165e6b5a529a2a7be03d5b4f81623687e903cd1e8f3460579344511089d4b666

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Size

2.1MB
MD5

0542cb3043d9c1028ad7be3833c2ef70
SHA1

a43eb526228612051a711f3eaac0788e7fb2a847
SHA256

165e6b5a529a2a7be03d5b4f81623687e903cd1e8f3460579344511089d4b666
SHA512

969247b7e8fb29d35710c49a4f984e3e56aec97bf0c2cc1a657e9e5aae8b822dd845f222fbd19e85e4691eb87770f5a822fefafc73dc11cb6789856cc692aa7c
SSDEEP

49152:HsUUiXXiCcYM+RKnycr0/ghhYW2CEvyie+qQup+:HtXiCVRL+HR2j6+

Score

9^/10

adware discovery evasion persistence spyware stealer upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2520 netsh.exe
2532 netsh.exe

pid	process
2520	netsh.exe
2532	netsh.exe

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\md5dll.dll	acprotect
behavioral1/memory/2972-13-0x00000000002F0000-0x00000000002F9000-memory.dmp	acprotect
behavioral1/memory/2972-15-0x00000000002F0000-0x00000000002F9000-memory.dmp	acprotect

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SoftwareDetector.exeSoftwareDetector.exeSoftwareDetector.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe

Executes dropped EXE 17 IoCs

Processes:

SoftwareDetector.exesqlite3.exestorageedit.exeUpdater.exeupdater.exeupdater.exeupdater.exeupdater.exeSoftwareDetector.exeSoftwareDetector.exeFrameworkEngine.exepwdg.exeproc.exeupdater.exeupdater.exeupdater.exeupdater.exe

pid	process
2036	SoftwareDetector.exe
1204	sqlite3.exe
2476	storageedit.exe
764	Updater.exe
1184	updater.exe
908	updater.exe
2924	updater.exe
280	updater.exe
944	SoftwareDetector.exe
1824	SoftwareDetector.exe
3068	FrameworkEngine.exe
2496	pwdg.exe
2872	proc.exe
2492	updater.exe
2440	updater.exe
2388	updater.exe
2876	updater.exe

Loads dropped DLL 37 IoCs

Processes:

0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.execscript.exeupdater.exeupdater.execscript.exeregsvr32.exeregsvr32.exeregsvr32.exepwdg.exeupdater.exeupdater.exe

pid	process
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2276	cscript.exe
2276	cscript.exe
2276	cscript.exe
2276	cscript.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
1184	updater.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2924	updater.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2728	cscript.exe
3028	regsvr32.exe
1676	regsvr32.exe
2164	regsvr32.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2496	pwdg.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2492	updater.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2440	updater.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO64.dll"	regsvr32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\md5dll.dll	upx
behavioral1/memory/2972-13-0x00000000002F0000-0x00000000002F9000-memory.dmp	upx
behavioral1/memory/2972-15-0x00000000002F0000-0x00000000002F9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Browser Protect	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Browser Protect-repairJob = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Browser Protect\\repair.js\" \"Browser Protect-repairJob\""	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Communicator Watcher = "C:\\Program Files (x86)\\Bench\\Proxy\\pwdg.exe"	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Settings Cleaner = "C:\\Program Files (x86)\\Bench\\Proxy\\cl.exe"	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}\ = "Browser Protect BHO"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38A83375-83F7-4E94-9948-8953D81D77B0}\ = "Browser Protect BHO"	regsvr32.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SoftwareDetector.exeSoftwareDetector.exeSoftwareDetector.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe

Drops file in Program Files directory 64 IoCs

Processes:

0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exeupdater.execscript.exe

description	ioc	process
File created	C:\Program Files (x86)\Bench\Proxy\pwdg.exe	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\FrameworkEngine.exe	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\AppFramework\jquery.min.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\middle-left.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\tail-bottom.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Proxy\cl.exe	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\notification.html	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\bottom-right.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\middle-right.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\message_target.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\messaging.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\tail-right.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\top-right.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\AppFramework\appAPI_browseraction.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\AppFramework\appAPI_common.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\lang.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\userscript_engine.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\context_menu.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\bottom-middle.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\FrameworkBHO64.dll	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\CanvasFramework\webrequest.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\console.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\top-middle.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\icons\icon100.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\global.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\utils.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\options.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\browser_button.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\notifications.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\tail-left.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\icons\icon128.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Updater\products.xml	updater.exe
File created	C:\Program Files (x86)\Browser Protect\framework\framework.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\i18n.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\xhr.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\userscript_client.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\framework_api.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\top-left.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Browser Protect\extension_info.json	cscript.exe
File created	C:\Program Files (x86)\Browser Protect\extension_info.json	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\CanvasFramework\canvasscript_engine.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\json2.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\storage.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Updater\updater.exe	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\background.html	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\icons\icon48.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Proxy\proc.exe	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\CanvasFramework\registry.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\timer.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\FrameworkBHO.dll	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\AppFramework\appAPI_content.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\CanvasFramework\md5.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\io.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\legacy.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\ui_base.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Bench\Updater\products.xml	updater.exe
File created	C:\Program Files (x86)\Browser Protect\framework\invoke_async.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\context_menu_item_handler.html	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework-ui\theme\bubble\bottom-left.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\icons\icon32.png	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\AppFramework\appAPI_bg.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\backgroundscript_engine.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
File created	C:\Program Files (x86)\Browser Protect\framework\browser.js	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

updater.exeUpdater.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\bench-S-1-5-21-2248906074-2862704502-246302768-1000.job	updater.exe
File created	C:\Windows\Tasks\bench-sys.job	Updater.exe
File created	C:\Windows\Tasks\bench-S-1-5-21-2248906074-2862704502-246302768-1000.job	updater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Browser Protect\uninstall.exe	nsis_installer_1
\Users\Admin\AppData\Local\Browser Protect\uninstall.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exeFrameworkEngine.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000"	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1"	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\AppPath = "C:\\Program Files (x86)\\Browser Protect\\"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\AppName = "FrameworkEngine.exe"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000"	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER\iexplore.exe = "1"	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{DE4DD492-A84F-44C7-9E0A-627F75FB077B} = "Browser Protect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}	FrameworkEngine.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\Policy = "3"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\AppName = "FrameworkEngine.exe"	FrameworkEngine.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\Policy = "3"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\AppPath = "C:\\Program Files (x86)\\Browser Protect\\"	FrameworkEngine.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000"	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{DE4DD492-A84F-44C7-9E0A-627F75FB077B} = "Browser Protect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

FrameworkEngine.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\ = "IKangoToolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\1.0\0\win32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkEngine.exe"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Browser Protect"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\ = "IKangoEngine"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\TypeLib\ = "{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\TypeLib\ = "{8895BD83-6818-429F-A43D-B52C8EA427C7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACB80168-4368-49B4-8509-538445F4C391}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Browser Protect\\FrameworkEngine.exe"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\TypeLib	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}\ = "IKangoEngine"	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACB80168-4368-49B4-8509-538445F4C391}\Version	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ACAD016E-438C-4950-BEBF-1484FDF48291}	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\ = "Browser Protect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\0\win32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5BD10F8C-03AB-4295-ADDD-FE9E0C4963EF}\1.0\0\win32	FrameworkEngine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Browser Protect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\InprocServer32\ = "C:\\Program Files (x86)\\Browser Protect\\FrameworkBHO64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACB80168-4368-49B4-8509-538445F4C391}\Programmable	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ACB80168-4368-49B4-8509-538445F4C391}\Version\ = "1.0"	FrameworkEngine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ = "IKangoBHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE20D457-A861-447F-B689-D07FB7FB397B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{38E7331D-8350-4ECF-8498-4C53E81DEAB0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\TypeLib\ = "{8895BD83-6818-429F-A43D-B52C8EA427C7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8895BD83-6818-429F-A43D-B52C8EA427C7}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE4DD492-A84F-44C7-9E0A-627F75FB077B}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0}\ = "Browser Protect BHO"	regsvr32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exepwdg.exeproc.exe

pid	process
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2496	pwdg.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
2496	pwdg.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2496	pwdg.exe
2496	pwdg.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2496	pwdg.exe
2496	pwdg.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2496	pwdg.exe
2496	pwdg.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2496	pwdg.exe
2496	pwdg.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2496	pwdg.exe
2496	pwdg.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2496	pwdg.exe
2496	pwdg.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2496	pwdg.exe
2496	pwdg.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2496	pwdg.exe
2496	pwdg.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2872	proc.exe
2496	pwdg.exe
2496	pwdg.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

pwdg.exe

description	pid	process
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe
Token: SeDebugPrivilege	2496	pwdg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pwdg.exe

pid process

2496 pwdg.exe
2496 pwdg.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pwdg.exe

pid process

2496 pwdg.exe
2496 pwdg.exe

pid	process
2496	pwdg.exe
2496	pwdg.exe

pid	process
2496	pwdg.exe
2496	pwdg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.execscript.exenet.exeupdater.exeupdater.execscript.exe

description	pid	process	target process
PID 2972 wrote to memory of 2276	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	cscript.exe
PID 2972 wrote to memory of 2276	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	cscript.exe
PID 2972 wrote to memory of 2276	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	cscript.exe
PID 2972 wrote to memory of 2276	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	cscript.exe
PID 2276 wrote to memory of 2036	2276	cscript.exe	SoftwareDetector.exe
PID 2276 wrote to memory of 2036	2276	cscript.exe	SoftwareDetector.exe
PID 2276 wrote to memory of 2036	2276	cscript.exe	SoftwareDetector.exe
PID 2276 wrote to memory of 2036	2276	cscript.exe	SoftwareDetector.exe
PID 2276 wrote to memory of 1204	2276	cscript.exe	sqlite3.exe
PID 2276 wrote to memory of 1204	2276	cscript.exe	sqlite3.exe
PID 2276 wrote to memory of 1204	2276	cscript.exe	sqlite3.exe
PID 2276 wrote to memory of 1204	2276	cscript.exe	sqlite3.exe
PID 2276 wrote to memory of 2476	2276	cscript.exe	storageedit.exe
PID 2276 wrote to memory of 2476	2276	cscript.exe	storageedit.exe
PID 2276 wrote to memory of 2476	2276	cscript.exe	storageedit.exe
PID 2276 wrote to memory of 2476	2276	cscript.exe	storageedit.exe
PID 2972 wrote to memory of 2764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	net.exe
PID 2972 wrote to memory of 2764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	net.exe
PID 2972 wrote to memory of 2764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	net.exe
PID 2972 wrote to memory of 2764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	net.exe
PID 2764 wrote to memory of 480	2764	net.exe	net1.exe
PID 2764 wrote to memory of 480	2764	net.exe	net1.exe
PID 2764 wrote to memory of 480	2764	net.exe	net1.exe
PID 2764 wrote to memory of 480	2764	net.exe	net1.exe
PID 2972 wrote to memory of 764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	Updater.exe
PID 2972 wrote to memory of 764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	Updater.exe
PID 2972 wrote to memory of 764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	Updater.exe
PID 2972 wrote to memory of 764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	Updater.exe
PID 2972 wrote to memory of 764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	Updater.exe
PID 2972 wrote to memory of 764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	Updater.exe
PID 2972 wrote to memory of 764	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	Updater.exe
PID 2972 wrote to memory of 1184	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 1184	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 1184	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 1184	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 1184	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 1184	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 1184	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 1184 wrote to memory of 908	1184	updater.exe	updater.exe
PID 1184 wrote to memory of 908	1184	updater.exe	updater.exe
PID 1184 wrote to memory of 908	1184	updater.exe	updater.exe
PID 1184 wrote to memory of 908	1184	updater.exe	updater.exe
PID 1184 wrote to memory of 908	1184	updater.exe	updater.exe
PID 1184 wrote to memory of 908	1184	updater.exe	updater.exe
PID 1184 wrote to memory of 908	1184	updater.exe	updater.exe
PID 2972 wrote to memory of 2924	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 2924	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 2924	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 2924	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 2924	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 2924	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2972 wrote to memory of 2924	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	updater.exe
PID 2924 wrote to memory of 280	2924	updater.exe	updater.exe
PID 2924 wrote to memory of 280	2924	updater.exe	updater.exe
PID 2924 wrote to memory of 280	2924	updater.exe	updater.exe
PID 2924 wrote to memory of 280	2924	updater.exe	updater.exe
PID 2924 wrote to memory of 280	2924	updater.exe	updater.exe
PID 2924 wrote to memory of 280	2924	updater.exe	updater.exe
PID 2924 wrote to memory of 280	2924	updater.exe	updater.exe
PID 2972 wrote to memory of 2996	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	cscript.exe
PID 2972 wrote to memory of 2996	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	cscript.exe
PID 2972 wrote to memory of 2996	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	cscript.exe
PID 2972 wrote to memory of 2996	2972	0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe	cscript.exe
PID 2996 wrote to memory of 944	2996	cscript.exe	SoftwareDetector.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	cscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{38A83375-83F7-4E94-9948-8953D81D77B0} = "1"	cscript.exe

C:\Users\Admin\AppData\Local\Temp\0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0542cb3043d9c1028ad7be3833c2ef70_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "migrate.js" /iversion=20141023 /programfiles="C:\Program Files (x86)" /localapps="C:\Users\Admin\AppData\Local" /firefox-dir="C:\Users\Admin\AppData\Local\Browser Protect\firefox" /ie-dir="C:\Program Files (x86)\Browser Protect" /product-name="Browser Protect" /installation-time="1714309826" /pid="2020" /zone="622206" /czoneid="" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38992" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /close-firefox /close-ie
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Browser Protect\SoftwareDetector.exe
SoftwareDetector.exe
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
PID:2036

C:\Users\Admin\AppData\Local\Browser Protect\sqlite3.exe
"C:\Users\Admin\AppData\Local\Browser Protect\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u7g6zvo6.Admin\framework-22e1f16e-fd89-a78b-437f-b702591b1382.sqlite" "SELECT value FROM user_storage WHERE key='_GPL_zoneid';"
3⤵
- Executes dropped EXE
PID:1204

C:\Users\Admin\AppData\Local\Browser Protect\storageedit.exe
storageedit.exe ie {38A83375-83F7-4E94-9948-8953D81D77B0} get _GPL_zoneid
3⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\net.exe
net.exe start schedule
2⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start schedule
3⤵
PID:480

C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe" -runmode=addsystask
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:764

C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184

C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:908

C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsy10E5.tmp"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924

C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsy10E5.tmp"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:280

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "main_installer.js" install /product-name="Browser Protect" /installation-time="1714309826" /pid="2020" /zone="622206" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38992" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /close-firefox /close-ie
2⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Users\Admin\AppData\Local\Browser Protect\SoftwareDetector.exe
SoftwareDetector.exe
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
PID:944

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install firefox "C:\Users\Admin\AppData\Local\Browser Protect\firefox\" /product-name="Browser Protect" /installation-time="1714309826" /pid="2020" /zone="622206" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38992" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /close-firefox /close-ie
2⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" //Nologo "installer.js" install ie "C:\Program Files (x86)\Browser Protect\" /product-name="Browser Protect" /installation-time="1714309826" /pid="2020" /zone="622206" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="38992" /updateip="54.225.95.126" /version="1.0" /straoi="" /enable-extensions /close-firefox /close-ie
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System policy modification
PID:2728

C:\Users\Admin\AppData\Local\Browser Protect\SoftwareDetector.exe
SoftwareDetector.exe
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
PID:1824

C:\Program Files (x86)\Browser Protect\FrameworkEngine.exe
"C:\Program Files (x86)\Browser Protect\FrameworkEngine.exe" /RegServer
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
PID:3068

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Browser Protect\FrameworkBHO.dll"
3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:3028

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Browser Protect\FrameworkBHO64.dll"
3⤵
- Loads dropped DLL
PID:1676

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Browser Protect\FrameworkBHO64.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2164

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\Browser Protect\RequestHelper.dll"
3⤵
PID:888

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="proc.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\proc.exe"
2⤵
- Modifies Windows Firewall
PID:2520

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="pwdg.exe" protocol=TCP dir=in localip=127.0.0.1 remoteip=127.0.0.1 localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
2⤵
- Modifies Windows Firewall
PID:2532

C:\Program Files (x86)\Bench\Proxy\pwdg.exe
"C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2496

C:\Program Files (x86)\Bench\Proxy\proc.exe
"C:\Program Files (x86)\Bench\Proxy\proc.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492

C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2388

C:\Program Files (x86)\Bench\Updater\updater.exe
"C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Browser Protect\info.xml"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440

C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
"C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Browser Protect\info.xml"
3⤵
- Executes dropped EXE
PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bench\Proxy\icon.ico
Filesize
31KB

MD5
5ceb296dbbbb61b52153f98b0992d6b2

SHA1
6fadd4b999568901e2092a4cc2b3816093568a65

SHA256
a7420a3654e49d3d8fc6e4e1af666922b7077bb7f265ed71f90c55dc296f605e

SHA512
bab2742642ebfdc6d474f4d44d43877b5d42cf64c76da18908d328046faf6807fe9e1433aebc0c34574814e1a033c636cffffc1f7f0a72eaeb397f7339e4cc1c

Download Submit
C:\Program Files (x86)\Bench\Proxy\proc.exe
Filesize
477KB

MD5
a694180da7c9a463b28db094ef503aa7

SHA1
d8b55ac242954b6cd1e6ee4e6231fcd8e9a57523

SHA256
0eca9f6ca021bff7365a2bcf0f55d0b710abe9d9066ae5c5e0d1f5e046e38363

SHA512
6dc7d79f6a6b3a14fc07962b49b0515b61ea1cbc93e6d4a2b592841c0accd880e0cb9ee090f51d22355b7dd42fe1dd59054c74a0813bdf8429b2e39651af3479

Download Submit
C:\Program Files (x86)\Browser Protect\FrameworkBHO.dll
Filesize
395KB

MD5
e89ff1836a81686332c6b5e400a34339

SHA1
70022a22bc9c49b0ebf85cabae514a57df1fd262

SHA256
c2819b02b85c6e86e5f697bb2c61b9aeba402611cfce0ce412d20dc010bc6406

SHA512
8d282776bcc64112a87ed7151d512291f677ef8e760d44a2be55c0f70e6df45815d0e9768261fab60bce9245e66146f3b5c2a66c666cb16e0194131baecb5493

Download Submit
C:\Program Files (x86)\Browser Protect\FrameworkBHO64.dll
Filesize
479KB

MD5
62b8c4336666b6d4baf82ec2046e4142

SHA1
54b9a4336cf8dd657a9e095da3efe69ba5f1a470

SHA256
3c89a02c4e6abcf2ff2f2ffec14c3433ca808187f70ae3ca178223d7808a96a3

SHA512
7ac3c84e6433464ecad7a86a17c73eaa91d2e0768774b167985009c30a4712ab33635dd3a9c02c7c4e4c0e7d806c665f1c4409d48d3606103802859c8695e4c7

Download Submit
C:\Program Files (x86)\Browser Protect\extension_info.json
Filesize
1KB

MD5
e835bdc056cff6dbe4d93c7f4df142e8

SHA1
ad411693d3fba77c59264c607a987a0d381d10dc

SHA256
c9bcb7ae0a76f10735286a6bdaf312658383659b33342ef4508045d3f33196c9

SHA512
8d4f7bdd0b1d5372436e9a5e3838055d5a51e512f1a895577be21f8c6aba51771e72bf4987fbd5d6a4dbac9f3d4254d1c022a4246456cea41da936d5afc504c3

Download Submit
C:\Users\Admin\AppData\Local\Browser Protect\SoftwareDetector.exe
Filesize
120KB

MD5
791a36c814a825fdfe596e5e7eea27b7

SHA1
10ac78b8899a727bb3bdf924312a940b8ba0bac1

SHA256
0186d765b4dc4132c243b20214c6fb1de49e645fc1b5acddbe954d6e5682f84f

SHA512
bd13f3c19905b5a6062614267f20d054141926c3c6837e1583de6b821f310de7d48da79164a8c3c9ccb8a3a46e76292554faca4a2384cfe0a045c597a9ea3a86

Download Submit
C:\Users\Admin\AppData\Local\Browser Protect\common.js
Filesize
14KB

MD5
811f747d02138864aaca1ebe3f35c64c

SHA1
f1eb90f7f7420f644b1e8a3c14aeeca03c88052c

SHA256
9b1da8c2dd4dd1cc9b08d92f598e12cd5a1a62898908293840f6a48d03a8eadb

SHA512
75d5b2e9834dc5f32499fa63d50c16959462d4f992ed568617ead21d162d48f31efc7e023f12712b8ac24b6928d2b4088f5b6fb94949ce3d40b944c74c00244f

Download Submit
C:\Users\Admin\AppData\Local\Browser Protect\firefox\extension_info.json
Filesize
1KB

MD5
f753aca5677524444aaeee6cc07d0968

SHA1
787630e52d6dbe92dfaf9d6776808673abc2d018

SHA256
c47292f3273fb54140a00ec40a0b181fd5a7dd8989caf51396ef6e2e1e41ef1a

SHA512
d1e1ec2d1b790da5e08a6f563f03eed66cc582291fbdeadc69a9f885f6a779ec2c3a036384f9f4307ecc7e66c44657d1c3cc976480cd226ff10629392e3dbb21

Download Submit
C:\Users\Admin\AppData\Local\Browser Protect\firefox_installer.js
Filesize
6KB

MD5
4d5042f6859b9dd8a1e7fdcd11fe0619

SHA1
7b9bf80954693cb94c1b83f1bd593ae88b7a7a07

SHA256
b866ec4a886d8b8448cb648a397518a1b428119cd5ee4ad88ac6c3dc5f1e17f5

SHA512
84936a3cec375ad2028a11301b17e860096d24d2e448d50810a945e18c4a12b685564aec57663c35e02b3f4b2e3b0a1e51fb69d048b71e1383b9e0eb0e36bd22

Download Submit
C:\Users\Admin\AppData\Local\Browser Protect\ie_installer.js
Filesize
4KB

MD5
da5749989706af1e79ab27166492c7e3

SHA1
d9589dd40c0aea68d3a6fb3767d3ff05ae0a925d

SHA256
d987ed4d0b55903993a59165b96557e79ca27054e80b0160f21c4d714ebf11b8

SHA512
1abc3331a9343b9507c6d5b5609cba063011ef3e5bca19003185c43cd3da592ba43a727a6c47c9aa5e1fc9e9f0c618b48cd7ba9e174381ef037e19faee8dad2e

Download Submit
C:\Users\Admin\AppData\Local\Browser Protect\installer.js
Filesize
799B

MD5
1d2e2b33ed23d2687ac7551613e3ce10

SHA1
738fdf284c336d88f8fc178371aa073a75ac4f0f

SHA256
e6bc0ed8424b80085a08df410ad0d43ba37b052ccadfb6450a2337f37ca1288f

SHA512
af221b4bcb6e00015aced99bd47db97ad994441ee5f251106686a6da05d98289a6783a5c0ccd8e50b76216b53f1d4ab3cfda6c7fc8108b4e2f56f512cb4e7393

Download Submit
C:\Users\Admin\AppData\Local\Browser Protect\main_installer.js
Filesize
1KB

MD5
4ca1909eb243f179f48935c8106fdbc9

SHA1
cbc20846bb8b96fcf3b3bbb9d80709c8024a8366

SHA256
7acaec9a466eb71fc663f6c6c3bc41ec080f544b4e864cd1e5d6d3cd06230232

SHA512
66cc6deee36443539e6fa66ec7ef7ca0932b9b9a085296648a4448628ae21efd53a56cd592f242c5f17e88d7924b1510af1d49da220a6980aa1d004deae199a8

Download Submit
C:\Users\Admin\AppData\Local\Browser Protect\migrate.js
Filesize
4KB

MD5
7c936cb5190fc3ad0b581a562875e9a4

SHA1
ec727ee61e1598bafaf0085817151cc3a9d741c4

SHA256
9770fd38208bf2b6e1676f833a90f0f5129bae080fd890614d719b43c290c167

SHA512
987e4093e606d2ada424c3681f21a23cd8d4135a995c1286407aef3c1dcdbecec42be30961c9bb2fe92ac5a9ee5eb2715fc9c12192e6a328295f7dad28cbc341

Download Submit
C:\Users\Admin\AppData\Local\Browser Protect\projectInstaller.js
Filesize
2KB

MD5
2d4d6d3c8aea670a0742f1dbfb2928d2

SHA1
f6e3fa626bd3d65e439f534ea215e477ae33f66c

SHA256
02ca4af05e5620f2bc7bd253cf002259dbf3908a8dabb941496c35b790444967

SHA512
130969c86ecdd1dd9fa7bf88c15a526262992d93c40207e334f4774163789e3605851477480f15012b04dc678b4daa299104d63a495017a947af709fd2cb34cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy10E5.tmp
Filesize
323B

MD5
1cba3d2b2ba9f98df085d3990f07b5e6

SHA1
8c697a51b469e81c13b47141892c737ee7bed449

SHA256
c9861cc55693ab957350696bb6293f5bfafe34f763911a50ceb1add410298485

SHA512
f303e1382388f1a4daad33363b7814d3b2c45fc38c7487e17d5be7e6b2520eff2ffb5b19fa933a89d8342ad38dbdfdbd8cac355ae78ae7af559f357e3a05bbad

Download Submit
\Program Files (x86)\Bench\Proxy\pwdg.exe
Filesize
121KB

MD5
18792d4133445af44bd08f505f14efab

SHA1
60f3c4726f5ba1078c9800e588494f9e5519c45e

SHA256
91345675a1b433a065f798daa2cdf88e0a8eb57166e7a12ab295b98246f8dc63

SHA512
e5af45e2bb2039ec8813985b8e8eda138a7c546fda46054fb554b0d366eb52eb89180052d97f15956a88698d634c298b50a5442633375e668756f3a10912474c

Download Submit
\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
Filesize
382KB

MD5
729975e07ead4a4b14d020c2bb446833

SHA1
a377d56bba939d9d59a51ebf2dbebe9a83ddf592

SHA256
df0722816ac196ca7b93bcfd66f2d6d1c42157735ca8c451cb09bebc27cf1c5e

SHA512
a9aac9f9894afb0052466222913f1165090db85849f0d5830d43d264d3f3d6c5c5e2c4251c92ad0eb4b5e5deb75cab8c078b5eb26ed85a5be04113cbbf717d03

Download Submit
\Program Files (x86)\Bench\Updater\updater.exe
Filesize
65KB

MD5
27862bc4eb31d1e68b866a9f32c87fd4

SHA1
0e367886bb0a2964c9ad5990fdb598ab31d3239c

SHA256
8444ccf83e977eebb3a8372f5d4795a965feb5ff2b4b5dfc26f4c527539b139f

SHA512
e17fd66383ede094bb437e119882bfb4906fcf3a49d9892366346d1c32f66bac5344985815a1c33f71aa8aecfbdd796cc68e2237ac2e1288139b03711b9c65ce

Download Submit
\Program Files (x86)\Browser Protect\FrameworkEngine.exe
Filesize
287KB

MD5
c1d223cde6b66b5fa3f7d412e3f89f08

SHA1
bc09964e78af600a0a154fd8e1df1b681bd9d74a

SHA256
e21a4de01eb1c7375ac17117d4413831700b5648312cb3dc1ab9af2f3b733ba0

SHA512
08b440ee272503002a13b97ff67420c797cf96c642f97012659db8ea349beee3cd0f1ad3e2dbf842d4cfef7fa381020b60f389e42b0c7c5e3cc10368bba65e22

Download Submit
\Users\Admin\AppData\Local\Browser Protect\sqlite3.exe
Filesize
481KB

MD5
82771129b12517cf5c6e2244d14e8360

SHA1
4e2a55e517f0e1324d3e8840e7db41f3883e4a01

SHA256
3441036aa8be132d8476bbee2648e966db130e3fdba1eb97c9972d55248bf9bc

SHA512
862028b3ae8bf3ae8e218326a5df634b19d816bcd86b830675214713e543d7672cead28e3178ef23081d508501630e4ef622066f123681c3c6d98d19e6e20c46

Download Submit
\Users\Admin\AppData\Local\Browser Protect\storageedit.exe
Filesize
75KB

MD5
161f9defe2b6718d7773d964f5c6dfd2

SHA1
969dfcda9ec0c5c2b084f9900445836422cb36fd

SHA256
578de2953c01d158c93d02a8f59933af8678be0b727b8228566c4d494b00f7a2

SHA512
98813302ac4e8c80a755f4702a8547f526ee29d6ca294d89fd248f83fa8efb134ed40b3099f0b092eac9cfb9f9d6cc3e83b4108bb7961526576520b5cf39a656

Download Submit
\Users\Admin\AppData\Local\Browser Protect\uninstall.exe
Filesize
200KB

MD5
4fc88ab57b4fcf88a597b4a4fdd57826

SHA1
d2519ac875570f9e06b8fa99c18526a2d2b6f840

SHA256
b98d1ed86b18de42d844a80f5e4c009dd3730ac0ee2a3073198afbea489613f4

SHA512
c3bc2f293a1dd67a7112c5b1523404bdc70a4a27acf1eb393ad76d6f8c6b9c6825ae3ecaee6c3452eec4fd8d7253d33f01152c377e7edc66d608512f28e7498e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\md5dll.dll
Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\nsDownloadCv.dll
Filesize
91KB

MD5
f8015cfe53598e99ae8c45527b544a61

SHA1
0b808cababb0fdb0ec4ebac25d433af82db9e9a4

SHA256
d5075a3547cc098065253dced11b018d732644e071eff174787ca27942b73139

SHA512
e1ba9a90896d00fd12ce9b76d36ecc2da5e14a0c81d58d9890ab777f0b3e90d355ac086052252876a92ac0df3a6ef9ab97fa9618ce63c4296daa7b8777be2cd4

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\nsProcess.dll
Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB29.tmp\nsProcess2.dll
Filesize
35KB

MD5
6e96ea8b0dfdb326c0852a5b64d920a6

SHA1
5ea182cb6ae5c104ca064fa8464df8ed1904eaa7

SHA256
b8762c09c2b45fc836c65a9052951de05177651d278e4cf154c754d9f5573e7a

SHA512
02d0bd8f16ddad829b80764926f1e6dcfb35b60fbce02bec0a7fc2011164d86f633074af012de71fae33b90732ec4c7633f8a70ab24c19717926757f9c56fb4f

Download Submit
memory/1204-181-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2972-15-0x00000000002F0000-0x00000000002F9000-memory.dmp

Filesize
36KB

Download
memory/2972-13-0x00000000002F0000-0x00000000002F9000-memory.dmp

Filesize
36KB

Download