e7c8e5cd9584a0b7d1e3f19355e0d37110d5403c740b51c5ec383ff83cbc5a0f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 23:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe
Size

1.4MB
MD5

f9001b1047a78d6ebb8020389a99cf39
SHA1

bb432e4555592d63186900ba57791328eaf9e25e
SHA256

e7c8e5cd9584a0b7d1e3f19355e0d37110d5403c740b51c5ec383ff83cbc5a0f
SHA512

7c9270b1510ca5e68382591c54a8e50340e89954b6ad00ac9d3d215ab5cd4e385872fce6a149e7165589d66a9cbbc9f93721c1f0294565fbbb4bd36d0d1f93a6
SSDEEP

24576:Yutr5OUuNKJOAa/Q7lhRugqqnMx5OKASgL7sg1MMbo3O5X1UhmAeJi1B0:YuX+QC8PggXMx5OKmQxMbo3OtawA+i1B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2156	bstrapInstall.exe
2688	gameinstaller.exe
1100	bstrapInstall.exe
1536	gameinstaller.exe

Loads dropped DLL 31 IoCs

pid	Process
2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe
2156	bstrapInstall.exe
2156	bstrapInstall.exe
2156	bstrapInstall.exe
1632	regsvr32.exe
1632	regsvr32.exe
1632	regsvr32.exe
2156	bstrapInstall.exe
2688	gameinstaller.exe
2688	gameinstaller.exe
2688	gameinstaller.exe
2688	gameinstaller.exe
2688	gameinstaller.exe
2688	gameinstaller.exe
2688	gameinstaller.exe
2688	gameinstaller.exe
2688	gameinstaller.exe
1100	bstrapInstall.exe
1100	bstrapInstall.exe
472	regsvr32.exe
472	regsvr32.exe
472	regsvr32.exe
1100	bstrapInstall.exe
1536	gameinstaller.exe
1536	gameinstaller.exe
1536	gameinstaller.exe
1536	gameinstaller.exe
1536	gameinstaller.exe
1536	gameinstaller.exe
1536	gameinstaller.exe
1536	gameinstaller.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\RealArcade\Installer\bin\RAInstallerPaths.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\blob	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\socket\socket\core.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\compat-5.1.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\InstallerDlg.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\RAInstallerPaths.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\socket	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\bstrapinstall.exe	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\gtapi_signed.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\lua50.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\OCSetupHlp.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\waiting_bar.gif	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\blob	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\gtapi_signed.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\gcapi_dll.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\socket\mime\core.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\config.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\gcapi_dll.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\ServerTransaction.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\mime	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\socket\core.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\installerMain.clf	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\waiting_bar.gif	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\gameinstaller.exe	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\url.lua	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\wait.html	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallComcastGamesToolbar.clf	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallTwcDesktopWeather.clf	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\socket\url.lua	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\waitProc.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\waiting_to_install.png	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\OCSetupHlp.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallChrome.clf	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\socket\ltn12.lua	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\waiting_to_install.png	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\lua50.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallChrome.clf	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\mime\core.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\unrar.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\GCHROME.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Extensions	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\GCHROME.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\socket\mime.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\mime.lua	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\installLog.txt	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\socket\http.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\unrar.dll	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\UnRar.exe	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\http.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket\ltn12.lua	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\bin\luacom.dll	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\blank.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\blank.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallGoogleToolbar.clf	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\gamewrapper.exe	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\gameinstaller.exe	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\UnRar.exe	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\socket	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\bin\bstrapinstall.exe	gameinstaller.exe
File created	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallGoogleToolbar.clf	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\wait.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\waitProc.html	gameinstaller.exe
File opened for modification	C:\Program Files (x86)\RealArcade\Installer\Extensions\CheckInstallComcastGamesToolbar.clf	gameinstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D62088BE-DBCC-11DB-8D0A-D0DD55D89595}\AppPath = "C:\\Program Files (x86)\\RealArcade\\Installer\\bin"	gameinstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	gameinstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	gameinstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	gameinstaller.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D62088BE-DBCC-11DB-8D0A-D0DD55D89595}	gameinstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D62088BE-DBCC-11DB-8D0A-D0DD55D89595}\Policy = "3"	gameinstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D62088BE-DBCC-11DB-8D0A-D0DD55D89595}\AppName = "gameinstaller.exe"	gameinstaller.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D60A064-2009-4623-8FC1-F99CAC01037E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.UnRar.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A38DB794-40F4-4540-9062-0C1C6E71EF0C}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.CookieCtl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.RegAccess.1\CLSID\ = "{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A38DB794-40F4-4540-9062-0C1C6E71EF0C}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.RegAccess.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.RegAccess.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B5C103F-DAAF-425E-B3A9-DEDE61F3A6F4}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A38DB794-40F4-4540-9062-0C1C6E71EF0C}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RACInstaller.StateCtrl\CurVer\ = "RACInstaller.StateCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D991AAA3-6CEB-47CD-9A34-08E0C9D0959E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{29F023B2-B05F-4613-A60F-2A0094DF3017}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\InprocServer32\ = "C:\\Program Files (x86)\\RealArcade\\Installer\\bin\\InstallerDlg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.UnRar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48D11E12-E33E-40A7-A78D-2EAFD88906DC}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.UnRar\ = "CUnRar Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\ProgID\ = "RACInstaller.StateCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\TypeLib\ = "{12631F96-F37E-4975-81D5-16E871EE557B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{748744E8-6812-4F07-9F57-5F40395BDE65}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{860450DB-79C1-44E4-96E0-C89144E4B444}\ = "IProcessMgr"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ShellCtl\CurVer\ = "StubbyUtil.ShellCtl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ProcessMgr\ = "CProcessMgr Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.CookieCtl	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{12DE7CAC-9F64-48FA-9526-212043DF0AAE}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ShellCtl.1\ = "CShellCtl Object"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{860450DB-79C1-44E4-96E0-C89144E4B444}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ProcessMgr\CurVer\ = "StubbyUtil.ProcessMgr.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.RegAccess\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D991AAA3-6CEB-47CD-9A34-08E0C9D0959E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5609BFB-AC99-4F0C-AA90-5BA58C1E382E}\ = "ICookieCtl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.RegAccess\CurVer\ = "StubbyUtil.RegAccess.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.CookieCtl\CLSID\ = "{748744E8-6812-4F07-9F57-5F40395BDE65}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12631F96-F37E-4975-81D5-16E871EE557B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\bin\\InstallerDlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AAA7D05-AC75-4B10-88A1-D4F6344158DD}\ = "_IUnRarEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ShellCtl.1\ = "CShellCtl Object"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5818813E-D53D-47A5-ABBB-37E2A07056B5}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C8F76629-E4F4-4646-AFC0-665082D167B1}\ = "CSlideState Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{748744E8-6812-4F07-9F57-5F40395BDE65}\InprocServer32\ = "C:\\Program Files (x86)\\RealArcade\\Installer\\bin\\InstallerDlg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.ProcessMgr.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RACInstaller.StateCtrl.1\CLSID\ = "{C8F76629-E4F4-4646-AFC0-665082D167B1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\StubbyUtil.RegAccess\CLSID\ = "{102A897A-FC92-4F8B-A7D5-7DE434FE7D3E}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2688	gameinstaller.exe
2688	gameinstaller.exe
2688	gameinstaller.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe
Token: SeRestorePrivilege	2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2688	gameinstaller.exe
2688	gameinstaller.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2156	2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2156	2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2156	2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2156	2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2156	2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2156	2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe	28
PID 2244 wrote to memory of 2156	2244	f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe	28
PID 2156 wrote to memory of 1632	2156	bstrapInstall.exe	29
PID 2156 wrote to memory of 1632	2156	bstrapInstall.exe	29
PID 2156 wrote to memory of 1632	2156	bstrapInstall.exe	29
PID 2156 wrote to memory of 1632	2156	bstrapInstall.exe	29
PID 2156 wrote to memory of 1632	2156	bstrapInstall.exe	29
PID 2156 wrote to memory of 1632	2156	bstrapInstall.exe	29
PID 2156 wrote to memory of 1632	2156	bstrapInstall.exe	29
PID 2156 wrote to memory of 2688	2156	bstrapInstall.exe	30
PID 2156 wrote to memory of 2688	2156	bstrapInstall.exe	30
PID 2156 wrote to memory of 2688	2156	bstrapInstall.exe	30
PID 2156 wrote to memory of 2688	2156	bstrapInstall.exe	30
PID 2156 wrote to memory of 2688	2156	bstrapInstall.exe	30
PID 2156 wrote to memory of 2688	2156	bstrapInstall.exe	30
PID 2156 wrote to memory of 2688	2156	bstrapInstall.exe	30
PID 2688 wrote to memory of 1100	2688	gameinstaller.exe	31
PID 2688 wrote to memory of 1100	2688	gameinstaller.exe	31
PID 2688 wrote to memory of 1100	2688	gameinstaller.exe	31
PID 2688 wrote to memory of 1100	2688	gameinstaller.exe	31
PID 2688 wrote to memory of 1100	2688	gameinstaller.exe	31
PID 2688 wrote to memory of 1100	2688	gameinstaller.exe	31
PID 2688 wrote to memory of 1100	2688	gameinstaller.exe	31
PID 1100 wrote to memory of 472	1100	bstrapInstall.exe	32
PID 1100 wrote to memory of 472	1100	bstrapInstall.exe	32
PID 1100 wrote to memory of 472	1100	bstrapInstall.exe	32
PID 1100 wrote to memory of 472	1100	bstrapInstall.exe	32
PID 1100 wrote to memory of 472	1100	bstrapInstall.exe	32
PID 1100 wrote to memory of 472	1100	bstrapInstall.exe	32
PID 1100 wrote to memory of 472	1100	bstrapInstall.exe	32
PID 1100 wrote to memory of 1536	1100	bstrapInstall.exe	33
PID 1100 wrote to memory of 1536	1100	bstrapInstall.exe	33
PID 1100 wrote to memory of 1536	1100	bstrapInstall.exe	33
PID 1100 wrote to memory of 1536	1100	bstrapInstall.exe	33
PID 1100 wrote to memory of 1536	1100	bstrapInstall.exe	33
PID 1100 wrote to memory of 1536	1100	bstrapInstall.exe	33
PID 1100 wrote to memory of 1536	1100	bstrapInstall.exe	33

C:\Users\Admin\AppData\Local\Temp\f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapInstall.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapInstall.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32 /s .\bin\InstallerDlg.dll
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1632
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gameinstaller.exe
    .\bin\gameinstaller.exe installerMain.clf
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Program Files (x86)\RealArcade\Installer\bin\bstrapInstall.exe
      "C:\Program Files (x86)\RealArcade\Installer\bin\bstrapInstall.exe" sfx:"C:\Users\Admin\AppData\Local\Temp\f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        C:\Windows\system32\regsvr32 /s .\bin\InstallerDlg.dll
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:472
    - - C:\Program Files (x86)\RealArcade\Installer\bin\gameinstaller.exe
        
        .\bin\gameinstaller.exe installerMain.clf "sfx:C:\Users\Admin\AppData\Local\Temp\f9001b1047a78d6ebb8020389a99cf39_JaffaCakes118.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        
        PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Extensions\CheckInstallChrome.clf

Filesize
1KB

MD5
9c3a2bf9190a2af36f58a2bb01aaf6cf

SHA1
1cdba6f58a902749296c328d1649ccf68c461fe6

SHA256
fbe15fe74c760bcec56153ba382f2871e35015e75eefdf62569ff841159790f4

SHA512
0e16e295f5a0f036feab6cacabc7252024e8ccbdd38a180185336ae8377e6dc93b2a1c52505124d4a617e657e4e6221d0cc0115c29eda9470629070dfb3c4339

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Extensions\CheckInstallComcastGamesToolbar.clf

Filesize
1KB

MD5
b047d29436a53a4ee2acdae3c97cea30

SHA1
31a46a5a344144ed5845bb629d1802cfa2b0903a

SHA256
aaebc806285499bd1615eaef7cf1d16ff879630add7665684246abaabdfc55b5

SHA512
4a804e188c0d3bdb4ce0e74440813e0c9d58c4dc48772010d0354b92bcbae20947b995691f84e39cb675c9f17516f7329954aba2b635e65b12eb29cf8f162f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Extensions\CheckInstallGoogleToolbar.clf

Filesize
1KB

MD5
f8a019ba47b49f4b3bb56452337af8e2

SHA1
63835c55ecd165cd3eac632541bad3ce04089fdb

SHA256
2491600a96a9d686b1b8a89df3ce645eca32deaebf99f22ba7eb687fb384561e

SHA512
8761928a0a321f3bad708b9588f103a4a3bb89d6df81c41cfba3ee52d46b830a5a14457b7ab9b4b882e2d5b5a9516d6b13e4d3b4fed5e359bfd7c836bfe522dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Extensions\CheckInstallTwcDesktopWeather.clf

Filesize
1KB

MD5
22be30c1e6c61cf7031dbea80f497cac

SHA1
86641adee18c37b170a5824cf9c1d136c37e914e

SHA256
db16505e706a0d1d2146faf0549ae0e309fe4b256fbc87587337c272a6ec133f

SHA512
a61b04bd65dece724c41ae7b02c5e15ed9f0f9fbc0c7802937e86408faf281b22cbc99a0063a9b2e1c1babb6f3f3321f7efff698a7bc87839ffa35ba3972812f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\GCHROME.dll

Filesize
61KB

MD5
276b1dbbda51ced5366e94b6a2959b5b

SHA1
c0c5583160f21b414fc14ccd2d52a1f6a9293ed3

SHA256
dcad58d338175cf9fc617086360fbe9ec1a46ff124b266fe700c386b5ca32467

SHA512
7ac2fa533edfb517a1beaa4c3ff292fe293d145e0922233f95dec7d082adb49309e2a8be08a94ebf7b69034b4d6e6312520d3b40ef983b1998c1a2c5cc410265

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\InstallerDlg.dll

Filesize
401KB

MD5
0f91917aea4d789b37bde97686d505d0

SHA1
ff6da6abe91122e2e1fc37a773823a4ee46938f9

SHA256
156fba599df6c6b168b79eb5fa9dfc743b99bb2d384ff3822c600468a62dc2a9

SHA512
27f6b53aa8c9079545901107c6a719417ac540dc0486035ec1817c7f99223476f60fd9bcee8fa590abcfdabb5da4ce507788edb74dce20d6a4449a5920bd1632

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\OCSetupHlp.dll

Filesize
755KB

MD5
f80c1e7bee26a6688b2e8d36e23b35d6

SHA1
eefb241edb534614004d6fa41f2ebfabe9aafb39

SHA256
b6bb73e018c4846cddf68d616dde8db3cc61854b4fd355f7139c18a2921e05c5

SHA512
af73bfca4c4211529654f43d3ba65218bfdc1de278a6e78b4e35dd3e19157fe0a828a436b515a551fd5200aef633bb370a742793898851f0ad8790628dcc96cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\RAInstallerPaths.dll

Filesize
50KB

MD5
ee5dbf50e8d510a65a054d37b9e41490

SHA1
6ad6f7cba1e21aa537486cf7f64e78666acb735c

SHA256
9e28a3b4fc3b3a3dbe87610d5897b8c348779e41d066bcc94bf01218058309e1

SHA512
68f5c4b52e7eb2cd02f1c5cbc10412016bcd90bc38c3dd2417ae436d3563ac1268afb17fd239e7821d8806b737bd7fad4d11514630d0972b2e0e3ab25ce59c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\ServerTransaction.dll

Filesize
96KB

MD5
696de80d5aad7ad89540bc1145ae0392

SHA1
320239f21cbc407a773e69fe9ba0cbccc6f4e5ce

SHA256
27f8ed354b181eee30b771f711fbfcb3c7fb6043a3cceac071f62fb942407b7f

SHA512
5d84babd97af696cda2b77f7c9dcff700ef5ee0f5fccb1745e75305aed9a3c65538fe4a4133aa27e8b8b9661179e1c2feda2e03cf5137b33cd50f0bd5fe54a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\UnRar.exe

Filesize
240KB

MD5
49710e363e4c247716508672f909d5ba

SHA1
74538e7a6515166fd6e83b9c72ee28e529e462e8

SHA256
cffd9238edb8484c2831508505e81a733f5074ba002f98e573dbdb7118c687ad

SHA512
e863b4bcb332a552d73a9dc2e41a4e86a4b528cd46991d3489c129ff46973778f65fac73051bd4a6d33e5c15b1154bc761bda376a767f48a3cc1d9391ada700f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gameinstaller.exe

Filesize
95KB

MD5
179a9c99cc10fe735ce91ec577b0536a

SHA1
5b9a7fa31bc8dc7a92f5130d23091c1bbb80b787

SHA256
fed1829be18f024fb32e67b94e8118308ad07bff18cbe823ee6406767b99eb31

SHA512
0ee5fa47c8d2a375923c16184e0459872f19d42e7563ff20ddcc43b22bffd7405da29bd01890042f36bee89ec2f23d39e7db16cec10ef3c8231e87c284bbcd75

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gcapi_dll.dll

Filesize
62KB

MD5
a689eb4192ac28683b18c4e81b32559a

SHA1
aa436608c0e1a1a21153346a046ff00ee60aff1d

SHA256
cb81506dcb4de19a8c300ee010061845a7f20448c2387ae845f2d2099b54c981

SHA512
992c8f6e441e096c5def826c5665469b89642b0fc9a381f2cf63a98eb08bd58e4186a3a615078cd2775b78240f519c27501f46dea40e9b8b82b6d91b95d5ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gtapi_signed.dll

Filesize
71KB

MD5
7950e8dcc2cc61cd975c4c7e0c518b02

SHA1
19be847844e2402988272f004b5bb5365aeec1c3

SHA256
be251267d1070de814f09e8ed9ad6e57ed2cee0f9c4ad0203cfae21bbe3f6390

SHA512
f3d38d10ed9a8365d4632bff63115b0b7134a77e0150b745e5e6b93cb03c8a74978a3188ec1346aba43815afeec6f9202492731f9df2bb28a7ae053ab2d8c13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\gtbCom.dll

Filesize
60KB

MD5
44cbc5eac5b9d55339fa4d01841414d1

SHA1
2725d94b44ae09cf0fdfe1e4ef419b71d06e4762

SHA256
221d9627aa82dd4a7c98c338c1d9cd5c519727524c13ccf72f6239a65bdc22cf

SHA512
a4255b207ecbe58b84989b913f409ad82508feb10b092a39b4768289caf06748a4ff3c1ad3162c597610513d609c21bfa6fc4f48a6678d2d41094703b3f43fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\lua50.dll

Filesize
92KB

MD5
913973aad1d92e274b0691ca15a3d78f

SHA1
a00ae78ce78d5f3d9834579a0f2e456c2a3be863

SHA256
eb55fdbc8a12ddc41d281964068c2369981da0a9d7459283ab875178b9fd49fc

SHA512
068978f3f3a92a61578f140b50a6174c4e76a4046ec0ac55b6511c3270005f3a5d8e715c66f97cdee4846978ca0d21e3315c68faefd8040bac19efcbcda03b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\luacom.dll

Filesize
136KB

MD5
3cd7899d4638fed3d474c506f4557d72

SHA1
f1497894bbc1a2bcb8f217ccf9b05c139afaee30

SHA256
74c0412a8f39d399a9731299affb2622749ea48960f80c72bcb6c0442d196cb5

SHA512
70f35d10bd9a54602597d6b0a6fe900a8f2b169b88c541348c50fadbee88492daf87b4df1e6119ce56211693b32b25dd44e7cc7cae6f8ef44b88baea9547c628

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\unrar.dll

Filesize
138KB

MD5
4cb9b59ec41b06ee32c1fe12d5893d1e

SHA1
10376eda4b4e1b57dfd42b70cc4fbced47af2adb

SHA256
1b97d14c45e070f52be81d34000cc309814f346a5e9cbc3fe09fc8389aded65f

SHA512
39093172d07f590d2f36f75881ee0ca8231b9198cdf42b1a15097ca12c1b1233805453d2b7630d4341e79aa8f99dadacd385582a86e541198c32a79b269fd648

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\blank.html

Filesize
766B

MD5
e5fc626ab40084b54fe291b2a9ee741c

SHA1
59ecebfdf9e38181ed2f0fc604ac66e453385f06

SHA256
1cec7c791db1c78c8af588304b303c3b05b0ee48017d4d86e4a1619f6b6a2ecf

SHA512
3bb84e10d8771b5f3ba3ba848964d8d6ab4e87a925b59eb403212ef4dc688970bf7c3cd712d46ba3c85019f2ae56ba1a473b3ca69b9b137b04267469f74b91fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\blob

Filesize
231KB

MD5
a7e494eb97abf72eb5ab34cefdac4fbb

SHA1
a5431235781b5f8520ff52a7823b19e300e81cf7

SHA256
0a0bf833cde834021b80b363e6ceba4ffc5890130c1747fb6ed18ab485387076

SHA512
b254363a368ac431bc45eab955002df8b1356edfc7a0f470ce910a1db4c472bbd376bc4e615bb349dc7f299bf4fc10c3fe1ed27b61a0d1715d294f16d1c6adce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\compat-5.1.lua

Filesize
5KB

MD5
199607e50cd446a1f24249397568f814

SHA1
c22bcdd7f1628681e8aa93d0b4d801e00bbb2ee4

SHA256
86bc8a577082f61a89e235c9251abcc80333a204c494d60dc9b3245d118da08d

SHA512
d030810e77c9974a64e2a38ed9cf13fa9ba453db6cd41c4454c8ecd8c6fea00dabc54bf909d677b2b10c85daf004e5272079d26c4b223b80ee46773de531a28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.lua

Filesize
1KB

MD5
7f750417fafc1be8c8ea7d6610bbd3c7

SHA1
c33faf5c0485c32d3f692a5570d19a347a8eb189

SHA256
6329973f73494d38cdc6af01a717bcee899f8fd0afbe09cfab12a82957a94697

SHA512
d29574f5009aeffb5bd00cd60c7cea79e5561dec30e31b760f7e9f753c4b1022537e0ef3ef4e4de9449cc8f8c045404178bade457209a15dd7f5e210bb811a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installerMain.clf

Filesize
50KB

MD5
ec954495769232bfdde7bf8255cac480

SHA1
ad82c4f48ea56296ed61e408abbc3efb088c849c

SHA256
46f3dad32a7cd655170930e7c759ad5a1d57f98d14075536fa63d6cb0e3784c8

SHA512
bea206891558072e936ea118ac2eb1c367df0105496694a946fee776fee1fb5243e9024d0e20b5ae31617d6a0a7cfa72a1b5c1e3d15f291d3017ad1d52da4957

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrClean.clf

Filesize
3KB

MD5
501207c36c628580e78d32366175546f

SHA1
df2d6d6e0975c8c6ba96f6555399a9f6f8625e0e

SHA256
a7d6d4ad877d91744a6f345dda421bd9467da04d369c26d65b8b4945bb9ea029

SHA512
d0aea03e1173f2d3b40f0a3a56ed608405b53d688e0e85d669e7bf0be87e40946af619edbbff8dff7d5042b292e643bbd10bb59bb58806836a1ab43ab31fbd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\http.lua

Filesize
11KB

MD5
726309c05a4658fb8e8608ecbe5eb4aa

SHA1
5587c6eb9de86183718a05b973e1fde0f6407ddd

SHA256
c3b9c340f1cd2255eb7bd54372df7383e6b7bb644db24a9c5f59efafb4e0d483

SHA512
a4730dab6023d1978960a2bbcba7d7e73609f20164112da483b6382ad97f4b4613f42d7a9c0bdb46abffe7bc48583eaa9590c58e647f75a5b2a2290d0ca5700a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\ltn12.lua

Filesize
8KB

MD5
2ce994424bc66a99d3fe29dc87cda481

SHA1
26339be6ca6cfb7b9c0725801643945d489fce37

SHA256
4c91fc1bd2871c53c9b4d3e7293f0a7ffd12c477e5721eab80aac871e3e22f85

SHA512
495a7ec3e95b4cc55b645169e12d81860171efb5fcbec6ebf94f2c2847da6cc4dd17624610b7c777dd5e65296da6e296ebcf627cf7fc231b39f6dd68d3bfa117

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\mime.lua

Filesize
2KB

MD5
c7cc9ea4f6038095c45995a95da66d0f

SHA1
84911c0e24238f218019a0b280c1408a42cc609f

SHA256
3fe83f8e918c874dae8331653b59ca88891a9c1a8005b7e2eb40e980b0933ea5

SHA512
21a5e56e0ff1ef3552d3f13be45f56a06830a9b6b5e33888c6554ba24e6b4be69f7e32a199e0e3f50f3e20465c2b6c2cbdf97129dbd1362e2791c5bf8ef2e67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\mime\core.dll

Filesize
24KB

MD5
8eb923b32f76b4aa1c324c0764a6bd95

SHA1
e15d2d5c065c689d2f107e0381645339a2baefbc

SHA256
87cb3cdad3b854598386350d1c169f93996c74ba45f1394d843e07780b5d79e8

SHA512
494861bb8a55af17396bc5b62b62a2cd94658702a04544b8ed31f2d608ca6fa23fc7ed449c2eff136c9a4a86d69d3af4bfab8ba2db35664616813ff082fad4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\socket.lua

Filesize
4KB

MD5
7f689483b773e1b8cf3f1e7ecf39691a

SHA1
9da5f292d6b59404b48e5a0b36bdf15a26c4738a

SHA256
2ee5259b65c4493c3b49dac2cb1894753b67dffc65ce4ce5830e6ecc802e47b9

SHA512
97a22a1d4dc3435c9d920b3d2b1b4cf9c60efe4297961b9f15c23612d899349bc7f4b7279243a1851d139545c3813a0e730f275b390cee496e6930769213cefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\socket\core.dll

Filesize
36KB

MD5
fc3c96670e67eff3a9064fcbf9398b6e

SHA1
a3c89ecd29745fa34cac76bc3773cd3c5018c2ef

SHA256
e4ede13a74a2eb38397dcf8bd1794f2231ee6fb4abf5e9df76af65f945700978

SHA512
12113c136c9316fc7d68ce90c02a52540e208af6e8ede2c46da301dc55e17c3b933c959541c0e3068ed3c00d08bee183a56b524dedb395137d48dc144331225b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socket\url.lua

Filesize
10KB

MD5
d26c368bd8f0062de33367337d705c58

SHA1
f4586e48bf73afb204b6c2dba2701ec013594ac3

SHA256
0b5703fbeaa8f7036d1bf91a90241cf23586850c571e4cf7cdbb78fb6b824157

SHA512
b85ecdc7acd93d5a34b20f5f50ffade7344f29023bf86a051f22e2b12fb296a433565e8274c10ebead8a920a4eedd51e362d4e787c1632bc33736456213c07db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wait.html

Filesize
4KB

MD5
24a32a52b62fbbfaa06e6642138f8b0f

SHA1
26d2ba8b8718d25f365344beefc66b2e2922c75d

SHA256
43f7595559754c0fb25fb0f1081713223d9ca615bb64ffba314c347f3766f902

SHA512
3c1c0a59080017bf53683e42e944ec11066ef215af96a270876da41a7941969b9785b65a1764e099a16511dccd60e21c8aece6265c0db038d2c18cb1e5d446d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\waitProc.html

Filesize
4KB

MD5
dfea99793cf4f8bf5db1e58618274bdd

SHA1
693a9206f9e5d8256601621df1da31bba306ebc9

SHA256
5c853be5af79b2c0afaafc76670eb850447843a23d53b9db638d3459fa61c724

SHA512
25cfb3ce62fd4f765f1e6bd506b68a76c6cf63a7a3393e43d043e8fdb6165b51e5666a49300c56148e1b4cf88a69fe209ad9626a3876df814b1652923fef2d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\waiting_bar.gif

Filesize
10KB

MD5
7d61a7f4cb6a0d3e7f03873cf55db8e0

SHA1
3d97b561200a36bda2778e0a17462470f1a3fe23

SHA256
dcd61a04f134719cf1235da25342d4823896974d4de0dffe53dc38f78c7e37ef

SHA512
b25515d845a424b1bd5e10d16b4384dc87d528af646107fea1d29ab29b32d3d22c223c2024a7003ec1867cd931792505a573e1704c67dd3d4a319e801a97c685

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\waiting_process.png

Filesize
82KB

MD5
d28590e91142b723d660b2d69105df1b

SHA1
e6212d478750dc3b4b6986a96ed430cd6e4a0d69

SHA256
b3e964026fbfffad0120b88d02cf627d819f0d05f563de8771b403dd54f929cf

SHA512
4f094515615c6a2e3824ce4d213f1a4280367c107885eebb7e14a099d9577a179d0c7ac1267b97fc8a0b934bd0c269caf6a4fb5b3f8542cf547813db4bb0891c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\waiting_to_install.png

Filesize
91KB

MD5
fa62c74c39866441733bbacadd7af26c

SHA1
fb691cd43bae0e0c37dca870b110d09d9a7544a5

SHA256
91a4b0ea722233a0c2280f7232709bba85ce06757f809cb0dfc5af38e7c0a412

SHA512
02ed41bbb078b1c774c1255c33ac6c5a86228bbd483a2a15c7783eb700009b2788e61b4f92da801fced461a91e39442156ed5bc341740570baf54e86c09e72cc

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\bin\bstrapinstall.exe

Filesize
39KB

MD5
6c3edad257f9a509a41d02e6e829c87a

SHA1
ae79453bd3e50f1e946e2942cd4795a9dd0e4d12

SHA256
ea68b7f9903745a3406014f234525a5f91953829eb9066a43d3eb43c309bdbb6

SHA512
2d59ea7317424e492b31becd7c969ed9915df2045d76e160fce2b4de9dbf0e1bcaa045ed1e661ec5ec389207188f5c361c619e17c22eda53b49975db0c0ad7f0

Download Submit
memory/1536-260-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/1536-259-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2688-142-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/2688-134-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download