bc54c023051826946addecb5d79d6d803ef9954284acb58f340344765ee232bc

Analysis

max time kernel
119s
max time network
144s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
Size

2.3MB
MD5

0e33b00d35c755562043fe7fe9b7ae77
SHA1

a90f1b32e7680df523287a8a6394b66ff274497b
SHA256

bc54c023051826946addecb5d79d6d803ef9954284acb58f340344765ee232bc
SHA512

260e7b5ec24020bd5346494994093aef95442beb131dd1d71736022e17f055bce078b3406e5ec5cb244b8b4d26d6fe8e83ffb171e9082efb9774fed0a042d707
SSDEEP

24576:06lzh36fbL0ySYK63k4yO6AbzppgJLo01dvXjyolmkHCAi1WcrtpIqj7mEeKu2xQ:9AO6TN6ZLbdzlmaCAcjIO7I2QnjiY

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0003000000003e6e-333.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1872	Toolbar_Phpnuke.exe

Loads dropped DLL 18 IoCs

pid	Process
2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe
2116	regsvr32.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe
1872	Toolbar_Phpnuke.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\NoExplorer = "1"	Toolbar_Phpnuke.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}	Toolbar_Phpnuke.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000003e6e-333.dat	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\chrome\content\dealply.xul	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\chrome\content\images\dealplyIcon32.png	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\defaults\preferences\defaults.js	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\DealPly\DealPlyIE.dll	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\DealPly\DealPly.crx	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\chrome.manifest	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\install.rdf	Toolbar_Phpnuke.exe
File opened for modification	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\defaults\preferences\defaults.js	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\DealPly\uninst.exe	Toolbar_Phpnuke.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Toolbar_Phpnuke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016d20-261.dat	nsis_installer_1
behavioral1/files/0x0008000000016d20-261.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000065dc0655b43cbd41af6eef66feecc54c000000000200000000001066000000010000200000002a618b718bc03d1652fa9a187807f449fa942d6a33832a3f59cbedd7886ddfe0000000000e8000000002000020000000a652ec5fdb2cc9de04c8d8228c11e1c96499d82917a1d58f8f53cbf4b2ab42f520000000bcad3359891962cd43e2a789765e2c9659db3c69d81c2efd7887c678e066044c400000002b698ac67719870ee54a14c2c30dbbd42e3a395789390a9fe8d10cc14574bcd51280b9560dbd089619a35839bc62bdc541d18d616b8e23ecabc937f5278c32cc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 107979a95715db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000065dc0655b43cbd41af6eef66feecc54c00000000020000000000106600000001000020000000b483218c323fdfecd297e2fac4b5becbd0a5e5a6e36b1c27e4d0788902104ea8000000000e800000000200002000000082acbdf3837ad1d0841421884c86614767280861c64a4bc5382d0c0353dd9e3890000000acc2cf00ca24a140a30a7e847c15b535045a3929ed9a3e40dd80c07ea6633062be5d5b8ef38d2774bb95a3ff736da13120ce201b6dcce6017b43609679e5bebc1d4ddd95627976bf66a9b665cc9e21fc9467c39dc267ab8ecc9386f630931ad1109429811a35fb4f10c9f8bb7f78b29c5812c9674825ca820d4438056743c9ee93d1f3e3c5468ae0fc2be08bca469ce34000000050af25933aec105d2bcdc8849f017b1e741c2b841efb35c89b68fc43fdc9ee41c4ce0e335c57a11db2872a0da4a4868aea51305a117963c72044adfa00d64889	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D20D0B81-814A-11EF-913A-D61F2295B977} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434096250"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}	Toolbar_Phpnuke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ = "C:\\Program Files (x86)\\DealPly\\DealPlyIE.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\ = "DealPly"	Toolbar_Phpnuke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32	Toolbar_Phpnuke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ = "C:\\Program Files (x86)\\DealPly\\DealPlyIE.dll"	Toolbar_Phpnuke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ThreadingModel = "Apartment"	Toolbar_Phpnuke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\ = "DealPly"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
768	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
768	iexplore.exe
768	iexplore.exe
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE
2396	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 768	2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	30
PID 2800 wrote to memory of 768	2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	30
PID 2800 wrote to memory of 768	2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	30
PID 2800 wrote to memory of 768	2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	30
PID 2800 wrote to memory of 1872	2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	31
PID 2800 wrote to memory of 1872	2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	31
PID 2800 wrote to memory of 1872	2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	31
PID 2800 wrote to memory of 1872	2800	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	31
PID 768 wrote to memory of 2396	768	iexplore.exe	32
PID 768 wrote to memory of 2396	768	iexplore.exe	32
PID 768 wrote to memory of 2396	768	iexplore.exe	32
PID 768 wrote to memory of 2396	768	iexplore.exe	32
PID 1872 wrote to memory of 2116	1872	Toolbar_Phpnuke.exe	33
PID 1872 wrote to memory of 2116	1872	Toolbar_Phpnuke.exe	33
PID 1872 wrote to memory of 2116	1872	Toolbar_Phpnuke.exe	33
PID 1872 wrote to memory of 2116	1872	Toolbar_Phpnuke.exe	33
PID 1872 wrote to memory of 2116	1872	Toolbar_Phpnuke.exe	33
PID 1872 wrote to memory of 2116	1872	Toolbar_Phpnuke.exe	33
PID 1872 wrote to memory of 2116	1872	Toolbar_Phpnuke.exe	33

C:\Users\Admin\AppData\Local\Temp\0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://pf.toggle.com/s/3/2/32235-93100-hitman-pro.exe
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:768 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2396
- C:\Users\Admin\AppData\Local\Temp\Toolbar_Phpnuke.exe
  "C:\Users\Admin\AppData\Local\Temp\Toolbar_Phpnuke.exe" /DEFAULTSEARCH /DEFAULTSTART /S /CHANNEL=dptgl /TOOLBAR
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\DealPly\DealPlyIE.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5df2fe502b4d03c9f398aa716371b518

SHA1
01510e9c681b88544282744625733f17e40e058a

SHA256
f01827dcc78af9cb052a13c8231359daafeed98361eb794717102f10c1f1cab0

SHA512
ec6311f06c763c755e615c6480559abbf98a69cef526fc839a17c698ba88e61f359ca91f01046846ded0faddd01401149d69886e55728d3459f1ed46063a9963

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cce1b120add49bf14e8631c921009487

SHA1
6cd2bd9246bb9b8878f443f580561bd7dd3f7a8f

SHA256
d070cf811ea152de81649f9ce786a1bc4cc9b2be386d214cb3ce8fbfdcc0f8eb

SHA512
fe268c6dad5178fb0aa16d1396cf4940215bd6c954fb6e6fddf544f0d9684e5be14ba2172fe224d6dcefc20a3786ed228972a624b238357ac5a78810d0459feb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fc4dc45f1b8088693c358a0a1b7f66e

SHA1
373a6f755491c5ad53799e084c20ff9e1a44dd70

SHA256
d632a402232b7b5f960e056061d8718ef863f849e51e65544741511d791d4eb8

SHA512
7227e450a4a02c094f4297affcb7da264252cb57db2aa61c26e381648803e98b6b23e844ab82b9114ea90b56f6bb232570f0b5e918ab4bfb47abaf62d2db5b2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40a59b4e188ce9cb27d7ec59d536cbfc

SHA1
4b40d55e28b3ed7a6b6573a8f9dccfdf7c42b38c

SHA256
add238ee11dc9c76148ddd693e9bdbd5b4baaf8d85d044f0c85211316743b4b6

SHA512
5cb5e305f10cb531c5068b95e06679b71bd0dacfc868183ab67bafb45797b4a2115215a46cf8482018251ca923715637d7378e91fb884aa4f39d362231ecf490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
247903ef13c289cc0692dbf43f62510d

SHA1
db4f085334262bc147c59625f2802696aa6cfc63

SHA256
c2d7d8097f6f43ef50822ffc22f25254878e3984e28cd7fa096dddb0617ba096

SHA512
b4728bbaa0c45770c4d408b4b5ea345f1e5b02d5c62831214df506e0c484b2969ed6154a875a8b24327b3dcea4cc8b720a24dba161f2d238094b4e61a9218228

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cf2e1f9ce37759f00dba26d5d4d5eb5

SHA1
d93dc28b66bc56246c270b701ce3ce03d79d264e

SHA256
8c13c49a6e6208326e534dce2d0c7ab5e8fe6ac68e8b5c244fd7b6e3d7a75310

SHA512
565faf38353cebdbc07b46c5414cd9e8b81a39a7ffd453fbc9b12cea1ddc80362171f2bc0b4dcb1086f881b7e54628d1a143b3996ead9b8676b0c126cf4e5ed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6abaa76265075207d7538e1e53f67cf0

SHA1
9a6a4bf776e62e76675721050c1273e615d613c1

SHA256
6b42632a4437683475c0a9287c2aef47815438c5b1ecd0cd4e3df6462b4b5bc2

SHA512
0c3922e0527ea9df9537b2c92511a10c93dc09128ce37d4b95798f333de48a444436de6d7172d212028155b1a916c077417363a924d3de12a5ed9b6a98895f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69b8224c0af57515d0e4791228624717

SHA1
62caadb988972f8ce4e151962af55192c4d12cee

SHA256
46025c84fe5069a32537ac79eddee4f38a77e686e4726a3817123852f6f2e3cf

SHA512
42bd349e10832699e2c9cb2bab6a2bae204c57cb75afea50a3f0f3f837213c3ce2bc7fb1a1c0bed7c9b3e301a2fe689c3f2cfde026e72668df0960dd2969a8b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de2a664fa7433dc6e2423fcfb6266ccc

SHA1
6de2ceb4158fdfb479241c5436b9395c3d804e33

SHA256
392c218d791e2be4fe4ac1c3ca8a5b55d52fbef22ad553a8fb6f30f29db42c61

SHA512
996d39ed7efda28e3850d8c23f6d4cb76730b7dc2536bc997b9cfee8daa447ff42bff2b5aa53d4d9f12aa376909779cee6c167f5103af06a3f2f31665fc510a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e122a974406b4e1fe45e9115d375277a

SHA1
7204842bd3a4582b26d1803e3d6b7ff65e5de836

SHA256
524e69022183c665924137fcb7b6633442e21610f836ffbb676191aa128e88a3

SHA512
dcf9505e5e6af643a2bc966f18f5153749b71939b7df7b340e3b817959d7aaeb35d972d66da2766b3d4080c61e04186c2468128319a5735e6b9b6e5c25f4a147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ca73b40931bd20fc21dcd6a4b1cab80

SHA1
0a50485b258724ee081c2bab0a8445790050f776

SHA256
1c12452d7528f5864ec3e7c7ed6575f3f486d50c9a6bf6c9c84e83c54f8d75e1

SHA512
e3045799f6c357eec44016dd5d36c47e17cc62ad453a2400a2f845f612cde04ece9d6b0e40ac245349283bd5b6d46b00201e3ba15e10fbc75035264b4f8911b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
052e39a269441d6a8242dbb8a396d9e9

SHA1
c57ecd2fa26a34565b6e77dd0eddead78b703298

SHA256
c178f27cf4464945810ba8e7eefc6b88f3a5ce7bb98377e6ca5e844509955474

SHA512
ab8e45d5ecda146566d500a3dc12d93299b8637e63cd07e26e19c4abf6dae7de5125379a59ab93b83bee9c9be2eb787ee7769418c057212ff7682d08327f7921

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e147791f28a3fd3da2577702fdc468f4

SHA1
54399cfb5cf5926670625a5a609118daab48bd04

SHA256
99af7073e249709e6b85e7c22e07848d18cf0c0036a9f09f1226eda5f7fb935f

SHA512
8173e71e939147445bd4ab6746344dcb242d1c67bb8c3d8ee5ed15fe451c1517d0e6927c40205e7fa7b05113b1555eefcab41a932b09a45fbbe165631270f3a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18e5f259f1593214f8fa5f88fefd4092

SHA1
65ee0693402e3a0c4785a99bf2cc4e1d08846764

SHA256
c5851790deaff6cba76ee6176bd07fa70e5448d6d190f2fe633d4bbe0990a2f1

SHA512
351d20e4b1fae31d210093380a6d63a88412cd78d1ae148cfea952b5d5a38eea1704deeef96c16b46c104216e1a4936c69d9ee63499ee08d03aaabb014974021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c70747a0063ef0630e3e240c49e6cf36

SHA1
c0bf67acc29f50f8d894192a1246c28dce91598f

SHA256
fe362e6581b105798e2336247fe0f62aff457b6bc1c6993a70fc4b4161ab8f96

SHA512
5093f93989926c546641f8dde77f1d6f9053a21d866a10a9666adc59b1ca46ccdb9a9b53b8afd97fe107c8c0241b38b079047fc806fea7e8962b4631e6e4e9f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c61d0be22a8eadad39e8cd3d55f90e6d

SHA1
bb26906ac308d947b7b46344d533455b2b85c4e1

SHA256
2d2880c6c0a0aff78631b779121decde69644eec04620447540a433210ae2970

SHA512
97d9f3ca315d2ebb53aed1d3396c8f3dad43f180123851b4ceb1ca5fe5d64d150cb0023d1cd5ec7650eeec65d672db81d505f611a83edd5beba58b330788d8d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e084b509058359f290f945a62e66d0b5

SHA1
af1708f1790b5b320d6bd9a4aa84aebea7ab618f

SHA256
f88ea20e3ebeff1294ec13648a6dd8b96e7623f8c3708628d2d239863eda5448

SHA512
2d1c7d2abd36f62d13c881d7f6812c37475b05f8769d55345c2b5eaa65de63355c081888351b99c8714b96068749b9fd9464f63779de971c16e3ca89c8f14c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFD0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD06F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd68C2.tmp\ioSpecial.ini

Filesize
1KB

MD5
bf84c7bba211cb12bf94b7d4c9754ee4

SHA1
75c00d5acb913455d99a44b4a33eff66048649b9

SHA256
d3774c7fd21f60d6dcfa8420f65f4c3cf7be9dcf0b910134537e2f25d3da42b9

SHA512
9f8c4ffdd873822e0d2f516cfa1d713826584fb38d8a52632a5610ac6301b1084a59b35d8298d0bf08054de8a4c8969b0a54a94019fdb3565dc6644027418395

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd68C2.tmp\pantallatoolbar

Filesize
1KB

MD5
f5c3baf2e03a0ba35d6c56a3c1473bb1

SHA1
8da3dfcc11f9e5e202c9e6568cb7af131f30e074

SHA256
ca3defd835363639cf2f8f57a67c9cb448fde541fc518f90d71c9de3fecb2dc2

SHA512
756763adfa53a66b6260d40312169018fb1a5e4121f70d991d7aee5021b5fb2de25b36e0fd9ae02eebaa219ddf8b7c7f20553a1dfc5f9a7aa2f23e0a0bca9f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd68C2.tmp\pantallatoolbar

Filesize
1KB

MD5
afff1354464a372a4a09ebb65d2d1c3a

SHA1
d5dd30689a4672c73dc01b83de42e8411b91c552

SHA256
5cf2f911d42f85552474ed3c03ec709ad70f78f49fbce09d41db34dea861c648

SHA512
2d7ce723e1da81aa656b6a67190b1335a6396d328e09f828c60a805ae9786b164031eb91428dc64c64b2915a0a270d6c1658d77b9b35700431e5fedb974af216

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd68C2.tmp\pantallatoolbar

Filesize
1KB

MD5
fd3b1244b806ee6c04f43258623c4d31

SHA1
b8a7566953fc115150d889e30d25bf4343860a5b

SHA256
647b538b3f5482d8756bb4e5a5a258c2c8ad9b0cad606694a8e28f7bf2aeb138

SHA512
8ccd5b36ca1a5b3601f6647bc049713ea790066bedd52dba4637bbf6cf8f49aef3623618a38b1aa298fb98f5a4cee71b8d16af424fa10ade305350bc5f60b7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd68C2.tmp\pantallatoolbar

Filesize
1KB

MD5
a78e8ff7b6e3a803e270a8a5fc09bf11

SHA1
887c43a761f779c5e9553bc74f71e5a5b159186c

SHA256
469f0e1643f6a75f351a7ffb934e00a392593e7f09956a86fe7391f8f73fd731

SHA512
2653c6808a9a9838e2ba424a83dad239eb17cfb719f490986dd93b14795421921b08087e25fb256344bcc1a03c64659ef8e2f96223f8d5bcfaa1eb0681e95155

Download Submit
\Program Files (x86)\DealPly\DealPlyIE.dll

Filesize
76KB

MD5
ee5fb0fd8c2d19d90e8fad8e8636a38e

SHA1
5d41abc6c1e69e72466eeb4e4f2128ac0343bb16

SHA256
02e1d44c854de1f8400a1cc24c2ba89efec402cf327dd192b0c581c6e01dede9

SHA512
607212af21ecd1d0bb0f308f566a457c8ed57d71eb4848242f5efe450de149b232c0953dde49140a8b4e6571fabbc21196272a1a856a6b34cb2da27c38def68f

Download Submit
\Users\Admin\AppData\Local\Temp\Toolbar_Phpnuke.exe

Filesize
210KB

MD5
1e3e68a0a110922361890ff0de710d74

SHA1
adf466a53c099099541e48655118e2dfeea75be2

SHA256
0930a168d6c22438d2d55cda730b93b330e849325d6ac47590682b3417541baf

SHA512
3a769923b6822dc4d62f3bde718efa87c3da8d5fa7237128236c6249e0d4a1345c0c1b23fdf669052ae30551ac79258ab9e654eb44480b7f0033ea460562f565

Download Submit
\Users\Admin\AppData\Local\Temp\nsd68C2.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nsd68C2.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
\Users\Admin\AppData\Local\Temp\nsd68C2.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsd68C2.tmp\UAC.dll

Filesize
17KB

MD5
09caf01bc8d88eeb733abc161acff659

SHA1
b8c2126d641f88628c632dd2259686da3776a6da

SHA256
3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478

SHA512
ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA7C5.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA7C5.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
\Users\Admin\AppData\Local\Temp\nsoA7C5.tmp\nsisdt.dll

Filesize
5KB

MD5
df4795dfabe3bc9278a73d496cc4b40d

SHA1
2648ded47e29ecf3e1a1cc20c631e83caf566897

SHA256
2261027077f23c8dba6b72af28862832aaa059740d0f5634b46cabb14326dd10

SHA512
013d9712c3d699a7f41ab3e55931c9abb421fb2eda3542da5a4831ad2f073a1b0643120cc78147db0bfcd01df98ade3045ecb2f1e252fff1dc40be845e5ae303

Download Submit
memory/1872-340-0x0000000000840000-0x0000000000852000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads