njrat | 4fa081be390756bb8302090c083fa8fd7e11bf5b0982060a231e5748b3ba2cdc

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/09/2024, 02:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2Cheat Loader.exe
Size

754KB
MD5

6f5d3bff7d5d614175bfdde78cbf88ee
SHA1

ace1d0db2171b3498888a128bcb2f7c02c39e7b4
SHA256

efd666d0509a8f5a3c480af0348c59a2a9079b89d3ca3f991239648fcdac6d26
SHA512

9babe57e2a6f53329e1084079d682ebe3800bc27c7a9fbaca4d6c1b8b95824cb0bdc01aa113f7f096785d60b183c5fdee4231fc442e08b711911fda0518f1d35
SSDEEP

12288:5hxp3lZnT9bDN2cF3jGZprjKh2VyYpriiCxppEnqYW8qJ6fgRat2KEtfMK:5Jlh9bDN2cF+uhojprYGnO8qJygRhKcF

Score

10^/10

njrat 2cheat discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

2CHEAT

alokliu.ddns.net:3389

Mutex

851c1bb86c6c239085c8747c4b02db04

Attributes

reg_key
851c1bb86c6c239085c8747c4b02db04
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2400	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\851c1bb86c6c239085c8747c4b02db04.exe	audiog.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\851c1bb86c6c239085c8747c4b02db04.exe	audiog.exe

Executes dropped EXE 3 IoCs

pid	Process
3040	2Cheat Loader ADM.exe
2144	2Cheat.exe
392	audiog.exe

Loads dropped DLL 8 IoCs

pid	Process
1680	2Cheat Loader.exe
1680	2Cheat Loader.exe
1680	2Cheat Loader.exe
1680	2Cheat Loader.exe
1680	2Cheat Loader.exe
1680	2Cheat Loader.exe
1680	2Cheat Loader.exe
2144	2Cheat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\851c1bb86c6c239085c8747c4b02db04 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\audiog.exe\" .."	audiog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\851c1bb86c6c239085c8747c4b02db04 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\audiog.exe\" .."	audiog.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2Cheat Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2Cheat Loader ADM.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406d89b4940cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433132907"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000d26457cb1538425a3b30b32aeac820ce10875303ef977f2d5b98a3b0769d86b7000000000e800000000200002000000055b339548b6b2b2142c8981fe6f1fc8bed8542e50ef38ffa370fb0c672b243bd90000000aba3f4d691629aa2b7b83ec248030ada92bb2441db2b8b3839f2500fb4d31c1b60dfde2a53b209eb2514ac54ce3e537e8af1211ba84214e8484792ecfbe93d40364e9c18de37631e65caa93462e39426e9a1e1bca5c3df543843051c92df45d02885e0ecd809517ea83a2dd318fe97f9ae89126678c8dd595fa9ae87c36a822fa9416b906e500a8a231d5dd1dfb0aab94000000078d7102d97e0eb0c4a5b9ee0bfd718370b8a2b90dccb1cee3a8aa1238ba923a16b78d6105f427953cb7439c60cc393ebba8409287af15dd6f85075b871f39e10	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DBBA52D1-7887-11EF-976E-62CAC36041A9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DBBCB431-7887-11EF-976E-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000add5d68501a2f1dbcf49e1b366921fd00a33072851b45d0fcbaaed74c33e809f000000000e800000000200002000000071903df9485ab9ad9069826f74a194fbab9d75adc31ddd8ec47c5b589432e54a2000000018e4aef15ed88d1d3c21b591e6a294f7db00c94716dc1f3710bcf8f40617ce2d40000000f32b9135cffa21ce305dd84d6b2f026c82387f34174aa9f24e01f572c2c0f48c71932a3d2f5de4e73da4b81ac4c3fcca213205dc456c0124a33eaf8970001318	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe
3040	2Cheat Loader ADM.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	2Cheat Loader ADM.exe
Token: SeDebugPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe
Token: 33	392	audiog.exe
Token: SeIncBasePriorityPrivilege	392	audiog.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2268	iexplore.exe
2840	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2268	iexplore.exe
2268	iexplore.exe
2840	iexplore.exe
2840	iexplore.exe
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 3040	1680	2Cheat Loader.exe	30
PID 1680 wrote to memory of 3040	1680	2Cheat Loader.exe	30
PID 1680 wrote to memory of 3040	1680	2Cheat Loader.exe	30
PID 1680 wrote to memory of 3040	1680	2Cheat Loader.exe	30
PID 1680 wrote to memory of 2144	1680	2Cheat Loader.exe	31
PID 1680 wrote to memory of 2144	1680	2Cheat Loader.exe	31
PID 1680 wrote to memory of 2144	1680	2Cheat Loader.exe	31
PID 1680 wrote to memory of 2144	1680	2Cheat Loader.exe	31
PID 3040 wrote to memory of 2840	3040	2Cheat Loader ADM.exe	32
PID 3040 wrote to memory of 2840	3040	2Cheat Loader ADM.exe	32
PID 3040 wrote to memory of 2840	3040	2Cheat Loader ADM.exe	32
PID 3040 wrote to memory of 2840	3040	2Cheat Loader ADM.exe	32
PID 3040 wrote to memory of 2268	3040	2Cheat Loader ADM.exe	33
PID 3040 wrote to memory of 2268	3040	2Cheat Loader ADM.exe	33
PID 3040 wrote to memory of 2268	3040	2Cheat Loader ADM.exe	33
PID 3040 wrote to memory of 2268	3040	2Cheat Loader ADM.exe	33
PID 2268 wrote to memory of 2608	2268	iexplore.exe	34
PID 2268 wrote to memory of 2608	2268	iexplore.exe	34
PID 2268 wrote to memory of 2608	2268	iexplore.exe	34
PID 2268 wrote to memory of 2608	2268	iexplore.exe	34
PID 2840 wrote to memory of 2300	2840	iexplore.exe	35
PID 2840 wrote to memory of 2300	2840	iexplore.exe	35
PID 2840 wrote to memory of 2300	2840	iexplore.exe	35
PID 2840 wrote to memory of 2300	2840	iexplore.exe	35
PID 2144 wrote to memory of 392	2144	2Cheat.exe	37
PID 2144 wrote to memory of 392	2144	2Cheat.exe	37
PID 2144 wrote to memory of 392	2144	2Cheat.exe	37
PID 2144 wrote to memory of 392	2144	2Cheat.exe	37
PID 392 wrote to memory of 2400	392	audiog.exe	39
PID 392 wrote to memory of 2400	392	audiog.exe	39
PID 392 wrote to memory of 2400	392	audiog.exe	39
PID 392 wrote to memory of 2400	392	audiog.exe	39

C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe
"C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Roaming\2Cheat Loader ADM.exe
  "C:\Users\Admin\AppData\Roaming\2Cheat Loader ADM.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://bit.ly/2ppsp50
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2300
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://bit.ly/2oERYld
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2608
- C:\Users\Admin\AppData\Roaming\2Cheat.exe
  "C:\Users\Admin\AppData\Roaming\2Cheat.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\audiog.exe
    "C:\Users\Admin\AppData\Local\Temp\audiog.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\audiog.exe" "audiog.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
1KB

MD5
d5c5a96df7e16a3f01869828d707cd4d

SHA1
0fe094b1ccd2e55f28f25a36f42179dd8f7790ba

SHA256
1d8235e3f7c5dc22da753037992e13345a93bf4f6fbee2aa2e65b0060836f29e

SHA512
311bba915a3433c4ce0d7450bb4a7b9d4bdc68f3d82e3484a29d2eed724c3973c61b1f6016324314580ed60c2c634ad37759ba128bc5906822b073ab0071068c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
e2f2591b141b9a60f5b5e20b295a38bd

SHA1
e9d53fb84184487296122d934649d0cc628c5997

SHA256
143a51838a14850c3d23c8968e9c995984ab9069cffbb745c5d6c35cc0a94530

SHA512
cdccf2f41f4064e9e11d6e2e177fec5f46750a1c1b7685677f5169c4fac0b35a83d5cfdc0fb9acc0006f61018866dac73cb4ef6a5430914777000bdf0744a7cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
939ba2365a6585b7e5db58dcb92d6376

SHA1
4932761a4f1ddeb2681cd612f843ebe111048787

SHA256
7183b6921993cf89d36e66e6699c3dc52d5a745c047722ed84624fd00427600a

SHA512
e815fb4f3673540d83236678dfc2e6663da0de2180c02a31fc1495f0bb82514668d78c7d1f52207dcd13f4feacbe84708959574182a64cb648b726f7f3e8fe01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
a0c99cc1e9886276c9dd79d967168773

SHA1
ae8d94ced978397528a8c782bec1f8bf2d7e2ccb

SHA256
afb25db9fb6f14986cfd198118936498d380b0a481f4fd7f17531fb644a7ac82

SHA512
f9084ae083855135cb311dddfab7f0a7ea652c22905edec5e09b78c5f0bfddaac3329be952b3c857c16f81857cee2790a23ec7c1a0a5befa982019eac297723d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8

Filesize
438B

MD5
1a03267a8a043022dad526945398a1b6

SHA1
fb9ef101ea42ec778efd5bc5ce95a4db20a859f8

SHA256
5114d2e0b323386f0635956d0c9e6c154865f16b8ec81c3137edba19244d4e9a

SHA512
07ca2c1a1ad4bb54393d5868ee9533a8c3239605b9bc7d5cbd0cf71b71108aad9cff34f9a1e48e6332bf3b7ec0cf09c0894c95480e7acbc4ebbb3ce5da57d01c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a13be0bea41861bdb98d596d6166a19f

SHA1
dc8aaaddb377274e015e370fc3355364fa0eaf2e

SHA256
e3024d72df01b7820d720a63c66d26d958569005820e6e659044edf6c6671742

SHA512
cd7e02a8e5398ebfbeed1528d36406b6522f64f956f0a184b85de9305c5aeec261483cbd03c56b990f8dbbd1ce954abede613bd046ddd9a054d6f2b60e46ba57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e73a0c798738950f05dc17d1d5231a25

SHA1
88aa601ac69ff4c62049e28cf02a5c1e0986bca1

SHA256
bcc48e78b178c34f2b93b11e6cc209b932543a0c19b43fdfb6e7b8036e23c13e

SHA512
4d9c88800b912c838c6ac8dde154e02bf51e536477d9ea66dd6d564b7278ce7dd57bef63dc6d3c852bf245b43c621aee75ed395563d25681aea6c6e2f7bb66e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec759df752c1cab0c9e28c89e1aa8a5e

SHA1
13091120d6a17f428e5ccc708883654be4db6a8f

SHA256
120539a4fdcbce464df589b4dd9730d010fbbfcc7b6793e6228a4aa9eae7dff4

SHA512
b06fdda58fadbf879085d6ef2e5845567d6d34c4400287c4c2e080d9eb7a1bf5e00c4a746e32ed5f98550b54c22f5e12514d35f78139536ae1f3c630e817d3b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cd44c33352e118bfbb95f265105a6e2

SHA1
c430b53263d28529038183d41ff3a726d9170364

SHA256
7b31ded1c555de5ecd6ee55d6c4851aba6abb369b74105aac94031a4e5788699

SHA512
8c7fc7aa776f6aeff9d3e294477a445b72744af2cb287e65c073320d1b7ec17f53f0eab252c83f15e36f54eca699898c73dad3a0e39effae38327a7d3cb758aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03db5124db654c8d5453b087552df1a5

SHA1
e7d042d4de96c2f5092d4f042c8b5de80f8742ea

SHA256
3454aab4e8d109786793fb939cf0f0f92d5fc8efabda89b9663525bc38751225

SHA512
20a22f49862a5c223417636f65a8fcb9201414a169124009a364641d64f10ab0c0a270c088f70ca23c90899ce52e0252e2789381560f493db41955bb97dccf5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfa653a6f0118fc45c6a18f71076f78e

SHA1
293ba2f50fedbd736f8c29d431c30f6e084bd30f

SHA256
5be699d75afc4e54991dcbdc53dc5714d83f35f3b286cf1657fe4fb25a1cb821

SHA512
e0b1c8bca7009fb2aca11e428138ef2615c975759991121cc126adb2fee326d20a547c0f2a9070233893966bdc3e0a37b10885cce0c2bcfcd305407de35c563f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3352a4cc0d93a30fb618bcb11aa5fab

SHA1
932961740f2f02d111bb662e1465d7025c7bebbc

SHA256
5b3486b5ec3f165d1296a9e5bf59d0d2721833d1f6c3677e5566d1bb45456ec8

SHA512
5b58c6aff26238bcb4b504488d5cf72c3b359eabcc9137adb5b459bb4eac6ec9c59160c6b620621eada6f65fa935a9af3ed2fe9ef975a9f98d0eaf0d1294ca93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80e93dd1a8e614bc2ba26d7a5bf95c46

SHA1
1ef9511dcac15f191731fe48d9ba37d5661d3229

SHA256
c0966ec287f56b6907cfc2b2a0908dfee9484d87bc7916a6e7188d10f12e0d46

SHA512
5a0834a4b23fb956532816e88e6263878ce8fdd9a3f512f7baa57e0a24d7786ea561816a0264cf8135406379e39c79215f2c7ad581bc6a1eca3159f31c4f827f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11d3dc7a7c4c8d45ef83ca80d78254e6

SHA1
baa1a47c2bbb8eb512c29cc2acb67ca445dcc392

SHA256
88c5e79ae2e89d6b9b271549448c197b052277873e67a02f9bb69326d4d0212d

SHA512
9dac7f1361592943fc207fa6d7c065202fd2ddbb986c245446c8ffb6d08d4d8d3d04268264c02060db7d9f1ade0bd7611565ca9ebe97c6409eb78bcc2648f4d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c658bce6b85144784e0baaf25044a92b

SHA1
13f18dcef02df9148ddc8ab3c8efecf7df77e82e

SHA256
00cc11b3ab9c9a0f5ca2aa2b219e136fc848ebaf8647abe3ca1c149494dd4dbe

SHA512
94bcaa6b16c97456ed013e4c6e4340728268304a3e6eb64176f622794920b9795cf052de5e3cf0fb84b33cc8eecc4da8b1ddccb24ce7559c34dba65bce191039

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08b1eec1104e2d20c7d96f82972e99f3

SHA1
2be7ed72586f3e52b86e3bfcfa97b6dd92561a5a

SHA256
affc298a6ab4e44d0ab06f3bef0422a7103a7a088b9239bb51e0c20ba51819bb

SHA512
20ebd34771ed8e7392b6bd55a0c07c70d745fabe81b85f5b324e656240adfd528c868f12d70a7bf7556787bfdd878d65a6633021276e7b9e16bff4ec0670c16e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa2b52accccd5205c7095ec27de1cc1b

SHA1
b546919d45ca10be210b49925ea0180471b5c9b6

SHA256
60f36f4ee205ea62802f865f14b8d631966cf235cef7dc7523897baacbfff39a

SHA512
fc129df88e5eafcaea64df5c6290fee1c76bba97fd255b7e8d2386f104c3bf3b4634048f2edf186b2da3e9bcc27cf1fecc163839e808b88ad1f91f13fe1fbf57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ca3ca9aa1f9d63e15426e536ef37dda

SHA1
7e5c822d6bd15b53e15027fd3b86a7f9cca5100a

SHA256
a8a2869552edc09ad97e285e556cb6f0af1cba7912f4087666a1ca3cf990cf34

SHA512
bb957715f38f4bd56892cf3072f8f14a6c661fc20fcafbf33fd3560b937a26cfdc5ab57318c27688ba9e3c9e19989a34fb7924c5b1ce4401fafdddf399cb4ec7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75cf933630a5601e1e926440ef7ac20f

SHA1
9150361dc864e568b716c048f90c4d7d79f5b811

SHA256
e537da8bf9b0c87f77df410ca4b468e8d8db20ebc8794d6b683890b8d87a26a6

SHA512
ede966df4305a1ee05fc3f464f0e37792ffbfd06193d1a065daf01f38ed1a3cdb0ce44ee3cee6e8cb3425986d7da20329248da4398ffb08667514bae7799a313

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23277dcb76515d859e27cb5484a03d21

SHA1
f75c84f225ec7778a6eb17a5cc36a405bdfaf01d

SHA256
24948692a99717f03f39a8b100a5059df7571fc80e5ab06d25633572e48419f2

SHA512
41c806d12d0cc87cf11ef6ba181875b3e5869504e8aacbc66ccb16b22ce73bac5b05a5a0601e171b832538b0efacfb04c505e7c9c99868f0a655fe7ef3ca302d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d07533b07a82ecd003c5213b660f23fb

SHA1
3e9bb728ebb5c59945ac701eab38341afe8cac83

SHA256
2166d891e05a2ec2fa9cd3690918ad05a51c3aa0168e6daabd2875535c32a990

SHA512
62b1385233b45b59d723c9b063b76d890cced327929fe2a86c25ce5e345e592a728c5d53ceee441f63fdd98dea6c62bcb1900ba8a253cb29f4dfeef4b8a109eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf333c4116d582a91f16fcc8468aebd5

SHA1
2003dc3d502ed627bfc4c4bc7db6b95c81f6b4bd

SHA256
d6efa5c038018d9e4472a952195635059a8335d49222fad928931a576d35d4cc

SHA512
4736de9d9ad25ffdab179ca81e7f6f3493173029ee10d0f59e59b6eb95ce8ab6a44891c1183bff0b245ff74d48b375cc3770f1c01c22cc93ad3e3b3a744cefdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
531672bf7503218d421e45c1a061271c

SHA1
1c9475ef9939b964537dc9eb0325727434ab75af

SHA256
197b90baac58816c989affe1e40c380cfce0e60618a26540913b89d67788e1dd

SHA512
3dd9cd335a13b4badabd982b4e590a7a4d12ced2fc443e7f0e43124274f3d301a754583dd6479fc643bdc0da9eedaf87df654be76731a307971a8e6b7c8c978f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
cf0a9422d64201fcbaaa965e54fbf5ad

SHA1
a335735507f44eabcc3c2a4f20a07daa37ab4ddc

SHA256
15df72d6f7fb049f0aa9404df5e79a1658493e9a2547240b75363ca2535c182f

SHA512
2037195ebee54bd5ab2d9f4d8c6c5ffa3ab99b647109a7514bd24b27ba76f2ae485a112c6e188c74ffafb0dd4507647bdd2adec68486a513b095a96090526cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DBBA52D1-7887-11EF-976E-62CAC36041A9}.dat

Filesize
5KB

MD5
5c11ed1778cf44228784de56da11e924

SHA1
b386d3b9626510aea3f7e9d4771fccef212dd2a4

SHA256
81fe6ad6394b437806f4b417a4b8aa9202349be600e6ae36ee251ec73e0c054a

SHA512
cea72403b1c1918d14ba9a17b84623282a1ff3dfa575d9ea8db27f332283d031e7d3beed74f77787c3c285d21dce6c2c02d32ba6d8c08d7ed7ea176c6f47875f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DBBCB431-7887-11EF-976E-62CAC36041A9}.dat

Filesize
4KB

MD5
f240833f24575cf2f022220d736d771d

SHA1
d82b03f5d812d8047768ba1c85068e0bfe297df9

SHA256
80be190187ee156b45d84221ac8bfc65d0ecfcf14a87d1dc89e2b01ff86f79e1

SHA512
933f34270d759735e1741adf2ecf1f8349adb121136507e976205d9ffb30e844ce977dd8b85947256dae58631a73ab1bd6c062e45b927b975a004273af2c006a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
1KB

MD5
244e7124499e28d65c97329f2e98f2f7

SHA1
135f58f3436f6e1328d32c1608626252a4d6f0af

SHA256
1664297a99469e4ae76c6ab0bfd41944a42a092f30592b8018049decee439a2e

SHA512
273cd9228a02dff64baa739f9ba796b37c6ac324f9ee2ff9a284e684bf89f07ada19154a98b091ef7933b73fc2d889af6683f281e015e4c41e880d6b6245da0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
3KB

MD5
36847b3678b09a6bf1e4c630156eae4d

SHA1
867d70239418c9db32331f9a4439a4570e3fece5

SHA256
6258eab6a8247a651ed0ee973f7c8a9082047337c98c4524b71ccaabb73e8dbb

SHA512
1ed69f26d98386a36ac640b931598c310f7b6fdd45b450d4b05b2eb49e8cded3ecad11c0e018ebd740d17c92481f335013052fa6efde8cdefb91f4201899b4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\C88681CBA60CE9321C6FD2FD8DC97555992FA1A3[1].png

Filesize
1KB

MD5
10be1fc63993fd01005c34be73678406

SHA1
c88681cba60ce9321c6fd2fd8dc97555992fa1a3

SHA256
3ce43ec89d890b85133c3a0f68c666b4ff9afb9fdf6d146c642e1d3dcc1cc06b

SHA512
bf59e780d832982e2c4dc3cec8164214c07f23335b2200605e52ade3002c78f5f19aa716bd8d00946e4ba801a18032350eff04f9aca74f826f9d8f583d40682d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA544.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA5C4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EKY7DUII.txt

Filesize
90B

MD5
c974c1ca1bf49f55ec6b9a6979bfa102

SHA1
805865e91a75bf2ddfac1e73c067e01c30588527

SHA256
98106fbce3dfbeab5f948e30fd574c45fbd556e9d2df90a4670815b04f6a3eb0

SHA512
c7eca86f112075e082b01ee658c73ef6c171ea84e8ba27f7060155c7c56ac6d0b6f3b69d620faef2c0e35c0c7baf979c0233ea6b941d9be34082c34182d8c14d

Download Submit
\Users\Admin\AppData\Roaming\2Cheat Loader ADM.exe

Filesize
1.9MB

MD5
6d87dd41eba03ff1b2b0657ca61b2d83

SHA1
91370c530aa5c1eed47ed50c462232941ea302d9

SHA256
368420f2900be2d8900a57069dd2842fbf24b4dd28f6c2892209ad0ea2ac3891

SHA512
9b9126a6418f5424fd25f9c99190d270e511494b872f81eb9097d7a3a0af93b9b44037e115af30c469b8f3c8ee7da091291e072ab2b4397982a82b5b05bdcefc

Download Submit
\Users\Admin\AppData\Roaming\2cheat.exe

Filesize
23KB

MD5
55193f6f89f52a9388db40b0eaad58f1

SHA1
3ed413946bb837851bb0df4156ff9cdefa6a7c25

SHA256
1ab2856e37ac24ce6168914964b4d6dcbd5a71a1eda3ba5c4568e3839d4037ed

SHA512
d7159e7aba20e2ecf99a2f0d92819dc62450bbc2207714594bf5d8d59754a5a3da1072c0e6ed5415134ede2f534ce5b4cafc9028c4589f514a0b44be66c5a07a

Download Submit
memory/2144-30-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/3040-31-0x00000000000E0000-0x00000000002D6000-memory.dmp

Filesize
2.0MB

Download