5e3e984d129f242ead803a393a0376972434a4fd3732065ebdb7962fd4b08719

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d23611706b56da571712099a7feabe2_JaffaCakes118.exe
Size

2.9MB
MD5

0d23611706b56da571712099a7feabe2
SHA1

02b50c0e7c3ed4258cea1258c5bf9e035c14ee59
SHA256

5e3e984d129f242ead803a393a0376972434a4fd3732065ebdb7962fd4b08719
SHA512

78c191897a83a8cd0a9254d3fc5b2df61fbeab847ac40c044b504631e3c6a929095a64d349081e4c50514fca723ad3c03fd6ae1769f3a944dc1f36b9dceefda0
SSDEEP

49152:iOgyc8rcJRy4T8elRVaMiBdo9sn7n5euiWndluRTAEvXPlqVsUIeFIQG:iNyYjgXB6927nKnlZXWdFIQG

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\WINDOWS\\Config\\csrss.exe"	YOURBO~1.EXE

Executes dropped EXE 2 IoCs

pid	Process
2760	YOURBO~1.EXE
2692	CCSETU~1.EXE

Loads dropped DLL 13 IoCs

pid	Process
2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe
2760	YOURBO~1.EXE
2760	YOURBO~1.EXE
2760	YOURBO~1.EXE
2760	YOURBO~1.EXE
2760	YOURBO~1.EXE
2760	YOURBO~1.EXE
2760	YOURBO~1.EXE
2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe
2692	CCSETU~1.EXE
2692	CCSETU~1.EXE
2692	CCSETU~1.EXE
2692	CCSETU~1.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\MSWINSCK.OCX	YOURBO~1.EXE

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002c000000018671-4.dat	upx
behavioral1/memory/2760-9-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/2760-29-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Config\csrss.exe	YOURBO~1.EXE
File created	C:\WINDOWS\Config\csrss.exe	YOURBO~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YOURBO~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CCSETU~1.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000186a9-30.dat	nsis_installer_1
behavioral1/files/0x00060000000186a9-30.dat	nsis_installer_2

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0 (SP6)"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	YOURBO~1.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0 (SP6)"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP6)"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	YOURBO~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	YOURBO~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	YOURBO~1.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	CCSETU~1.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2760	YOURBO~1.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2760	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2760	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2760	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2760	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2760	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2760	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2760	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2692	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2692	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2692	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2692	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2692	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2692	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	31
PID 2640 wrote to memory of 2692	2640	0d23611706b56da571712099a7feabe2_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\0d23611706b56da571712099a7feabe2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d23611706b56da571712099a7feabe2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YOURBO~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YOURBO~1.EXE
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CCSETU~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CCSETU~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsz61E1.tmp\ioFileY.ini

Filesize
907B

MD5
4aa4e9e6b39d7e3687d7edad109fe4bb

SHA1
46a712d29d880c7d1c2e5d011223e29df690cfe3

SHA256
a3c8b1a1f244d17b482ba87403355f0701afec2841c60a1289d7f24cc25731f2

SHA512
a75b79df89ef26bf12dbc935cfb978630a466090fa696388149089cd97aa7ebf505439af09fbdfa4bf413d596a5d5bb847a86492eb3ed8b87e479aa5384220d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz61E1.tmp\ioFileY.ini

Filesize
998B

MD5
f3cd975bcf1d59f8a1a904407fdd23ee

SHA1
27221e578f1b567d14a54274944b7e43a3db2bc0

SHA256
bc6744e2a47eb3f2bbcd4846837af03c4e86efcbe7e7766a3400b71cb37609cc

SHA512
7e4e5ee6473422ce3872d7a509153b374585f6109986ee6aa58d103c222a0b9410a2f59f1e858fc1e076f823a5f0028f2bce1ac44176219f2c5a1c5216e3f91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz61E1.tmp\ioFileY.ini

Filesize
998B

MD5
3d97e02a7d10e04fba96d111ae7bac21

SHA1
fb1708d8e6e77153dbfcb25fcb7072a79fcfbd38

SHA256
66481483190760f925057a9141cf17e54f604b2cb753e1f35e0536d457a615c1

SHA512
5517d7740d4130fbbd9a43a022aebdfb7400a8f604090ad083bc327e0c626f2a0199efcd8b856b64017ec89c3af6a256b6cd6b91b93a3077c3cf7f41fc592496

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz61E1.tmp\ioSpecial.ini

Filesize
696B

MD5
118a8c6b67dc0d77cbda533221ddb5a2

SHA1
11c4a42470aca4f7cb1caefe23b347d142cdea05

SHA256
792f6fe8686c7186059782983b16caaf94abf2badfe01bb3b9055b771d9b4e62

SHA512
a9333324c2fe1d19f26859497b47ab655f3f3ce4d44074c6db2a9323fda72014d1f72d4918d78f54a230b15a5d6d942bd0d34bc08cf104daaf897556ef7b9559

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CCSETU~1.EXE

Filesize
2.8MB

MD5
24a0dd9ffd9ead72861cb8b6aa52f3a6

SHA1
01fd7f8ae11fb035f76187dc6974c3fed5191224

SHA256
854b39d1960eef409ebc812a52a7f640d53c653426f9e54af73adfbfbfa2f46a

SHA512
64d8638eab14235c0f88ef6a92c009f45162b6b7e9605cb4e20e3a176182030fb0cb6429383383024cac94ed72614f161b0b02741bca9fc8148aca0ac894ecab

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\YOURBO~1.EXE

Filesize
138KB

MD5
0827f7abf77b7b796a93d3db831282f4

SHA1
b405ba9eeda05d929c5caba92976374bd30a21ee

SHA256
d96295ccdaf3588caaa5b8d6d14c9f271ec8256a323a6be1adfeae0a87bb724a

SHA512
efde484ba27cd9ef078484b612c8dd0e6fb58f3132da2f2e3a076826a6b4786b12ea361e4fd83f19a881b3ca1d772c3f3be46be9cdab1b646c156917aa9f8783

Download Submit
\Users\Admin\AppData\Local\Temp\nsz61E1.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
\Users\Admin\AppData\Local\Temp\nsz61E1.tmp\LangDLL.dll

Filesize
5KB

MD5
8c909780802ac2097ea4132e6375acd2

SHA1
b35fbda0725d7c66281d5c340b53eb5d54922583

SHA256
c66b568cd675806a499273e3e8aeda350425aac17fc24342ed54e477417cdc0f

SHA512
e94a37c586e55de8b61b427c14a385dcc57f3602d3dace90ad4663609da14a922cb78f76a58ed211549e987ba6f130cf2581eb48bcad2c9c25c6dc93a7ff6d08

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
121KB

MD5
e8a2190a9e8ee5e5d2e0b599bbf9dda6

SHA1
4e97bf9519c83835da9db309e61ec87ddf165167

SHA256
80ab0b86de58a657956b2a293bd9957f78e37e7383c86d6cd142208c153b6311

SHA512
57f8473eedaf7e8aad3b5bcbb16d373fd6aaec290c3230033fc50b5ec220e93520b8915c936e758bb19107429a49965516425350e012f8db0de6d4f6226b42ee

Download Submit
memory/2640-36-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download
memory/2640-6-0x00000000001A0000-0x00000000001AF000-memory.dmp

Filesize
60KB

Download
memory/2760-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2760-14-0x0000000000020000-0x000000000002F000-memory.dmp

Filesize
60KB

Download
memory/2760-15-0x0000000000020000-0x000000000002F000-memory.dmp

Filesize
60KB

Download
memory/2760-16-0x0000000000020000-0x000000000002F000-memory.dmp

Filesize
60KB

Download
memory/2760-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads