515716cb2ad2ba552c6568000fc1353485e21ec545eb3ec4a364518859e3f42f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Size

8.0MB
MD5

e8b12927fdacaae93324d45c868837ef
SHA1

9245a5837afd50a6c6d3fb8cb00208ebf2678be3
SHA256

515716cb2ad2ba552c6568000fc1353485e21ec545eb3ec4a364518859e3f42f
SHA512

2bf02909d714e25b4d0ddd5e57c9617cef85f0b02036a7caf81cea02b3c306616ea72327db2314d2929768b45337f8a1e35e8a3c639d700f5b58e8a42db22aae
SSDEEP

196608:Lbv5BBy/3wau1lRZXfTHzdf8Fo9YAYKZZGh5LWVWw:LbvH2gR1/ZXbTR0iOKDNVp

Score

10^/10

adware discovery evasion persistence stealer upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\FlashGet Network\FlashGet 3\FlashGet3.exe = "C:\\Program Files (x86)\\FlashGet Network\\FlashGet 3\\FlashGet3.exe:*:Enabled:Flashget3"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2360	FlashGet3.exe
5064	Flashget3.exe

Loads dropped DLL 64 IoCs

pid	Process
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
2360	FlashGet3.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
2360	FlashGet3.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
2360	FlashGet3.exe
2360	FlashGet3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2360-651-0x000000006D510000-0x000000006D593000-memory.dmp	upx
behavioral2/memory/5064-648-0x000000006D510000-0x000000006D593000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	221.123.176.126

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FlashGet 3 = "\"C:\\Program Files (x86)\\FlashGet Network\\FlashGet 3\\FlashGet3.exe\" -minimize"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\ = "FlashGetBHO"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\NoExplorer = "1"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\menu_icon.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\commonlib.dll	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\image\toolbar_refresh.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\softmainview_tab_bg.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\but_updown.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\BHO\fdfirefox_7.xpi	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\video_bg.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGOpenHelpOption.exe	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\images\nextlabel.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\btn_radio.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\start15.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\toolbar_recly.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\toolbarbutton_right.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\css\lightbox.css	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\dat\directui\reom.jpg	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\dat\directui\tab.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\image\toolbar_bk.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\softOpenFileIcon.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\option_page_line.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\VodCore.dll	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\FlashGet Network\FlashGet 3\fgdgnss.exe	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FlashGetOpenHelp.exe	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\images\ftp_2.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\image\quickop_show.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\but_onoff.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\loading.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\config\upload.met	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\images\vod_2.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\video_search.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\toolbar_pause.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\FlashGet Network\FlashGet 3\fgbhoml.dll	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\FGResDetector.exe	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\sound\notify.wav	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\game.ico	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\js\effects.js	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\desktoplink.ico	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\dat\directui\directui_new_1322207289.zip	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\top_logotitle.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\config\known2_64.met	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\dat\directui\client_WeiBiaoTi-2.jpg	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\images\vod.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\image\toolbar_close.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\BarSet.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\pause15.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\BHO\fdgeturl.htm	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\images\vod_3.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\FlashGet Network\FlashGet 3\config\known2_64.met	Flashget3.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\image\toolbar_back.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\video_but_back.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\toolbarbutton_left.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\dat\directui\dian.jpg	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\gb2312-unicode.dic	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\LICENSE.TXT	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\images\image_3.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\image\option_icon.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\dat\directui\newgame.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\video_tab_wait.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\toolbar_option.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\win_titlebg.png	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\fnsScheduler.dll	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\dat\directui\p4.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\images\banner.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\FGResDetector\data\images\ftp_3.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
File created	C:\Program Files (x86)\FlashGet Network\FlashGet 3\skin\default\image\domain_failed.gif	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\libem.INI	Flashget3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØµ±Ç°ÊÓÆµ\ = "C:\\Program Files (x86)\\FlashGet Network\\FlashGet 3\\BHO\\fdgetflvurl.htm"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØµ±Ç°ÊÓÆµ\contexts = "243"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØÈ«²¿ÊÓÆµ\ = "C:\\Program Files (x86)\\FlashGet Network\\FlashGet 3\\BHO\\fdgetallflvurl.htm"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{10245650-5917-4ff8-BED6-ABB91DD73E47}"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØ	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØÈ«²¿Á´½Ó	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØÈ«²¿Á´½Ó\ = "C:\\Program Files (x86)\\FlashGet Network\\FlashGet 3\\BHO\\fdgetallurl.htm"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØÈ«²¿Á´½Ó\contexts = "243"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{10245650-5917-4ff8-BED6-ABB91DD73E47}"	Flashget3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØ\contexts = "34"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØÈ«²¿ÊÓÆµ	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØÈ«²¿ÊÓÆµ\contexts = "243"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	Flashget3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{10245650-5917-4ff8-BED6-ABB91DD73E47}"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØ\ = "C:\\Program Files (x86)\\FlashGet Network\\FlashGet 3\\BHO\\fdgeturl.htm"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{10245650-5917-4ff8-BED6-ABB91DD73E47}"	Flashget3.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Internet Explorer\MenuExt\Ê¹ÓÃ¿ì³µ3ÏÂÔØµ±Ç°ÊÓÆµ	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2974c985-8151-4de5-b23c-b875f0a8522f}	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\ = "FlashGetBHO"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E27A18A5-FC5E-4B5C-ADCC-4E7D309C1C02}\1.0\HELPDIR\	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA220044-100F-422D-9158-947D0F11B04C}\ = "PSFactoryBuffer"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.IFlashGetNetscapeEx\CurVer	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FG2CatchUrl.Netscape\CurVer\ = "FG2CatchUrl.Netscape.1"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{810B845F-70F3-4B05-9625-3FB37B59A884}\NumMethods\ = "9"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Flashget\Shell\Open\Command	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DD9E779-2707-4BF0-8269-E4C6BD8B39B7}\ = "IIFlashGetNetscape"	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{810B845F-70F3-4B05-9625-3FB37B59A884}\ProxyStubClsid32	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.IFlashGetNetscapeEx\ = "IFlashGetNetscapeEx Class"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{810B845F-70F3-4B05-9625-3FB37B59A884}\NumMethods\ = "9"	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6262DCE-6E64-45D2-B080-801F1E298AC2}	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.IFlashGetNetscapeEx\CLSID	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DF772EB8-4116-49AE-8FA4-B5B078AA4198}	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{116ba71c-8187-4f15-9a1f-c9d6289155d1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\FlashGetBHO\\FlashGetHook.dll"	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\FlashgetHook.DLL\AppID = "{2C254882-699A-464B-95F5-32F003F4F45C}"	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10245650-5917-4ff8-BED6-ABB91DD73E47}\Programmable	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEButton\CurVer	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Flashget\shell\open\command	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\URL Protocol	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BitTorrent\ = "BitTorrent File"	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E27A18A5-FC5E-4B5C-ADCC-4E7D309C1C02}\1.0\FLAGS\ = "0"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10245650-5917-4ff8-BED6-ABB91DD73E47}\InprocServer32\ThreadingModel = "Apartment"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{810B845F-70F3-4B05-9625-3FB37B59A884}\TypeLib	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6262DCE-6E64-45D2-B080-801F1E298AC2}\ToolboxBitmap32	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA220044-100F-422D-9158-947D0F11B04C}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\FlashGetBHO\\FlashGetBHO.dll"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA220044-100F-422D-9158-947D0F11B04C}	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA220044-100F-422D-9158-947D0F11B04C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0939A48-0E2F-453F-899C-595F6648EE88}\ProxyStubClsid32\ = "{A0939A48-0E2F-453F-899C-595F6648EE88}"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2EF6B49-47AE-457F-A8C7-6C68DFB7B894}\1.0	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\ProgID	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{116ba71c-8187-4f15-9a1f-c9d6289155d1}\TypeLib\ = "{DF772EB8-4116-49AE-8FA4-B5B078AA4198}"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.IFlashGetNetscapeEx\ = "IFlashGetNetscapeEx Class"	Flashget3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{116ba71c-8187-4f15-9a1f-c9d6289155d1}\TypeLib	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2EF6B49-47AE-457F-A8C7-6C68DFB7B894}\1.0\HELPDIR\	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ed2k\shell\open	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashGetHook.FG3DownMgr.1\CLSID\ = "{10245650-5917-4ff8-BED6-ABB91DD73E47}"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelper.IEButton\CLSID	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10245650-5917-4ff8-BED6-ABB91DD73E47}\InprocServer32	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0939A48-0E2F-453F-899C-595F6648EE88}\InProcServer32	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A15AD22-7859-438F-9EFF-DF3D06E02CAF}	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\TypeLib\ = "{E27A18A5-FC5E-4B5C-ADCC-4E7D309C1C02}"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2EF6B49-47AE-457F-A8C7-6C68DFB7B894}\1.0\FLAGS	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.IFlashGetNetscapeEx.1\CLSID	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashGetHook.FG3DownMgr\ = "FG3DownMgr"	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{116ba71c-8187-4f15-9a1f-c9d6289155d1}\TypeLib\ = "{DF772EB8-4116-49AE-8FA4-B5B078AA4198}"	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FG2CatchUrl.Netscape\ = "JetCarNetscape Class"	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2974c985-8151-4de5-b23c-b875f0a8522f}\VersionIndependentProgID\ = "FG2CatchUrl.Netscape"	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6262DCE-6E64-45D2-B080-801F1E298AC2}\MiscStatus	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{104F4CFA-69CF-4E63-A23C-2E53A597F8D5}\TypeLib\ = "{E2EF6B49-47AE-457F-A8C7-6C68DFB7B894}"	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\ = "Magnet URL"	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\DefaultIcon	Flashget3.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10245650-5917-4ff8-BED6-ABB91DD73E47}\Programmable	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{104F4CFA-69CF-4E63-A23C-2E53A597F8D5}\TypeLib\ = "{E2EF6B49-47AE-457F-A8C7-6C68DFB7B894}"	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Magnet\shell\open	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BitTorrent	Flashget3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C6262DCE-6E64-45D2-B080-801F1E298AC2}\InprocServer32	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Flashget\ = "URL: Flashget Protocol"	Flashget3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashGetBHO.FlashGetAPP.1\ = "FlashGetAPP"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0}\InprocServer32	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DF772EB8-4116-49AE-8FA4-B5B078AA4198}\1.0\FLAGS\ = "0"	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10245650-5917-4ff8-BED6-ABB91DD73E47}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\FlashGetBHO\\FlashGetHook.dll"	Flashget3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5064	Flashget3.exe
5064	Flashget3.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5064	Flashget3.exe
5064	Flashget3.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe
5064	Flashget3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 2360	4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe	93
PID 4460 wrote to memory of 2360	4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe	93
PID 4460 wrote to memory of 2360	4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe	93
PID 4460 wrote to memory of 5064	4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe	94
PID 4460 wrote to memory of 5064	4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe	94
PID 4460 wrote to memory of 5064	4460	e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe	94

