Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 13:10
Static task: static1
Behavioral task: behavioral1
Sample: 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Resource: win7-20240215-en
General
Target: 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Size: 2.1MB
MD5: 0542cb3043d9c1028ad7be3833c2ef70
SHA1: a43eb526228612051a711f3eaac0788e7fb2a847
SHA256: 165e6b5a529a2a7be03d5b4f81623687e903cd1e8f3460579344511089d4b666
SHA512: 969247b7e8fb29d35710c49a4f984e3e56aec97bf0c2cc1a657e9e5aae8b822dd845f222fbd19e85e4691eb87770f5a822fefafc73dc11cb6789856cc692aa7c
SSDEEP: 49152:HsUUiXXiCcYM+RKnycr0/ghhYW2CEvyie+qQup+:HtXiCVRL+HR2j6+
Malware Config
Signatures
Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity. No IoC rows are attached to this signature in the report, so the process that performed the lookup is not identified here.
Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid | process
2520 | netsh.exe
2532 | netsh.exe
The netsh command lines are not reproduced in this report, so whether these two invocations added firewall exceptions for the dropped binaries or changed a profile cannot be determined from this page alone.
ACProtect 1.3x - 1.4x DLL software (3 IoCs)
Detects file using ACProtect software.
resource | yara_rule
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\md5dll.dll | acprotect
behavioral1/memory/2972-13-0x00000000002F0000-0x00000000002F9000-memory.dmp | acprotect
behavioral1/memory/2972-15-0x00000000002F0000-0x00000000002F9000-memory.dmp | acprotect
The same three resources also match the upx rule further down. md5dll.dll sits in the installer's NSIS plugin temp directory (nsoB29.tmp), and packer-signature rules for ACProtect and UPX commonly overlap, so treat the ACProtect hit as unconfirmed until the DLL's packer has been checked by hand.
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SoftwareDetector.exe
(the row above appears three times; three SoftwareDetector.exe instances ran, pids 2036, 944 and 1824)
SystemBiosVersion carries the firmware vendor string, so hypervisor names such as VBOX, VMware or QEMU in it are a standard virtual-machine tell.
Executes dropped EXE (17 IoCs)
pid | process
2036 | SoftwareDetector.exe
1204 | sqlite3.exe
2476 | storageedit.exe
764 | Updater.exe
1184 | updater.exe
908 | updater.exe
2924 | updater.exe
280 | updater.exe
944 | SoftwareDetector.exe
1824 | SoftwareDetector.exe
3068 | FrameworkEngine.exe
2496 | pwdg.exe
2872 | proc.exe
2492 | updater.exe
2440 | updater.exe
2388 | updater.exe
2876 | updater.exe
(Updater.exe and updater.exe are listed with the capitalisation the sandbox reported; the Program Files listing below shows an updater.exe dropped both at Bench\Updater\ and at Bench\Updater\1.7.0.0\.)
Loads dropped DLL (37 IoCs)
Load events per process, in the order the sandbox listed them:
pid | process | entries
2972 | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe | 24
2276 | cscript.exe | 4
1184 | updater.exe | 1
2924 | updater.exe | 1
2728 | cscript.exe | 1
3028 | regsvr32.exe | 1
1676 | regsvr32.exe | 1
2164 | regsvr32.exe | 1
2496 | pwdg.exe | 1
2492 | updater.exe | 1
2440 | updater.exe | 1
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC rows are attached to this signature in the report. The dropped sqlite3.exe (pid 1204) and storageedit.exe (pid 2476), both launched by the installer's cscript.exe stage (see the WriteProcessMemory section), are the obvious candidates, since browser profile stores are SQLite databases, but the report does not say which process triggered it.
Registers COM server for autorun (1 TTP, 6 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO64.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO64.dll" | regsvr32.exe
Both CLSIDs ({38A83375-...} is the BHO, {DE4DD492-...} the toolbar) are pointed at the 64-bit FrameworkBHO64.dll in the native Classes hive. The Wow6432Node entry for {38A83375-...} listed under "Modifies registry class" below points at the 32-bit FrameworkBHO.dll instead, so both the 32-bit and the 64-bit iexplore.exe load the extension.
UPX packed file (yara rule upx, 3 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\md5dll.dll | upx
behavioral1/memory/2972-13-0x00000000002F0000-0x00000000002F9000-memory.dmp | upx
behavioral1/memory/2972-15-0x00000000002F0000-0x00000000002F9000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Browser Protect | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Browser Protect-repairJob = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Browser Protect\\repair.js\" \"Browser Protect-repairJob\"" | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Communicator Watcher = "C:\\Program Files (x86)\\Bench\\Proxy\\pwdg.exe" | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Settings Cleaner = "C:\\Program Files (x86)\\Bench\\Proxy\\cl.exe" | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
The value of the first RunOnce entry is not shown in the report. RunOnce entries execute once at the next logon (here a wscript.exe run of repair.js from the user's AppData\Local), while the two Run entries start pwdg.exe and cl.exe at every logon. pwdg.exe, started from the Run key, is the process that later enables SeDebugPrivilege and enumerates processes (see the Suspicious behavior sections below).
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 6 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}\NoExplorer = "1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}\ = "Browser Protect BHO" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}\NoExplorer = "1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}\ = "Browser Protect BHO" | regsvr32.exe
NoExplorer = 1 tells Windows Explorer (explorer.exe) not to load the BHO, so the DLL is loaded only into Internet Explorer. The BHO is registered in both the native and the Wow6432Node hives, matching the two InprocServer32 targets noted above.
Maps connected drives based on registry (3 TTPs, 6 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | SoftwareDetector.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | SoftwareDetector.exe
(this pair of rows appears three times)
Disk\Enum\0 holds the device instance string of the first disk, which embeds the drive's vendor and model; on a virtual machine that string typically names the hypervisor's virtual disk.
Drops file in Program Files directory (64 IoCs)
File created by 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe (61 files, in the order listed):
C:\Program Files (x86)\Bench\Proxy\pwdg.exe
C:\Program Files (x86)\Browser Protect\FrameworkEngine.exe
C:\Program Files (x86)\Browser Protect\AppFramework\jquery.min.js
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\middle-left.png
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\tail-bottom.png
C:\Program Files (x86)\Bench\Proxy\cl.exe
C:\Program Files (x86)\Browser Protect\framework-ui\notification.html
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\bottom-right.png
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\middle-right.png
C:\Program Files (x86)\Browser Protect\framework\message_target.js
C:\Program Files (x86)\Browser Protect\framework\messaging.js
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\tail-right.png
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\top-right.png
C:\Program Files (x86)\Browser Protect\AppFramework\appAPI_browseraction.js
C:\Program Files (x86)\Browser Protect\AppFramework\appAPI_common.js
C:\Program Files (x86)\Browser Protect\framework\lang.js
C:\Program Files (x86)\Browser Protect\framework\userscript_engine.js
C:\Program Files (x86)\Browser Protect\framework-ui\context_menu.js
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\bottom-middle.png
C:\Program Files (x86)\Browser Protect\FrameworkBHO64.dll
C:\Program Files (x86)\Browser Protect\CanvasFramework\webrequest.js
C:\Program Files (x86)\Browser Protect\framework\console.js
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\top-middle.png
C:\Program Files (x86)\Browser Protect\icons\icon100.png
C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
C:\Program Files (x86)\Browser Protect\framework\global.js
C:\Program Files (x86)\Browser Protect\framework\utils.js
C:\Program Files (x86)\Browser Protect\framework-ui\options.js
C:\Program Files (x86)\Browser Protect\framework-ui\browser_button.js
C:\Program Files (x86)\Browser Protect\framework-ui\notifications.js
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\tail-left.png
C:\Program Files (x86)\Browser Protect\icons\icon128.png
C:\Program Files (x86)\Browser Protect\framework\framework.js
C:\Program Files (x86)\Browser Protect\framework\i18n.js
C:\Program Files (x86)\Browser Protect\framework\xhr.js
C:\Program Files (x86)\Browser Protect\framework\userscript_client.js
C:\Program Files (x86)\Browser Protect\framework-ui\framework_api.js
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\top-left.png
C:\Program Files (x86)\Browser Protect\extension_info.json
C:\Program Files (x86)\Browser Protect\CanvasFramework\canvasscript_engine.js
C:\Program Files (x86)\Browser Protect\framework\json2.js
C:\Program Files (x86)\Browser Protect\framework\storage.js
C:\Program Files (x86)\Bench\Updater\updater.exe
C:\Program Files (x86)\Browser Protect\background.html
C:\Program Files (x86)\Browser Protect\icons\icon48.png
C:\Program Files (x86)\Bench\Proxy\proc.exe
C:\Program Files (x86)\Browser Protect\CanvasFramework\registry.js
C:\Program Files (x86)\Browser Protect\framework\timer.js
C:\Program Files (x86)\Browser Protect\FrameworkBHO.dll
C:\Program Files (x86)\Browser Protect\AppFramework\appAPI_content.js
C:\Program Files (x86)\Browser Protect\CanvasFramework\md5.js
C:\Program Files (x86)\Browser Protect\framework\io.js
C:\Program Files (x86)\Browser Protect\framework\legacy.js
C:\Program Files (x86)\Browser Protect\framework-ui\ui_base.js
C:\Program Files (x86)\Browser Protect\framework\invoke_async.js
C:\Program Files (x86)\Browser Protect\framework-ui\context_menu_item_handler.html
C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\bottom-left.png
C:\Program Files (x86)\Browser Protect\icons\icon32.png
C:\Program Files (x86)\Browser Protect\AppFramework\appAPI_bg.js
C:\Program Files (x86)\Browser Protect\framework\backgroundscript_engine.js
C:\Program Files (x86)\Browser Protect\framework\browser.js
File created by updater.exe:
C:\Program Files (x86)\Bench\Updater\products.xml
File opened for modification by updater.exe:
C:\Program Files (x86)\Bench\Updater\products.xml
File opened for modification by cscript.exe:
C:\Program Files (x86)\Browser Protect\extension_info.json
Two separate components are installed: the Browser Protect tree (FrameworkBHO.dll, FrameworkBHO64.dll, FrameworkEngine.exe and the framework, framework-ui, AppFramework and CanvasFramework script directories, the layout of a Kango-framework Internet Explorer extension, matching the IKango* interface names registered below) and the Bench tree (Proxy\pwdg.exe, cl.exe, proc.exe and the Updater directory), which has its own Run keys and scheduled tasks.
Drops file in Windows directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Tasks\bench-S-1-5-21-2248906074-2862704502-246302768-1000.job | updater.exe
File created | C:\Windows\Tasks\bench-sys.job | Updater.exe
File created | C:\Windows\Tasks\bench-S-1-5-21-2248906074-2862704502-246302768-1000.job | updater.exe
.job files under C:\Windows\Tasks are legacy (Task Scheduler 1.0) scheduled tasks. One is keyed by the Admin account's SID, the other is named bench-sys; together they give the Bench updater a persistence path independent of the Run keys.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (2 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Browser Protect\uninstall.exe | nsis_installer_1
\Users\Admin\AppData\Local\Browser Protect\uninstall.exe | nsis_installer_2
Modifies Internet Explorer settings (24 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1" | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\AppPath = "C:\\Program Files (x86)\\Browser Protect\\" | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF} | FrameworkEngine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\AppName = "FrameworkEngine.exe" | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1" | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{DE4DD492-A84F-44C7-9E0A-627F75FB077B} = "Browser Protect" | regsvr32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF} | FrameworkEngine.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\Policy = "3" | FrameworkEngine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\AppName = "FrameworkEngine.exe" | FrameworkEngine.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\Policy = "3" | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | regsvr32.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\AppPath = "C:\\Program Files (x86)\\Browser Protect\\" | FrameworkEngine.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000" | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{DE4DD492-A84F-44C7-9E0A-627F75FB077B} = "Browser Protect" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | regsvr32.exe
Three of these changes matter for the browser's security posture. FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = 1 switches off Internet Explorer's built-in URL security (zone) manager for iexplore.exe itself. The Low Rights\ElevationPolicy entry with Policy = 3 tells Protected Mode to launch FrameworkEngine.exe from C:\Program Files (x86)\Browser Protect\ at medium integrity without prompting the user. FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = 10000 only sets IE10 standards mode for the WebBrowser control that FrameworkEngine.exe hosts. The Toolbar entries register {DE4DD492-...} as an IE toolbar named "Browser Protect".
Modifies registry class (64 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\ = "IKangoToolbar" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkEngine.exe" | FrameworkEngine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Browser Protect" | FrameworkEngine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\ = "IKangoEngine" | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\TypeLib\ = "{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}" | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\TypeLib\ = "{8895BD83-6818-429F-A43D-B52C8EA427C7}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Version | regsvr32.exe
Key created |   \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Implemented Categories | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACB80168-4368-49B4-8509-538445F4C391}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Browser Protect\\FrameworkEngine.exe" | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\TypeLib | FrameworkEngine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\FLAGS\ = "0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\ = "IKangoEngine" | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACB80168-4368-49B4-8509-538445F4C391}\Version | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291} | FrameworkEngine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Version\ = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\ = "Browser Protect" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\0\win32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Version\ = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Version | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\1.0\0\win32 | FrameworkEngine.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Browser Protect" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO64.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACB80168-4368-49B4-8509-538445F4C391}\Programmable | FrameworkEngine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACB80168-4368-49B4-8509-538445F4C391}\Version\ = "1.0" | FrameworkEngine.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ = "IKangoBHO" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\TypeLib\ = "{8895BD83-6818-429F-A43D-B52C8EA427C7}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Version\ = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Implemented Categories | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Implemented Categories | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\ = "Browser Protect BHO" | regsvr32.exe
Reading the GUIDs together: {38A83375-...} is the BHO class (IKangoBHO, type library {8895BD83-...}, 32-bit server FrameworkBHO.dll under Wow6432Node and 64-bit server FrameworkBHO64.dll in the native hive), {DE4DD492-...} is the toolbar class (IKangoToolbar), and {ACB80168-...} is an out-of-process (LocalServer32) class served by FrameworkEngine.exe, which also registers its own type library {5BD10F8C-...} and the IKangoEngine interface. {00020424-0000-0000-C000-000000000046} is the standard automation proxy/stub marshaler, and {59FB2056-D625-48D0-A944-1A85B5AB2640} is the CATID_AppContainerCompatible category, which marks a COM server as loadable inside Internet Explorer's Enhanced Protected Mode AppContainer.
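The registry rows in the sections above ("Checks BIOS information in registry", "Maps connected drives", "Registers COM server for autorun", "Adds Run key", "Installs/modifies Browser Helper Object", the Internet Explorer settings and "Modifies registry class") are worth more than their raw count once they are sorted into what each one buys the installer: persistence, weakening of the browser's security controls, or sandbox detection. The following added Python (not part of the sandbox report or of the sample) parses rows in the report's own description/path/value/process format, whether pipe-separated or run together, and classifies them with a small rule table. The category names are my own; the readings of ElevationPolicy Policy = 3 (silent medium-integrity launch) and FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER (turn off IE's built-in URL security manager for the named process) come from the Internet Explorer documentation, not from the report. The sample rows are copied from this report and labelled as a constructed sample.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: registry rows copied from this report, one per line, in the
# sandbox's '<description> <path>[ = "<value>"] <process>' format.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Browser Protect-repairJob = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Browser Protect\\repair.js\" \"Browser Protect-repairJob\"" 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Communicator Watcher = "C:\\Program Files (x86)\\Bench\\Proxy\\pwdg.exe" 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO64.dll" regsvr32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}\NoExplorer = "1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{DE4DD492-A84F-44C7-9E0A-627F75FB077B} = "Browser Protect" regsvr32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1" 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\Policy = "3" FrameworkEngine.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SoftwareDetector.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum SoftwareDetector.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Programmable regsvr32.exe
'''

DESCRIPTION_RE = re.compile(
    r'^(Set value \((?:str|int|data)\)|Key created|Key deleted|Key opened|Key value queried)\s+')

# Rules run against the path with any \Wow6432Node component removed, so the
# 32-bit-redirected and native copies of a key classify the same way.
RULES = [
    ('persistence/run-key',       re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.I)),
    ('persistence/bho',           re.compile(r'\\Explorer\\Browser Helper Objects\\', re.I)),
    ('persistence/com-server',    re.compile(r'\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\(Inproc|Local)Server32', re.I)),
    ('persistence/ie-toolbar',    re.compile(r'\\Internet Explorer\\Toolbar\\\{', re.I)),
    ('weakening/ie-security-mgr', re.compile(r'\\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\\', re.I)),
    ('weakening/ie-elevation',    re.compile(r'\\Low Rights\\ElevationPolicy\\\{[0-9A-F-]{36}\}\\Policy$', re.I)),
    ('anti-analysis/bios',        re.compile(r'\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion$', re.I)),
    ('anti-analysis/disk-enum',   re.compile(r'\\Services\\Disk\\Enum', re.I)),
]


@dataclass(frozen=True)
class RegEvent:
    description: str
    path: str
    value: Optional[str]
    process: str


def parse_event(row: str) -> RegEvent:
    """Split one report row into description, key path, optional value and process."""
    row = row.strip().replace(' | ', ' ')          # accept pipe-separated columns too
    m = DESCRIPTION_RE.match(row)
    if m is None:
        raise ValueError(f'unrecognised row: {row!r}')
    rest, _, process = row[m.end():].rpartition(' ')  # process image is the last token
    value = None
    if ' = "' in rest:
        path, _, value = rest.partition(' = "')
        value = value[:-1] if value.endswith('"') else value
    else:
        path = rest
    return RegEvent(m.group(1), path, value, process)


def classify(event: RegEvent) -> Optional[str]:
    """Return the category label for an event, or None for registration noise."""
    path = re.sub(r'\\Wow6432Node(?=\\)', '', event.path, flags=re.I)
    for label, pattern in RULES:
        if not pattern.search(path):
            continue
        # Policy = 3 lets Protected Mode launch the app at medium integrity
        # without prompting; other Policy values are not a weakening.
        if label == 'weakening/ie-elevation' and event.value != '3':
            return None
        return label
    return None


def summarize(rows) -> Dict[str, List[RegEvent]]:
    """Group classified events by category, dropping blank rows and unclassified noise."""
    hits: Dict[str, List[RegEvent]] = defaultdict(list)
    for row in rows:
        if not row.strip():
            continue
        event = parse_event(row)
        label = classify(event)
        if label is not None:
            hits[label].append(event)
    return dict(hits)


if __name__ == '__main__':
    for label, events in sorted(summarize(SAMPLE_EVENTS.splitlines()).items()):
        print(f'{label} ({len(events)})')
        for ev in events:
            suffix = f' = {ev.value}' if ev.value is not None else ''
            print(f'  {ev.process}: {ev.path}{suffix}')
```

Of the ten sample rows, nine classify and the Programmable key is dropped as plain COM registration noise; on the full report the same table collapses the 64-row "Modifies registry class" list to the handful of InprocServer32/LocalServer32 entries that actually decide which DLL or EXE gets loaded. Extend RULES rather than the parser when adding categories.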
Runs net.exe
No further IoCs are listed for this signature; the WriteProcessMemory section below shows the installer (pid 2972) launching net.exe (pid 2764), which in turn launches net1.exe (pid 480). The net command line is not reproduced in the report.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Enumeration events per process:
pid | process | entries
2972 | 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe | 12
2496 | pwdg.exe | 20
2872 | proc.exe | 32
The first twelve entries belong to the installer; after that, pwdg.exe and proc.exe alternate in short runs for the rest of the trace, i.e. both keep polling the process list.
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes: pwdg.exe
description pid process
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
Token: SeDebugPrivilege 2496 pwdg.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: pwdg.exe
pid process
2496 pwdg.exe
2496 pwdg.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes: pwdg.exe
pid process
2496 pwdg.exe
2496 pwdg.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe, cscript.exe, net.exe, updater.exe, updater.exe, cscript.exe
description pid process target process
PID 2972 wrote to memory of 2276 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe cscript.exe
PID 2972 wrote to memory of 2276 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe cscript.exe
PID 2972 wrote to memory of 2276 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe cscript.exe
PID 2972 wrote to memory of 2276 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe cscript.exe
PID 2276 wrote to memory of 2036 2276 cscript.exe SoftwareDetector.exe
PID 2276 wrote to memory of 2036 2276 cscript.exe SoftwareDetector.exe
PID 2276 wrote to memory of 2036 2276 cscript.exe SoftwareDetector.exe
PID 2276 wrote to memory of 2036 2276 cscript.exe SoftwareDetector.exe
PID 2276 wrote to memory of 1204 2276 cscript.exe sqlite3.exe
PID 2276 wrote to memory of 1204 2276 cscript.exe sqlite3.exe
PID 2276 wrote to memory of 1204 2276 cscript.exe sqlite3.exe
PID 2276 wrote to memory of 1204 2276 cscript.exe sqlite3.exe
PID 2276 wrote to memory of 2476 2276 cscript.exe storageedit.exe
PID 2276 wrote to memory of 2476 2276 cscript.exe storageedit.exe
PID 2276 wrote to memory of 2476 2276 cscript.exe storageedit.exe
PID 2276 wrote to memory of 2476 2276 cscript.exe storageedit.exe
PID 2972 wrote to memory of 2764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe net.exe
PID 2972 wrote to memory of 2764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe net.exe
PID 2972 wrote to memory of 2764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe net.exe
PID 2972 wrote to memory of 2764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe net.exe
PID 2764 wrote to memory of 480 2764 net.exe net1.exe
PID 2764 wrote to memory of 480 2764 net.exe net1.exe
PID 2764 wrote to memory of 480 2764 net.exe net1.exe
PID 2764 wrote to memory of 480 2764 net.exe net1.exe
PID 2972 wrote to memory of 764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe Updater.exe
PID 2972 wrote to memory of 764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe Updater.exe
PID 2972 wrote to memory of 764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe Updater.exe
PID 2972 wrote to memory of 764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe Updater.exe
PID 2972 wrote to memory of 764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe Updater.exe
PID 2972 wrote to memory of 764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe Updater.exe
PID 2972 wrote to memory of 764 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe Updater.exe
PID 2972 wrote to memory of 1184 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 1184 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 1184 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 1184 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 1184 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 1184 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 1184 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 1184 wrote to memory of 908 1184 updater.exe updater.exe
PID 1184 wrote to memory of 908 1184 updater.exe updater.exe
PID 1184 wrote to memory of 908 1184 updater.exe updater.exe
PID 1184 wrote to memory of 908 1184 updater.exe updater.exe
PID 1184 wrote to memory of 908 1184 updater.exe updater.exe
PID 1184 wrote to memory of 908 1184 updater.exe updater.exe
PID 1184 wrote to memory of 908 1184 updater.exe updater.exe
PID 2972 wrote to memory of 2924 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 2924 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 2924 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 2924 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 2924 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 2924 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2972 wrote to memory of 2924 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe updater.exe
PID 2924 wrote to memory of 280 2924 updater.exe updater.exe
PID 2924 wrote to memory of 280 2924 updater.exe updater.exe
PID 2924 wrote to memory of 280 2924 updater.exe updater.exe
PID 2924 wrote to memory of 280 2924 updater.exe updater.exe
PID 2924 wrote to memory of 280 2924 updater.exe updater.exe
PID 2924 wrote to memory of 280 2924 updater.exe updater.exe
PID 2924 wrote to memory of 280 2924 updater.exe updater.exe
PID 2972 wrote to memory of 2996 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe cscript.exe
PID 2972 wrote to memory of 2996 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe cscript.exe
PID 2972 wrote to memory of 2996 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe cscript.exe
PID 2972 wrote to memory of 2996 2972 0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe cscript.exe
PID 2996 wrote to memory of 944 2996 cscript.exe SoftwareDetector.exe
-
System policy modification 1 TTPs 2 IoCs
Processes: cscript.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID cscript.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0} = "1" cscript.exe
Processes (indented by process-tree depth)
-
C:\Users\Admin\AppData\Local\Temp\0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cscript.exe (depth 2)
    Command line: "C:\Windows\system32\cscript.exe" //Nologo "migrate.js" /iversion=20141023 /programfiles="C:\Program Files (x86)" /localapps="C:\Users\Admin\AppData\Local" /firefox-dir="C:\Users\Admin\AppData\Local\Browser Protect\firefox" /ie-dir="C:\Program Files (x86)\Browser Protect" /product-name="Browser Protect" /installation-time="1714309826" /pid="2020" /zone="622206" /czoneid="" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38992" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /close-firefox /close-ie
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Browser Protect\SoftwareDetector.exe (depth 3)
      Command line: SoftwareDetector.exe
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Maps connected drives based on registry
-
    C:\Users\Admin\AppData\Local\Browser Protect\sqlite3.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Browser Protect\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.Admin\framework-22e1f16e-fd89-a78b-437f-b702591b1382.sqlite" "SELECT value FROM user_storage WHERE key='_GPL_zoneid';"
      - Executes dropped EXE
-
    C:\Users\Admin\AppData\Local\Browser Protect\storageedit.exe (depth 3)
      Command line: storageedit.exe ie {38A83375-83F7-4E94-9948-8953D81D77B0} get _GPL_zoneid
      - Executes dropped EXE
-
  C:\Windows\SysWOW64\net.exe (depth 2)
    Command line: net.exe start schedule
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\net1.exe (depth 3)
      Command line: C:\Windows\system32\net1 start schedule
-
  C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe (depth 2)
    Command line: "C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe" -runmode=addsystask
    - Executes dropped EXE
    - Drops file in Windows directory
-
  C:\Program Files (x86)\Bench\Updater\updater.exe (depth 2)
    Command line: "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
    C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe (depth 3)
      Command line: "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
      - Executes dropped EXE
      - Drops file in Windows directory
-
  C:\Program Files (x86)\Bench\Updater\updater.exe (depth 2)
    Command line: "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsy10E5.tmp"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
    C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe (depth 3)
      Command line: "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsy10E5.tmp"
      - Executes dropped EXE
      - Drops file in Program Files directory
-
  C:\Windows\SysWOW64\cscript.exe (depth 2)
    Command line: "C:\Windows\system32\cscript.exe" //Nologo "main_installer.js" install /product-name="Browser Protect" /installation-time="1714309826" /pid="2020" /zone="622206" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38992" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /close-firefox /close-ie
    - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Browser Protect\SoftwareDetector.exe (depth 3)
      Command line: SoftwareDetector.exe
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Maps connected drives based on registry
-
  C:\Windows\SysWOW64\cscript.exe (depth 2)
    Command line: "C:\Windows\system32\cscript.exe" //Nologo "installer.js" install firefox "C:\Users\Admin\AppData\Local\Browser Protect\firefox\" /product-name="Browser Protect" /installation-time="1714309826" /pid="2020" /zone="622206" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38992" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /close-firefox /close-ie
-
  C:\Windows\SysWOW64\cscript.exe (depth 2)
    Command line: "C:\Windows\system32\cscript.exe" //Nologo "installer.js" install ie "C:\Program Files (x86)\Browser Protect\" /product-name="Browser Protect" /installation-time="1714309826" /pid="2020" /zone="622206" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38992" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /close-firefox /close-ie
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System policy modification
-
    C:\Users\Admin\AppData\Local\Browser Protect\SoftwareDetector.exe (depth 3)
      Command line: SoftwareDetector.exe
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Maps connected drives based on registry
-
    C:\Program Files (x86)\Browser Protect\FrameworkEngine.exe (depth 3)
      Command line: "C:\Program Files (x86)\Browser Protect\FrameworkEngine.exe" /RegServer
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Modifies registry class
-
    C:\Windows\SysWOW64\regsvr32.exe (depth 3)
      Command line: regsvr32.exe /s "C:\Program Files (x86)\Browser Protect\FrameworkBHO.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies Internet Explorer settings
      - Modifies registry class
-
    C:\Windows\SysWOW64\regsvr32.exe (depth 3)
      Command line: regsvr32.exe /s "C:\Program Files (x86)\Browser Protect\FrameworkBHO64.dll"
      - Loads dropped DLL
-
      C:\Windows\system32\regsvr32.exe (depth 4)
        Command line: /s "C:\Program Files (x86)\Browser Protect\FrameworkBHO64.dll"
        - Loads dropped DLL
        - Registers COM server for autorun
        - Installs/modifies Browser Helper Object
        - Modifies Internet Explorer settings
        - Modifies registry class
-
    C:\Windows\SysWOW64\regsvr32.exe (depth 3)
      Command line: regsvr32.exe /s "C:\Program Files (x86)\Browser Protect\RequestHelper.dll"
-
  C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh advfirewall firewall add rule name="proc.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\proc.exe"
    - Modifies Windows Firewall
-
  C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: netsh advfirewall firewall add rule name="pwdg.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
    - Modifies Windows Firewall
-
  C:\Program Files (x86)\Bench\Proxy\pwdg.exe (depth 2)
    Command line: "C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
-
    C:\Program Files (x86)\Bench\Proxy\proc.exe (depth 3)
      Command line: "C:\Program Files (x86)\Bench\Proxy\proc.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
-
  C:\Program Files (x86)\Bench\Updater\updater.exe (depth 2)
    Command line: "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
    - Executes dropped EXE
    - Loads dropped DLL
-
    C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe (depth 3)
      Command line: "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
      - Executes dropped EXE
      - Drops file in Windows directory
-
  C:\Program Files (x86)\Bench\Updater\updater.exe (depth 2)
    Command line: "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Browser Protect\info.xml"
    - Executes dropped EXE
    - Loads dropped DLL
-
    C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe (depth 3)
      Command line: "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Browser Protect\info.xml"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2), Browser Extensions (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (4)
Downloads