498496051c7afa038afdaf016aa2e4450c8f2af456f6354b94d024b9dd636ae8

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 06:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c02e4a7577b189d85e0e0387a66fd07f_JaffaCakes118.exe
Size

557KB
MD5

c02e4a7577b189d85e0e0387a66fd07f
SHA1

9ec733ef9082aabe554b662118730b13854c2570
SHA256

498496051c7afa038afdaf016aa2e4450c8f2af456f6354b94d024b9dd636ae8
SHA512

276fe2ce24f7188d34e77ca95893dabff41437d944896ac8362006741245df68f7d63ab0c12854e5c8fd6593d95bd082b5b2707064d456331894cd21fb6b8d35
SSDEEP

12288:50zxgP6UwV09TR97s42KsVhHLhSibulCM:56x5Uw8Rxd2rhHLwi6lR

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5DÓÎÏ·´óÌü.lnk	setup_p48.exe

Executes dropped EXE 2 IoCs

pid	Process
2460	setup_p48.exe
2568	WebGame.exe

Loads dropped DLL 16 IoCs

pid	Process
1240	cmd.exe
2460	setup_p48.exe
2460	setup_p48.exe
2460	setup_p48.exe
2460	setup_p48.exe
2460	setup_p48.exe
2460	setup_p48.exe
2460	setup_p48.exe
2460	setup_p48.exe
2460	setup_p48.exe
2460	setup_p48.exe
2460	setup_p48.exe
2536	regsvr32.exe
2568	WebGame.exe
2568	WebGame.exe
2568	WebGame.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WebGame.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\5DGame\skin\skin.xml.bak	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_back_bg03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\toolbar_nav02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_close03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_restore01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_small03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\WebGame.exe	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_gdyx.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_bottom_bg02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_login_bg02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_zhuce_bg03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_kfzx.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\pop_close02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_prev01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\5d.ico	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_more01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_3653.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_yxdt.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_close03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\pop_close01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_prev02.png	setup_p48.exe
File opened for modification	C:\Program Files (x86)\5DGame\5DÓÎÏ·´óÌü.url	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_prev03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\bg_popup.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_bottom_bg03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_more03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_zhuce_bg01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_gw.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_bg01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_big03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_login_bg03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_more02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_rechange.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_close01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_next03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_sx.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\skin.xml.bak	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\bg_login.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_back_bg02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_shezhi.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\skin.xml	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_small02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\tj.ico	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\uninst.exe	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\Thumbs.db	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_restore02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_qp.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_small01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\toolbar_bg01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\¸´¼þ skin.xml	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\skin.xml	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_kefu03.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_ht.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_big01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_bg_yxdt02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\bg_hide.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\bg_main.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_kefu02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_lt.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_qj.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_bg031.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_bg_yxdt01.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_close02.png	setup_p48.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_close01.png	setup_p48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c02e4a7577b189d85e0e0387a66fd07f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_p48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WebGame.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000015d39-4.dat	nsis_installer_2