C:\Users\Admin\AppData\Local\Temp\e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8b12927fdacaae93324d45c868837ef_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Program Files (x86)\FlashGet Network\FlashGet 3\FlashGet3.exe
  "C:\Program Files (x86)\FlashGet Network\FlashGet 3\FlashGet3.exe" -statistics install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2360
- C:\Program Files (x86)\FlashGet Network\FlashGet 3\Flashget3.exe
  "C:\Program Files (x86)\FlashGet Network\FlashGet 3\Flashget3.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FlashGet Network\FlashGet 3\BugReport.dll

Filesize
244KB

MD5
62a022792b6ee8cd4a2988c61fa908ad

SHA1
7f097d7944dbef30880ba0a7177295fa5aa9815d

SHA256
81848a26eb8495a27b4a293e966764cadf286fade5ff6503f4673842836fec5a

SHA512
020cd746c9b85419c868bb49956b1bc0561deba62b4b2c3ad8d28c3dcc6014e10fa755fb3219375266ebfdc7782ede47b77af0c92f848456484d010a5ef9181b

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\FlashGetAdProcess.exe

Filesize
189KB

MD5
c856428b84e79c613443a21fd1c4bedb

SHA1
49cf2de5d3c5857165aec7cea5927a3a4b90f1c9

SHA256
43977dc69bb5807ec9fcfe75c6098c81be26a9ab99f46ef666d0a07dd1b191f2

SHA512
22c66b776f6645fd081f5f3683838033fe86755aa5f675e3750e49a8589f94c5cd34e750902d8299cc860fe1bd12726677228b888abc871fe5521f2557a679ca

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\Flashget3.exe

Filesize
2.9MB

MD5
8b10d68b79ab023cd34cc0904c473626

SHA1
05d292a70549cf69db21ec87bbf3ccb6681d77c2

SHA256
93118afb180790cc6bdfe87b786c3acc74f3d1d642c77f7f1b60bda43b1b41ec

SHA512
bd1177c10e3f37567ae82e65268e969d32050619174587048962c8055ffb005b7a09cca9f877c3fbfd3b41661eab0346d1c33510c4c2adb6f214a28a7fbcfcb7

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\P2PCore.dll

Filesize
332KB

MD5
01e48c225b05c81f7de9ffb39acce18f

SHA1
30936a7163bee7e0d575c0a324d8538f1db4b72f

SHA256
de4083bb1443866b161aa0a1c9f2cc9e3cc2e24c2a2f4792db3587cbf7a3655c

SHA512
cebb642cdbfe6da88675fb496c512525169d15a3a2b1db65129facae3edf79ddc8a5317c28c4784dcc9c55a20bf7b16df118e8fdb1ba57bea862c03c2f535566

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\btcoreu.dll

Filesize
1.1MB

MD5
1032eb08bebfa4fa858fe3601771a840

SHA1
daf097b498e64f9cc6d9c3da19a3a1df145e4c53

SHA256
405b92c7774a995de71d70681a0caba73db611a81710ba0c9943612e85ba2ebb

SHA512
12d677fbcaf3d91b65c337f322ba8512c36594c767dd9c6fac5e7f508a0c8cf0f59893d92c24326db17a42636d594b61ed57f590a5e904789e74ad03c8d9255d

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\commonlib.dll

Filesize
536KB

MD5
250a45c90a52ece8ec58dfacfbdecf0d

SHA1
25eb09d9aedb87b125a7c50a008cb7d8cb2fd702

SHA256
4d905810324a6e285918ff03e69380138b930ab8f1f6cedebbda259c1a3a9bc5

SHA512
782c40331636bb9be90d99d5661941a1549e8cc8aba5549267a9892958d2375601fb4e6901663dcbab9a648a305c6e93f81c09a2387be1a84353925fb3ce2564

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\fnsArchive.dll

Filesize
452KB

MD5
98cb739bf5517fe3b8794aa9525eb804

SHA1
29b11386e52f950e7e13144224024df6f0b1e28c

SHA256
b31a2dd5177a410e8e86308ec914a4721f79f1870a4fb7a8d9fe075d2abc186f

SHA512
15e5af5eeffca79b91054d95489a88b0092ee36b359977776e48074a7eca5042a789c6d56776be72309a69f92fb8c5f1c4eb1f07bee1345e68c2d679519f8804

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\fnsDirectuix.dll

Filesize
224KB

MD5
cea25e63c21707e59fbd0a7b6a4ba514

SHA1
93c80130f81efee8a57cabfca39064217d5479bc

SHA256
e788f8cdceb77154a7076cd3cc8ba82e23bf5068f0610cf2b7d5d07a0d3a70e5

SHA512
044ce2cbf33495ec5275a5db374d14c6a5d6f37e2bcb96b1d787b158e7a3b8926bfd651ad351470270cf91dce24bd832d3df4460c0ab66e0c4363a963d420a66

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\fnsScheduler.dll

Filesize
292KB

MD5
b35a573ba7b11c65e6ecf9a17282e3a5

SHA1
bef15d1f3c9a380f6468d9b8eb4da570661ebdfb

SHA256
05570d225fc27cc4597af76bb2b95d3e792d9c841e95539574394ef26abf9833

SHA512
22ce66e39123cd5df23615713891878ce8d6d261566cee04d0b25ac08e20ebb6783e6fe428f025446d5368275a8bbba77873dbf29713915fc1321561ecea17d4

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\fnsSecurity.dll

Filesize
116KB

MD5
44155e2d3dd6873e51fe3f0618998a5d

SHA1
5f4ffc2892c92831523a5f205e183fc9c98ba395

SHA256
a271cff54a1601f7f80c7372199df106ff2534301e4b21dfe74298fc3c78a1e3

SHA512
c8808729aee4687206fdf199fef819fda44ce5bcc5d45247fb5b02c0f67dd6681dda3a302653ee124d8d6d291d8777922676402c2026474edf5a3d0eecf09f7a

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\fnsSkinX.dll

Filesize
188KB

MD5
9498164f78f5124df6500a454bb19dbe

SHA1
e3bcab73a424e2731ee36b5943a6487d2fd32c90

SHA256
b8822d92b40f145106e517aa7fbc02d64e4224506c817f83c4a151b4bc87a091

SHA512
b045b90850a5849e4a78de1e771db0f465c9972c4cb975b94319346275f89a3d39380ec3337995ed34634617d4950e3167d55ce2838d1152729a2df15ee9393d

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\fnsStatistics.dll

Filesize
240KB

MD5
7c4706d7b3d3af38527e5a249b89db92

SHA1
c0fe9d53645a638c95c0620013e9091060454066

SHA256
354755338f7742b40797b1c45af369959a5b19fd631f53bce6ecb27a5db29819

SHA512
e752fa1890023230479f42b0eee1bc85cc7201fbafd08da47e931d822e0b1001bf2ed528592d37ddd5a9426129721353c5ce8c4ee3ce2e819ddd5eedbb1f5a5f

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\p2score.dll

Filesize
432KB

MD5
d0d37653b36689a270ed58a102c88a44

SHA1
2a4bd555a50659b1668ae141d03baf388689e960

SHA256
0ba748263eb62c35b40160338ac49210b2f9f913e4cac50d29fed6b60b5daa3b

SHA512
22f2b4331e5501f958c4debce7e3e0b1d5dcafbb4fa3a93d0a66459969eccdf63b76a55c8890b0d3b7657069391636069af18a8f12e3bb66fa7ef7c8d1bc6b35

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\zlib1.dll

Filesize
81KB

MD5
392f1f6a15e57a9b3e4e655715070e6e

SHA1
9630abb63fa7ae6fd10499b66c50b4283a9d92b3

SHA256
2c5d1e6fa220b4f4de9ab7430ebfa5b1c3f9309d8e797f9a112462d48a979b40

SHA512
b4afaea743093fc42931a888d10d60c4c6d2c1a797329f81892a8c28246f4061020581b8b9421f9197602dab295f04a7d5711f13af17b3ab56c39639d9d161aa

Download Submit
C:\Program Files (x86)\FlashGet Network\FlashGet 3\Æô¶¯¿ì³µ(FlashGet).lnk

Filesize
2KB

MD5
3ea78e9bd32210d183c388be6375a921

SHA1
fdf18a65c2099905a750c1d9efa0b77506122188

SHA256
e1b0f78254917f26d6d58780210eff1c587a265a3e14ceea5342f9d0728ce5db

SHA512
cd276db3edf4a112fdbac1fd29d2b01ea5e7f3a735a2497a05d18ab88ce2206d40c6a391d261da5aae6793164cd73895cb893c71698a86f22280a93c0296f0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\ProcDll.dll

Filesize
54KB

MD5
4bbffba241d51d447a527891c49cd1f3

SHA1
df6e9617bbf060c9373e173144a9943375874a2f

SHA256
7883866a9143135bcec5c173293265778ac68a331bfae7efbd9d92f21fb254cd

SHA512
ff366b7db3970c31352dc05ce3d8b53818555b768b3d2e52ba33cc7338ba47c4aa8ae48391fe6ac8072b150aa7947e0133b558b86b9cc2a3ec286472b98f01f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\SetupHelper.dll

Filesize
36KB

MD5
09e1911d6db8fe82021d5a0107ea4371

SHA1
c507c1274c38112d2f6e4b80bf99dfee12b27da1

SHA256
469cdd1682296434d5f811bc3de833beeddfa988200bdc9404eac6a9bb235c92

SHA512
b34f01369d14c8925e35aa12f3ab0dbee3c01d3b585f6f3a066512bd8a244ebaa51b13adf38571465ff7b5ed580a5457528fba6a58536b056f68e4fb83f4e78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\System.dll

Filesize
10KB

MD5
0ae9c427fe7bbbbf1368c1c6d3933ae7

SHA1
c8e5131613302531c88512dada29a18886259268

SHA256
49437f4b9fd38007f3b2735f0a8a12830b995305c75118b440202980183d5c6a

SHA512
59b76b00f2b0d6242dc5bc3cb36d3ff78867445f502e34cea890c6f493c2adf9b97cec539963204ddd1c641e1a77139f46fc33dec4dc636f4b06d2edffffec6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\rfshdktp.dll

Filesize
2KB

MD5
9410591a148871a6d0629cf25b94526f

SHA1
be1e8b0fe8327f185136a0d2460a68f720484535

SHA256
acc76e81f71e7f2ba58c36d678bc9ae4705e0187a3cdfa6d0025190467d9c0c7

SHA512
465d3e418e769b907262e07cbca3d2c5132bf328431d456be09c059821be20a6d30106562d7ef0bfa93ca219b2abe57ee891d937419fc4b8840987b184b45df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\task.ini

Filesize
711B

MD5
0fc7e0a4eb5a069f7aba92fdc219a6df

SHA1
8e99b142be2a3e7124dbb85411799ac0c39e0d93

SHA256
0d9774dbd18128278f1d38202f1438b567e2c82ed07e1b2121ecc32c11fdd12a

SHA512
9298066d1ac58256b4e92ec7f15540802b64047a2400671e0bcfeb16e0a36abcd816f847f64f118a26ea8f2fee7494ad6c1766abd1d75e3936129a0d039836bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl55C3.tmp\wel.ini

Filesize
412B

MD5
3e36d4c18abae01c78621a72939fc3a1

SHA1
054102da55b80195c81fd0fa893c29230c2a4fbf

SHA256
9e061606aa014a5d2e2ec196dff88e5f301c9bfb4dd32869e14c45e67572d9dd

SHA512
c49160a812f82d15020353316d523d56ca7f1b2d90ede11423f6c960b7d32660496da77029f445e4f2cf624195481e1304feec5474361112f78c8fb86ffa9661

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn5A59.tmp

Filesize
166KB

MD5
7afe66f3f815b4aa2d196595ec7b5ea6

SHA1
84fd18cc7832ddc47820496394010e5f5a3cb138

SHA256
92452b96fe5b3205067fae0c8122adc36921cbe540ca81a97272b8515bc916e3

SHA512
5cd493cea9be4e1a769c3fa9864424ed9cbf8a873d5653df6161081de5d207fcaf00c89de67d285fd748baa07fa25ecbda2203660771fa6e51a7f95c8b251080

Download Submit
C:\Users\Admin\AppData\Roaming\BITS\P2PCfg.ini

Filesize
111B

MD5
39ca8ec44df4f5950213ea85cec0f551

SHA1
a7d8119399bf87de2d96599db3b13555dcda6cca

SHA256
62bdc4a7ce167885e711a46a85dee003e0e8a3c757757a5391618c988d9eae9a

SHA512
a113ab43f01ff1125697aa0266eb53af52351a90d6f5413b02c5f166d818e86e669dc723f8fbefda417a4c62be560658a48b4e26f7e40817b3cea5ff190f2585

Download Submit
C:\Users\Admin\AppData\Roaming\FlashGetBHO\FlashGetBHO.dll

Filesize
145KB

MD5
28a771c59443042325abea714bdb6ab6

SHA1
828b596ec44669083672e1bb0746b505cba2725a

SHA256
def92eb900ea4efa2ffbbfc3eabc86482453131f3760065abe511d0bbf3fd53b

SHA512
52db8b9a59b016846b62745ca65bfe003d1fccef8da4b7185df5bda2e32d46e2808ebb73c6e1a226f906dae6614d4117d334f22c8e0b13de398efe651fb9266d

Download Submit
C:\Users\Admin\AppData\Roaming\FlashGetBHO\FlashGetHook.dll

Filesize
293KB

MD5
96541a0ae99b6f16c1ac66e8ee5fa2dc

SHA1
cac7522080c841f06aef89ad51484470eadc63d5

SHA256
7912a84402db68c9abf9804832d124e33a32fb6d37d2c61942d89b0f070fa971

SHA512
d2766a81a502c1c56fcd688c86c1d1ff9b6890dfa7c78ff2a8435448cc936344104e60e273be6aa55ed51c93da0953c010ed079c6ecfc8dbc5f048f0fcbd4924

Download Submit
C:\Users\Admin\AppData\Roaming\FlashGet\v3\dat\FlashGet3db.tmp

Filesize
676B

MD5
8668f329086b3ca588a26aeeea563807

SHA1
7d1a058d70ab6081624776254a0be2de8d3e1b71

SHA256
66ed677228de7da90072f84fa7896d251570bc4c70b9028324bf205251c12bf3

SHA512
cc44b102745d62dd172f968b159f051f387dd47c7fef0ca75e4dc80c7f872e3fc8fa68d694e1a6c345bbc23aebeb4d61f3cb7dac58fed190e17ee20ae42227b1

Download Submit
C:\Windows\libem.INI

Filesize
25B

MD5
6ec55e88c0fce0339759cb37fc118b78

SHA1
48665316bee43ee73e5a4a6c576716c60d210e02

SHA256
1f4cc471ed9d30ea44d2fc11f29a58c1a9b2c9888a7b7cb5753591e53ecc8ca2

SHA512
4a50a7b0a72b3ae32c387ca0727c51ae564b3539c449d2b4f8d5d2c8342f419377ada43e4e020db11d1adf1ab999c5fdd4db1f5a06a001c0f9481208f43d5a49

Download Submit
memory/2360-658-0x0000000002BF0000-0x0000000002C4B000-memory.dmp

Filesize
364KB

Download
memory/2360-583-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2360-674-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2360-649-0x0000000000820000-0x0000000000831000-memory.dmp

Filesize
68KB

Download
memory/2360-652-0x00000000024C0000-0x00000000024E7000-memory.dmp

Filesize
156KB

Download
memory/2360-651-0x000000006D510000-0x000000006D593000-memory.dmp

Filesize
524KB

Download
memory/2360-666-0x0000000002EF0000-0x0000000003014000-memory.dmp

Filesize
1.1MB

Download
memory/2360-653-0x0000000002B70000-0x0000000002BDF000-memory.dmp

Filesize
444KB

Download
memory/2360-592-0x0000000002580000-0x00000000025C1000-memory.dmp

Filesize
260KB

Download
memory/2360-661-0x0000000002C60000-0x0000000002C84000-memory.dmp

Filesize
144KB

Download
memory/4460-477-0x000000000A9C0000-0x000000000AA2F000-memory.dmp

Filesize
444KB

Download
memory/4460-484-0x000000000AA30000-0x000000000AA8B000-memory.dmp

Filesize
364KB

Download
memory/5064-647-0x0000000002E70000-0x0000000002E94000-memory.dmp

Filesize
144KB

Download
memory/5064-670-0x0000000005EC0000-0x0000000005FE4000-memory.dmp

Filesize
1.1MB

Download
memory/5064-646-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/5064-663-0x00000000038F0000-0x0000000003912000-memory.dmp

Filesize
136KB

Download
memory/5064-665-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/5064-641-0x0000000002C20000-0x0000000002C8F000-memory.dmp

Filesize
444KB

Download
memory/5064-648-0x000000006D510000-0x000000006D593000-memory.dmp

Filesize
524KB

Download
memory/5064-654-0x00000000030C0000-0x0000000003109000-memory.dmp

Filesize
292KB

Download
memory/5064-668-0x0000000005E00000-0x0000000005E72000-memory.dmp

Filesize
456KB

Download
memory/5064-657-0x00000000037A0000-0x00000000037DF000-memory.dmp

Filesize
252KB

Download
memory/5064-672-0x00000000061F0000-0x000000000666C000-memory.dmp

Filesize
4.5MB

Download
memory/5064-637-0x0000000002390000-0x00000000023D1000-memory.dmp

Filesize
260KB

Download
memory/5064-640-0x0000000002400000-0x0000000002427000-memory.dmp

Filesize
156KB

Download
memory/5064-643-0x0000000002DA0000-0x0000000002DFB000-memory.dmp

Filesize
364KB

Download
memory/5064-639-0x00000000023E0000-0x00000000023F1000-memory.dmp

Filesize
68KB

Download
memory/5064-699-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/5064-700-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download