aab4cc77ea6a16269ea3956ccf549783e4903ca5f98f65f29d7126af5d74da9c

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe
Size

249KB
MD5

36f537087b06eb5ae4ed1ad56be66813
SHA1

e744b8fee394edd5f8ff7411b040382258f316ba
SHA256

aab4cc77ea6a16269ea3956ccf549783e4903ca5f98f65f29d7126af5d74da9c
SHA512

cd1573f34b36ba07a9b798214516022eb84d753da46a75c0b192d56a2f1d2e4f4e5564df56f284b5b5243714006221d9189452212008b7c1840e47ffad50f91f
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5kNPYWDHnHDveT40Jfu:h1OgLdaOkxlDHnH7edRu

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001a42f-52.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1784	50e147993baf2.exe

Loads dropped DLL 5 IoCs

pid	Process
2060	36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe
1784	50e147993baf2.exe
1784	50e147993baf2.exe
1784	50e147993baf2.exe
1784	50e147993baf2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}\ = "Zoomex"	50e147993baf2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}\NoExplorer = "1"	50e147993baf2.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a42f-52.dat	upx
behavioral1/memory/1784-54-0x0000000075140000-0x000000007514A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	50e147993baf2.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001878d-20.dat	nsis_installer_1
behavioral1/files/0x000600000001878d-20.dat	nsis_installer_2
behavioral1/files/0x000500000001a48c-74.dat	nsis_installer_1
behavioral1/files/0x000500000001a48c-74.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}\ProgID\ = "Zoomex.1"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}\ProgID	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50e147993bb2b.dll"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}\InProcServer32	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}\ = "Zoomex"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50e147993bb2b.tlb"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE}\InProcServer32\ThreadingModel = "Apartment"	50e147993baf2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	50e147993baf2.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1784	2060	36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe	30
PID 2060 wrote to memory of 1784	2060	36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe	30
PID 2060 wrote to memory of 1784	2060	36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe	30
PID 2060 wrote to memory of 1784	2060	36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe	30
PID 2060 wrote to memory of 1784	2060	36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe	30
PID 2060 wrote to memory of 1784	2060	36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe	30
PID 2060 wrote to memory of 1784	2060	36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	50e147993baf2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4B05A7B6-9FE3-BF75-A1E1-63D07D79DDCE} = "1"	50e147993baf2.exe

C:\Users\Admin\AppData\Local\Temp\36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36f537087b06eb5ae4ed1ad56be66813_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\50e147993baf2.exe
  .\50e147993baf2.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Zoomex\uninstall.exe

Filesize
48KB

MD5
e9c9582996a23b2a49a058dcaa3b5525

SHA1
f527cc64e759f06c011e5eeffbd217d5249c04df

SHA256
43c3e8d7aa00a299f084db17e384aa96de508565f82264ee88bd9c7647fa9fc9

SHA512
665613fc7f20e2c4ea40b7a8f39b4c2ea2a24c5119ee86ef072bbe29f606cd78a43081aa0a89b678a46d34e470e1ed10e31d590d3cb5447e1231707fea8e490f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
ffc32b316a141772974e565d20241f12

SHA1
1fb188ea8883a54b9c4cbe1fcc1a5f72699ac5c9

SHA256
803fb739e585635de48417782ea6d4e4f1c197f545fc2796a2cbcdb04137545c

SHA512
98567fa0e9320feb744a0bb3d3840f9bb9b571175cf6c19fadb76587fdd28a267b3c1ee4f86f2246a9b8077a4c56d19a46cd5aac2c8b27195c097f0a877afd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
e8627fc8b1a84ff9bb4cbc472d2d8e58

SHA1
85738f0e2f2170eeb7501da7a575d200e29fcc3e

SHA256
46e9a5a727ab2ea1687b423507e7f6b69ac59fe470320b8c9286b8fa42335c37

SHA512
a166af03f63d474c00ac70eeeeaa7265e8dd16cd3e7c21a78ed1ac8b3489dc9f2e054e100e0dbcb7a4ae145745011bb5c70b598d9732b5161b33887710f4887e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
960855c4068b1ccc4dfa94a2a453080f

SHA1
9fb68371b7bb55211ac0df606bf0076e1947f8d2

SHA256
343eab0ca404f2980c7a760aff95c428c5660c0e24dab93aaef7a33d7980fedd

SHA512
9484c35109056cb29a7498e58ff5aad888dfb337cb60f617e751c3fcfb56919698a446145f314310bebe4c8a685ff180b865bc3782d81232d075ae3a1631813d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
fb00d5e5c2decddc310268ab65ef2c12

SHA1
70c852120f2d85de0e27580bbc5bfbf290ba00a5

SHA256
9fa11d88e21bf18ec25f57247e2fd8f29746e551a3626868a70ed4df4ca00a38

SHA512
ce8ab237aa98494e6d7198ea0324a7e3f85aded76472746a5163a7ec8e43a364e1bdc4d286f0768cd4d315ae42ca459576b86960dabaf69fc45453993e8b04f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\[email protected]\install.rdf

Filesize
700B

MD5
749d784009bbd1f47cb4f6bc6405b5bd

SHA1
75f98d90debd96f5c0a375961af69a0921d6629d

SHA256
18482b47d0637c1b197601732aab8460a63bce0b6419234ca15329960fe47954

SHA512
2bf82856cf5ccd199db6301fc8dc17729ebd851da1d91780cf1d2b65bc1889ce7326bef1d2241c562a1035f5f9a96d4341e0ae83d81c502d96612079b5e90288

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\50e147993bb2b.dll

Filesize
115KB

MD5
6696822add17061dc0bb8ee5b42cc2d4

SHA1
d4622558ba366f2f94560da301a81c6c16f95a3c

SHA256
73c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125

SHA512
0f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\50e147993bb2b.tlb

Filesize
2KB

MD5
096a65b8a695249d5d554776f1eeace3

SHA1
2f2506b886a59b4408b23653d8734004ec2dda6d

SHA256
a602c790bcf424c154a082a88a495b256dd5456f627943568c358c74f606c568

SHA512
6e832caff1951b4fdb489997af5736fdbafa1de5573f629fc6798666bffd0ca0715311ce6590202cc970cce4492d94994a588547bb579bf70bc264683bc45cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\kcepmgcdmpeejlabpnapfjaekhigjpkf.crx

Filesize
8KB

MD5
8cb30a9b065d59aead71f93829e3ab87

SHA1
e741a7262a57fe93e9c01b65482f52c77aee5bd6

SHA256
b5737cea60fd58520220175ab313b895433071d297508cdbab6ae24e6c40792e

SHA512
6973981a1ed73c4152a0af6a8c063cea45bd8e4815731de8e6be7efd8d5b40ceb0ebc5e0470e37e61f3c66e91d8caea5e2924a0ee8ab8795d344036ffcb2dba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\settings.ini

Filesize
6KB

MD5
bbe80ab048de81d8632e9a3f73a3e8f1

SHA1
667dd9db4be84e1f813efc7d014bbc4688fbe752

SHA256
35c491ceb3edfe33fb6b1e313c250288f07eb9e26375828653ff2dda896ed5a0

SHA512
e333c97e4ee55512c8e2ce32c4dfdb0c9a8b4e67822bac8150c7421c352158c031304713aa5ec259fcd523e53693c9885e765995ea86e1406990b1246a5b78d8

Download Submit
\Users\Admin\AppData\Local\Temp\7zSA8FC.tmp\50e147993baf2.exe

Filesize
70KB

MD5
ebcc3eb1a7021aaead55fb677465a717

SHA1
3c8347f0fd520ee423a4aafea1112a0b06f4b6c8

SHA256
5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c

SHA512
0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

Download Submit
\Users\Admin\AppData\Local\Temp\nstA96A.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nstA96A.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/1784-54-0x0000000075140000-0x000000007514A000-memory.dmp

Filesize
40KB

Download
memory/1784-88-0x0000000075140000-0x0000000075149000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads