gh0strat | 9c359252c8c43fd884f3aa2577793b81bcd8222648351defee5fb0ee2418d6ef

Analysis

max time kernel
148s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe
Size

192KB
MD5

58b7158bdc6c028189fba27a6225cf8b
SHA1

6ff9427fd114a9614bd68f8653a3d1d235de47cd
SHA256

9c359252c8c43fd884f3aa2577793b81bcd8222648351defee5fb0ee2418d6ef
SHA512

a56eb7dc03edde71a1fb3f0dcae5142241d809bcbfc0fb221afc524bf988cb4861374d0065913b69bcbca7b2969043de96e75aa422f2fe4f266ef12211f92fb1
SSDEEP

3072:yibxUKA2LrBRTS2nO/bbeSnMPZHjgr8SXkK1AhnTGqD9SXLPVqYl:vbOK3Re/bb1MxH6zXkK+V9AbPVn

Score

10^/10

gh0strat bootkit defense_evasion discovery persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000600000001a489-616.dat	family_gh0strat
behavioral1/memory/2280-624-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2316-652-0x0000000000400000-0x0000000000430938-memory.dmp	family_gh0strat
behavioral1/memory/2280-1162-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe D:\\VolumeXX"	mshta.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	mshta.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2396	attrib.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2396	attrib.exe	58
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2396	attrib.exe	58

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1576	attrib.exe
2136	attrib.exe
1428	attrib.exe

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
2776	inlA095.tmp
2932	lieCF03.tmp
568	kilEA51.tmp
1596	19920306.exe
1340	920306.exe
2316	ftlhwvhmgr

Loads dropped DLL 13 IoCs

pid	Process
2356	cmd.exe
2356	cmd.exe
2616	cmd.exe
2616	cmd.exe
2600	cmd.exe
2600	cmd.exe
568	kilEA51.tmp
568	kilEA51.tmp
568	kilEA51.tmp
1340	920306.exe
1340	920306.exe
2280	svchost.exe
2476	rundll32.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	D:\VolumeXX\desktop.ini	mshta.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rpdcwbclpg	svchost.exe
File created	C:\Windows\SysWOW64\rxqvfefidb	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2932-77-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\920306.exe	kilEA51.tmp
File created	\??\c:\program files\ftlhwvhmgr	920306.exe
File opened for modification	\??\c:\program files\ftlhwvhmgr	920306.exe
File created	C:\Program Files\temp01\XX.exe	kilEA51.tmp
File opened for modification	C:\Program Files\temp01\XX.exe	kilEA51.tmp
File opened for modification	C:\Program Files (x86)\WinRAR\Formats\Date\E%SESSIONNAME%\kqhcb.cc3	ftlhwvhmgr
File opened for modification	C:\Program Files (x86)\TheWorld 3\TheWorld.ini	rundll32.exe
File created	C:\Program Files\Common Files\19920306.exe	kilEA51.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lieCF03.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kilEA51.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	920306.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftlhwvhmgr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inlA095.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2144	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001ab47e514f50ba4a94a6b14cbbb74a2900000000020000000000106600000001000020000000955b6c031c4265d93f94a0167bc67a3fa983c80b29343260f5d53bf42e41dc4e000000000e80000000020000200000006ee14e667a806f81764e9b14f6bbb9e49a902670862d91f3f87d1213a6408954900000003d73a4f546717e0e2b045e7555d8d94baa6966f1a02cd5c4ffdc612e9a47aaa025099f5cc6f94886df1861431d5216aefefc464e98e55873ef133257d3550a7994cd8834f5f0fad46b2ec5196ee775599296db0e7d80e4a7224528d02d51ba9601d7ddc889c8b3142f321de7b6f2db70095103b54964882013a473367cdc140356f0b3098842f2752558e7d71dfa376840000000e4f6862c3b6f6630bc75dfd4c4e3cd7eef453b73f0c949dd940b0c1c12c5ece862a44f3e61b07970cc922d3b670633ad34387e07461e1e21fd43e68b3cfdcbf3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0322F451-FB4E-11EF-ADEF-C2ED954A0B9C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0618fda5a8fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001ab47e514f50ba4a94a6b14cbbb74a2900000000020000000000106600000001000020000000a20f12f864a6a03e0203d1b70ddff4e28bcba802620691a05d6a5f395299651e000000000e8000000002000020000000089cac90a9b4e5c3e44085bf543a8452b197d88b396db4409a671d8b56d7906a20000000ded9c5f4957946edd5560a15a527786578727e83b5ab7a9a3a74509a3a3c318f4000000038441cc7bd107f9b3c31f182ecb237fe4d3a7591cf77a3af4109943e4fd8c55c7cdeb46fbcdbde64c4a61b289bca91b5bcc5c60c86b8a674737430b7153a6f94	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "447511663"	iexplore.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\IsShortCut	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\shell\open(&H)\command\ = "mshta.exe C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\NTUSER~1.HTA"	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\shell\open(&H)\command	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\shell	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F92DA15-A229-A4D5-B5CE-5280C8B89C19}\shell\open(&H)	mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2144	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2776	inlA095.tmp
568	kilEA51.tmp
2316	ftlhwvhmgr
2280	svchost.exe
2280	svchost.exe
2776	inlA095.tmp

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe
Token: SeRestorePrivilege	2316	ftlhwvhmgr
Token: SeBackupPrivilege	2316	ftlhwvhmgr
Token: SeBackupPrivilege	2316	ftlhwvhmgr
Token: SeRestorePrivilege	2316	ftlhwvhmgr
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeSecurityPrivilege	2280	svchost.exe
Token: SeBackupPrivilege	2280	svchost.exe
Token: SeRestorePrivilege	2280	svchost.exe
Token: SeIncBasePriorityPrivilege	2776	inlA095.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2372	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2372	iexplore.exe
2372	iexplore.exe
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2356	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	30
PID 3044 wrote to memory of 2356	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	30
PID 3044 wrote to memory of 2356	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	30
PID 3044 wrote to memory of 2356	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	30
PID 3044 wrote to memory of 1128	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	32
PID 3044 wrote to memory of 1128	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	32
PID 3044 wrote to memory of 1128	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	32
PID 3044 wrote to memory of 1128	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	32
PID 3044 wrote to memory of 2916	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	34
PID 3044 wrote to memory of 2916	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	34
PID 3044 wrote to memory of 2916	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	34
PID 3044 wrote to memory of 2916	3044	JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe	34
PID 1128 wrote to memory of 2732	1128	cmd.exe	36
PID 1128 wrote to memory of 2732	1128	cmd.exe	36
PID 1128 wrote to memory of 2732	1128	cmd.exe	36
PID 1128 wrote to memory of 2732	1128	cmd.exe	36
PID 2356 wrote to memory of 2776	2356	cmd.exe	37
PID 2356 wrote to memory of 2776	2356	cmd.exe	37
PID 2356 wrote to memory of 2776	2356	cmd.exe	37
PID 2356 wrote to memory of 2776	2356	cmd.exe	37
PID 2776 wrote to memory of 2616	2776	inlA095.tmp	40
PID 2776 wrote to memory of 2616	2776	inlA095.tmp	40
PID 2776 wrote to memory of 2616	2776	inlA095.tmp	40
PID 2776 wrote to memory of 2616	2776	inlA095.tmp	40
PID 2776 wrote to memory of 2372	2776	inlA095.tmp	42
PID 2776 wrote to memory of 2372	2776	inlA095.tmp	42
PID 2776 wrote to memory of 2372	2776	inlA095.tmp	42
PID 2776 wrote to memory of 2372	2776	inlA095.tmp	42
PID 2372 wrote to memory of 1044	2372	iexplore.exe	43
PID 2372 wrote to memory of 1044	2372	iexplore.exe	43
PID 2372 wrote to memory of 1044	2372	iexplore.exe	43
PID 2372 wrote to memory of 1044	2372	iexplore.exe	43
PID 2616 wrote to memory of 2932	2616	cmd.exe	44
PID 2616 wrote to memory of 2932	2616	cmd.exe	44
PID 2616 wrote to memory of 2932	2616	cmd.exe	44
PID 2616 wrote to memory of 2932	2616	cmd.exe	44
PID 2932 wrote to memory of 2968	2932	lieCF03.tmp	45
PID 2932 wrote to memory of 2968	2932	lieCF03.tmp	45
PID 2932 wrote to memory of 2968	2932	lieCF03.tmp	45
PID 2932 wrote to memory of 2968	2932	lieCF03.tmp	45
PID 2968 wrote to memory of 2144	2968	cmd.exe	47
PID 2968 wrote to memory of 2144	2968	cmd.exe	47
PID 2968 wrote to memory of 2144	2968	cmd.exe	47
PID 2968 wrote to memory of 2144	2968	cmd.exe	47
PID 2776 wrote to memory of 2600	2776	inlA095.tmp	49
PID 2776 wrote to memory of 2600	2776	inlA095.tmp	49
PID 2776 wrote to memory of 2600	2776	inlA095.tmp	49
PID 2776 wrote to memory of 2600	2776	inlA095.tmp	49
PID 2600 wrote to memory of 568	2600	cmd.exe	51
PID 2600 wrote to memory of 568	2600	cmd.exe	51
PID 2600 wrote to memory of 568	2600	cmd.exe	51
PID 2600 wrote to memory of 568	2600	cmd.exe	51
PID 568 wrote to memory of 1596	568	kilEA51.tmp	52
PID 568 wrote to memory of 1596	568	kilEA51.tmp	52
PID 568 wrote to memory of 1596	568	kilEA51.tmp	52
PID 568 wrote to memory of 1596	568	kilEA51.tmp	52
PID 568 wrote to memory of 1340	568	kilEA51.tmp	54
PID 568 wrote to memory of 1340	568	kilEA51.tmp	54
PID 568 wrote to memory of 1340	568	kilEA51.tmp	54
PID 568 wrote to memory of 1340	568	kilEA51.tmp	54
PID 1340 wrote to memory of 2316	1340	920306.exe	55
PID 1340 wrote to memory of 2316	1340	920306.exe	55
PID 1340 wrote to memory of 2316	1340	920306.exe	55
PID 1340 wrote to memory of 2316	1340	920306.exe	55

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2136	attrib.exe
1428	attrib.exe
1576	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_58b7158bdc6c028189fba27a6225cf8b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\inlA095.tmp
    C:\Users\Admin\AppData\Local\Temp\inlA095.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\lieCF03.tmp
        
        C:\Users\Admin\AppData\Local\Temp\lieCF03.tmp
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 88.99.00.00
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2144
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta"
        7⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Drops desktop.ini file(s)
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER~1.DAT,MainLoad
        8⤵
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2476
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://tc.92mh.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1044
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\kilEA51.tmp
        
        C:\Users\Admin\AppData\Local\Temp\kilEA51.tmp
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:568
      - C:\Program Files\Common Files\19920306.exe
        
        "C:\Program Files\Common Files\19920306.exe"
        6⤵
        Executes dropped EXE
        
        PID:1596
      - C:\Program Files\Common Files\920306.exe
        
        "C:\Program Files\Common Files\920306.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        \??\c:\program files\ftlhwvhmgr
        
        "C:\Program Files\Common Files\920306.exe" a -sc:\program files\common files\920306.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlA095.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\attrib.exe
attrib +s +h "D:\RECYCLERMD4"
1⤵
- Process spawned unexpected child process
- Sets file to hidden
- Views/modifies file attributes
PID:1576

C:\Windows\system32\attrib.exe
attrib +s +h "D:\VolumeXX\desktop.ini"
1⤵
- Process spawned unexpected child process
- Sets file to hidden
- Views/modifies file attributes
PID:2136

C:\Windows\system32\attrib.exe
attrib +s +h "D:\VolumeXX"
1⤵
- Process spawned unexpected child process
- Sets file to hidden
- Views/modifies file attributes
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ftlhwvhmgr

Filesize
24.2MB

MD5
deced6e44f9bd926a05b8edc3455aa2c

SHA1
628abf6a81a0136f14a6039b0c458f8041b987d4

SHA256
1f11f63a4609abfa0926c4652a9ac1aa6da80dd5c6bc7e8db74905fefdde3825

SHA512
d506b68c79a053bb88d2ecad56b93031cd3c0efa7c89123110a177a0c3c0c36965a9902528cba05f5374e5c82a089d34f2bc83719b7d993a7af218974e5a2ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1a986277dc9fc43bf8f959d62cbdb53

SHA1
e594d130f1a9a3aa7c94a9acc53e6cd3edada8fe

SHA256
dae7ca080f0945e3a48a6c19c56c53c4e8369c1227a8dcd06b49945cc4b2335f

SHA512
5554baa24ecef007e793c076a4508fccbe8e0c6a9992107a048df0b1283957a111f7a40a1d62466c8a105cf56ca47f71c4aba6dbad8b5174cb4c829c846a259c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e0f4a5e16e40a7f05bde706a0b1fa1d

SHA1
ff5a5fa5345c1fa30825da66938c8075ff2db364

SHA256
368cdf8b57c561673476d82731571c6df2010dbfd4a5462b66d48a03cd2c3252

SHA512
b6de2d1d7c1f7ecca59a523523d844d4edcedc21bf5cca56c42dcab4643774724eb5f6c38835e08a075af6950b7f61b84b0043c9ec37da14e1ebc7525adf9ada

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0725c57581c385b570acd387298f360

SHA1
152e8ef4b52f2a002a15d23d69efab2bb6475009

SHA256
923168da2d282ba5b4a2669bb926531f6c7fb9087b0ec2e958f25f47883e3c91

SHA512
8a243ac397ef743e7c12e41bbc37b292087543fdec53c294585eb0f718775d66bcb00a4cc2a5842128a3cc1b0f522bf60a376c3a24490cb11a1c45b1a5236e2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
727f2fe20a0b64c9b3a9dc6c93511db0

SHA1
d8758298213915f5142578de1844ed3c656151a1

SHA256
d053a9f955517bcca069a85d196a4989670d3c5adb1b2d14bd86d1fa3581e10c

SHA512
8120dff3a303b112eec3b9742ad6d61033416836b7d6ec7cb5d5c0c200bbb521988587a639f0736b107750cd9bf021eba433ad37bcfea31fb386005c462e0a15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
252e17f66746674a14aaec05d9a3e008

SHA1
4cc0c0529b9a34779fb520303a5d35a5bf6b047c

SHA256
752dd3f0260a866459f5bc5111d0ddbb6bde9c5dcbcf3d2c420e525c2029342e

SHA512
b7c1cfc4f27bfefce351a47682dbbfdbb63be9145204051327a37f325fca1d212958693c68c3f4b674085498e3a3f50376ba2968598842f6afc3bd4ce45524ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
170eab2ce1310cdc185f2633b007fb90

SHA1
bcecbadcd34b36fce2e41d639a581ec99e911b92

SHA256
a30db2f58eb0505024236cbf1e18390327303e1c47eddaa43ea7dbb907d3a343

SHA512
51f336ce1d1d25fac9a85b644820f627ef8b1a76c2609b4403912b45e449b6c930707b4ae3bdace8930e167048eb9bc7f2badb555ed616dc80e3354f0d6becf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4583a1495e785f48ba056dfb130e21ca

SHA1
c222a5b410186440687c9f56658421fc94c768ab

SHA256
46df5bc84fb2d03d3574bc5c2781df5c10fa10b80836e9d1ad1e5198c4f01778

SHA512
257197c721232ba817f618ef2383d1b9994d7b2081e05d167a154ac6a7e695b1fd8a12ec8768be4756b45c00f9481aca101cbf6f36526c5904b3b22ce997809f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
134ca1697e3220b95d90afd29b1bff6f

SHA1
1398bbc88ed8d1b70e0cba7d1c8e6ed77b05df56

SHA256
5ad89b3c815ee21864c360b927da11015a45bfd032af6548e7c3fb7ac8d5e863

SHA512
347a599298fb13731ac9cb93addcffb17ba32a1f5165955e99179d74df3582e69703281512a6c6acb4260f5cc9e0d966565df0207f72177bdb715290a72d801f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aee8ba263573d00ef4cab50d38d8209b

SHA1
60b3d84c430626276f0ff24b30be329b7300c2bb

SHA256
19735b2ef97f440b14486d132ed7a7269420099d00af1609c533a58c605c6ca2

SHA512
a96fecb8f4327f30d9e7ccf6874a54ae3e39a903e7e1ef9e6e83b8e0a7b9db109150c3b919cd484f3b4ba95678cc3542e1d4da5b7d25fc70eb194bd948d71c15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4beb4ccc4889af072c50f90de22b0c50

SHA1
b1fa9511da77daac2e6abfa0cae0bbfce052114e

SHA256
99f7127d9633ac31fd8dc907be5c19d218f3733dc92c542276d094d145047bbe

SHA512
3064493126b65b2ca22cf8948e75907fb8232dbc9b28eebfbbcd830f088a9ba980c4ac88a2aaa1379050eb6ff9de99bebdb4c890b564b71c6d45648320625f2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dbe95a9d42bd4231c870ad5ffcaae644

SHA1
be78aa5b1344d3733df1c2f2c0c26fd906b4001d

SHA256
0492e6edc45bc4620967e4d68f206d5847e9caeb247ff93e20f72ed165f8a6ce

SHA512
33b484beea20cea1ba9e99658d04ab257dcdc8d9a604b672746911c631e85cc226a5bd4c86ae2eb0ac48b89160d7105e063f69554544a83577acbf1d6b7eb705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21dbaf1e3d2ef7a6f87bf573a6b1f9d8

SHA1
ab0737d5b512263a4377e56eb557685298a005f0

SHA256
cfbd85eb464e73742d5ec7db10f8a5eea194287e9689f97a057f10b832481c0d

SHA512
1d446a121fc99d19ccfe6f9267bd351fea1ed5eb8f2e75a945918a039258d76763e1b56d20b819dd668d9112e09c2d40e6254b0619e97d4bf5b63320a29d2ec7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3847f5ceb1aadf4cd0c9170ee4331df

SHA1
16e70fa1342b8b7ecbb62c23edd292b8f8ca7e48

SHA256
626f74b8bb845c579d09881f99f13ff23aeb741626dedbd53f1a31f2a076816c

SHA512
b92e8233833f449a196cec54eddf00a3ee18f39fc0f8fbd2bb6c165e140099fde15c48c3499190216f15a3b8998ae90aabd744c9a7e00241992eb1fcc4efa1e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2fe816ec5d337c743d74afbb9dc77bc

SHA1
e0e619d2df7a5d25915ed100a3b15164f6e5f733

SHA256
84b9dac491e57cf988186954b08ae7c432e30ad87f8d91736d8aea26474ce280

SHA512
009e2454744220927a916eae17b715b1e6168eb58148e26a4d28862c48ed6a88efbd238b817cb687af473ea882feace771b78eb88097e2dc019cc34efd6af301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac7efd88371a4b1d78ffa7acb6376b57

SHA1
349d335045069140dc53e5166ffaf4acce727bb4

SHA256
d9abb69fab61e5eebcb6350b2b168317bd7e2b79a6bcb453fc73d05bda5f516e

SHA512
eddff7907a49715904afc229687dc45e5b3b3681c0d3c3644ec26da26278af053f6a4006a3c30533c23b65abae3886c3e61ba636c89492fef99a0b5d61c74184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
364fd12ba0f582511291fe5d2cf21739

SHA1
a89f125c386c8898b66fe15f8c1b6e10ddd0ccfa

SHA256
5a15d9cee98187b07a09447e298ef21422b23de0e12874d86fc26c24c9e4555f

SHA512
8dc5081a98fa2889994b49487710351527adeff9f1a6cea0c92efdf15f7180ef2e7573e1cfd6619d31b782e5b701254031d290fd5194e98d1236740a8422ff06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2533536feb41a534af5134152e2a0cf2

SHA1
b916fbffd24f422ade4bfcb4a7197951653cc38e

SHA256
8f765ffced244a22a7bbd7d02d7bfea5f3ac4904939f47cee4466f0347ee0327

SHA512
deb85099d513ab5759c58615d4711cfa87b2ef300dde47eb21840873472a681b887ed40a7b9b9084ef87e1987f94758d76c82b3ccf3b68bc9670760f86170d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
934e61e239ab2d3a14ae985dd72b8140

SHA1
5994f777aaabfb440bf8258308f88e0d3a4d6b0e

SHA256
5fa701fdd5973a07c86ab7d6f2b4fcf102bbdba5236d900f5b3fe68df46a228c

SHA512
19db78089b9b6e584f9942e26434b78c4d79ec4992ef8ecfb54663d3b67f9ff6118932c36cf0c46a2cebdf7a5790071115afdb3ad831bae084da3055e647f1f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2502884ab02c4de98e54fe80af910c12

SHA1
1688111d78bea916939878f8a9b0e37427cfa078

SHA256
c5df87d20e9e5c6bae0868bb09c46322b10d5ec865f4277bb54c261694b4a890

SHA512
365a024120169b91c23480124fc127cf2c3d2983543826cb51415c19651b7ded09defbb3c8db9f40809e35506b9fe5e426628f80b2490199853237bfc704ccbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d022440527a5579125e0cbce23db98a

SHA1
7ba06b3c6e958767f81f19c94997ea01ab342538

SHA256
15dd8d88b9c58a780837ac7e9e5d6df94be4b8148941b27f6b43c3650e08b279

SHA512
00897b1ef3f0b09d4bb7de5e0e4b1ad3882c55c1061182a454702a6a0aff277479b79a6216c805433bf1227208e6a419c57e9fec11294eb86c93f6283ade2738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c33da0d8cac8842664a930f68041d427

SHA1
0ee79bbe9c8d2f99c8d60177c45566a0374b6701

SHA256
1aa0b39c3814d1de0cf26379177254bbd3d13a4c0ea57085ce500303aeb234eb

SHA512
af40363c831fed4201cc1804048cf023ac3769f0771fd266e75cdc2b83ec6637f79bb4484e2f8fb830a1dacaa71c6f34e1a2938d65629af11776e7427fac4d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1ac3da57e7fdbafbe616712509eeed52

SHA1
95c2205f1157467ef9c7342331c2c0c592ac00ee

SHA256
30f7e2aed8c23a34f570dbcd9ed2bf65094305e2afba6cae115b4bc26de83df2

SHA512
d96c82e0d2f96d657cf489d797c1f8b68962f1a4d9cadb9162cd71089e8f0684724ec09896feaefef438148b559adc6b426049c2a184174b1a1bbdb36e43873a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFA88.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFBA8.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
57B

MD5
3d87940a861a18f21a4fd54f13df0a02

SHA1
5ddba3ff8d37a41e27f6f6f67738070e2ee59d89

SHA256
c6e605ef6e5de05780af40a6e102b06166c2b5a8fa7df162ee2ec7390de6d375

SHA512
f3a9949a7453a4d35ee3c75fb3c411ec4f12a4205d324f8c03bb8c9906c54f792db810083094884e81e9ce88d8f18c7d31129a356ff160b6f34d495bbdfc82cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

Filesize
45B

MD5
5f4500b9d1468c30305233078da08060

SHA1
182a636bbc6214ad5a85894d1b23e3e78c76ac7d

SHA256
d7ddc4e3a3d803e169429f1ac08ec8e76e5646dabb053af2a4b7c65b253ee6a3

SHA512
bfdda6f8d0a692bd56ccd8b7bf4035e562d4cfc8d9a1a3daa9e76374a212cf3ebd5e6efc32878e84dba2e7f1ae018d470aafeb1b650e94ab0fd3530def27bb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_lk_file.bat

Filesize
45B

MD5
dd042f218aa6f27480b663f67d10b0e1

SHA1
9b14b9cb006f0722a6d7b1fd9d05ec449f3b7265

SHA256
5289a902afee6d431c366055dfe27a39e3b5ecf3c496c3379f61ee4a818949cf

SHA512
2ca636aee1b3ddf178a5dfeee0e997ee38cc7912ad19542639ff64a96bbaf9efa5f822ae8e1efc0b689689855c846419dc656ba34c74f8e32191274f9f9b320d

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_rlh_tmp.bat

Filesize
70B

MD5
edea5cd5060d69b6c558fea75e330a67

SHA1
929e7c5ca8c300a98ac6833d0e8fa912ca9fa5dd

SHA256
1ed1bc8bfd84479497b2c1e3d0ca1df56eb2f3d82a68862e8b50eead06889b39

SHA512
adbe14c811b915972709530049bb6934eacead6c5d19243ecea07abdd6c93aeede3fcae99f6419fb7ca1b2394dcef19e642be36f22c572de01b069dac2b4aa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\NTUSER_LOG.hta

Filesize
7KB

MD5
d533fbcf6eec4c957935d4e81fbfcb56

SHA1
2fabf149662dadb7236766fa111e33990baa5def

SHA256
441f1948e33f12dd65b3f69dfdf34cfe3a3ab8c0cfbb32aa5502704386e5cdd4

SHA512
10f105a4c40dcac0a28f3f547850f9237a0f69158990dccaa198b3fd8d84b6f6c26c7c9e8ba353d813b80eaf98b8f620bb0e79bcbcdedde8b8c06906ba6f791b

Download Submit
\??\c:\program files (x86)\winrar\formats\date\e%sessionname%\kqhcb.cc3

Filesize
19.1MB

MD5
5dd69b567a20adab596e558b10b85211

SHA1
d20041a97d78919c85ba27201da4dbd6d4ec7591

SHA256
1d926a39815e50c2b4fe90d40ed6fe47a6f77080e8118cd4be30050e3b4300fc

SHA512
0f8673c7ed63861e0b98f1d4a2418a7eef6e80414ff3a237a096b0d4cd9e3a7a31264813d1e525eb24255555a42f4b85d217d48665b7ff76fd1a056a13f44d94

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
\Program Files\Common Files\19920306.exe

Filesize
24.1MB

MD5
118b854ed9c12f933eea3e7f3543a5bc

SHA1
5f98f1c30d3f4365300619005a25982a08b7287d

SHA256
31648e1312d55e3b6562a26115b9200779540870bb3845aec23ce82ee4d1607d

SHA512
c6abebce808c05c7f4abe44b11ccd4937793ab62434f85829c325dc4a34d7b827520269dbcf4ff162f129336a6734a486ed9c86174a26de1b5f81a8b348e14d9

Download Submit
\Program Files\Common Files\920306.exe

Filesize
24.2MB

MD5
e8fc6455d8e7d3db90dfcad4fae094c7

SHA1
a5ac7f51e05ef1588fcea2bb3b8c34f5c0deda0e

SHA256
0981d04d3303ea05e4030087b715c66662b3b1bdd89147fd2031cc788e609c51

SHA512
f5c2043bab27b195252fdb323517b206c15eb0adb441e6053bd6ed57e532cd3f3fcdb938ef85dd7229c3d1c62c467aab74f2aa4aa7b41e3ccec68a21689a46ec

Download Submit
memory/568-110-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/568-620-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/568-594-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/568-598-0x0000000000230000-0x0000000000261000-memory.dmp

Filesize
196KB

Download
memory/568-622-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1340-601-0x0000000000400000-0x0000000000430938-memory.dmp

Filesize
194KB

Download
memory/1340-611-0x0000000000400000-0x0000000000430938-memory.dmp

Filesize
194KB

Download
memory/2280-624-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2280-1162-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2280-658-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2316-652-0x0000000000400000-0x0000000000430938-memory.dmp

Filesize
194KB

Download
memory/2316-613-0x0000000000400000-0x0000000000430938-memory.dmp

Filesize
194KB

Download
memory/2356-38-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-672-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2356-673-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-663-0x000000006A6C0000-0x000000006A6CC000-memory.dmp

Filesize
48KB

Download
memory/2600-109-0x00000000001E0000-0x0000000000231000-memory.dmp

Filesize
324KB

Download
memory/2600-106-0x00000000001E0000-0x0000000000231000-memory.dmp

Filesize
324KB

Download
memory/2616-75-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2776-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-61-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2776-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-41-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2776-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-77-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3044-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3044-31-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3044-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3044-8-0x0000000003780000-0x0000000003790000-memory.dmp

Filesize
64KB

Download
memory/3044-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download