fabookie | 4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe
Size

6.0MB
MD5

dd64aefb283080eb01bb9a69ec3f6427
SHA1

0b72f179f63ad9c54e699ce8dcfe4b3c54c0b4a7
SHA256

4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d
SHA512

f06f19e744c1db5e2310363e3f3fc155bb88338333ead94b0665ff8a71d6e8f4f4cd352b544b62a4617bec2439cd56e84ff2b5a821dc8e0106e75a23a2cbd4c6
SSDEEP

98304:JZUnEVxb/iIIH1YTTbGmRsRDOtOezpvkuGwkMgNAshyNNGBvOWzeMvOYDnuYJZN:JDSISq3bGmRsRD0zO91O4yNNGw2OEnzN

Score

10^/10

fabookie gcleaner nullmixer onlylogger privateloader redline socelars 05v1user 2 aspackv2 discovery dropper execution infostealer loader spyware stealer

Malware Config

Extracted

Family

nullmixer

http://hornygl.xyz/

Extracted

Family

privateloader

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Extracted

Family

socelars

http://www.assassinsx.com/

Extracted

Family

redline

Botnet

05v1user

88.99.35.59:63020

Attributes

auth_value
938f80985c12fe8ee069f692c27f40eb

Extracted

Family

gcleaner

web-stat.biz

privatevolume.bi

Extracted

Family

redline

Botnet

193.203.203.82:23108

Attributes

auth_value
52b37b8702d697840527fac8a6ac247d

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019399-100.dat	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/2708-232-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2708-230-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2708-229-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2708-226-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2708-224-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2704-515-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000193ec-105.dat	family_socelars

Detected Nirsoft tools 4 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x0005000000019399-100.dat	Nirsoft
behavioral1/files/0x000500000001962a-198.dat	Nirsoft
behavioral1/files/0x000600000001962a-267.dat	Nirsoft
behavioral1/memory/1560-268-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/files/0x0005000000019399-100.dat	WebBrowserPassView
behavioral1/files/0x000600000001962a-267.dat	WebBrowserPassView
behavioral1/memory/1560-268-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

OnlyLogger payload 2 IoCs

resource	yara_rule
behavioral1/memory/1408-252-0x0000000000400000-0x0000000000585000-memory.dmp	family_onlylogger
behavioral1/memory/1408-276-0x0000000000400000-0x0000000000585000-memory.dmp	family_onlylogger

Blocklisted process makes network request 2 IoCs

flow	pid	Process
85	1156	rundll32.exe
94	1156	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1844	powershell.exe
1868	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000001941a-69.dat	aspack_v212_v242
behavioral1/files/0x0005000000019417-70.dat	aspack_v212_v242
behavioral1/files/0x0005000000019441-77.dat	aspack_v212_v242

Executes dropped EXE 28 IoCs

pid	Process
2336	setup_installer.exe
2884	setup_install.exe
1736	61de976cb6fa4_Wed08802a200.exe
2852	61de976eb920b_Wed08ba1d6ac.exe
1672	61de97688abea_Wed08c4462e24.exe
1952	61de976975c21_Wed0822b6847.exe
2400	61de97b264446_Wed08a2ba1462b.exe
1512	61de97674ddca_Wed0880311af5e2.exe
1408	61de97b5aba21_Wed085151cd67c.exe
856	61de976932bf3_Wed08a22ddfdaa.exe
3024	61de9770b0458_Wed082ee61f.exe
1156	61de976bb4dc6_Wed08184306ce.exe
2952	61de9771b7a26_Wed08c0835ea59.exe
2532	61de97b7d138f_Wed08265125ec1f.exe
696	61de976fc064f_Wed08ab67d1.exe
1928	61de97b264446_Wed08a2ba1462b.tmp
1948	61de976932bf3_Wed08a22ddfdaa.exe
1440	61de976d080bb_Wed0867369d933.exe
1708	61de97b264446_Wed08a2ba1462b.exe
1588	61de97b264446_Wed08a2ba1462b.tmp
2576	11111.exe
2708	61de9771b7a26_Wed08c0835ea59.exe
1560	11111.exe
3016	61de976d080bb_Wed0867369d933.exe
1228	61de976d080bb_Wed0867369d933.exe
2760	61de976d080bb_Wed0867369d933.exe
2704	61de976d080bb_Wed0867369d933.exe
2544	f78a19c.exe

Loads dropped DLL 64 IoCs

pid	Process
2300	JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe
2336	setup_installer.exe
2336	setup_installer.exe
2336	setup_installer.exe
2336	setup_installer.exe
2336	setup_installer.exe
2336	setup_installer.exe
2884	setup_install.exe
2884	setup_install.exe
2884	setup_install.exe
2884	setup_install.exe
2884	setup_install.exe
2884	setup_install.exe
2884	setup_install.exe
2884	setup_install.exe
2444	cmd.exe
2100	cmd.exe
1740	cmd.exe
1740	cmd.exe
1664	cmd.exe
1664	cmd.exe
2852	61de976eb920b_Wed08ba1d6ac.exe
2852	61de976eb920b_Wed08ba1d6ac.exe
1736	61de976cb6fa4_Wed08802a200.exe
1736	61de976cb6fa4_Wed08802a200.exe
1952	61de976975c21_Wed0822b6847.exe
1952	61de976975c21_Wed0822b6847.exe
1888	cmd.exe
1636	cmd.exe
2400	61de97b264446_Wed08a2ba1462b.exe
1896	cmd.exe
2400	61de97b264446_Wed08a2ba1462b.exe
1896	cmd.exe
1512	61de97674ddca_Wed0880311af5e2.exe
1512	61de97674ddca_Wed0880311af5e2.exe
2748	cmd.exe
1408	61de97b5aba21_Wed085151cd67c.exe
1408	61de97b5aba21_Wed085151cd67c.exe
2656	cmd.exe
2656	cmd.exe
2044	cmd.exe
2044	cmd.exe
1244	cmd.exe
1244	cmd.exe
856	61de976932bf3_Wed08a22ddfdaa.exe
856	61de976932bf3_Wed08a22ddfdaa.exe
2748	cmd.exe
3024	61de9770b0458_Wed082ee61f.exe
3024	61de9770b0458_Wed082ee61f.exe
1156	61de976bb4dc6_Wed08184306ce.exe
1156	61de976bb4dc6_Wed08184306ce.exe
2952	61de9771b7a26_Wed08c0835ea59.exe
2952	61de9771b7a26_Wed08c0835ea59.exe
2292	cmd.exe
320	cmd.exe
2532	61de97b7d138f_Wed08265125ec1f.exe
2532	61de97b7d138f_Wed08265125ec1f.exe
856	61de976932bf3_Wed08a22ddfdaa.exe
2400	61de97b264446_Wed08a2ba1462b.exe
584	cmd.exe
1928	61de97b264446_Wed08a2ba1462b.tmp
1928	61de97b264446_Wed08a2ba1462b.tmp
1928	61de97b264446_Wed08a2ba1462b.tmp
1948	61de976932bf3_Wed08a22ddfdaa.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 33 IoCs

Web Service

T1102

flow	ioc
13	iplogger.org
47	bitbucket.org
97	iplogger.org
110	iplogger.org
50	iplogger.org
76	iplogger.org
82	iplogger.org
78	iplogger.org
100	iplogger.org
29	iplogger.org
39	iplogger.org
45	iplogger.org
46	bitbucket.org
14	iplogger.org
71	iplogger.org
88	iplogger.org
107	iplogger.org
86	iplogger.org
96	iplogger.org
105	iplogger.org
17	iplogger.org
34	iplogger.org
35	iplogger.org
58	iplogger.org
68	pastebin.com
74	iplogger.org
80	iplogger.org
104	iplogger.org
95	iplogger.org
11	iplogger.org
67	pastebin.com
90	iplogger.org
102	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 2708	2952	61de9771b7a26_Wed08c0835ea59.exe	77
PID 1440 set thread context of 2704	1440	61de976d080bb_Wed0867369d933.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2256	1156	WerFault.exe
2168	2884	WerFault.exe	32
2536	2852	WerFault.exe	55
2904	1408	WerFault.exe	58
2332	2544	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de97b264446_Wed08a2ba1462b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de97b5aba21_Wed085151cd67c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de97b264446_Wed08a2ba1462b.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de97b7d138f_Wed08265125ec1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de976bb4dc6_Wed08184306ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de97b264446_Wed08a2ba1462b.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de976975c21_Wed0822b6847.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de976932bf3_Wed08a22ddfdaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de97b264446_Wed08a2ba1462b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de9770b0458_Wed082ee61f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de976d080bb_Wed0867369d933.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de976d080bb_Wed0867369d933.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de976cb6fa4_Wed08802a200.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de976932bf3_Wed08a22ddfdaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f78a19c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de97674ddca_Wed0880311af5e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de976eb920b_Wed08ba1d6ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de9771b7a26_Wed08c0835ea59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61de9771b7a26_Wed08c0835ea59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2020	taskkill.exe
2608	taskkill.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	61de97688abea_Wed08c4462e24.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	61de976d080bb_Wed0867369d933.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	61de976d080bb_Wed0867369d933.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	61de97688abea_Wed08c4462e24.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	61de97688abea_Wed08c4462e24.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	61de97688abea_Wed08c4462e24.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	61de97688abea_Wed08c4462e24.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	61de97688abea_Wed08c4462e24.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1868	powershell.exe
1844	powershell.exe
1440	61de976d080bb_Wed0867369d933.exe
2804	powershell.exe
1560	11111.exe
1560	11111.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe
1440	61de976d080bb_Wed0867369d933.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1588	61de97b264446_Wed08a2ba1462b.tmp

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeCreateTokenPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeAssignPrimaryTokenPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeLockMemoryPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeIncreaseQuotaPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeMachineAccountPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeTcbPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeSecurityPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeTakeOwnershipPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeLoadDriverPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeSystemProfilePrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeSystemtimePrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeProfSingleProcessPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeIncBasePriorityPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeCreatePagefilePrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeCreatePermanentPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeBackupPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeRestorePrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeShutdownPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeDebugPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeAuditPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeSystemEnvironmentPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeChangeNotifyPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeRemoteShutdownPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeUndockPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeSyncAgentPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeEnableDelegationPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeManageVolumePrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeImpersonatePrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeCreateGlobalPrivilege	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: 31	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: 32	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: 33	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: 34	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: 35	2532	61de97b7d138f_Wed08265125ec1f.exe
Token: SeDebugPrivilege	2952	61de9771b7a26_Wed08c0835ea59.exe
Token: SeDebugPrivilege	1440	61de976d080bb_Wed0867369d933.exe
Token: SeDebugPrivilege	1672	61de97688abea_Wed08c4462e24.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	3024	61de9770b0458_Wed082ee61f.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
856	61de976932bf3_Wed08a22ddfdaa.exe
856	61de976932bf3_Wed08a22ddfdaa.exe
1948	61de976932bf3_Wed08a22ddfdaa.exe
1948	61de976932bf3_Wed08a22ddfdaa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2336	2300	JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe	31
PID 2300 wrote to memory of 2336	2300	JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe	31
PID 2300 wrote to memory of 2336	2300	JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe	31
PID 2300 wrote to memory of 2336	2300	JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe	31
PID 2300 wrote to memory of 2336	2300	JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe	31
PID 2300 wrote to memory of 2336	2300	JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe	31
PID 2300 wrote to memory of 2336	2300	JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe	31
PID 2336 wrote to memory of 2884	2336	setup_installer.exe	32
PID 2336 wrote to memory of 2884	2336	setup_installer.exe	32
PID 2336 wrote to memory of 2884	2336	setup_installer.exe	32
PID 2336 wrote to memory of 2884	2336	setup_installer.exe	32
PID 2336 wrote to memory of 2884	2336	setup_installer.exe	32
PID 2336 wrote to memory of 2884	2336	setup_installer.exe	32
PID 2336 wrote to memory of 2884	2336	setup_installer.exe	32
PID 2884 wrote to memory of 2068	2884	setup_install.exe	34
PID 2884 wrote to memory of 2068	2884	setup_install.exe	34
PID 2884 wrote to memory of 2068	2884	setup_install.exe	34
PID 2884 wrote to memory of 2068	2884	setup_install.exe	34
PID 2884 wrote to memory of 2068	2884	setup_install.exe	34
PID 2884 wrote to memory of 2068	2884	setup_install.exe	34
PID 2884 wrote to memory of 2068	2884	setup_install.exe	34
PID 2884 wrote to memory of 1220	2884	setup_install.exe	35
PID 2884 wrote to memory of 1220	2884	setup_install.exe	35
PID 2884 wrote to memory of 1220	2884	setup_install.exe	35
PID 2884 wrote to memory of 1220	2884	setup_install.exe	35
PID 2884 wrote to memory of 1220	2884	setup_install.exe	35
PID 2884 wrote to memory of 1220	2884	setup_install.exe	35
PID 2884 wrote to memory of 1220	2884	setup_install.exe	35
PID 2884 wrote to memory of 1636	2884	setup_install.exe	36
PID 2884 wrote to memory of 1636	2884	setup_install.exe	36
PID 2884 wrote to memory of 1636	2884	setup_install.exe	36
PID 2884 wrote to memory of 1636	2884	setup_install.exe	36
PID 2884 wrote to memory of 1636	2884	setup_install.exe	36
PID 2884 wrote to memory of 1636	2884	setup_install.exe	36
PID 2884 wrote to memory of 1636	2884	setup_install.exe	36
PID 2884 wrote to memory of 2444	2884	setup_install.exe	37
PID 2884 wrote to memory of 2444	2884	setup_install.exe	37
PID 2884 wrote to memory of 2444	2884	setup_install.exe	37
PID 2884 wrote to memory of 2444	2884	setup_install.exe	37
PID 2884 wrote to memory of 2444	2884	setup_install.exe	37
PID 2884 wrote to memory of 2444	2884	setup_install.exe	37
PID 2884 wrote to memory of 2444	2884	setup_install.exe	37
PID 2884 wrote to memory of 2044	2884	setup_install.exe	38
PID 2884 wrote to memory of 2044	2884	setup_install.exe	38
PID 2884 wrote to memory of 2044	2884	setup_install.exe	38
PID 2884 wrote to memory of 2044	2884	setup_install.exe	38
PID 2884 wrote to memory of 2044	2884	setup_install.exe	38
PID 2884 wrote to memory of 2044	2884	setup_install.exe	38
PID 2884 wrote to memory of 2044	2884	setup_install.exe	38
PID 2884 wrote to memory of 1740	2884	setup_install.exe	39
PID 2884 wrote to memory of 1740	2884	setup_install.exe	39
PID 2884 wrote to memory of 1740	2884	setup_install.exe	39
PID 2884 wrote to memory of 1740	2884	setup_install.exe	39
PID 2884 wrote to memory of 1740	2884	setup_install.exe	39
PID 2884 wrote to memory of 1740	2884	setup_install.exe	39
PID 2884 wrote to memory of 1740	2884	setup_install.exe	39
PID 2884 wrote to memory of 2656	2884	setup_install.exe	40
PID 2884 wrote to memory of 2656	2884	setup_install.exe	40
PID 2884 wrote to memory of 2656	2884	setup_install.exe	40
PID 2884 wrote to memory of 2656	2884	setup_install.exe	40
PID 2884 wrote to memory of 2656	2884	setup_install.exe	40
PID 2884 wrote to memory of 2656	2884	setup_install.exe	40
PID 2884 wrote to memory of 2656	2884	setup_install.exe	40
PID 2884 wrote to memory of 2100	2884	setup_install.exe	41

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4eb9b936c2fb7fade00cbd6ea3209d2dc378ba39cbaf5a74bf6b9c5aebda452d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS029377F6\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      System Location Discovery: System Language Discovery
      PID:2068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1220
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de97674ddca_Wed0880311af5e2.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97674ddca_Wed0880311af5e2.exe
        
        61de97674ddca_Wed0880311af5e2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1512
      - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" .\JeEf.M
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\JeEf.M
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:332
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\JeEf.M
        8⤵
        
        PID:772
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\JeEf.M
        9⤵
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\f78a19c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f78a19c.exe"
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 656
        11⤵
        Program crash
        
        PID:2332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de97688abea_Wed08c4462e24.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2444
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97688abea_Wed08c4462e24.exe
        
        61de97688abea_Wed08c4462e24.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de976932bf3_Wed08a22ddfdaa.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976932bf3_Wed08a22ddfdaa.exe
        
        61de976932bf3_Wed08a22ddfdaa.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:856
      - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976932bf3_Wed08a22ddfdaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976932bf3_Wed08a22ddfdaa.exe" -u
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de976975c21_Wed0822b6847.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976975c21_Wed0822b6847.exe
        
        61de976975c21_Wed0822b6847.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "61de976975c21_Wed0822b6847.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976975c21_Wed0822b6847.exe" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "61de976975c21_Wed0822b6847.exe" /f
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de976bb4dc6_Wed08184306ce.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976bb4dc6_Wed08184306ce.exe
        
        61de976bb4dc6_Wed08184306ce.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1156
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 272
        6⤵
        Program crash
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de976cb6fa4_Wed08802a200.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976cb6fa4_Wed08802a200.exe
        
        61de976cb6fa4_Wed08802a200.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de976d080bb_Wed0867369d933.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:584
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976d080bb_Wed0867369d933.exe
        
        61de976d080bb_Wed0867369d933.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwADsAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
      - C:\Users\Admin\AppData\Local\Temp\61de976d080bb_Wed0867369d933.exe
        
        C:\Users\Admin\AppData\Local\Temp\61de976d080bb_Wed0867369d933.exe
        6⤵
        Executes dropped EXE
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\61de976d080bb_Wed0867369d933.exe
        
        C:\Users\Admin\AppData\Local\Temp\61de976d080bb_Wed0867369d933.exe
        6⤵
        Executes dropped EXE
        
        PID:1228
      - C:\Users\Admin\AppData\Local\Temp\61de976d080bb_Wed0867369d933.exe
        
        C:\Users\Admin\AppData\Local\Temp\61de976d080bb_Wed0867369d933.exe
        6⤵
        Executes dropped EXE
        
        PID:2760
      - C:\Users\Admin\AppData\Local\Temp\61de976d080bb_Wed0867369d933.exe
        
        C:\Users\Admin\AppData\Local\Temp\61de976d080bb_Wed0867369d933.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de976eb920b_Wed08ba1d6ac.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976eb920b_Wed08ba1d6ac.exe
        
        61de976eb920b_Wed08ba1d6ac.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2852
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1460
        6⤵
        Program crash
        
        PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de976fc064f_Wed08ab67d1.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976fc064f_Wed08ab67d1.exe
        
        61de976fc064f_Wed08ab67d1.exe
        5⤵
        Executes dropped EXE
        
        PID:696
      - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2576
      - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 696 -s 480
        6⤵
        
        PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de9770b0458_Wed082ee61f.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1244
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de9770b0458_Wed082ee61f.exe
        
        61de9770b0458_Wed082ee61f.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de9771b7a26_Wed08c0835ea59.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2748
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de9771b7a26_Wed08c0835ea59.exe
        
        61de9771b7a26_Wed08c0835ea59.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
      - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de9771b7a26_Wed08c0835ea59.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de9771b7a26_Wed08c0835ea59.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de97b264446_Wed08a2ba1462b.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b264446_Wed08a2ba1462b.exe
        
        61de97b264446_Wed08a2ba1462b.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2400
      - C:\Users\Admin\AppData\Local\Temp\is-1ODM1.tmp\61de97b264446_Wed08a2ba1462b.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1ODM1.tmp\61de97b264446_Wed08a2ba1462b.tmp" /SL5="$7015A,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b264446_Wed08a2ba1462b.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b264446_Wed08a2ba1462b.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b264446_Wed08a2ba1462b.exe" /SILENT
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\is-CQK13.tmp\61de97b264446_Wed08a2ba1462b.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CQK13.tmp\61de97b264446_Wed08a2ba1462b.tmp" /SL5="$40186,140765,56832,C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b264446_Wed08a2ba1462b.exe" /SILENT
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de97b5aba21_Wed085151cd67c.exe /mixtwo
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b5aba21_Wed085151cd67c.exe
        
        61de97b5aba21_Wed085151cd67c.exe /mixtwo
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1408
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 484
        6⤵
        Program crash
        
        PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 61de97b7d138f_Wed08265125ec1f.exe
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:320
    - - C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b7d138f_Wed08265125ec1f.exe
        
        61de97b7d138f_Wed08265125ec1f.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 480
      4⤵
      Program crash
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
458KB

MD5
ba3a98e2a1faacf0ad668b4e9582a109

SHA1
1160c029a6257f776a6ed1cfdc09ae158d613ae3

SHA256
8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5

SHA512
d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97688abea_Wed08c4462e24.exe

Filesize
8KB

MD5
8cb3f6ba5e7b3b4d71162a0846baaebd

SHA1
19543ffebd39ca3ed9296bfa127d04d4b00e422b

SHA256
a25bd95aeb2115ef24d3545fc11150200f567027c0673daf0bbeede99a651b4a

SHA512
451e5f10d4d9faccc03f529b89cd674a64f2157b0c58792165290ac65f590b03d4fc04820e48cd07431168e11c31c2090d3d68264b95277ad3c3f3df765967e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976932bf3_Wed08a22ddfdaa.exe

Filesize
312KB

MD5
e2c982d6178375365eb7977c873b3a63

SHA1
f86b9f418a01fdb93018d10ad289f79cfa8a72ae

SHA256
d4b90392cc143ffe8cc6ec13a76f46280ebd1568c4426c5f7779abdc8f1804f6

SHA512
83c25a01288cc35d2c99cc3176b3bf3b10d940141093f7a160a843a8e330315066c4751a423df2147f6f2def01332dbcfe539b469a74de4c2605d74ed9c39f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976975c21_Wed0822b6847.exe

Filesize
364KB

MD5
98eda337c336dd1417f9660dcf63b2bf

SHA1
81618885b387d28133aaa1c98ded4c0570f4c56c

SHA256
2f11291c6d30277f01d1cd69ee33b807c90f9d6e9df579fe82651d52856ede37

SHA512
4d73a988b819b8728fb02f06365655246ff76704f460dc7732305bfc3e93c3c34179163c05a39869a15fb1564695b215ccdb826364ea0809d60ac12259432a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976bb4dc6_Wed08184306ce.exe

Filesize
311KB

MD5
a9fb80476f6d6c1cc890efcf9cadad66

SHA1
01121b7efed911a191bca496b9d87aa7a97608c7

SHA256
6541daf47c981aa3acecc5e58c1259a41ad7ce3773bc99a8c386458057bab02c

SHA512
031bbe595be2a5f800e9656458e731b3419d390b25c1b712b9afb9d5277a550a7ccd7efa5262aa0ff3e8361141001488d9897d9c4cae3b2a7a9cfac92cc21952

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976d080bb_Wed0867369d933.exe

Filesize
1.6MB

MD5
8e8f9ec2380e6bec8eddde2ed5640119

SHA1
05ba1959ac3c31d46b5707c2a98ec379e58ac0ec

SHA256
723e373934071cace27bebd6c8a8e3d72d96f84bf27e39b726cb28d731628ec5

SHA512
4aedcc14aeb3822b4c65055ff92f136713340809d2d9febca2e24583b8a9f20801eb954918bbf2952f06da31eef9757827a1725df2af1b69883ac9c93c69767b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976eb920b_Wed08ba1d6ac.exe

Filesize
116KB

MD5
243e257ab5a5db0e1b249bdc2abc4cfb

SHA1
24fa6eee12729ab616b9d90dee2ea07d52d3e890

SHA256
3382b220421a7f7afa30d6936da856741c278167b1e67db70a1b5be4894d8f80

SHA512
a2e37412b5fa1db2a97298d9b0368214d8f0d6a0f190bf73ef63f0a6c11d25ade16376355f5059c94a9eba544201100c7089cb952ee37456aeca21d618561ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976fc064f_Wed08ab67d1.exe

Filesize
2.0MB

MD5
29fa0d00300d275c04b2d0cc3b969c57

SHA1
329b7fbe6ba9ceca9507af8adec6771799c2e841

SHA256
28314e224dcbae977cbf7dec0cda849e4a56cec90b3568a29b6bbd9234b895aa

SHA512
4925a7e5d831ebc1da9a6f7e77f5022e83f7f01032d102a41dd9e33a4df546202b3b27effb912aa46e5b007bda11238e1fc67f8c74ddac4993a6ee108a6cd411

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de9770b0458_Wed082ee61f.exe

Filesize
757KB

MD5
b9df5d3b6bd01a094aedade0e863f505

SHA1
a594649d49f2fd727aec64dff6a6dc3f8bcb6cdf

SHA256
34fd9f0ab92fbe49aea7ae994c41de246033e46f435ad817f2fa9ad6ff6267d8

SHA512
6c0baf1aa021f9f024146e11028ba1603c2f3b7e975a6a5e682545ab5e22b1e4580ed873fb975e500295225fc52b7b16dedabe6fa457769160d2618013e15186

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de9771b7a26_Wed08c0835ea59.exe

Filesize
527KB

MD5
3e52b9d96ebb916e79769c0ed601bb06

SHA1
f12d72f429e4f6126efe3aab708d057e761bd53c

SHA256
114613b6e775967d70c998abbf651018a21acbd9ea84dd0f7582ead6a9f07289

SHA512
ab981251eb64fd4616d8c3278df3cdcebe93f86cc9382adb4967869b83a3f7e3315449e2f3c7edba33b55f15ead7d0a78d39f9a7bc48901904e6ac3c5e4b9f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b264446_Wed08a2ba1462b.exe

Filesize
381KB

MD5
996061fe21353bf63874579cc6c090cc

SHA1
eeaf5d66e0ff5e9ddad02653c5bf6af5275e47e9

SHA256
b9dad89b3de1d7f9a4b73a5d107c74f716a6e2e89d653c48ab47108b37ad699a

SHA512
042ea077acfc0dff8684a5eb304af15177c4e6f54c774471b8091669b1ab16833894ca7a52917f8a6bbeacbb6532db521cea61d70ac4c5c992cb4896083d6c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b5aba21_Wed085151cd67c.exe

Filesize
417KB

MD5
e8e0de01043b54d6ce2de2c3752dc3fc

SHA1
b6c6ff9860dbe3b2ad20d097a3cb9c650e405a7d

SHA256
63df07d507d5b3b5ec8d6d3612be4961ac580fee626225ed5d96b2e2aa42b7be

SHA512
eee15bc75ea631b061a9be06ab64e8962aa360a00c1e8e86dc29db151f26568ba07a6de1b1919a184e70ca3e199109f330e7a72e3622b9292809cebdcc7cb75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97b7d138f_Wed08265125ec1f.exe

Filesize
1.4MB

MD5
00be17b3ea546cf8979f85a96984ec67

SHA1
d9b65a136298371e7f03e36450e80ce17be73822

SHA256
313bbb16f06392209ad4aeb7752dd74a44bfd0424e69265e8f7f91b07ffa937c

SHA512
8131b6bcbfb1febdc9b9c4b3dd5395ea45d57184c869e091da1618b2b7f9445f9c06b451433c58a5a2711a3ce10fe4246a405d18fdeefb2f4a319c496b0a0794

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS029377F6\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFCE5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50C0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f78a19c.exe

Filesize
11KB

MD5
620bda3df817bff8deb38758d1dc668c

SHA1
9933523941851b42047f2b7a1324eb8daa8fb1ff

SHA256
b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3

SHA512
bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-09GU2.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-09GU2.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CQK13.tmp\61de97b264446_Wed08a2ba1462b.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NMN4APZX43JAFVUPT6XU.temp

Filesize
7KB

MD5
bf35594cd4cfb98d613dfaaa362f277c

SHA1
5e8d7bcc967a52bb268094b9edb915bf8c916252

SHA256
e0daf2fa7b96258ac08375a59555bc2411b96f040fe551e2e30ec34c5540b7ea

SHA512
c4b14da69e1be751e6297794b62a1ee8ff36b486634da499054c0531068aee3ce7b081227276931d56dfbef74150b195df1b25351ac1ae9757eb0575c0688e1c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS029377F6\61de97674ddca_Wed0880311af5e2.exe

Filesize
2.0MB

MD5
b17c27ce1b413fbcf5bedc16fd822d3f

SHA1
dcfaf9401aff2353285b47506cb42e3563059359

SHA256
cf937b910bcc349c6534ae3563c7c9512cd8819f847494efb2a3025bccff9f14

SHA512
c4f91cbef79961c8cf7bf83e7f7bf53b40d0339e4b170c20da1c671f673fc1f35067dcd0e35d6a979f76873a98d2100c967ea48aee3afc03d4184ab2a043e0da

Download Submit
\Users\Admin\AppData\Local\Temp\7zS029377F6\61de976cb6fa4_Wed08802a200.exe

Filesize
136KB

MD5
14d0d4049bb131fb31dcb7b3736661e7

SHA1
927d885f395bc5ae04e442b9a56a6bd3908d1447

SHA256
427ddd764ac020fc8a5f4a164cc8e1e282e8f53fc5ad34256b2aeb7fe8d68ca5

SHA512
bf0bf5337e2c2815f5f93f6006f2ac2742bb6d60324c7f3eedfbbe041c41ae9b2da1956417c467f668d71fc93c4835d4a81c961c04cbb286c887b99e82bb0994

Download Submit
\Users\Admin\AppData\Local\Temp\7zS029377F6\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS029377F6\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS029377F6\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS029377F6\setup_install.exe

Filesize
2.1MB

MD5
49aa22a74be9906940779cf37450ecd5

SHA1
257cb5d6c49acaa3161d6e24be21410f6f7c538b

SHA256
a99951ec6d87a441c397fdabce3557c437873aef61eee35f4b459281e6bf5ac3

SHA512
1e612fd9e54d60acafb93cdfdf48c871efcbd737b606e9a350b8333a162ab5f746170c7361eabaf7024569eeefc4379ddb41e49021bb22635f9a371dd78f3bca

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
5.9MB

MD5
fc3d693298f610faa5869d6740ec9b23

SHA1
2c4b72aa5678789b3b96a335aa239c1c37872125

SHA256
2d596cc06b63ba36208914b48a365c0609f7c4d0c73b7cf1afd42edcbbfca56f

SHA512
284a2c54d27845347af999ce5409bcd4060f2bd2b6c2a6cb1e702578cb29f6bbc45099b42e72d05c40d74feb8eab9d986a08c53e6ca0399245188718b8e594bc

Download Submit
memory/332-260-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/332-182-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/332-256-0x000000002D8B0000-0x000000002D963000-memory.dmp

Filesize
716KB

Download
memory/332-271-0x0000000002920000-0x0000000003920000-memory.dmp

Filesize
16.0MB

Download
memory/332-257-0x0000000000460000-0x00000000004FF000-memory.dmp

Filesize
636KB

Download
memory/1156-183-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1244-143-0x00000000029A0000-0x0000000002B74000-memory.dmp

Filesize
1.8MB

Download
memory/1408-252-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/1408-276-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/1440-168-0x00000000000D0000-0x0000000000270000-memory.dmp

Filesize
1.6MB

Download
memory/1440-493-0x0000000004EC0000-0x0000000004F18000-memory.dmp

Filesize
352KB

Download
memory/1560-268-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1588-270-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1672-129-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/1708-269-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1708-166-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1928-164-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1952-275-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2400-165-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2400-138-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2544-606-0x00000000012B0000-0x00000000012B8000-memory.dmp

Filesize
32KB

Download
memory/2704-515-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-224-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-222-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-220-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-232-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-230-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-229-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-228-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-226-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2884-246-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2884-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2884-237-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2884-236-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2884-235-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2884-234-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2884-233-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2884-71-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2884-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2884-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2884-248-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2884-247-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2884-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2884-244-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2884-241-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2884-240-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2884-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2884-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2884-238-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2884-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2884-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2884-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2884-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2884-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2952-150-0x00000000012D0000-0x000000000135A000-memory.dmp

Filesize
552KB

Download
memory/3024-251-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3024-149-0x0000000076AB0000-0x0000000076B5C000-memory.dmp

Filesize
688KB

Download
memory/3024-148-0x0000000074F90000-0x0000000074FD7000-memory.dmp

Filesize
284KB

Download
memory/3024-254-0x0000000074F90000-0x0000000074FD7000-memory.dmp

Filesize
284KB

Download
memory/3024-255-0x0000000076AB0000-0x0000000076B5C000-memory.dmp

Filesize
688KB

Download
memory/3024-146-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3024-339-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/3024-147-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3024-145-0x0000000000EB0000-0x0000000001084000-memory.dmp

Filesize
1.8MB

Download
memory/3024-551-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3024-144-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3024-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download