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ = "_DFancy3DOCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\ToolboxBitmap32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F2F0427-C756-4B4A-A14D-27C2CCEEF130}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FANCY3DOCX.Fancy3DOCXCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ = "_DFancy3DOCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ = "_DFancy3DOCXEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FANCY3DOCX.Fancy3DOCXCtrl.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\InprocServer32\ = "C:\\PROGRA~2\\5DGame\\FANCYG~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE7497B-CAD8-4E66-A58B-DDE9BCAF6B61}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ = "_DFancy3DOCXEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FANCY3DOCX.Fancy3DOCXCtrl.1\ = "Fancy3DOCX Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\ToolboxBitmap32\ = "C:\\PROGRA~2\\5DGame\\FANCYG~1.OCX, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\ = "Fancy3DOCX ActiveX Control module"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FANCY3DOCX.Fancy3DOCXCtrl.1\CLSID\ = "{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\ = "Fancy3DOCX Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE7497B-CAD8-4E66-A58B-DDE9BCAF6B61}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE7497B-CAD8-4E66-A58B-DDE9BCAF6B61}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F2F0427-C756-4B4A-A14D-27C2CCEEF130}\ = "Fancy3DOCX Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F2F0427-C756-4B4A-A14D-27C2CCEEF130}\InprocServer32\ = "C:\\PROGRA~2\\5DGame\\FANCYG~1.OCX"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2568	WebGame.exe
Token: SeIncBasePriorityPrivilege	2568	WebGame.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2568	WebGame.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2568	WebGame.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2568	WebGame.exe
2568	WebGame.exe
2568	WebGame.exe
2568	WebGame.exe
2568	WebGame.exe
2568	WebGame.exe
2568	WebGame.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 1240	3064	c02e4a7577b189d85e0e0387a66fd07f_JaffaCakes118.exe	28
PID 3064 wrote to memory of 1240	3064	c02e4a7577b189d85e0e0387a66fd07f_JaffaCakes118.exe	28
PID 3064 wrote to memory of 1240	3064	c02e4a7577b189d85e0e0387a66fd07f_JaffaCakes118.exe	28
PID 3064 wrote to memory of 1240	3064	c02e4a7577b189d85e0e0387a66fd07f_JaffaCakes118.exe	28
PID 1240 wrote to memory of 2460	1240	cmd.exe	30
PID 1240 wrote to memory of 2460	1240	cmd.exe	30
PID 1240 wrote to memory of 2460	1240	cmd.exe	30
PID 1240 wrote to memory of 2460	1240	cmd.exe	30
PID 1240 wrote to memory of 2460	1240	cmd.exe	30
PID 1240 wrote to memory of 2460	1240	cmd.exe	30
PID 1240 wrote to memory of 2460	1240	cmd.exe	30
PID 2460 wrote to memory of 2536	2460	setup_p48.exe	31
PID 2460 wrote to memory of 2536	2460	setup_p48.exe	31
PID 2460 wrote to memory of 2536	2460	setup_p48.exe	31
PID 2460 wrote to memory of 2536	2460	setup_p48.exe	31
PID 2460 wrote to memory of 2536	2460	setup_p48.exe	31
PID 2460 wrote to memory of 2536	2460	setup_p48.exe	31
PID 2460 wrote to memory of 2536	2460	setup_p48.exe	31
PID 2460 wrote to memory of 2568	2460	setup_p48.exe	32
PID 2460 wrote to memory of 2568	2460	setup_p48.exe	32
PID 2460 wrote to memory of 2568	2460	setup_p48.exe	32
PID 2460 wrote to memory of 2568	2460	setup_p48.exe	32
PID 2460 wrote to memory of 2568	2460	setup_p48.exe	32
PID 2460 wrote to memory of 2568	2460	setup_p48.exe	32
PID 2460 wrote to memory of 2568	2460	setup_p48.exe	32

C:\Users\Admin\AppData\Local\Temp\c02e4a7577b189d85e0e0387a66fd07f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c02e4a7577b189d85e0e0387a66fd07f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\~C5EE.bat "C:\Users\Admin\AppData\Local\Temp\c02e4a7577b189d85e0e0387a66fd07f_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Users\Admin\AppData\Local\setup_p48.exe
    "C:\Users\Admin\AppData\Local\setup_p48.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 "C:\Program Files (x86)\5DGame\fancygame.ocx" /s
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2536
  - - C:\Program Files (x86)\5DGame\WebGame.exe
      "C:\Program Files (x86)\5DGame\WebGame.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\5DGame\fancygame.ocx

Filesize
506KB

MD5
5ca1ca33127d71eff439da94fb116682

SHA1
a445847bb60ac03a6e5165893051bdf486dd6a7f

SHA256
6381e0e596d366141028771f63726200235e27ea9ed2267671f50319144cebd2

SHA512
36d1b7ceac1ed42e316a34d6f58ce1523d5a66feb809aaf1ea7c51ad3822ea4de6775cbad0da53afb8d8548ca4cfa86333254e3e5c357334f5fe3b792f19ce1f

Download Submit
C:\Program Files (x86)\5DGame\skin\default\bg_main.png

Filesize
3KB

MD5
8989ed5d6354f7b864498b5b2eaa2223

SHA1
cc554ffe2a7e726a732f2196ac13209487d3c81c

SHA256
c65b7045b0ea0ad944e5188f8924a411156c0c8631cad06c51c38aa37eaa1fe8

SHA512
0af49646eb077c80901b5021c261b3f1c91f2d178a04c1778b47a50c35c8e00c7eaa93ed54e8e0412d14dc2d03d95d092e13a7538616fe9eb5383d8a99e2e187

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_kefu02.png

Filesize
218B

MD5
3e7f3bac1531e4ea3b1a8a2933c58e11

SHA1
0a40955bf64bf06f01713206cb5a5f96bffaf9e7

SHA256
46ac63ee266d74043cf506c87a94c943aea5c0c91a2a8093a7fc7338db0092a2

SHA512
e3bc726b0272cdf61cec6315f68ab5f448437ad9f2b15802f37fbc4efeecb4a49b8598799dfe92d2c0908ea3ce0f6c439bf0dbe9a12325839eff780f0aec6d2f

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_kefu03.png

Filesize
257B

MD5
f507fedcc95f7767709973b51e9790df

SHA1
296eef2e57be7af71c5ca4a015d84857c82d7f9f

SHA256
86b25f8662f517e3675e06ade5f6b46fc8eee87dd8d4ba827d04f3413dd9b0d0

SHA512
a92a3ed6f752685a457835f416f6291625db17e2dabbe0f4c9a2b6329c0be026306f90bae2ccddf2fce22b873fbb49147f742e15987d369eb0df605ee1cd1f8a

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_more01.png

Filesize
286B

MD5
8f439b42bf3354063bcb52e890cb4c65

SHA1
94a690dee5b863bd77a5e9d6685b5b2933b449c9

SHA256
2dfd17918d8e4ef94ceac0ac21c1cd619cf9c56afb221faf40736b3f96bfb050

SHA512
bf59a3c46b5ed58a501d9e613daf97467a3627852a2e5add5cbc7276a5e530cf3e2052cd4df06c79ed41051a0231990c3d877ccea46591f5f4c1039a23c2caac

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_more02.png

Filesize
267B

MD5
0604efc23a41c93e9c99683ff09c7cf2

SHA1
424ed08c3d29de661e777be52eed4c627eb5cad0

SHA256
ba2e5a4a42ca6aa57a76dbd6832fb4a86986927050712aa14318fed57a93dc48

SHA512
50c70b45fd348bd4d4f697212044cb23841d384edc5fcf63eea69467777545d51dcdae4236a65abc7a808f7d71592aa4a6988fb5913d7c40c65a360932969767

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_more03.png

Filesize
298B

MD5
e364fdf4f45864a73def205611d031cc

SHA1
913a98cd5ad74f80b84ca5356ffac0c2d028396f

SHA256
224e56237f58e5c2ceb7ecd0d4e22bc3d400fab37293faca62a280cb79d8b9b7

SHA512
55d2fb69d3007f38cc4e945ea692123f1fe63b4858645fb428a602ffb0df08193035a84c10de2dfbc014a83ef7b4b3b8cf3e42c34c686aad1106391e70901858

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_cz.png

Filesize
1KB

MD5
c0ad1cb9f09ce403fdc01df6ede3cbaa

SHA1
a2f0f03cfd9c29f8c97181eabfd51cc88d9f7844

SHA256
47f66084dc0e69201dfdddb5c364dd06b9e4f965bbd8fe0c249c5c12145a703f

SHA512
162b5f946ba05334be0a5b9c641ecb0301d6825074f55e93b0ce618e1cfda71ef33e4f4c3511b48bfe9a0fda4858ae8249ea41528ec5980c3486c8c6a0c12a37

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_gdyx.png

Filesize
908B

MD5
dc176b3fdf7f073b7f23ef1179c8cfb9

SHA1
aa38ffe6857f46df7342dff28707e9ce75e67b19

SHA256
3b4244e51c1fd29b573af6aeacf0aa8399480b1f407c426bef1e0a70602fe57b

SHA512
e256502be6c5d27f3a62b7a3520fb9044f6177743c7cfd97dd91cc6cb7b778ddf68212c3d630676a74d6fbb4a573bd32b88f208452a36f486680044f43747abd

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_gw.png

Filesize
1KB

MD5
0d5d1091742cc0e5de1de541ed4cb0bf

SHA1
d14e18d41e15c401618e56832a9622f0095aae86

SHA256
cc22891c5b55fae6166c8e888361ff59605c955a68cf47d0e323d6110ed121ce

SHA512
54d559b6c90f4b1b5913dfb56c7080838446fe4633bbe07618f496b34ea1fa9d1b680bf9600a547f3a584a08b5df4e5aead49139b6d2419c9f492ba2d8d4f58e

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_ht.png

Filesize
820B

MD5
8be49f05a95a09d83a470baf6383559e

SHA1
f59cddb1806f0534787c452571ca7c089da0b9ab

SHA256
5594fafce7821a8c641ca446409c9e05e231a3132b0d21b6ea9390ad90004b5c

SHA512
57757d15f3bdfe431f9e0676c3258d9ec5b31c38977b2e842e4d2b62ffbbff037c064009f909e012fcde9721a1c0c033d4c476ccac4c75da879200212325dcf0

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_kfzx.png

Filesize
926B

MD5
60cb207eeb68e650d13b7a91a84e6a27

SHA1
7b21d001b69ff7b83383aa66b5826af8449c004b

SHA256
e1e67ccf204a5cb3d38d3c21359f4227201c033a002cf8ba986f56deffa9d9c9

SHA512
2e35b0cfbf04809e49331518f6f5f074dbe84ddc0566045ef138ec5444d4c9c09a02aa7b5d5d5b29c81ca0b261dd5e98439f25e017591c61a06857d5e68c13ef

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_lt.png

Filesize
1KB

MD5
233972770a2fd0c908e71342878be91d

SHA1
36510a70dd0f6efaad7d421cea474162053c4af5

SHA256
fa37413581a89d1cf0b2498fc6ef764fcab5b8913e9e03d25629da3b776b05c5

SHA512
d76766c32b52e03da114faeb83e962a47f30a01af7aec5b446af52b6b53b7a2074bf66e16ab3b3b76f8c79bf437e230e94f9a9dac865d036579907251797775b

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_qj.png

Filesize
791B

MD5
4a537631bc45b0bf36605320be8fb07a

SHA1
56960fa2b3bf05a5530829e74f869d666c0d9db3

SHA256
ce1763c5e5c804b9f7afa5cd6bdc105930479430009078c1b36dda0275281872

SHA512
0162ed23af41df0c47dded7713fc3c69c8124b2019aa8452250a0ce41b07bc152f2051a8d799d5a988a0a0ca2d4b4eda66a26dc6f052c8517caa6ddacfd86ce8

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_qp.png

Filesize
690B

MD5
4c80b8ee1f564acbd57f878bd2b158b0

SHA1
d9ac861f647d0f088f250ebde75714958f7662e8

SHA256
35d5045234b90aac968eec6cd7c77d5043b113c71012f38cc742ccaf8771ea54

SHA512
35f62e473d02a10af4e95f1a3a0b8f37c2aa438763a166ecdc60f5e8f1d71b2f1abe829c5860692574511151d3812d45e1adb5b5c69eaed08f2d22dbe57af729

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_sx.png

Filesize
1KB

MD5
e5376444deb4e1116e99ab035792eb58

SHA1
a02e9023fad5a36139045108ac7ddc3f15fae8e9

SHA256
b505bb32874631f408f1fd839cb04c7aa94c798deef50eeea71aba32bf05ee66

SHA512
a9ac21f1ca04c11472e5d923147484692e5998721710f9487c6298cc87b24cee6a8e00ed358f72397204359e91e109b97280fd5150072aec11f01b63826b919e

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_yxdt.png

Filesize
803B

MD5
4cc83055491dd2b98795dfb9bdbbf60c

SHA1
a15594379994e2cd7fc692ced43bf26ff29d84e3

SHA256
9beb49dd628d9a140d4469941b481ee95061a70663398c6e2a0f0feb7a38b3ba

SHA512
f2ec10c1b67c9e8dda820099e10b6a9509aaccf110497b80b8d0201d64b735f16122ddf7463767b0514bb2736e80b72e8f231bb81a389232feeca7ee6242ae15

Download Submit
C:\Program Files (x86)\5DGame\skin\default\nav_bg01.png

Filesize
250B

MD5
ca44b23bf0012cc0a7e349a16636ae57

SHA1
55c066af9ac08d39907bc8d312e073de00dd1bf8

SHA256
382c115367b8e47e0a085f45c192fdc46e68cbec2d082509dc32f701ac312a95

SHA512
f2d1d867e1c3981495bdc0a47bbbc0826ef37929dd881657b6230bb6ebad264d08d3e8664747f3432768132ca42a585cffcdc4baa4dde93356bf0cd504be0980

Download Submit
C:\Program Files (x86)\5DGame\skin\default\nav_bg02.png

Filesize
240B

MD5
75074fca52eef6d840eb9e41c2779dbe

SHA1
cb603147cb4570b7bb4cf9fee2d3d799b161c59a

SHA256
070de1c6ba4613714b6978b6c148383abccc8341c84b5dac78cd4d8fff49216e

SHA512
821aefcae6ed650187481bb09fd23421c53ef83249039ee51f4ec5cf4b6552ddd12ff7ef92112355c7f0461e1083488cf5508eda8c047d687ba501be7863d6ec

Download Submit
C:\Program Files (x86)\5DGame\skin\default\skin.xml

Filesize
2KB

MD5
41081872767f9350b75d5cda17fbeab3

SHA1
a92b0212fef427ab6b3b1a3098cd19355fc8efa1

SHA256
6c8903347071e20c3e66f52994fa7fac7bfc7f6b703f57b15808bda0290ea598

SHA512
c91ef07bb95540d57c16a7a9eb46c7785f2a292e0673f7202ac1873a5075ca2db48ed32a9c052b49899330cf62e34e48537565ead1aa5c8ddb170c2c3a1f3b4d

Download Submit
C:\Program Files (x86)\5DGame\skin\default\toolbar_bg01.png

Filesize
3KB

MD5
81fc6157b1c5cc30d797c308f56262b7

SHA1
a87fcc8d8fd7c27d50eb46cd66021bcafc7de4a5

SHA256
9af6bb513f42134609345cc7415ec76a630c24387ef51a491fe097489643fd12

SHA512
5e6b2693c7e01c4a4ee9b7b3e22f472fa82eccbd340e8becea217186d05cb7fc964da9b5ebb5299f5f1a8bee24fe9a8a1fab385a27e0aa8b37c47565fa8e0739

Download Submit
C:\Program Files (x86)\5DGame\skin\default\toolbar_nav02.png

Filesize
217B

MD5
7df81bc502c0ad0b538353eb7884e160

SHA1
175cc34ac9c14d491ebc7b4b062a2dce06342df9

SHA256
74302fbf1015fce43d482d1accf4ae7d5e6e6a52ba6e8c33c8f43cefcd8be024

SHA512
d3bc7f638a1ca70bd8b612e12574514237aefc326b1a74cde43dbb5c6422556219c31a70b9ecb518b7f4974b86d4a3fa948d81da5939d3976e921b8695f2aad3

Download Submit
C:\Program Files (x86)\5DGame\skin\default\toolbar_nav03.png

Filesize
242B

MD5
0361fd5cd757222c4952268e4c74ab9e

SHA1
1a5449d580f5391ff70e8f4ffc0dbb463f49237b

SHA256
0413da48754dd71e456abfd8a01aeb0d4fdae938cca5e57df4dc71ff01d7ac6e

SHA512
5c775796129de3d49ddce6b93731c9247155ecc961280e5c8ceaf2f4f6709e08a645a53c667c5f2c43417b9edf7bb2b6c69f7b1045f4e3bda7cfb7a405c8ccac

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_big01.png

Filesize
398B

MD5
d75c56ff2b41fecbe9c4616ddedc2623

SHA1
e7bae4b0348d2eab892a0c1d8d09279c3e4abb9d

SHA256
ff4de8e566cf49a319aee795f295d3d5f042e813c42c559bfff48233cc6f10ea

SHA512
02a0a07c1068163a20fcafeb88e463dc426f6c8371b1f65acfe3a73e89573bfdcc7a592a63404cdfbdbf876e32ce0a679317135d862703e4942ca9eefa7a3d89

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_big03.png

Filesize
337B

MD5
8cd3d38d4a5faa4bf05a231785019b76

SHA1
37642cfaa3ca2e878aff48807c36547792560599

SHA256
de6a18c601197e2d9d782afd54159363cdb632707004fe04a0c78ea49d2bbdc8

SHA512
51f03a25e85188b7f49901efcb3c79ba0a2fa6030a8986cf33a8042d441366a337600358e601aa64738ac26cc054bd53fb1660230970dcc48c782241f0fa1115

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_close01.png

Filesize
518B

MD5
db079579946e34c14e3b7e0888172002

SHA1
aa7f1f80fbc3462d3dc83b14a833d5cd7be4beb1

SHA256
0027a0096f9c9ef50166e4e249d80f1ab11364bf0602c024ed7d851c6772a758

SHA512
da9f733254f9bc8527dcceb1e34b9b558dc0c7742f0cd4a0b6c69e0634e850aa20ea32308077122462dd063e66391e4e01d994b8ed19f15ab6dd39f632e16a7d

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_close03.png

Filesize
468B

MD5
f1e3b569de59076556536310b1c7d1f9

SHA1
e7584b2c9fddf7c172ec1080a099d88f4edcfa0c

SHA256
aba101911720f563f66ec82be44b1b58c6ed741e9cc6363a6b976f2b9a2e843f

SHA512
b043305c8f3617f1a872519a57f1490dfb64fda9f1c7dc75d3ac39fe8e19f8d5ceaeba2393ba0b5867ad9308d8873dde0336487eb94bbd8183979761028e12f2

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_next01.png

Filesize
267B

MD5
4a58af71b4e8491aebc496ed04ce5b79

SHA1
0b60f0ac2d37157573e0b734ce6e986e7f2bd406

SHA256
4667a695aa09d56c87d8e1d34dd32338c4a910c0560cd67f4a094d3ddbb3abb9

SHA512
faefeb1257b0fec4eab9f73314124dd69d2059a95c8f426825784ad591e43c0f73ed8fd2b90a5915f17f971a60b04240206087f9325780c42d33dce3f6564bb7

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_next03.png

Filesize
242B

MD5
edb2d521e3c14f8309d63359f578cc60

SHA1
4f6cab5524bcfb1fe5477d53d219a9adf0258b3c

SHA256
dd3c9515bcea5ef723a6375747acaafeb434859e586b5b7a72ed813dd3b90d96

SHA512
9997434c16df396a27b947b61de4476b608a32ed31073bbb85398d9661a6224ac19be1c65ff7b044501c12b00595c04fca589d30159af80f0c6886b1619bb9a9

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_prev01.png

Filesize
264B

MD5
827b802f581b35adb607620d59ec72a4

SHA1
3436d352a88690f354c20c9acde95b382458fd3e

SHA256
6282974d5192a6f8d986ffc2cb7cbcb8a480649a7e261d4e146b57d3596fbbfc

SHA512
00568bb17d8b72ef517822cee645faab3bc50a7e8902c66a0ac8cbb705a9c9d3d4db5df4e9c1ec6dcea649e5306afc0f6965f048eaf5e8fc414ecb24700b2b49

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_prev03.png

Filesize
247B

MD5
76eec3e4fd42fc648d11741c757d0a97

SHA1
b1e9a0e0fa172ba546c0d36acca6bf5096d6c97d

SHA256
088e70bf38c3c9f2d1d8ca87804c196457702e86709a1dc8a74713e641ee9f97

SHA512
4ee2d93ed878305344b7eecc1feb6f5d0bac4e6d98dd172c4c5b7db08f284e7f438e3ec01207ce3da780d6c1cc1c94550b7f9ccd69cefa8e1aac0d4826e6cd1c

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_restore01.png

Filesize
447B

MD5
56690eec0ac3b891f95bac19db3b244b

SHA1
82ff06f617ba3c1da2a819067c93744dda481e59

SHA256
87522a413f0e13e9d142aa0611af17ef144bd869e9f987a1766f9e8f18b8e98d

SHA512
8c92a1f125a22ac5400e115754267da5262a8f59c935e54e729fe74c0539fd1af522c5dfaafb13fbc4d5428b1245949174fc9fd8554a9c9b5ac978e62229f289

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_restore03.png

Filesize
368B

MD5
f4cf01f92b1078fbb4a8b74f8f9d4da8

SHA1
0e0fdee8eb818679593cb5e5cbd485e784025f9f

SHA256
a07fcd00ffba3c6d41d28c20f21e9603d22b5e963d107c330e4b2cb5a4d32f8a

SHA512
e29a87eb394a69511db18064e37853aef4ff02144e89eee495ffe6061a62513472891d4784cc8abcf4b7c9f26ab984350d603a9ae147775ed8a8d74c9051f844

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_small01.png

Filesize
349B

MD5
1d210d606cf7600801718943d807f753

SHA1
1d0cc736f026b1e21df99975d2fa1579c7a2fddf

SHA256
24b32a228886e034ac856ec0fe7fa6af7836640b65fb39cc2adfecf2dff0a2cf

SHA512
951b652a77690cd310d9e5c6bb9997f53a61ef3c39d7946fe66b888145385c43e9dd8a322b76e3c1e8a8160f8f93207cf7fb8cedb930edd92e979e16f4ec4a1f

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_small03.png

Filesize
301B

MD5
88be351cd6521b336f9ad4365bf59d55

SHA1
81549e1de2de29bf308eb8f2937d024da7e4cdd0

SHA256
4527281a721855a9e5434bd8d1a942f5c97b99d93e0b9155489a907df5cefd25

SHA512
fa12a25cf2bdd12d2ac1806fe7506e541b21b91a8d3463b95122451f209fe2ad7ed205cae228989cd5232c280137aa2051f156f1c42e40f1e350d6ae95aeee27

Download Submit
C:\Users\Admin\AppData\Local\Temp\~C5EE.bat

Filesize
35B

MD5
bdda9c88674686a72a54c42113eb76e4

SHA1
60f86743b5571be9f225e29cd8cd4c1f57096a0c

SHA256
fc03657ef5f8edc4782ecfef263c8071e5c53c1f55ea9a960f7536c2507d8c5d

SHA512
66ccfa56c839193aec96e3ce5ad13c9f9923389dca88d6017da31b2da6955c1eca396e175c3b6e6279805d02affb94f7ab56c2ab7d69061c9d5aa2ed8f77930a

Download Submit
\Program Files (x86)\5DGame\WebGame.exe

Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Users\Admin\AppData\Local\Temp\nsyC718.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\setup_p48.exe

Filesize
495KB

MD5
0ff8a820fc5cf4b549041bead7122c54

SHA1
9f6e7e167c92f66f6ea23d2f5eb572a529e23e8d

SHA256
1287ab55609a6ed6a1638f1c1c6d41edea641a299be833bf90f0fd4ce8255d6e

SHA512
99e4ca0eb0cf9541761aa3ac5b7dfd40f2051429169e7f666df582461c21200f417ca38a2e0bdb6f681cc7220fc08d133f93d85237dccc84ed5e2cef6972d71f

Download Submit
memory/3064-141-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads