ec0453823f824dfc9641db6f32

memory/4388-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4388-64-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4388-79-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4388-80-0x0000000000400000-0x0000000000420000-memory.dmp