bc54c023051826946addecb5d79d6d803ef9954284acb58f340344765ee232bc

Analysis

max time kernel
144s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 05:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
Size

2.3MB
MD5

0e33b00d35c755562043fe7fe9b7ae77
SHA1

a90f1b32e7680df523287a8a6394b66ff274497b
SHA256

bc54c023051826946addecb5d79d6d803ef9954284acb58f340344765ee232bc
SHA512

260e7b5ec24020bd5346494994093aef95442beb131dd1d71736022e17f055bce078b3406e5ec5cb244b8b4d26d6fe8e83ffb171e9082efb9774fed0a042d707
SSDEEP

24576:06lzh36fbL0ySYK63k4yO6AbzppgJLo01dvXjyolmkHCAi1WcrtpIqj7mEeKu2xQ:9AO6TN6ZLbdzlmaCAcjIO7I2QnjiY

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234c4-348.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
948	Toolbar_Phpnuke.exe

Loads dropped DLL 23 IoCs

pid	Process
856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
4624	regsvr32.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe
948	Toolbar_Phpnuke.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}	Toolbar_Phpnuke.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\NoExplorer = "1"	Toolbar_Phpnuke.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\NoExplorer = "1"	regsvr32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234c4-348.dat	upx
behavioral2/memory/948-353-0x0000000003010000-0x0000000003022000-memory.dmp	upx
behavioral2/memory/948-352-0x0000000003010000-0x0000000003022000-memory.dmp	upx
behavioral2/memory/948-351-0x0000000003010000-0x0000000003022000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\chrome.manifest	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\install.rdf	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\chrome\content\dealply.xul	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\defaults\preferences\defaults.js	Toolbar_Phpnuke.exe
File opened for modification	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\defaults\preferences\defaults.js	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\DealPly\DealPlyIE.dll	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\DealPly\DealPly.crx	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\Mozilla Firefox\extensions\{EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}\chrome\content\images\dealplyIcon32.png	Toolbar_Phpnuke.exe
File created	C:\Program Files (x86)\DealPly\uninst.exe	Toolbar_Phpnuke.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Toolbar_Phpnuke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234ae-264.dat	nsis_installer_1
behavioral2/files/0x00070000000234ae-264.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}	Toolbar_Phpnuke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\ = "DealPly"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ = "C:\\Program Files (x86)\\DealPly\\DealPlyIE.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\ = "DealPly"	Toolbar_Phpnuke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32	Toolbar_Phpnuke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ = "C:\\Program Files (x86)\\DealPly\\DealPlyIE.dll"	Toolbar_Phpnuke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6174F27-1FFF-E1D6-A93F-BA48AD5DD448}\InProcServer32\ThreadingModel = "Apartment"	Toolbar_Phpnuke.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1800	msedge.exe
1800	msedge.exe
3928	msedge.exe
3928	msedge.exe
1064	identity_helper.exe
1064	identity_helper.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe
3928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 3928	856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	82
PID 856 wrote to memory of 3928	856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	82
PID 856 wrote to memory of 948	856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	83
PID 856 wrote to memory of 948	856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	83
PID 856 wrote to memory of 948	856	0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe	83
PID 3928 wrote to memory of 3688	3928	msedge.exe	84
PID 3928 wrote to memory of 3688	3928	msedge.exe	84
PID 948 wrote to memory of 4624	948	Toolbar_Phpnuke.exe	85
PID 948 wrote to memory of 4624	948	Toolbar_Phpnuke.exe	85
PID 948 wrote to memory of 4624	948	Toolbar_Phpnuke.exe	85
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1896	3928	msedge.exe	86
PID 3928 wrote to memory of 1800	3928	msedge.exe	87
PID 3928 wrote to memory of 1800	3928	msedge.exe	87
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88
PID 3928 wrote to memory of 2000	3928	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e33b00d35c755562043fe7fe9b7ae77_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pf.toggle.com/s/3/2/32235-93100-hitman-pro.exe
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff998e246f8,0x7ff998e24708,0x7ff998e24718
    3⤵
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    3⤵
    PID:1896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
    3⤵
    PID:2000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    3⤵
    PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
    3⤵
    PID:4724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:4004
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
    3⤵
    PID:4400
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
    3⤵
    PID:1900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    3⤵
    PID:2084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
    3⤵
    PID:4860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
    3⤵
    PID:948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
    3⤵
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
    3⤵
    PID:32
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1480170792421428585,5016441998649539750,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4032 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4428
- C:\Users\Admin\AppData\Local\Temp\Toolbar_Phpnuke.exe
  "C:\Users\Admin\AppData\Local\Temp\Toolbar_Phpnuke.exe" /DEFAULTSEARCH /DEFAULTSTART /S /CHANNEL=dptgl /TOOLBAR
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\DealPly\DealPlyIE.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DealPly\DealPlyIE.dll

Filesize
76KB

MD5
ee5fb0fd8c2d19d90e8fad8e8636a38e

SHA1
5d41abc6c1e69e72466eeb4e4f2128ac0343bb16

SHA256
02e1d44c854de1f8400a1cc24c2ba89efec402cf327dd192b0c581c6e01dede9

SHA512
607212af21ecd1d0bb0f308f566a457c8ed57d71eb4848242f5efe450de149b232c0953dde49140a8b4e6571fabbc21196272a1a856a6b34cb2da27c38def68f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3c4bcd7af7ba844556b0451fcc0c954f

SHA1
5835daa1c794f83f7a5ce92db132b8aa9fd80399

SHA256
8f1cfb67c0b3277d6539a8fa3e423e83a595367b614bdbc7bf7877163ab9da5d

SHA512
1bebd771eaa561abaa7e294156d8754fd3f892c736a7213800d1e86ce9f9f8434e78dda1af9ee5643505e59452b92e80014d4176ea042365d2af357143c05f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9034a6dbc47c23e75dc6cc63718852b2

SHA1
0b647aeaaf7e24ae9ff4bae084cb6a2e962785d0

SHA256
d3b7c3acf75702a964c6f8447efb30fa9c517f4dfd5fc1b5681711c9b0e08d12

SHA512
55d9c46b3b2103b4d6bf999f7bec822cb0c6274b4546200c784dfd8e7eb82aa8b4e59fcd477485cfe4cdaf3d0f684fc5701353f1357d02d659d28a1c8f3bbf06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4eec0b2e850a1b7b96c4fc297f852d46

SHA1
c2ec40af804c606d8d811b31536b5a01bf9d5ed3

SHA256
a16c9ccb80919064b48e396ebd6afcdb3fb4dd5c984b66fad438a1add93fdd10

SHA512
28f1f074af649f82ab5d5e536d6bffba4e43bd4992067dfac0a60928955f8ce1c3592a0006206c74a872b3bbae326d5b555169001364b9157dd9448a1be9b311

Download Submit
C:\Users\Admin\AppData\Local\Temp\Toolbar_Phpnuke.exe

Filesize
210KB

MD5
1e3e68a0a110922361890ff0de710d74

SHA1
adf466a53c099099541e48655118e2dfeea75be2

SHA256
0930a168d6c22438d2d55cda730b93b330e849325d6ac47590682b3417541baf

SHA512
3a769923b6822dc4d62f3bde718efa87c3da8d5fa7237128236c6249e0d4a1345c0c1b23fdf669052ae30551ac79258ab9e654eb44480b7f0033ea460562f565

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCB21.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCB21.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCB21.tmp\nsisdt.dll

Filesize
5KB

MD5
df4795dfabe3bc9278a73d496cc4b40d

SHA1
2648ded47e29ecf3e1a1cc20c631e83caf566897

SHA256
2261027077f23c8dba6b72af28862832aaa059740d0f5634b46cabb14326dd10

SHA512
013d9712c3d699a7f41ab3e55931c9abb421fb2eda3542da5a4831ad2f073a1b0643120cc78147db0bfcd01df98ade3045ecb2f1e252fff1dc40be845e5ae303

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\UAC.dll

Filesize
17KB

MD5
09caf01bc8d88eeb733abc161acff659

SHA1
b8c2126d641f88628c632dd2259686da3776a6da

SHA256
3555afe95e8bb269240a21520361677b280562b802978fccfb27490c79b9a478

SHA512
ef1e8fc4fc8f5609483b2c459d00a47036699dfb70b6be6f10a30c5d2fc66bae174345bffa9a44abd9ca029e609ff834d701ff6a769cca09fe5562365d5010fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\ioSpecial.ini

Filesize
1KB

MD5
3f202db385148217d79d53f06462e686

SHA1
6a9c47bc42173d96cf16c8a154c1bcd88e395d4c

SHA256
6e60397746fc1cbc1935279d65dcf5a087a148071fe9bb772798ee7eba9aad26

SHA512
1e9697d383daf03ee362e105bad8fca4d908ce79f29b5032d6a1b7305e38c94385eb0a434e96af7e5eb69fe3d9e1ce0a3588cdd40b6cd2c0e083f27f9fa3c836

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\pantallatoolbar

Filesize
1KB

MD5
4556800e1026520af6a9ae83cdacdb62

SHA1
718fe152a40ee68a685c3ed1b2e3063d6d537497

SHA256
031a161d5e80ba5026cb406c2e2e01fb3f6711b5f4bb3939aef9d5503b818630

SHA512
b38bdfff1e3403e98953823845a869af6cfee4170dcc0ffdd0a926ef83c0a9fe6a985da9f2baf0bea89bd502843fcbec2e74b6b51bf358e58380da974b038a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\pantallatoolbar

Filesize
1KB

MD5
a78e8ff7b6e3a803e270a8a5fc09bf11

SHA1
887c43a761f779c5e9553bc74f71e5a5b159186c

SHA256
469f0e1643f6a75f351a7ffb934e00a392593e7f09956a86fe7391f8f73fd731

SHA512
2653c6808a9a9838e2ba424a83dad239eb17cfb719f490986dd93b14795421921b08087e25fb256344bcc1a03c64659ef8e2f96223f8d5bcfaa1eb0681e95155

Download Submit
memory/948-354-0x0000000003010000-0x0000000003022000-memory.dmp

Filesize
72KB

Download
memory/948-351-0x0000000003010000-0x0000000003022000-memory.dmp

Filesize
72KB

Download
memory/948-352-0x0000000003010000-0x0000000003022000-memory.dmp

Filesize
72KB

Download
memory/948-360-0x0000000003010000-0x0000000003022000-memory.dmp

Filesize
72KB

Download
memory/948-353-0x0000000003010000-0x0000000003022000-memory.dmp

Filesize
72KB

Download
memory/948-359-0x0000000003010000-0x0000000003022000-memory.dmp

Filesize
72KB

Download
memory/948-355-0x0000000003010000-0x0000000003022000-memory.dmp

Filesize
72KB

Download
memory/948-356-0x0000000003010000-0x0000000003022000-memory.dmp

Filesize
72KB

Download