ed7c3829f67a53b65f6481b9fdeafc511c081b545eb77a5ed219d32c995a06c9

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 20:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe
Size

582KB
MD5

2527d6920099c68d5021dfe79c4f4f7d
SHA1

6e95f6cac31d82d7991b64d8662fd3ac19a2ef59
SHA256

ed7c3829f67a53b65f6481b9fdeafc511c081b545eb77a5ed219d32c995a06c9
SHA512

b9ae830c89d32800e1c636216445446cf1ee313f14695a99612433f855ab72b74d3c55a7250980cbce6d24b684e3de8f6267cbaf53c32f2ee3b4d398f326a3ed
SSDEEP

12288:ZnZUr11dvhaVjAY6JNCZAy1dQUbRD7GnzFPkmc66zCz8hgXYrh46ywb:ZniZcR6CZAy1Og7GzFs5CAywb

Score

7^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a0000000122f7-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2768	ymsgr_suite_setup.exe

Loads dropped DLL 14 IoCs

pid	Process
2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe
2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe
2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe
2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe
2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe
2768	ymsgr_suite_setup.exe
2768	ymsgr_suite_setup.exe
2768	ymsgr_suite_setup.exe
2768	ymsgr_suite_setup.exe
2768	ymsgr_suite_setup.exe
2768	ymsgr_suite_setup.exe
2768	ymsgr_suite_setup.exe
2768	ymsgr_suite_setup.exe
2768	ymsgr_suite_setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ymsgr_suite_setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ymsgr_suite_setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ymsgr_suite_setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ymsgr_suite_setup.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}	ymsgr_suite_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	ymsgr_suite_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\DisplayName = "Yahoo!"	ymsgr_suite_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}\URL = "http://search.yahoo.com/search?p={searchTerms}"	ymsgr_suite_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{DECA3892-BA8F-44b8-A993-A466AD694AE4}"	ymsgr_suite_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ymsgr_suite_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	ymsgr_suite_setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	ymsgr_suite_setup.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	ymsgr_suite_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.yahoo.com"	ymsgr_suite_setup.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.yahoo.com"	ymsgr_suite_setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.yahoo.com"	ymsgr_suite_setup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ymsgr_suite_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ymsgr_suite_setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ymsgr_suite_setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	ymsgr_suite_setup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe
2768	ymsgr_suite_setup.exe
2768	ymsgr_suite_setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2768	2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2768	2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2768	2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2768	2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2768	2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2768	2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2768	2972	2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\nseE1BB.tmp\ymsgr_suite_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\nseE1BB.tmp\ymsgr_suite_setup.exe" /yfn=2527d6920099c68d5021dfe79c4f4f7d_JaffaCakes118.exe /ybsini=C:\Users\Admin\AppData\Local\Temp\nseE1BB.tmp\BOOTST~1.INI
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabFDC4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFDE6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE1BB.tmp\bootstrap.ini

Filesize
139B

MD5
c82be1261b9a948fb45f766b509c84c4

SHA1
1b581777f187a071a97056b52013b59b9b6de57c

SHA256
ea3a8a7ebc4ccd1deebff07769c331a011a091c30fac3af024994ba118881eef

SHA512
8c9a171eea012bcb4b8d275f90d3d2c9e2b08ce0fc495f12e423eb1eb7d39bb7e90be59d0f5e6ba615bc405ebaf6b1a0766a025f49cc2a323b56d3af8b6152db

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\bb.html

Filesize
4KB

MD5
49d7cbdb76e0b21966e3fba880e6af7d

SHA1
5a10e9f3fc3cfcc6fa27fa6a36e5daa42e4cb942

SHA256
2a3be7a9f6811bca198e091dbf23e22960f1eaae96f45bdca783524c771e0f14

SHA512
e8a1f624f05b4e424cd391442a652f6885f4976664b6d05b53a1656dbb6beab9e18d8e244d866555309648624d387f35528691b49b465853db0dc0c3e9e2e52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\legal.ini

Filesize
4KB

MD5
91c67f0da9def7303b931471b4a4b4bc

SHA1
7f1a018f807a0af9ed4384d5d5dc1776e4907880

SHA256
bc7146630e8a9e6bddc3eb27c2e1ffb6238c38e32259bf6e90b3539121e785e6

SHA512
56b61395a9c2b0b9f9732bfce3471273ffed34ef0c36f85a4f457a7f1cbd9c87181e628cb5ee877268169c1fa08a24a7a3f0f01daede912cb6e047b6f61ab56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\legal.ini

Filesize
4KB

MD5
531b31d889f8772d4c97c49175c1e9ed

SHA1
419e27548255de343d14fd86de5b4b23306646bd

SHA256
50f7c9e658708e8d34ed434be08e5524076790083d3bb8d97b08e55095d9c2b1

SHA512
0a7db18a5d0f52ca420c32c7c840cf48f0f5df22efe02dcc1d374bd565fec244ed9265884be8c7feb4fa038f4dd285d79d85c9dc807e8754c34c50dda8f924b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\review.ini

Filesize
3KB

MD5
d9eaf5a066f807e9c9305c8a5a037acf

SHA1
b0c3effeb80bdbbcd9c6a7acc68b59af026e085f

SHA256
6e547e1cfdfb4e1d5f13a18659edd65a5dff225f5d8b58234dd62e3929982ac1

SHA512
deb31d5e5e9c19997fc1a91c14ac18c7af996541e3d9f190427276b7f078a8ab00965686888de6a0afceba3b81f5def3300909d6952f24feeea04ae5e428dd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\review.ini

Filesize
3KB

MD5
fdb215d1960d619b95f49cf9cc9d632d

SHA1
d34c365d848167111c896a5a7fa6e1c7c3230936

SHA256
dd698465bb58a94eafeb08fe20dd6c34d7f64dcab0d63efb3ad4b82adf089e79

SHA512
4babd767268b84a3a9281ee945e2dbe1e473656741bd66c3a90d3071328524fee7b7d0ac93f002de6c91dfdd72fda0871305662d17fcb32afd5628ff68e133dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\software.ini

Filesize
5KB

MD5
d5ebff341f525accd422a4c80d9e6ead

SHA1
603b021d63f7efb3de9faae9f62b48e2a085a516

SHA256
8a3bde273a678d13c632e7d4c15be239a6f4187ff9089c28ea65d9c648290b5c

SHA512
2b249ef7b3256c52035fff8f133289e57c48740e967099e763e07b46c0c7522a97d447400819291b1c5d207ec24128a49097b19a14fe633eab6aaa1cc41683f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\software.ini

Filesize
6KB

MD5
d005a08e048b125926f4d97d250e0d71

SHA1
b61786a40fc9f079719780cd826e57c7894e29f8

SHA256
ce4babcc0c005832c653cddf7d328ee7253e2041692400c782e7e0846fd83cf4

SHA512
ef47d0d8f8daba302f8963b2a34f4f1d405046576bb5d51695efc585817b0e9b8f73c312ea1d76fdcd428daf29348f237b0dfa7ee4f3af53cbb8c8a0828cdf6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\software.ini

Filesize
6KB

MD5
cc06abd37dfcee9ce07395cd8fd42b7c

SHA1
a710d58068105c45a92dbef443cc93051d328da7

SHA256
b5c27939ea3c770c62e45b08993576bd9f06d113e10b381ec66648a79a0eac0b

SHA512
acd32beb3c95bd8cb729633879e75fffd797dc164526eca7873926196d98ca0d62759cadadd96943a4e1c7a8fa03d509e95f3a8c2f8d32b78e42d044c102a18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\welcome.ini

Filesize
5KB

MD5
fb0057eccaff21387cbbf8ae66cfac47

SHA1
9d346f5b51ddaefbf50eda5592dc9afd9b78d034

SHA256
77a3e58312d3a381197eea9d53a3617972df6355b7c1c9092b2eceb8b56c3609

SHA512
3e46d60082cc7b8ae29487b3c2e97a168e40e0844262d76283b5264d9d04393ce44be4c80752bf3ba0ad05845518708c739f0a56902aa646d77ea15e8429a40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\welcome.ini

Filesize
5KB

MD5
2ef7f18bbeef123f526fd5cf032c37d6

SHA1
8dd28cbb1d1b9c7c29c6e8199d0b04e1d66bf69e

SHA256
2916f42e8ad37f03326015473890f2ce186a3543362e53e508f63cbe4197beac

SHA512
2c56bafec4a95b1d1e0e64595c78e577bd12abd0528628a75d121f109f4d05ca4bcdcc0a373976926574f9316462afa01cd869984693b42bee5f93e565522bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\welcome.ini

Filesize
6KB

MD5
f4a1aa89d4f1a69968ab9f7bf919f353

SHA1
27eee1be73bb56c5175cf0e4da019b4ea090e888

SHA256
14f02d468dd046c57a40147c7e26cfc92ac4befc18bce93833d48aaea9439987

SHA512
532769fc9896f68b382236f156daef6e09c2aa19f2225b87c01c7af339ca0df1e405d3c05007b81497cfaeb93f4049233fa567275aab2383212dccdc597c93a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE283.tmp\ymsgr10_us.ini

Filesize
13B

MD5
d19b7be66f6b0a232cd0b854a36b257f

SHA1
24b3529e40668e2767f4fc08dd8141826432323d

SHA256
0b47dd244dc0da14434e456934ccadf3270787a6f96d9e17f01ac97895192f06

SHA512
44099ff9ac1026c6fd3356f3506ff01659d6c6e0ca3fd13593d295d3d3de5fa50d7f8b5fc4f76c6dfdb1adf6381d28ef9fe2a29398a24fff655128249832ffb1

Download Submit
\Users\Admin\AppData\Local\Temp\mwlE179.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
\Users\Admin\AppData\Local\Temp\nseE1BB.tmp\Base64.dll

Filesize
3KB

MD5
9aab2d503fb623cbd7be6eca61176ff9

SHA1
126f2ce61b2945005a1ddb034d44325b7b13fbaa

SHA256
c71e2949e7e4acd0504768d273f11f326d9eb8c69cfdfd432f49e22226bad0d9

SHA512
a3b46c3be55f8a1e9cbbdae059688b17c7d6ae4a5f5750b95e62a23e1513214e42d2bca8583f723f58e1295f2a98e84f075113eccb62f6d625a00a7c10d6ca0c

Download Submit
\Users\Admin\AppData\Local\Temp\nseE1BB.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nseE1BB.tmp\YExecShell.dll

Filesize
3KB

MD5
624ffcd47adf3c40aa1263610dfea668

SHA1
65f20006818376931e52f43a47a57b8b181d9991

SHA256
a84188667fe70d7676ca90824a9e875d71d61f6fc954738a734f044fe83d2232

SHA512
cf63bd6e8e674fbafb6f5b09ec0e49f047318a409db356894b282384ccd9403bd1cf03d2ee5c6e8b619a3f316083bc6646e668675d44fb8c81482b9dccb73048

Download Submit
\Users\Admin\AppData\Local\Temp\nseE1BB.tmp\ymsgr_suite_setup.exe

Filesize
316KB

MD5
caaa34c0a5242c6884236b2b5db34706

SHA1
8a1c6ee6df79c9eee2cba2ef8f8dfec2ab1496af

SHA256
f574782bfee47c85d67a12c96898827c767afb958aafcfc339831db15bb34205

SHA512
b9b6245cf3d842b710c599b4307a329d14150eddb2d4a9e4538eca2c6930b816772c1c9142928fdf9993a76101dcac77c2045dfd048aaa1edaa3b1f818928673

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE283.tmp\InetLoad_vms.dll

Filesize
21KB

MD5
95605ab7428fda7c662e5cabf7f6b05e

SHA1
4aa961d8956f181efde0aba22c3386c1d15ead77

SHA256
81f607221eabfeb2c8e81bda3e0a9e44fe138d2c4767dba04eb76addeac65bd3

SHA512
6fca72c3f4b200862b30d36acd3ebf1d0a8597939a17024106bd8b8d26ab647a888fe524a351f86681c323fb7f7e15a4769316929b598edee2698e39d231592e

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE283.tmp\InstallOptions.dll

Filesize
15KB

MD5
1d8dc4fe108ac1f941265b5b11e3b23d

SHA1
62d48c266fe7fae6a968fbc28412714e699a1f5d

SHA256
935354316cab9b418f5de1928851fcef8df9e5dce51363022876b1a48b704861

SHA512
7b1eb169249e4f6d4b5b741c0861d8a492a91c29319813ab38193bbc52387156e939fdb8330c7a9ae1fd0d791ac9b6dabbedd0c978a6d2c6d0b6023bd448f5ed

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE283.tmp\System.dll

Filesize
11KB

MD5
301a9c8739ed3ed955a1bdc472d26f32

SHA1
a830ab9ae6e8d046b7ab2611bea7a0a681f29a43

SHA256
6ec9fde89f067b1807325b05089c3ae4822ce7640d78e6f32dbe52f582de1d92

SHA512
41d88489ecb5ec64191493a1ed2ed7095678955d9fa72cccea2ae76dd794e62e7b5bd3aa2c313fb4bdf41c2f89f29e4cafe43d564ecad80fce1bf0a240b1e094

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE283.tmp\stack.dll

Filesize
10KB

MD5
0f61a81a543822de5fcb9a8a43f230dd

SHA1
d01d4a0f542f3c654637fdfe5a574fe1f150ece1

SHA256
46b4a72ae8590b0afb3304cc5c13db0502bc4c4cb02f64f37c79008c17db814f

SHA512
596b7a897ba64c32e26ba6168aa3628aad37b187a9814a286298307d8c42eabf8e8a679dbda558f8b2cdc8676c94ec819256432aa5ad7c05a5387759262a4402

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE283.tmp\ywiseextU.dll

Filesize
172KB

MD5
62290d57ea213aaae521a457ed2ad610

SHA1
56bda34dc5b6b0bf24c153a4d705d9fa19b5002f

SHA256
ee3fca26b81d24ada35b80eab9d34fe4aef5433c27ab683d26f77e3b3d02612b

SHA512
b878f006bdc55827e447b3cec4bafa908ab420ff95c24f4e659c6d3a3b910b6cb9439eeb6f67a1ac79893708b4a9eb0fb57da1d276d70bb94a865a5cfffccd6a

Download Submit
memory/2768-913-0x0000000002EB0000-0x0000000002EF8000-memory.dmp

Filesize
288KB

Download
memory/2768-945-0x0000000000260000-0x00000000002D3000-memory.dmp

Filesize
460KB

Download
memory/2768-93-0x0000000000260000-0x00000000002D3000-memory.dmp

Filesize
460KB

Download
memory/2768-1201-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/2768-45-0x0000000000260000-0x00000000002D3000-memory.dmp

Filesize
460KB

Download
memory/2972-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2972-92-0x0000000000360000-0x00000000003D3000-memory.dmp

Filesize
460KB

Download
memory/2972-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2972-4-0x0000000000360000-0x00000000003D3000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads