35ae6848c61a63e3087e41f0f26dec377f80d2348385d83318dc87299d253b2d

Analysis

max time kernel
120s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
Size

502KB
MD5

2fa5bd8c33d85d06716b95f183744e61
SHA1

95eb640bf8b1f885af35c026118f7d44aab0bcb4
SHA256

35ae6848c61a63e3087e41f0f26dec377f80d2348385d83318dc87299d253b2d
SHA512

38772447484fed579ed0f124a79a3539a1d19ae007584f91b7a86a948e5f9bce21c2f5843e7be6e9d709c1ad8d23bb79a935fad2cbe8dabbfc7be50f5cbcd93f
SSDEEP

12288:WGeC05T/BEF4mxBr4brIlScSHomRM2uPy+mkSdST6HTPMRn5:8CaT/BDi+N7ZuP5v6HUn5

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
2712	regsvr32.exe
2712	regsvr32.exe
2712	regsvr32.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{373A8135-92F3-4567-B5F1-4B835B9D9161}\ = "TBSB05048"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{373A8135-92F3-4567-B5F1-4B835B9D9161}\NoExplorer = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{373A8135-92F3-4567-B5F1-4B835B9D9161}	regsvr32.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\URLFreeze Toolbar\tbhelper.dll	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File created	C:\Program Files (x86)\URLFreeze Toolbar\urlfreeze-header.bmp	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\URLFreeze Toolbar\version.txt	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File created	C:\Program Files (x86)\URLFreeze Toolbar\version.txt	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\URLFreeze Toolbar\urlfreeze.dll	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\URLFreeze Toolbar\basis.xml	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File created	C:\Program Files (x86)\URLFreeze Toolbar\basis.xml	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\URLFreeze Toolbar\icons.bmp	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File created	C:\Program Files (x86)\URLFreeze Toolbar\urlfreeze.crc	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File created	C:\Program Files (x86)\URLFreeze Toolbar\icons.bmp	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File created	C:\Program Files (x86)\URLFreeze Toolbar\tbhelper.dll	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\URLFreeze Toolbar\urlfreeze-header.bmp	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\URLFreeze Toolbar\urlfreeze.crc	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E2D5B2A1-869A-11EF-A540-C28ADB222BBA} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e0100000600000009030000c203000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000044656deb13188349ad86e3791bd684780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{EB6D6544-1813-4983-AD86-E3791BD68478} = 00	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001002d00000001000000000700005e0100000600000001030000c203000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000044656deb13188349ad86e3791bd684780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 101fcdb9a71adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{EB6D6544-1813-4983-AD86-E3791BD68478} = 44656deb13188349ad86e3791bd68478	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MAO Settings	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000095c5d65c0de95c4f8223a6c3f914e2386fda9a90778c300fcb571f53279df62d000000000e800000000200002000000040716f3ed2f79c2339b64b6fd839b0072cd6b1f4c249c7eabdb16d846c59dae390000000d26a36f242cfd1308c443ec8b393dde3d82f8ffc95c07d66e6dedeed4d3f02592fb0c63e79cfa08ccd1f81bff9f79d14ca2103857e44b178a1e6fb3a7a19db8f925badf488f5855637cfd599a7e1f07c4319aeb721a2cb6428a301ce22c1bb5fac614fe2a9ba51cf0c184a7262f83027f3fdac2b4f1b2f59052fb5b8e78f4cbb0af70626b5ecf16fa0816ed99e45aad4400000000b6f9069aae2b0cc881df01060cd77ba5a1cf012f17c89a3989e23e67af2b223f7d54ce6febf7fe014df48b7837168c74021b05e2c127ed6a15b746809461038	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434680393"	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{EB6D6544-1813-4983-AD86-E3791BD68478}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000001cf6365abfe5f0449523f6f47a8c252dce3b616bc4282c6d4f0f7f42ea7aa11000000000e80000000020000200000003421952b3d9f999995a9b6a3457577f3f483dd3f5c1b72e083c6fd1d68992c5d20000000a7d849fdb5fd1265a9a6533e14efa8407ed1023456504f40f5e8951e238d157a4000000031eaedcf872ca6c49b71423402a8b40996e55a7b0ab6d64e542df81299be21403a472769ef733e1adf19897789348ea4abb252722f73105ad449c9f1a1a509e5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001600000001000000000700005e0100000600000001030000c203000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000044656deb13188349ad86e3791bd684780000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 60d902a7a71adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373A8135-92F3-4567-B5F1-4B835B9D9161}\ProgID\ = "Toolbar3.TBSB05048.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2B08F363-DAEC-4FC5-8C61-2E9267A7486B}\1.0\ = "Toolbar3 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C5C8BAE-63B0-4EC3-BADF-BA4D087E4345}\ = "IPosBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.TBSB05048.3\ = "URLFreeze Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB05048.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373A8135-92F3-4567-B5F1-4B835B9D9161}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2B08F363-DAEC-4FC5-8C61-2E9267A7486B}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2B08F363-DAEC-4FC5-8C61-2E9267A7486B}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.IEToolbar.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.IEToolbar\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB6D6544-1813-4983-AD86-E3791BD68478}\ProgID\ = "TBSB05048.IEToolbar.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB6D6544-1813-4983-AD86-E3791BD68478}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.TBSB05048\CurVer\ = "TBSB05048.TBSB05048.3"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{88BB509A-B27B-445B-8283-15CFB8F7E905}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C5C8BAE-63B0-4EC3-BADF-BA4D087E4345}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C5C8BAE-63B0-4EC3-BADF-BA4D087E4345}\ = "IPosBHO"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID\ = "URLSearchHook.ToolbarURLSearchHook"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.TBSB05048.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB6D6544-1813-4983-AD86-E3791BD68478}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB6D6544-1813-4983-AD86-E3791BD68478}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB6D6544-1813-4983-AD86-E3791BD68478}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB6D6544-1813-4983-AD86-E3791BD68478}\InprocServer32\ = "C:\\Program Files (x86)\\URLFreeze Toolbar\\urlfreeze.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373A8135-92F3-4567-B5F1-4B835B9D9161}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.TBSB05048\ = "URLFreeze Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.IEToolbar.1\CLSID\ = "{EB6D6544-1813-4983-AD86-E3791BD68478}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.IEToolbar\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373A8135-92F3-4567-B5F1-4B835B9D9161}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88BB509A-B27B-445B-8283-15CFB8F7E905}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C5C8BAE-63B0-4EC3-BADF-BA4D087E4345}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook\CLSID\ = "{CA3EB689-8F09-4026-AA10-B9534C691CE0}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\URLFreeze Toolbar\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB6D6544-1813-4983-AD86-E3791BD68478}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB05048\ = "TBSB05048 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{88BB509A-B27B-445B-8283-15CFB8F7E905}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9C5C8BAE-63B0-4EC3-BADF-BA4D087E4345}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.TBSB05048\CLSID\ = "{EB6D6544-1813-4983-AD86-E3791BD68478}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB6D6544-1813-4983-AD86-E3791BD68478}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB05048.1\CLSID\ = "{373A8135-92F3-4567-B5F1-4B835B9D9161}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373A8135-92F3-4567-B5F1-4B835B9D9161}\ = "TBSB05048 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2B08F363-DAEC-4FC5-8C61-2E9267A7486B}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\URLFreeze Toolbar\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{88BB509A-B27B-445B-8283-15CFB8F7E905}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.TBSB05048\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EB6D6544-1813-4983-AD86-E3791BD68478}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB05048\CurVer\ = "Toolbar3.TBSB05048.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C5C8BAE-63B0-4EC3-BADF-BA4D087E4345}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{373A8135-92F3-4567-B5F1-4B835B9D9161}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4509D3CC-B642-4745-B030-645B79522C6D}\1.0\ = "URLSearchHook 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.TBSB05048.3\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TBSB05048.IEToolbar\CurVer\ = "TBSB05048.IEToolbar.1"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2772	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2772	iexplore.exe
2772	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2712	2384	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2712	2384	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2712	2384	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2712	2384	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2712	2384	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2712	2384	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe	31
PID 2384 wrote to memory of 2712	2384	2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2772	2712	regsvr32.exe	32
PID 2712 wrote to memory of 2772	2712	regsvr32.exe	32
PID 2712 wrote to memory of 2772	2712	regsvr32.exe	32
PID 2712 wrote to memory of 2772	2712	regsvr32.exe	32
PID 2772 wrote to memory of 2628	2772	iexplore.exe	33
PID 2772 wrote to memory of 2628	2772	iexplore.exe	33
PID 2772 wrote to memory of 2628	2772	iexplore.exe	33
PID 2772 wrote to memory of 2628	2772	iexplore.exe	33
PID 2772 wrote to memory of 2628	2772	iexplore.exe	33
PID 2772 wrote to memory of 2628	2772	iexplore.exe	33
PID 2772 wrote to memory of 2628	2772	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fa5bd8c33d85d06716b95f183744e61_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\URLFreeze Toolbar\urlfreeze.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.urlfreeze.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\URLFreeze Toolbar\basis.xml

Filesize
6KB

MD5
673aa08cae3fcfcbcb1e7614d9abab27

SHA1
a4f1e012aba0a2036792f2d9cfcb45195f5cec45

SHA256
0cd43636d74174b5799103f99bdc95ac802f465b247f69086769dcd0a18636bb

SHA512
08c5e69c06a0e5d44e5837dd91fb99e67c19e23e22bbd4c994f58b746a4a8c6635951a8a13a7aaca89b20ee8722f245bcfc993f56be0456c63fe83853a0d559f

Download Submit
C:\Program Files (x86)\URLFreeze Toolbar\icons.bmp

Filesize
181KB

MD5
cb2fffaaa404ecb4877117d5543f3171

SHA1
5b7568d03a7578514f0ef25072ed5c79b1f91125

SHA256
0d98a239e2323cfaf039c6a7c88fceb7d491f48bb71cba4f5fa99e816e2168ef

SHA512
52092e972c748b0462fcc33643fa63344688a44246934c7f728dc5339deab50e79026c7ab11008c88b80e24b4ddd6b36d52f1c8265f41d946c961c9ec0ea045f

Download Submit
C:\Program Files (x86)\URLFreeze Toolbar\urlfreeze-header.bmp

Filesize
5KB

MD5
93dbf5984d93488ad789c070d5d93b6c

SHA1
6ebb883f90a3898952b57cb3b7c703fffc3171ac

SHA256
241b817d20a3dd5762a4093a703d29986e0110d338d41885be577cc343ade9a1

SHA512
d5f8a92331bebed6fb8b0e225ce14cbbee5e8e46690854437c93efe2e4b94ac9c7613c8f66fb4fb1ba7c7816f68e9b3551ab3b45bfe2e181d6a78150bd83beef

Download Submit
C:\Program Files (x86)\URLFreeze Toolbar\urlfreeze.crc

Filesize
120B

MD5
4a6367845967f7f8df3a9a029fa5acff

SHA1
2d37f53bdc44e0a1dd1928b17f6dabeda1c47aca

SHA256
0c29637bc4484c8aff41bb44ffda321ad9120163026aff523431cf4a8c922891

SHA512
120957ebbf54cc11cd77daef32a9dcbbfc4de5a850553414dded7937a621c65ab7bf922b72d601f676ecaff192539bb5ce8f440c548d5e898a53735ac32ec89b

Download Submit
C:\Program Files (x86)\URLFreeze Toolbar\version.txt

Filesize
51B

MD5
c2a9d10df6c5a7e0c79f77382c36b7ad

SHA1
519c7e90c2a526686bb3dfffabb0d0da747f37ae

SHA256
dd41bf9a5e5ada5ba4db6cd4f9877a1dc1a7a6b909677a2bcce65b76b6cadd46

SHA512
8df975b04b36b42fbb4d155e9354aad0473c7d2953521b443a08825ccb102d31a39516b50902aa41d9030f8b5ecc098bec4716b245241c05e68205c4f9e6a454

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
1b90e8d1bb0eb0e03c897d6b750f116d

SHA1
e8058966aa31b8f50f399fb1862b465a32b75620

SHA256
415b41b668c1413ee521d6c854c3de7fe5098fd35a7326278be9e94ca66bf578

SHA512
924837fc6123a72a46f7c7e859a953413aba9968928f0f171add5e80588a85bda94df5afdf1a3f11eb2780fdee34041ad47664e37ce038a3418246f05d5dd7cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
31ef6f4aa9b15f0eb9a8e7cf9185098f

SHA1
7c66040286474454afd520706f03390e3452fda3

SHA256
d7952d51e163a1dbf0b2fceca7265ddceb3f28a85da326e0fb0760c0d7ac98d3

SHA512
fb5fb0caf299dc9c9a6d01b75ddc2df900d872819affd1fa9a6c99946386aef89f5f754078209f5d219bd7f04d20c32100ef22338e921fd0bc6de83ec439d8e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a65f26cb46a73aac72fa98ced968106

SHA1
f5bc723131276ab60281ad9812d5cccf8b956b26

SHA256
b1ed9dfb587f4d61d80827024b3a3227b24da5031a80d61a3af7b784d943c8a1

SHA512
b4cb8b1f11d620da7b7a709b784664c0c23c819f94143db471229ea374b9895b5ca75d7be587c6a1d49903afacfba94af021c7980c449b81870436c752e0fc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3ac1d73432b0b3a54b5eb263b3721b2

SHA1
078dfc063d8b9db0752af9959f82daa422f50235

SHA256
4467c53d9a35604e3d5b0f5137848acf21534c9347c7bb445a131e4f8d2135d0

SHA512
9ec90c264b10fd66ae118ca2dddc48c2d4c15f866af00d1ac6613d51dfba4c556d244985756f452b2cb270cbe28a5aaa2c3535cb7828a8966e049358586c43bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fddfd55a306e4c8d98603cd746ff0d26

SHA1
e7ab4f4f075ca8c26d0362a8bc724cf038d7e022

SHA256
595658c97e6988fb645232da02184534e238d048c3e0dc24c0632648b12c5914

SHA512
ffd43a855784e442da9221188248f28c926b40ca11f5bb2fc4d0b437f7fc8ce537111fd97a7fa91fbfec332bba57230d21fde9deb5e1f4165dc410116cc8edaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28a1472cda1fb3ef2e509e56932c12bb

SHA1
287a6f60744137b01ae51851a629c2f8cbb5ca7b

SHA256
dbcc79c8e602602eea2eb73c296abd54797b8770b39ccc27a62794700fbd2c53

SHA512
f8838a64ac5c8331cda375ee478a24939232fb5ad518920d9e3f2035f6aa1394badf3a124e19761d2be3e7444328c1cb21c73be7402482ec5b55fe553f10a17b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc86e5e54ccab65aae446f6e2c978585

SHA1
d4d876accebddfd681e653263e7b2c8d905be9c5

SHA256
b61d4f54c776c322ff387af25dc37f08bc81ab58b1b3a64580bb731c24053108

SHA512
aae3ee3cb6dca7c9b22d1a19c9a0170b6f81053b828737a443263d75f6eacabe3fe045a7c8b39110a9033ca8704429f4b1565ab6be6886af6051a0a5c5352e7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b443541678a5c887f2aa9f403addaba

SHA1
1e34175c86b8023841e4f5b20a1767a95c64bbce

SHA256
6972539a9bc8f0ced6fab565d6dc5ad9196411ee57128cbd603ee54adb66602b

SHA512
b3cc5fa33f8e9de065aa6317999751856ad670792159843e1e106f2cd69493a09d261c5835dedd8f8758a21006d3cf86172488880fec676557f32e04c0585b45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72f28d89585c41eea4178c83768eff0a

SHA1
79802b81e011d5368cf9575abb89b753319fb830

SHA256
99cc7557a0742fb19948e2e1cd27cfd05a5943ae0d27cbf6793decc094b8bc55

SHA512
d4f8a4b024e241ed6250d2631737cb5e37301b9356da28fbe63499f3be0f01bae1630d5a733871e08d4d49ae625365b3d6240d42ed0c1082ee318439b50a4f7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b14254ecfe6f5dde302075eaf9ad97a

SHA1
057d04351e33974e4ea52152d5ba72c6305ba87d

SHA256
f8bc05bfc0f1e752f9e51882e32eed6bd56a9986e01d8d00d924c6d99b5a280f

SHA512
3798d18204c4694a996809d40adb798b71e41108f08138384a4ee92bec5fc4d636ab74b30c784ca4e328a835784222a712f27069072fdffdbf28a6d8bb4ac0fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc393eeae65dbc418a1cc01941aa4227

SHA1
4bc7b9a432aa16f4bd012bfbb023c9a778b46c03

SHA256
cee9921726390b3e14b75b858ed66be5f3737f24b948527081cb81a122e68f75

SHA512
385f7b8f0384a7dd3dd4b8248c7454122f96747ca66b62f1a98bdcee659939f758b04930d2f20e3434c233a3fb9c1495d84b7e3ef57b390b9c3a0cc50b5cf66b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdf37abad53ede09d881fdc8652e2a48

SHA1
1b679fbf5dc9f41fc7b8374507d06640bcbc752d

SHA256
396e7e6129905a87f12fdffd4758398513ac5e70b134d3cd755a68927fb3acd1

SHA512
66c34bdf395c36ec1399d208177b582b51f3ac9219865f61e08ad6522ab84e1427de86ddaac000b3e85546d5e4560badf10995083351d5cbc21f5c93c249f892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bade2bb4312b6ca71229da06b2a47fc9

SHA1
826b6c3b5b95fa3db3f3fefe66b9135e65226287

SHA256
c785a9be41cec3a2b7711cc4d26a6645a690a2d514c16f61b8376d570ebe89af

SHA512
95e31d92095dcf9bc64229b56be04b2ab33fd3f19b75ecd05bab56f624c59a7c99b4bf76474388dce5916a4109d29479f79da6773257a115c582c77a68177c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd773082c424ee8bc2668875c27c1001

SHA1
19a64e58772e8017284e4d443d87e92ac18e1ef7

SHA256
bd803e3e9289d5630b09bd5fc5df03e62276073965b7d366719934bea0cf606d

SHA512
cb0e3cf2df5bcab51d82a5f892b5c2db145a8bb672c4a5275797258e978dd9600c6b926a58c566d68a8653d6c1fdd82d1cf06ab9b7e8cf7788e18e560ba7021b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d303533e2235d946ac9946b9aeedc4d8

SHA1
b1a9d2491d5b34019bfbdb897a7b6d6ac92183be

SHA256
a212d71e15cdece0f91ec1995e68a8f3b5030ccf269e437aba02aed040754773

SHA512
90df7a1cd201190ea13313f8a14f654757861625778a417341679ecd849db881105bd117bdc31561318029537763908bcf15812daf813b5f43f778c264dfd14e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9317ece6a10b1b9c8678b1b6bdadd554

SHA1
727514752cb58b225371a2f88e5347f53e340b6a

SHA256
3a3ac5cbd4bc89cffb1bb32bd83da08b58bf73324678b9a8fe57850a47f760e5

SHA512
009baf2f135b87bbb20d98321d6b2c91a84e510fa4f64a13725a7d18aa01dab87479c54d0fa4e5ec4f3083b461c1979dc94f2df69b60109c0021e9eef993cf71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6106c557e4a75e6b7baf8c6069e0a819

SHA1
1419c527a24169d4a79c44ec7975db1b053449dc

SHA256
91ece58e3301b44bbccfab4429d6e6cabcd4958b3955a85533eb5a5b36ac354b

SHA512
1906b99efb6558e592d8c7628c958b29e92a99db31cb57cec09e1a0bcbd1b7f0674748ff787669bd01b0202539cb92cacb3370e83632195cf4cd68fc579143d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c02539efc24b3b5866efa9914659a3a

SHA1
ac4095915915edce1d049a21396bffec6eee08bc

SHA256
1f04d554cbaf6ade1121ca0ecd31a5d238bf47798779b34470bbe65255d95475

SHA512
14faa383c5de1453cc6a0930fef035cdd5f912ceafc24c476d3d5f8b8b52c0fb7fdd15070612e23cb041e84aa3872172bc9d03135046d7daaf06e404bc566611

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49973145f7b71dcd2c12df8ce652867d

SHA1
70fd173cf15bda14fe7a86ce2fe5999a2c340ab1

SHA256
38484cbe6d762bfc9c41d2d774aaea2b82b2c01c231afbd92a8fcefbae7d6799

SHA512
00bcff97b342fd628064e5868a1dae663530f44280aced4e10e6f81309d23225b06523cdde63bf2858319dbf979a7e9f2f82ea649abd9fa6d468073cb2e1c7b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1d24d45bfbbf573aae79a6d60fae5bb

SHA1
29ecad83abe1a28c5c2e8d6f7e1919d3e775db03

SHA256
96ac0b9572e8a5b58945debe6e010cada11c3b804004746a17a5bd400e02a9e9

SHA512
7c030fbec5f26a52b73bcb9fdb3930b3d7ffb03daaf39029826eae33b095f7cb97770ca500c39a6b5d59603d5f77ac15117f8ddbc7c82ac19f2464734c599e03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a60eb3dd31090ebe74aa22519754a3a

SHA1
68b0ed6f32d48444c6f413f96abace661e2d38cd

SHA256
c5ef1f82dda4ac8c001ae9c58f700625b38b6dfa1f3d92f16577305dca0dabc0

SHA512
fd99f1dfdfbf26fe050a80202efb1cb53ca18aee05a060a14555ca8bf87fe811ef52bc2bef2ec57a42847af26ed3853ff6320cff091459d15dd3d6d697c8e840

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
242100d6dfb91ec50890a497e89df436

SHA1
8095aed7c49db4fd901dc6b973a4441c12c917fd

SHA256
0236873d1d464fcd1999ecfb1f80c8449df8910bef5cc86d9a9afad97e2ffc7c

SHA512
10c7c3c09a652ca8d9a72b497a22404e30b0b0e49c3f1fd3f8501a26e5453d686733fbf21eef0e5e6e9d50dd0406f4efd96db65aadc86f7484f6041e3a9021e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f912608bc80cdde56034fcd752705128

SHA1
9a343583182c598bdd7e58822915c745976d2c38

SHA256
f65714da2a896b11116c3cfb6b83d3b69427bfa398e8781b3b849784effd6bc6

SHA512
75340584c419802bf24d63da04bb0126b1bacb42ec39e5231f5658a22f9b5ff68ab8fdbe580498383cd240d67a5637ac90092dcd2a12b32b49035e41476c71e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b63bb9645f003012877ea9433f0cefc3

SHA1
a05febcf3805adebeb1095bf5d8b32d9b1d7c627

SHA256
0ab501ade64e4623c7cab864b91152c9e31ee0ccc085f460514358b038fa6dd2

SHA512
23597fc951f6a2e1a59d5bea51d61df28e17e9e5bb5499714d27007c201323ac5a95815666e4290e943e7cd6b7a47e551689c5c9248a8e3aa2456ecb6c9959f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f4b69fec74c52756e621e873f275102

SHA1
63f0f6bceb2dca97a230d949f779e3893b250cdb

SHA256
72f3c1c2edb5c3a13cb4ea57980d80dfa4d01780efd1e68aaa5d75914e5a4f2b

SHA512
ded70b994fa096f9a3548795f242496bf60ebce4969f82c2e136803fb9bd2e38af8f07811bfe220ffaeec7a38e29415421c6e306d7fe849270cfab29c6d5bb29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79e0dea33a96c055cacf7e049b361fec

SHA1
63d8db2e3d20e9d4eb8c0eab8a87afcd56e3433e

SHA256
9405d0b6501aaf445df2d7199970b41a8bd290fc6892529e1e6268094347e1ef

SHA512
8b9238897674416ca871b7afb5ae8abb0bd13e4b137301c923c9a072e72593c5c64ddc0758f6add9ab716d4da20af6aa5a7a6b5d76fd442a9cf55d0afa066e78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c89b02fe2800cb7e907bca8a29f23766

SHA1
78b20650d6ea36c626784dca9ae3c8c9be884302

SHA256
c99177f403f67655d5ed4a4e4782a3ef38a99d84bcfaf3e10371b86f332037cc

SHA512
ca04a868fc50f790bd29d303cc3d51a9e8a9bbadd8d8ea182e8fdfdc0597ed70165a2c7a02d4185fbcd95f73a4a08232a247c431cce1fc1521e93767ea6076a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\e1ur8h2\imagestore.dat

Filesize
799B

MD5
f3fa8c6d2af8c276150e5d09e84d3f47

SHA1
bb44ceafcec2135a9a13d35c1fd11a2531d32bf7

SHA256
9cf1698f683f83848e13d9dbe7554393fcbd3b56789104c066be096b053e73cc

SHA512
605156d505e802e8a5e33719d50f1c8eb3fe3045b1e0a387d8b8951f7edddae1eb2e5e15e85da2d070058c745a160a1d5f1584eddcfe0239a96e8af947c960c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\sn-logo-favicon[1].png

Filesize
603B

MD5
950ccfc43a1693d3b6892e9365d3c079

SHA1
c42f4244418ae2f2305a977f907278bc1b3de706

SHA256
090735829c25937deb7cc8cd712bea6050d44a34270c97213fae7d5fe8b0b7d4

SHA512
73534e3809673f41dade7213b93559353d213bc70b698b2e9c674f5026301514a2b07315a5ba4027938226d0f3c284da310f050f2172e45014dafa0c5fcadd3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4DC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF4EF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\URLFreeze Toolbar\tbhelper.dll

Filesize
372KB

MD5
87503cf652a007ccbff38d5b370e94ec

SHA1
141f20a4fd5bd549eb7dcfe0fca0918ca65d4bf5

SHA256
cc1ae922b46a94e3af01d79ce9e38b0f97482351150fab7e384b62d0d646479a

SHA512
9c806981911697e32840cd9ed42eb65accf024d74f304cad8b1951b1214145597cfd98f75038abdb4db53fdd726256cc697ae576cec0247b29811df943e36bc3

Download Submit
\Program Files (x86)\URLFreeze Toolbar\urlfreeze.dll

Filesize
1.2MB

MD5
18119d058f699d165ddf4b8e79e35494

SHA1
b40b9d7743e99ad78570c40a55133e24efc6aee2

SHA256
d9ef9c53ca7466bf5007601ea002dbcd2d095e34474da64e6b4c4079d3dc93eb

SHA512
497c3f5ed6790ad47e9564d9a943a07ab0d54d016487b8a4b1cd4c405f66b73fa2936c7c5defb9a04b89f636b658793f2abb91c8e299917ce52daabfdd0841bd

Download Submit
memory/2712-17-0x00000000009C0000-0x0000000000A1F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads