gcleaner | 106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-04-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
Size

3.4MB
MD5

ca48a01552acf9cb77202bf0b77a7a1c
SHA1

1daba5dbab15456462e1ac3e80b782aa867889c2
SHA256

106d93ced41d81795f66bb29ad5c847a25a1e2c094fe28a67dc576f1c33fcad4
SHA512

f5942e6a162c2b3e5df3ac14b24350f36e393ddb80400fcd47070e70b6eccaa366ef3406c8452b795c7b28cf2266fd8eb1339f51dcc1910a004c72e14cbe8a55
SSDEEP

49152:Kj4FOCYYcrX7JGwyTL2RhE3IiSKVFGclOt45MaUEr7NSv2opoSH7QirAnN4tSqJS:cRCHCowyTL2RgSWj5WaU28wN4t0N

Score

10^/10

gcleaner lgoogloader onlylogger raccoon vidar 87d2a2b472952d29d9ef08f8b28a7b6b1e587f6a 933 downloader loader stealer

Malware Config

Extracted

Family

vidar

Version

41.4

Botnet

933

https://mas.to/@sslam

Attributes

profile_id
933

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Extracted

Family

raccoon

Version

1.8.2

Botnet

87d2a2b472952d29d9ef08f8b28a7b6b1e587f6a

Attributes

url4cnc
http://telemirror.top/jredmankun

http://tgmirror.top/jredmankun

http://telegatt.top/jredmankun

http://telegka.top/jredmankun

http://telegin.top/jredmankun

https://t.me/jredmankun

rc4.plain

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/2480-19-0x00000000000B0000-0x00000000000C2000-memory.dmp	family_lgoogloader

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 4 IoCs

resource	yara_rule
behavioral1/memory/2272-490-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2272-491-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2272-494-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1
behavioral1/memory/2272-496-0x0000000000400000-0x0000000000491000-memory.dmp	family_raccoon_v1

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 4 IoCs

resource	yara_rule
behavioral1/memory/484-166-0x0000000000240000-0x000000000026F000-memory.dmp	family_onlylogger
behavioral1/memory/484-171-0x0000000000400000-0x0000000000790000-memory.dmp	family_onlylogger
behavioral1/memory/2780-179-0x00000000045D0000-0x0000000004610000-memory.dmp	family_onlylogger
behavioral1/memory/484-507-0x0000000000400000-0x0000000000790000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/2572-157-0x0000000000800000-0x00000000008D6000-memory.dmp	family_vidar
behavioral1/memory/2572-159-0x0000000000400000-0x00000000007F1000-memory.dmp	family_vidar
behavioral1/memory/2572-418-0x0000000000400000-0x00000000007F1000-memory.dmp	family_vidar

Executes dropped EXE 19 IoCs

pid	Process
2780	DownFlSetup110.exe
2480	inst1.exe
2572	Soft1WW02.exe
2360	4.exe
2644	5.exe
2272	setup.exe
2896	EASS.exe
2304	setup.tmp
484	setup_2.exe
1484	9.exe
1708	Calculator Installation.exe
1456	setup.exe
1508	Chrome 5.exe
2624	setup.tmp
2556	services64.exe
2104	EASS.exe
1072	EASS.exe
2272	EASS.exe
2212	sihost64.exe

Loads dropped DLL 45 IoCs

pid	Process
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2272	setup.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
484	setup_2.exe
484	setup_2.exe
484	setup_2.exe
2304	setup.tmp
2304	setup.tmp
2304	setup.tmp
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
2304	setup.tmp
2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
1708	Calculator Installation.exe
1456	setup.exe
2624	setup.tmp
2624	setup.tmp
2624	setup.tmp
1708	Calculator Installation.exe
1708	Calculator Installation.exe
1708	Calculator Installation.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1508	Chrome 5.exe
2896	EASS.exe
2896	EASS.exe
2896	EASS.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2556	services64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
23	iplogger.org
26	iplogger.org
28	iplogger.org
50	iplogger.org
62	raw.githubusercontent.com
63	raw.githubusercontent.com
22	iplogger.org
25	iplogger.org
27	iplogger.org
47	iplogger.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 2272	2896	EASS.exe	53

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1728	2572	WerFault.exe	30
2648	2272	WerFault.exe	53

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00040000000194db-99.dat	nsis_installer_1
behavioral1/files/0x00040000000194db-99.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
572	schtasks.exe
1848	schtasks.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services64.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1508	Chrome 5.exe
2896	EASS.exe
2896	EASS.exe
2896	EASS.exe
2896	EASS.exe
2556	services64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	setup.tmp

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	DownFlSetup110.exe
Token: SeDebugPrivilege	2360	4.exe
Token: SeDebugPrivilege	2644	5.exe
Token: SeDebugPrivilege	1484	9.exe
Token: SeDebugPrivilege	1508	Chrome 5.exe
Token: SeDebugPrivilege	2896	EASS.exe
Token: SeDebugPrivilege	2556	services64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2780	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2780	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2780	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2780	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2780	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2780	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2780	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2480	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2480	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2480	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2480	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	29
PID 2912 wrote to memory of 2572	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	30
PID 2912 wrote to memory of 2572	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	30
PID 2912 wrote to memory of 2572	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	30
PID 2912 wrote to memory of 2572	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	30
PID 2912 wrote to memory of 2360	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	31
PID 2912 wrote to memory of 2360	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	31
PID 2912 wrote to memory of 2360	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	31
PID 2912 wrote to memory of 2360	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	31
PID 2912 wrote to memory of 2644	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	32
PID 2912 wrote to memory of 2644	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	32
PID 2912 wrote to memory of 2644	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	32
PID 2912 wrote to memory of 2644	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	32
PID 2912 wrote to memory of 2272	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	33
PID 2912 wrote to memory of 2272	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	33
PID 2912 wrote to memory of 2272	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	33
PID 2912 wrote to memory of 2272	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	33
PID 2912 wrote to memory of 2272	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	33
PID 2912 wrote to memory of 2272	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	33
PID 2912 wrote to memory of 2272	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	33
PID 2912 wrote to memory of 2896	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	34
PID 2912 wrote to memory of 2896	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	34
PID 2912 wrote to memory of 2896	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	34
PID 2912 wrote to memory of 2896	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	34
PID 2272 wrote to memory of 2304	2272	setup.exe	35
PID 2272 wrote to memory of 2304	2272	setup.exe	35
PID 2272 wrote to memory of 2304	2272	setup.exe	35
PID 2272 wrote to memory of 2304	2272	setup.exe	35
PID 2272 wrote to memory of 2304	2272	setup.exe	35
PID 2272 wrote to memory of 2304	2272	setup.exe	35
PID 2272 wrote to memory of 2304	2272	setup.exe	35
PID 2912 wrote to memory of 484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	36
PID 2912 wrote to memory of 484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	36
PID 2912 wrote to memory of 484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	36
PID 2912 wrote to memory of 484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	36
PID 2912 wrote to memory of 484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	36
PID 2912 wrote to memory of 484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	36
PID 2912 wrote to memory of 484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	36
PID 2912 wrote to memory of 1484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	37
PID 2912 wrote to memory of 1484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	37
PID 2912 wrote to memory of 1484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	37
PID 2912 wrote to memory of 1484	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	37
PID 2912 wrote to memory of 1708	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	38
PID 2912 wrote to memory of 1708	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	38
PID 2912 wrote to memory of 1708	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	38
PID 2912 wrote to memory of 1708	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	38
PID 2912 wrote to memory of 1708	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	38
PID 2912 wrote to memory of 1708	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	38
PID 2912 wrote to memory of 1708	2912	ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe	38
PID 2304 wrote to memory of 1456	2304	setup.tmp	39
PID 2304 wrote to memory of 1456	2304	setup.tmp	39
PID 2304 wrote to memory of 1456	2304	setup.tmp	39
PID 2304 wrote to memory of 1456	2304	setup.tmp	39
PID 2304 wrote to memory of 1456	2304	setup.tmp	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca48a01552acf9cb77202bf0b77a7a1c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
  "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\inst1.exe
  "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
  "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
  2⤵
  - Executes dropped EXE
  PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1324
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1728
- C:\Users\Admin\AppData\Local\Temp\4.exe
  "C:\Users\Admin\AppData\Local\Temp\4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\5.exe
  "C:\Users\Admin\AppData\Local\Temp\5.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\is-8CVSN.tmp\setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8CVSN.tmp\setup.tmp" /SL5="$8001A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\is-PE218.tmp\setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PE218.tmp\setup.tmp" /SL5="$9001A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2624
- C:\Users\Admin\AppData\Local\Temp\EASS.exe
  "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\EASS.exe
    "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\EASS.exe
    "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
    3⤵
    - Executes dropped EXE
    PID:1072
- - C:\Users\Admin\AppData\Local\Temp\EASS.exe
    "C:\Users\Admin\AppData\Local\Temp\EASS.exe"
    3⤵
    - Executes dropped EXE
    PID:2272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 184
      4⤵
      Loads dropped DLL
      Program crash
      PID:2648
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:484
- C:\Users\Admin\AppData\Local\Temp\9.exe
  "C:\Users\Admin\AppData\Local\Temp\9.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:2736
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Creates scheduled task(s)
      PID:572
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:972
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1848
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
224b3af33854ca174124527d521a2679

SHA1
d674dc44e5782fa9b8cb8481e1c02cc71a2169aa

SHA256
1b14ff04246963b96e4bf54f9b4e2530932d878560c13006fdc0392cb71b73d7

SHA512
651986b842d9e5daf26dc52228a91ea57ae574ba583642e79ab56028a1c8597ec947682ba0e27a7c23aa6d55970f2d3664347cbe0e24a38ba7d108460c629adc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
317f23f43014f326e72dc5eacd1a738a

SHA1
f580e08c7f05174dd336ef45fb7b416f34b68fcb

SHA256
11c8d3b426355e1fec3dc5c143055ee21ed55d8da53b5b11379c90a30c9482e5

SHA512
ddda4152406c9519beaa9781f6f2482094a804f1cf24275f57170a7ac664f4408859c47f055099fa523fb196f704ab5be3f6c64e8f87b188b52a96e682c26ce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7bc9b7a05556ace8af39fa26ab550983

SHA1
ddd40c831e1995fda3bce2285b95a16d35b6993b

SHA256
4638b68f6de68417d0113d1e12699492d93ded9e85aab9cb1eae89dd3feaeed4

SHA512
33f29947e61b38f3044d44383d19f91e825b548c253497568607cb798b31643f33864fed18edbd1c03d8093bd11452691cfbdf325aca360d0906a030871e138f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
792cc2d3fa5f7beb1beefc0082f8fbe1

SHA1
43a9b18b2c79a851a93ac25e75b2ee857935d4b3

SHA256
b5caecc66794cf0dc80f3bce7f6d7fd70562b53fa3a8f488280d7f81c6dc0838

SHA512
c16d4d3ea4e36846030f5c0beee31b0d8b610e78bc30444ea8070e18c74594365eb043d1f9318a5c6c8345b882e6c1516e25cab43f2f13239a8fc079a3131438

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
301966cace77dc87eeaab517d3996109

SHA1
00f287eaedb60b03583ae26c8be7a727120955b9

SHA256
90acd250f2277e850e787674c22683f752a2b1719bfa07dd5fbe8b3866098251

SHA512
80ae8900db21631b9480977a7327530e8e146b226aff151e105e1064610295d0da36f666bd61ab628069a3f67d62cdaed4865d4a8cf434e564a75b584967d72e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3439a235093b9045b23b423f1e89232e

SHA1
48ae733084a7054fe5509a0236c25e939e639ba0

SHA256
130105131b3259add84c90b91bf6aa8c37bd70ea2e4f98d4af2b2e42660e2532

SHA512
f07f213eac9d9ac50be5ab606bbe0486c994d0712a210abeb0c44aa08e18c715798f4b4e5f65f18ec4849315a11fd34cf1cd80fb9c8ca351420a91169ad679d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
8KB

MD5
320681737aca2a42ef41a7a802e7e395

SHA1
bc6974316d2668a7d0e92cb1ab61a8a758cbd76b

SHA256
5e40c7686d99670b996cae8582dcf3aef6885f87934273f03d7bf10a232e0b33

SHA512
01e25cfb81095a7b0f37d1f69a35be63e6df8c428a0a2a37610c49fb3516dba69d91a6e98738fe7aefe77fd71a3978221817e20dd9dd1bfffe2b09c0deca1bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\9.exe

Filesize
8KB

MD5
3c7203aee224472579c502ad5adb8fb6

SHA1
f4ae3519f99431a4fb8130e929c94d89824b29fe

SHA256
f82dbb015721f197b206f377d1b0676c52c9725ad463a5ad09e12ca1cfc798e2

SHA512
9eae3f0db67cc1597d018203c9a0f53291fe08a3892c404e07093e658ef989cc77765669c19884e362ec0452946d75cb38749d74d7fa23b618e6dc021bd5c0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab78E9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7A50.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar78F8.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7AA1.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8CVSN.tmp\setup.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\5.exe

Filesize
8KB

MD5
f37e479ee64ec5b9d75689a12aa79cd2

SHA1
d6b2c01e90a1488cab24063e29bed1a22de5ca9b

SHA256
8127fa63cb781d32e4f0f91dde38c2c9d0307e9267c721922c6b8d9a31c915f0

SHA512
468245b2b9237de8cd9800da7881770525d14462faa95c0b608b3c972f70c6306851be7a41d92447f4dba9450f462be9328f7c867844fe42a8e7be123be13c17

Download Submit
\Users\Admin\AppData\Local\Temp\Calculator Installation.exe

Filesize
328KB

MD5
7c4dd7df0090fafa88ea953ebf7e82c6

SHA1
587b32f765393a33aac665d2ead53012840ccb75

SHA256
bcc5b73bd77beae3ff24c384562c0902f90b212f4c345b99f97cae8452111f65

SHA512
8ab5dfd7ed4654e3f738a74ba3ec2c31ef79ea463edc81b5c781411401fac6982b6436ae668476f2a50ae88006379a57c85fec2f98c886bbb77a4d749969cdf1

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

Filesize
63KB

MD5
978582a03929afba9f50b7d149dfdb25

SHA1
fd27dfbd0ffec108b3c2ab648993817592010bbc

SHA256
7f413eeaf2db3ec6c7f94d3a5d06644fe5406afdde27e3552a736eaec373f283

SHA512
b37d706c64c15b6aec33d8c104ad18de335cb08dc831103669fd58995ef174f5306a0b5a083790a0f724d5cd9c5c0b7e384d243604e931a1f347521a863b7eaa

Download Submit
\Users\Admin\AppData\Local\Temp\EASS.exe

Filesize
1.3MB

MD5
c32404b0c8f851f345c1c48692ebc017

SHA1
41d93e106962f20ad85b70dd525a1c3475496a33

SHA256
175a43161c32ae6f4f66e777411304d07e0196156251c9756e61432cd577c70c

SHA512
30c837fa76ed4c3eeab7289db8115ba792131caf325ce9192be7d0bd2dc7669ee1ba1b1596ae40185e27716e65b9f8f7d3ee3dddd4308f5706b8e055e28923ce

Download Submit
\Users\Admin\AppData\Local\Temp\Soft1WW02.exe

Filesize
765KB

MD5
dd505d9dbf82b624095781c1a01e4dbb

SHA1
2c0d3d6e6b70435e8e5608ad8a3c20db7d76b23e

SHA256
bb1ad922f27d0bb3b41988829a5716bce113ac947f6ba9d66ef12876b7af78fe

SHA512
7668c2ce458d96b9e0a6f8ab9d72799582dfd316e2e28b293f3697f3d1cf47f2fb0fd9cd3e0b99f92d44aa91df6dbcaaa24a348baa3f1a62f07d93922ecff0d0

Download Submit
\Users\Admin\AppData\Local\Temp\inst1.exe

Filesize
221KB

MD5
39bf3527ab89fc724bf4e7bc96465a89

SHA1
ac454fcd528407b2db8f2a3ad13b75e3903983bc

SHA256
460cd65ce2698135e30e978ea9e4048a015c34dd4284d735b0f7061e4b9c1a69

SHA512
bc9cdb005b54187e1277cb4de9a6e273a3efda886c7735ccda188f164745ceb2a3a449c94f02b18ed71e79ae0c0f289c846f5f0e66290e299429f1458d7f457b

Download Submit
\Users\Admin\AppData\Local\Temp\is-NKP0M.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NKP0M.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\nsj670F.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
\Users\Admin\AppData\Local\Temp\nsj670F.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
379KB

MD5
429d0e06d7add76fdbfeb404a7bf4469

SHA1
11dedd36c146ae82f6a46360a6c5019284cc86f2

SHA256
32dccba4478d58b4e41bbf18f9d7532fd7d49ba6429b460b377f01e3f9bab736

SHA512
1443c7fc5a07ea82bb1a19211ee73a14e17961dd275e0d9118196ae99fae0de47a67e3ca74e50e90248923691d816aa50acb88329407f6128a2fe30bf405bee4

Download Submit
\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
376KB

MD5
571f9ac1a144d07f5f8e5054ebd737d9

SHA1
6aebb0894669814622bf9417e91870e0c81e0fc1

SHA256
8760d706dffea96fd453a150ba18a3110518fbdc7dfa8c48f84b94a06d7ab47c

SHA512
13ef865efd4c61cbc95c570e956a9bc70ee3a261d60ac6ef138c8c285bb093859e499f92e5f8ac7180b9c017e4ed362f2b1c40ba567f179d658d5978751f4ba8

Download Submit
memory/484-166-0x0000000000240000-0x000000000026F000-memory.dmp

Filesize
188KB

Download
memory/484-471-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/484-507-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/484-171-0x0000000000400000-0x0000000000790000-memory.dmp

Filesize
3.6MB

Download
memory/484-165-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/1456-110-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1456-160-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1484-83-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

Filesize
32KB

Download
memory/1484-158-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/1484-466-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/1484-163-0x0000000000A80000-0x0000000000B00000-memory.dmp

Filesize
512KB

Download
memory/1508-477-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/1508-133-0x000000013FF20000-0x000000013FF30000-memory.dmp

Filesize
64KB

Download
memory/1508-476-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/1508-482-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/1508-463-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/1508-148-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-515-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-648-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2212-516-0x000000001BAB0000-0x000000001BB30000-memory.dmp

Filesize
512KB

Download
memory/2212-513-0x000000013FDC0000-0x000000013FDC6000-memory.dmp

Filesize
24KB

Download
memory/2272-489-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2272-490-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2272-496-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2272-492-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2272-488-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2272-486-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2272-114-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2272-491-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2272-53-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2272-494-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2304-108-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2360-468-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2360-172-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2360-162-0x000000001B0D0000-0x000000001B150000-memory.dmp

Filesize
512KB

Download
memory/2360-46-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2360-474-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2480-17-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2480-19-0x00000000000B0000-0x00000000000C2000-memory.dmp

Filesize
72KB

Download
memory/2556-483-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-481-0x000000013F080000-0x000000013F090000-memory.dmp

Filesize
64KB

Download
memory/2556-506-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2556-642-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2572-157-0x0000000000800000-0x00000000008D6000-memory.dmp

Filesize
856KB

Download
memory/2572-465-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/2572-418-0x0000000000400000-0x00000000007F1000-memory.dmp

Filesize
3.9MB

Download
memory/2572-159-0x0000000000400000-0x00000000007F1000-memory.dmp

Filesize
3.9MB

Download
memory/2572-156-0x00000000008F0000-0x00000000009F0000-memory.dmp

Filesize
1024KB

Download
memory/2624-154-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2624-421-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2644-147-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-164-0x000000001AC20000-0x000000001ACA0000-memory.dmp

Filesize
512KB

Download
memory/2644-47-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/2644-462-0x000007FEF5AF0000-0x000007FEF64DC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-469-0x000000001AC20000-0x000000001ACA0000-memory.dmp

Filesize
512KB

Download
memory/2780-426-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-179-0x00000000045D0000-0x0000000004610000-memory.dmp

Filesize
256KB

Download
memory/2780-461-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-12-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-10-0x0000000000930000-0x0000000000948000-memory.dmp

Filesize
96KB

Download
memory/2780-43-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/2896-467-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2896-497-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-155-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-485-0x0000000005910000-0x00000000059EA000-memory.dmp

Filesize
872KB

Download
memory/2896-161-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2896-65-0x0000000000E60000-0x0000000000FA8000-memory.dmp

Filesize
1.3MB

Download
memory/2896-357-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/2896-464-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-127-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2912-0-0x0000000000C40000-0x0000000000FB0000-memory.dmp

Filesize
3.4MB

Download