pony | 165839ddc5f1001f133c504b5a8594b40c6f0fb59c66b458de0f3839a30b3c72

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/10/2024, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
Size

808KB
MD5

636d2c354fa9439f7e72dfec9c116654
SHA1

9db6c53f049f90eea9a8e3bf2cea95ffd663c25d
SHA256

165839ddc5f1001f133c504b5a8594b40c6f0fb59c66b458de0f3839a30b3c72
SHA512

7bf1755f1013541cd1392147813ddec98fb34ea948b182b13b985b514318ebafcfe34bf6b711b79514a7a3da3a74a4b9dfdf75d7ebb1650c300ec6b4e0cf0036
SSDEEP

12288:Q8tAkq7VWdT2z8q3cn+DC+UpuGCxK4Oe1rXjBHo9XIQt1uPwPUB7MdkWPDruhQx4:Q8t7qgC8mc+DRGaTjBUXIwuPB8Dr

Score

10^/10

pony credential_access discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\76a54caa\\X"	Explorer.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	M6Blrcg8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fnnop.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
1964	cmd.exe

Executes dropped EXE 14 IoCs

pid	Process
3064	M6Blrcg8.exe
2196	fnnop.exe
2844	2buw.exe
2864	2buw.exe
1632	2buw.exe
876	3buw.exe
328	4buw.exe
332	csrss.exe
1596	X
880	3buw.exe
1844	3buw.exe
2764	5buw.exe
2724	4AC6.tmp
2584	6buw.exe

Loads dropped DLL 18 IoCs

pid	Process
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
3064	M6Blrcg8.exe
3064	M6Blrcg8.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
328	4buw.exe
328	4buw.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
876	3buw.exe
876	3buw.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240
Destination IP	31.193.3.240

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /M"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /F"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /N"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /e"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /J"	M6Blrcg8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /x"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /b"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /V"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /Z"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /c"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /q"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /G"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /s"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /X"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /C"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /i"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /I"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /A"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /d"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /B"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /W"	fnnop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\533.exe = "C:\\Program Files (x86)\\LP\\A504\\533.exe"	3buw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /t"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /n"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /a"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /k"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /y"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /Y"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /w"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /h"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /f"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /R"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /O"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /U"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /T"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /u"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /g"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /S"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /r"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /H"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /j"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /Q"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /z"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /p"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /D"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /m"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /K"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /E"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /o"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /P"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /J"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /l"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /v"	fnnop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\fnnop = "C:\\Users\\Admin\\fnnop.exe /L"	fnnop.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2buw.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2buw.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2872	tasklist.exe
2288	tasklist.exe
2132	tasklist.exe
1588	tasklist.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 2864	2844	2buw.exe	36
PID 2844 set thread context of 1632	2844	2buw.exe	37
PID 328 set thread context of 3020	328	4buw.exe	49

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2864-46-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2864-43-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2864-41-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2864-49-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2864-48-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2864-51-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1632-61-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1632-59-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1632-56-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1632-54-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1632-62-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/1632-63-0x0000000000400000-0x0000000000427000-memory.dmp	upx
behavioral1/memory/876-119-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/880-137-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/876-139-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\A504\533.exe	3buw.exe
File opened for modification	C:\Program Files (x86)\LP\A504\533.exe	3buw.exe
File opened for modification	C:\Program Files (x86)\LP\A504\4AC6.tmp	3buw.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2buw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4AC6.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6buw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M6Blrcg8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3buw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3buw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fnnop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5buw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3buw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4buw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d9070000000002000000000010660000000100002000000092e68b824ff94e1e28ac7e3f19552a66e9e0daa0d69102755241780ee8c3d719000000000e800000000200002000000073385f2d463443633e6b9e796486b7788c31e446718993d257afae7daf437ee720000000dd833681341d5f5c9ac7bb0bc7e0d2b239ffb4f5c3a7c6251b9ae3f43f6bb77b40000000ecd667611e6a8e6ddbd98aa343aad0a06e910f97723dc9c9e5ea111d8d36c6846aac49bb1b028fe9beddef1698675c4cd38f6f8f23d22b51a9bb5626adac79ac	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a72f001523db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000f821a803b53be69839b7f7b4c1e0429a13913fd64f2e10a59c6825415b0debfa000000000e800000000200002000000023dd070fde9b01f5ed4705b8b1b4c4554b221170e065fb0a37f4f14d31c3fb0390000000b36945e8c52da9e04a3d7e6cfb6398f740e614cc945199df58b999d82ec5fc7814ff205f37c364751ac70127821b1e5a27394f772b1b15a988eefffaf8099a6689b61c1fddb6d9d831dae2ee9cf6e694a6771c48396d76d7002acf854677b2a6577f1f492e3c195cb0f4a31a1ce4e21ff95fc8bc80fa1f79e860785cafe4540483605cfd0bf7ddb7c28de00e50662c2e400000006cb17515c9d54f3db5d634e47a9f081372bc172e5c5861a01f6bdf445189bb542b19c637329dc76cad93e21615e60e82acac620da006e4b26ebd00a5559bbf2c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435606937"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{29E7EB71-8F08-11EF-A7A5-465533733A50} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\registry\machine\Software\Classes\Interface\{235c4c80-8fc0-76ee-1fd9-9ebfccab44c7}	4buw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{235c4c80-8fc0-76ee-1fd9-9ebfccab44c7}\u = "188"	4buw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{235c4c80-8fc0-76ee-1fd9-9ebfccab44c7}\cid = "579684412886912025"	4buw.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	M6Blrcg8.exe
3064	M6Blrcg8.exe
2864	2buw.exe
1632	2buw.exe
2196	fnnop.exe
1632	2buw.exe
2196	fnnop.exe
2864	2buw.exe
2196	fnnop.exe
2196	fnnop.exe
876	3buw.exe
876	3buw.exe
876	3buw.exe
876	3buw.exe
876	3buw.exe
876	3buw.exe
2196	fnnop.exe
2864	2buw.exe
2196	fnnop.exe
2864	2buw.exe
2864	2buw.exe
2196	fnnop.exe
328	4buw.exe
328	4buw.exe
328	4buw.exe
328	4buw.exe
1596	X
2196	fnnop.exe
2196	fnnop.exe
2864	2buw.exe
2196	fnnop.exe
2864	2buw.exe
2196	fnnop.exe
2864	2buw.exe
2196	fnnop.exe
2196	fnnop.exe
2864	2buw.exe
2196	fnnop.exe
2864	2buw.exe
2864	2buw.exe
2196	fnnop.exe
2864	2buw.exe
2864	2buw.exe
2196	fnnop.exe
2196	fnnop.exe
2864	2buw.exe
2864	2buw.exe
2196	fnnop.exe
2864	2buw.exe
2196	fnnop.exe
2196	fnnop.exe
2864	2buw.exe
2864	2buw.exe
2864	2buw.exe
2196	fnnop.exe
2864	2buw.exe
2196	fnnop.exe
2864	2buw.exe
2196	fnnop.exe
2196	fnnop.exe
2864	2buw.exe
2864	2buw.exe
2864	2buw.exe
2196	fnnop.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	explorer.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	tasklist.exe
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	1696	msiexec.exe
Token: SeDebugPrivilege	328	4buw.exe
Token: SeDebugPrivilege	328	4buw.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeShutdownPrivilege	2432	explorer.exe
Token: SeDebugPrivilege	2288	tasklist.exe
Token: SeDebugPrivilege	2132	tasklist.exe
Token: SeDebugPrivilege	1588	tasklist.exe
Token: SeShutdownPrivilege	2432	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2440	iexplore.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
3064	M6Blrcg8.exe
2196	fnnop.exe
2844	2buw.exe
2764	5buw.exe
2440	iexplore.exe
2440	iexplore.exe
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE
2584	6buw.exe
1376	IEXPLORE.EXE
1376	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
332	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3064	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	30
PID 2160 wrote to memory of 3064	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	30
PID 2160 wrote to memory of 3064	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	30
PID 2160 wrote to memory of 3064	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	30
PID 3064 wrote to memory of 2196	3064	M6Blrcg8.exe	31
PID 3064 wrote to memory of 2196	3064	M6Blrcg8.exe	31
PID 3064 wrote to memory of 2196	3064	M6Blrcg8.exe	31
PID 3064 wrote to memory of 2196	3064	M6Blrcg8.exe	31
PID 3064 wrote to memory of 2816	3064	M6Blrcg8.exe	32
PID 3064 wrote to memory of 2816	3064	M6Blrcg8.exe	32
PID 3064 wrote to memory of 2816	3064	M6Blrcg8.exe	32
PID 3064 wrote to memory of 2816	3064	M6Blrcg8.exe	32
PID 2816 wrote to memory of 2872	2816	cmd.exe	34
PID 2816 wrote to memory of 2872	2816	cmd.exe	34
PID 2816 wrote to memory of 2872	2816	cmd.exe	34
PID 2816 wrote to memory of 2872	2816	cmd.exe	34
PID 2160 wrote to memory of 2844	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	35
PID 2160 wrote to memory of 2844	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	35
PID 2160 wrote to memory of 2844	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	35
PID 2160 wrote to memory of 2844	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	35
PID 2844 wrote to memory of 2864	2844	2buw.exe	36
PID 2844 wrote to memory of 2864	2844	2buw.exe	36
PID 2844 wrote to memory of 2864	2844	2buw.exe	36
PID 2844 wrote to memory of 2864	2844	2buw.exe	36
PID 2844 wrote to memory of 2864	2844	2buw.exe	36
PID 2844 wrote to memory of 2864	2844	2buw.exe	36
PID 2844 wrote to memory of 2864	2844	2buw.exe	36
PID 2844 wrote to memory of 2864	2844	2buw.exe	36
PID 2844 wrote to memory of 1632	2844	2buw.exe	37
PID 2844 wrote to memory of 1632	2844	2buw.exe	37
PID 2844 wrote to memory of 1632	2844	2buw.exe	37
PID 2844 wrote to memory of 1632	2844	2buw.exe	37
PID 2844 wrote to memory of 1632	2844	2buw.exe	37
PID 2844 wrote to memory of 1632	2844	2buw.exe	37
PID 2844 wrote to memory of 1632	2844	2buw.exe	37
PID 2844 wrote to memory of 1632	2844	2buw.exe	37
PID 2160 wrote to memory of 876	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	39
PID 2160 wrote to memory of 876	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	39
PID 2160 wrote to memory of 876	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	39
PID 2160 wrote to memory of 876	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	39
PID 2160 wrote to memory of 328	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	42
PID 2160 wrote to memory of 328	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	42
PID 2160 wrote to memory of 328	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	42
PID 2160 wrote to memory of 328	2160	636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe	42
PID 328 wrote to memory of 1200	328	4buw.exe	21
PID 328 wrote to memory of 332	328	4buw.exe	2
PID 328 wrote to memory of 1596	328	4buw.exe	43
PID 328 wrote to memory of 1596	328	4buw.exe	43
PID 328 wrote to memory of 1596	328	4buw.exe	43
PID 328 wrote to memory of 1596	328	4buw.exe	43
PID 1596 wrote to memory of 1200	1596	X	21
PID 876 wrote to memory of 880	876	3buw.exe	44
PID 876 wrote to memory of 880	876	3buw.exe	44
PID 876 wrote to memory of 880	876	3buw.exe	44
PID 876 wrote to memory of 880	876	3buw.exe	44
PID 332 wrote to memory of 1756	332	csrss.exe	45
PID 332 wrote to memory of 2932	332	csrss.exe	47
PID 876 wrote to memory of 1844	876	3buw.exe	48
PID 876 wrote to memory of 1844	876	3buw.exe	48
PID 876 wrote to memory of 1844	876	3buw.exe	48
PID 876 wrote to memory of 1844	876	3buw.exe	48
PID 328 wrote to memory of 3020	328	4buw.exe	49
PID 328 wrote to memory of 3020	328	4buw.exe	49
PID 328 wrote to memory of 3020	328	4buw.exe	49

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3buw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	3buw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies WinLogon for persistence
PID:1200
- C:\Users\Admin\AppData\Local\Temp\636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\M6Blrcg8.exe
    C:\Users\Admin\M6Blrcg8.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\fnnop.exe
      "C:\Users\Admin\fnnop.exe"
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del M6Blrcg8.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
- - C:\Users\Admin\2buw.exe
    C:\Users\Admin\2buw.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\2buw.exe
      "C:\Users\Admin\2buw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2864
  - - C:\Users\Admin\2buw.exe
      "C:\Users\Admin\2buw.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:1632
- - C:\Users\Admin\3buw.exe
    C:\Users\Admin\3buw.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:876
  - - C:\Users\Admin\3buw.exe
      C:\Users\Admin\3buw.exe startC:\Users\Admin\AppData\Roaming\4C7DC\733A5.exe%C:\Users\Admin\AppData\Roaming\4C7DC
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:880
  - - C:\Users\Admin\3buw.exe
      C:\Users\Admin\3buw.exe startC:\Program Files (x86)\DC921\lvvm.exe%C:\Program Files (x86)\DC921
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1844
  - - C:\Program Files (x86)\LP\A504\4AC6.tmp
      "C:\Program Files (x86)\LP\A504\4AC6.tmp"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2724
- - C:\Users\Admin\4buw.exe
    C:\Users\Admin\4buw.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:328
  - - C:\Users\Admin\AppData\Local\76a54caa\X
      *0*bc*f7f48c19*31.193.3.240:53
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3020
- - C:\Users\Admin\5buw.exe
    C:\Users\Admin\5buw.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2764
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://ginomp3.net
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2440
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 5buw.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
- - C:\Users\Admin\6buw.exe
    C:\Users\Admin\6buw.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del 6buw.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2392
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 636d2c354fa9439f7e72dfec9c116654_JaffaCakes118.exe
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1964
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1588

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1756

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2432

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f9860f0e5a2575a205996d9b2e6c0c37

SHA1
03fd8e519b00f7637364776e56dcefe48ea8f6e9

SHA256
9cd3a1ed9cf513a4739720894908e2c5036ce712fdc271010160de45b2505d30

SHA512
e1eb47f2f7daf1444ec0e0fe72809e4137095b1a18b51b47b78a422e8f97893f1b33bc37d028fd733038ad5be6cb416a34cb048afab7a25ee14bac1ac8dfdccf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
122e4e14d0e6a243b0a43a73cbe6620a

SHA1
cd39c1d55a51b222ff01d6b051928291557d9662

SHA256
8c32fe3097a1bee59f040a386bfb3b6c29fa827429851a835b89ff80e7be6431

SHA512
9f5a5765b4088eb3fdc663b558f06edc8c049a52c742a49cc2c203401789e1f9c938e78acd4d678f85203d34afe412886a214948a008d7ea72094f6d8c6875a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc5e6795adeec52fb99f461b38e9dd5f

SHA1
d18ddaf88c7d354c40472921434b4aff68828d5b

SHA256
9da5d06608734784313f864adf894afe5e2ba48dbebff65cc459472be966ee5f

SHA512
59d55d25e1267f54ff5f5590e40eaa94a2ca846f05358b879986f8a5037dc3edb303d25ec7c74f836aaecf13b776aab0c28208a2fef57115a6cfc86a88ff6091

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc5d0b2702e959fd7788891901fa43c3

SHA1
1a68164f445d070e955b68c26583f5f0f8c7f2c4

SHA256
9a17f3b3c75327ae323212e2b0a861899a15657c93c5084aa27bfb6378436027

SHA512
e466508ab674624636c1d15258ce6d762484f4ea6cfa606a6b32dc6f06375ccec36ac132aa1ceaa125c38043f9f547d3c96e9d2117008ce57c0b90b6ef2d547b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32841e5798aedc7cb722e2bd0cea5812

SHA1
d8646bbc20e70ad37f6f61ba73dfc7eda961540d

SHA256
2a61224dfe46b2409153f54a522950b1cda4f56d629d59ff4038761fdb18828b

SHA512
8190918bdd41afa5eb910bff17506ceef133111f7a12df37a1445a89a33f81edc54363cf58689e7837e2a3d2b592f2778ff0b0f1debbf33f3674c3f316ac8eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a177066c46739d7363de52a1ce4ff70f

SHA1
dc712ceb2621bc0c49aa75fe6a4b4047ed857d94

SHA256
f001d820543f99c35354738d82148e9f6b7c3b719e4e5b0738e388ccd2c19bde

SHA512
59139a600cbe831a851fb2bd39b4dc388193ccfa12240bab6ce63c83cf6800b2de94c66622496cb9483fbc8b1c2681e0fcb68d00ec69f1e15130c3a1f80337b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ade097b8bd79938e002d64c249540f1

SHA1
539404e1e82915e42f9ae12a5621f19db1ce355d

SHA256
e23830d54ff74e4cac66b6cb60ae940e44d32df7a6181f88a3f6c0b0571b6c13

SHA512
2dbbfa836ceb59bc61a9e30f8057b8d0a61ca10fccdd3c12222b7d5cbbc1c316f38b457fd3a85ee0e7287b058af33b4f96bd453a8044b9206ea2bba8c6cdde02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3951549409a94cd8dfa8342e6867ceb

SHA1
8e5b9cf42d3d2d12b3a2e38d781ae031e227f186

SHA256
25046a485e17a9a136383ced847593e24582999210797a11beb82f5df65c9eaa

SHA512
2daa606e2a6cf1189702328dbfecad74a53e122974d13836b70e85e3bef97a86bc89b5d288b409fde1853b452d5ea999d37a3ea0335ca77aef3a8cb4ad8c8f00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d53dc989ba8cafabf150dac80cdd525

SHA1
9330674f338c23d8bda76f9b376f7072bcef55fc

SHA256
c65f3d050f9e7c49b13510888491c86ae4ec52b9f2e84aba7e29da403a697c62

SHA512
c0ed650334fdac7ff15ad3e6e2ae02cd6fe1e1a695d20f404a1f039ae51016bfbb3c612621fd764378130a8b64d4e19b18835d0cd9ce18f2d55916524b6567c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd1a065957eaa5e8218d8dab86470979

SHA1
5ef712ac5fb7858eeecc43d367277075184f7370

SHA256
d90b978a99270d767c8596cc2bf1e62d90a1e77b111d2d60919daa9005821360

SHA512
75ae68eb4d287dae06fde992b003d6573333a5ef55d28489607578dfa5e9a2e1257e52bb48a28964d47348ac8540b54c44c13374be04b04ec47064c1066c3b46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
833a4a3d655184b69099bc3d8a106fe7

SHA1
6e474fecd7be8eee75ac837387e8c4bc01acf6be

SHA256
a759beb4105b0997dedb48b3b44aeafb731039f0ac6f9b65caf5692a56a8a9ff

SHA512
07e9f8207bd06c9f1073037481767cc70be4d65bcda30dd58995d492dd42f90749c46a3c90028983ae8d339a63dc8817bbbeacdb25b1f89053c0a63b5ad3a12f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d98e9ac0dab17fddbd127eaa62336942

SHA1
59daefcd56b86141207bd4a4f255f77464eb43c6

SHA256
932e84e8f98cd31d99321117e7bfa193b5d231373e48e7c46370dac532b4e904

SHA512
9639f9af024938e7a12a39fcaed141c6e80c69bd555ada29747fdfb8a863b51414059c70a11a0ad172686768c8c864e02000412643d23a2e50a46237592bdcb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
709daaaad118052920fd035eb695f139

SHA1
4e3002237d9fc47df73e01b00291e00aba4c00f2

SHA256
d7323ab03ee71d1004c0bc303430d766e80c5f5cd1353fd018c59c5af4dc5640

SHA512
ee9b4c6791bc07b3b36fad752b136e5e62beb629f507b6286d7a08b446766518a0e5d657de935d105fe203a99a7b4f83515101fe4577e6c3c5adf240305b53dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e45193b6330a03cb7c34fee833098256

SHA1
c3a3021c04761c63810ddb5a9cc52324886169f1

SHA256
e56f2308fce766f79f4d809fbfacb05b6cc024928f5c4fe7527491623160fed1

SHA512
79b0da0a22c9d9911691d565d0ca78e09cbf59cd71dc654a798e0cfb7d5b4a5f7219d6c99a8f26eedd6c42ba7a9a233071b90cd88167de493ca26819aabf36b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a217e29efe7066d11d8c8cde26f282d

SHA1
b57cc02ac28b7de781c83ab46a6c0bc7f163d3d4

SHA256
62fa4e154b7b3b6a57a43f73c1d73998154d247f34cb79825f18af78359ba42c

SHA512
54f2b51cd90b5ee4b8849e6d2d44815ef5f2019ebbb0681cdb6cd55a7ac001daeb71407adba9602de9f9c0dc0bddc739027c9a9f123ffc87503daff663af8ce3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69b4938c630c4bde07460cc72e1800fe

SHA1
54f4288b55e610098fea3d918f083bfd0c57f3bf

SHA256
6911da03318654f8792d34d042e65988e2b9e6aedde02c759cbd4b812a321c07

SHA512
3e1623b99e7668bd8555edc7002fc3c7f5a8954968b930079129fa6ae7326c8cf94aef5cb0b6a40e7780adffce28587b2b20525e87775acbe54d05a71e1cf31a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2369e74e140debd7af04e7bb6b33a76

SHA1
b01e6a027281b4f57bcd2cd65beb10b257e7d008

SHA256
87a60771e6994969b7f8dbd49c8c6348aa383ee9038435500936c877ad0d1d24

SHA512
f39d4956a388a4cc9b3959d8abc5443161d8bdd575a32119ca429fa7c5159f10639232c573d656d64dc0ed8e051f6bea8f08ab4881e5face8baf7732ce7fb19b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dedf35c2b129602aedd7e93310a0cd2f

SHA1
71b472aea9c88cd4793a6401ce14230583a9c664

SHA256
74acedfa5f7d8e70c3a00cc67fbca254ee12d840818f0ef1fbe1173f9304dd6e

SHA512
6622c8a5f9785968ba095452f04b8946ab9237d1516736842c268e714158411c7480361268116661f8f83bd11e1b4d622df56b5d73581d548e1c3b19ae0867ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63de5983c65b4acdcaa0a4299d8cc519

SHA1
51a843a80359e3ce9391401bf242722fd35eac14

SHA256
0fbd0f104f436a514bc367ad1d7c44d47a003092a11e9d4d35650c95c5971afb

SHA512
5f060debd29309f243c4e64e3aa6660e70ee9ea60485411916ff5b2b7baefa616e80a61c81d77b903f1fcdde9fcc04fa5ec6afc713098df380d08baed6520c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
458acb5cd8425e2a93c92915d6cb1a0f

SHA1
1f1af40bb1bf16197f0a8f20e974d975cbd7603c

SHA256
a827badc3864daa33e878badb53381f65c04ce9f7cdb74f977f16bc325c2a76b

SHA512
af68af109b1c5ecffadd64b2cc706a2db229942a1d0f7016529e0c1f9df2ccb1c7f35db9b847fb5482d4acc6ed754bcf7215591dda9175d527adaefe551ae1ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
88d8eea320adb573bbc3b2cd8996045c

SHA1
823edb23704a90f29803bdd7d3d27587f8b85467

SHA256
17a5c0d612a2b98f1ac1d4bf1713e57abecbb744a655e49edf79225eb9bdf1e7

SHA512
b625768b2debe7d1930d9e6bf321cb98ead1cb1ab61c45ee489a9d5302fd80153c408875a7d33cf3ffcc12a2b485d3140a7a611b8791e1fe0cdf785cba123d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC92C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC9BB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\4C7DC\C921.C7D

Filesize
600B

MD5
2a7fa1827ed1e57063e9e9b30979a66d

SHA1
0452cdf62ba50ed203b604f2bc572f1e96f5d481

SHA256
2aca4ba657d7fbbd627cc33ddb38c11172036bb444afb580a830e7df41c90c68

SHA512
55aa21f2618c224012923377ef50cd7e6f95c4af9ccbbb73ccfefa121f514ee8fe28dc46f648fd08fb5a1cd4a606f368df0787ce551b9b90f5f76c54a73aee33

Download Submit
C:\Users\Admin\AppData\Roaming\4C7DC\C921.C7D

Filesize
996B

MD5
4760221afbfd35a3c1dc88baadf9b12c

SHA1
07210b73e84fb99128b404ca306dfd645017ca86

SHA256
a495b5e3e7829f3c6c819329e149d3ed0d1abb897743866de99eb140ad93902f

SHA512
6b518eff9ca98cba677a96d12f49e890ea7a6760f0caaafa3991d310effd77756fdfc242af802482a99ae601044bc73c1cd476a27b15c1f0035336cf6416fa15

Download Submit
C:\Users\Admin\AppData\Roaming\4C7DC\C921.C7D

Filesize
1KB

MD5
d8252ad18bd8b6b4f670995ff9da0f35

SHA1
8fb760dcb64d31408074f40f431bc67ebbdb93b5

SHA256
de598fa8597fc84e132690869d40e584ee62f50d75746793893019933874aa78

SHA512
30a6c3d74e906649b64254556607d9e320fb9a844c8324b25701cdb8a2f0e96658e0652a87bec7303602b18de1968cfa6709fabc58d0152cb2fcb05f2b2e667e

Download Submit
C:\Users\Admin\fnnop.exe

Filesize
260KB

MD5
1acf5a4493dc72ca42ea7121829b30bf

SHA1
ee35f533dd044f6e032fdd5acfd3196bb7baca46

SHA256
75e5a3546112231b511f5c68b4b21e3db7fbcd0d4d4aa678c56aeb991eed2f43

SHA512
4ea19d9f6fc5d2db3efc735c7d6152edd1d88f814258af1b588b97412f25f7e4ded7b207d212149e463348703fe9b8db9ce69f05eb1f7a6217f2579a361031ef

Download Submit
C:\Windows\system32\consrv.dll

Filesize
29KB

MD5
76f2ad6212981964aeea83926e5ffdd7

SHA1
8f016ab22ce1338507218f713166c5c169eee65e

SHA256
0b2de0f2219abcf8c5bd580b5b46777eb41290bf5d4b4225b4fd65e56cd99e08

SHA512
e650275cf11752d12c89aa189270627e54b7b5f55b6f9261aa4e25eafc073374ae9bbae2a380338a81ee07c4aaa0ee3608a45c118fccae1c382f99554b26a91f

Download Submit
\Program Files (x86)\LP\A504\4AC6.tmp

Filesize
105KB

MD5
de2d445daccc5b2b829bb8cd9c88d325

SHA1
d07fa1955d4079231b2c58daa8180218e92b5ccb

SHA256
13605126362023caaf25164f6537c68dd10b3fc2f8752d30976748add42cb8c0

SHA512
8457b1d87a152c21046908f46d9e0629832be0d684d2ca82e0f4921cb09e39e40c51f5025b3585cb57c33a95dfaa8ceb7ed8b263aaa28a1621447ba447ce4bdb

Download Submit
\Users\Admin\2buw.exe

Filesize
116KB

MD5
bd1a291f9ec6babc57a9a10ef3eeccd8

SHA1
f892c892c66438d1b2fbc2970eb316b71b5b1d17

SHA256
53e7bded82420a720eebe31186fd312770ee2660d9b7484f326756febe0d475b

SHA512
db87931c856ef69601270015dfb45ca82743831e8ebd64776d243c3feb3c48252558c43045d66a7b5097ddb8990a4839f469cb0ebcd3488a14261f87f1c292e1

Download Submit
\Users\Admin\3buw.exe

Filesize
275KB

MD5
9386d0870fc5654e6389249229cdf317

SHA1
0861e5e251519a76e053329ab6730bffeb4f8542

SHA256
83936516b54343d4223e3402485c0a4057a7a5157430ee0c9cbd010355d54a9d

SHA512
d6b32dd869d90f4d2f385e7369cb8750cf2ae273047b98d1f45e747abf50bffd4a1e74ab2a283ef64341ce4c0de6191c4682b9932e3b5438d2d0637d960703d0

Download Submit
\Users\Admin\4buw.exe

Filesize
270KB

MD5
bf356e67d69baf8a9338b01e5a013428

SHA1
9f0065e7a53864782a579972dc8f4fc5b951aa99

SHA256
28f3337df7dd25a754c5d9c6f6634795b120a06f4e11f82d060cc083a57e9fed

SHA512
dd972b8b8869a6251e08e3218c58e25f9354064d7c7d7b1815f8b09a3b3eadfbb8d3736a83e5646874f94669f0bc68e219720ee4fd4289ecaf13951bb02c88d9

Download Submit
\Users\Admin\5buw.exe

Filesize
28KB

MD5
adc0dc58d647bd292f13ae0f271b03de

SHA1
a4faacc4093a12ba91cc8c3af8febf8f75998f3d

SHA256
cfdc20a03a9fd4292135eeffff1f2587727cfb0366a373f818e6bdf7c88153be

SHA512
b40910fd7985fb0dde2f5dd36be88184199443be41ef48262c873ae4177fc961e350a7002c7a707a6eaa9847056699beaf6fd5faa0dbf354115dc2c3664dd552

Download Submit
\Users\Admin\6buw.exe

Filesize
60KB

MD5
9fcc39f6fbe56574d466cee9cc2b8d50

SHA1
e598ca18cb21ea62efb3a6b6bdb4c10e48fe6617

SHA256
248f8d1fc62061eb3f12234142e102e04d58f7069fe13263cd81db4055225297

SHA512
c415b0dc4e19b91999d908d4c260778dc4e7d75476f4f3a1d315355298dd903c2d0505d60e4fed27da9c845b252fcd59f00b83d6848a1bd0a8a539520ef5f55b

Download Submit
\Users\Admin\AppData\Local\76a54caa\X

Filesize
38KB

MD5
72de2dadaf875e2fd7614e100419033c

SHA1
5f17c5330e91a42daa9ff24c4aa602bd1a72bf6e

SHA256
c44993768a4dc5a58ddbfc9cb05ce2a7d3a0a56be45643d70a72bcf811b6c381

SHA512
e2520a53326a7d3b056e65d0cf60e9d823ffb34ca026cdddc7ea3a714f8396c53c37e13a887fc86a7dd7076c97fdfad53c3f5a68342ebc1bdec948c76bda8df3

Download Submit
\Users\Admin\M6Blrcg8.exe

Filesize
260KB

MD5
4fe76d5388b2c5184c01ae8c8a779f7a

SHA1
4cd9f87e14c754a5b146c2ad85a4b151ba42350c

SHA256
045455be09c8458c69e7752f0b86579109c389174c1715d1340aeb014f79a4f2

SHA512
2d92bfdb4b09efb941681431f143c07618d39481d292c17bab8ae13809962dbe3582747637205eecaec05d3408630feadb69b86fd8f3a8a30f6fe2511f45635f

Download Submit
\systemroot\assembly\tmp\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}

Filesize
2KB

MD5
db95cb48b6ce49fb267576e43fe01cb0

SHA1
3c1903ad3f0ab8379bbb5b25b49a8798c44e787f

SHA256
5427d8a7584ab9c90140dad9582ba88e5f8b6838fd8a425c8a747410402c47b8

SHA512
a8376add59565abf38a58d93794495117e6c2cd8a4e499f954030e4bfb40c7e74eb1a019ef09b12c91dbb4f724bfc0ef4254bc1e29f8b1cb90ae1628bd91bdc8

Download Submit
memory/328-297-0x0000000030670000-0x00000000306C5000-memory.dmp

Filesize
340KB

Download
memory/328-122-0x0000000030670000-0x00000000306C5000-memory.dmp

Filesize
340KB

Download
memory/332-99-0x0000000000EA0000-0x0000000000EAB000-memory.dmp

Filesize
44KB

Download
memory/876-139-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/876-119-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/880-137-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1200-141-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/1200-142-0x0000000002E50000-0x0000000002E5B000-memory.dmp

Filesize
44KB

Download
memory/1200-106-0x0000000002E40000-0x0000000002E4B000-memory.dmp

Filesize
44KB

Download
memory/1200-110-0x0000000002E40000-0x0000000002E4B000-memory.dmp

Filesize
44KB

Download
memory/1200-114-0x0000000002E40000-0x0000000002E4B000-memory.dmp

Filesize
44KB

Download
memory/1200-115-0x0000000002E50000-0x0000000002E5B000-memory.dmp

Filesize
44KB

Download
memory/1200-88-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/1200-92-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/1200-84-0x0000000002E20000-0x0000000002E26000-memory.dmp

Filesize
24KB

Download
memory/1632-63-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1632-62-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1632-52-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1632-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1632-56-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1632-59-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1632-61-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2864-51-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2864-48-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2864-49-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2864-39-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2864-41-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2864-43-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2864-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-46-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3064-28-0x0000000003760000-0x000000000421A000-memory.dmp

Filesize
10.7MB

Download