14d54a9d951b23bce49e7f60f7982e0b65a7160cdba6089557d0fb2e4633b01c

Analysis

max time kernel
88s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

036233bab076411c06afd1bf94637261.exe
Size

250KB
MD5

036233bab076411c06afd1bf94637261
SHA1

228f32e40d49eaea612dae3479db8d7bdbcc6cf5
SHA256

14d54a9d951b23bce49e7f60f7982e0b65a7160cdba6089557d0fb2e4633b01c
SHA512

e7b18fbfdf54b85a85a1b6dcf7ce34bf4e462ff43027dd8a1a84af3971f68327bf22b0513211a22b87d2de16f642cafe2433955737b55b14c20818ff86c4dc8a
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5rKimyPtL5IoJ4cnCBR76Bggf:h1OgLdaO+10XJ/nCBZm

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023232-107.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
3964	511142da639c5.exe

Loads dropped DLL 3 IoCs

pid	Process
3964	511142da639c5.exe
3964	511142da639c5.exe
3964	511142da639c5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3964-78-0x0000000073DC0000-0x0000000073DCA000-memory.dmp	upx
behavioral2/files/0x0006000000023232-107.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\llefdgpdkfoljlbincgnappnkfkldece\1\manifest.json	511142da639c5.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}\NoExplorer = "1"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}\ = "Zoomex"	511142da639c5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023219-32.dat	nsis_installer_1
behavioral2/files/0x0006000000023219-32.dat	nsis_installer_2
behavioral2/files/0x0006000000023219-31.dat	nsis_installer_1
behavioral2/files/0x0006000000023219-31.dat	nsis_installer_2
behavioral2/files/0x0006000000023236-104.dat	nsis_installer_1
behavioral2/files/0x0006000000023236-104.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\511142da639fd.dll"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}\ProgID\ = "Zoomex.1"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}\InProcServer32\ThreadingModel = "Apartment"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\511142da639fd.tlb"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}\ = "Zoomex"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}\ProgID	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	511142da639c5.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	511142da639c5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	511142da639c5.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{2655DF8F-4E40-5FCE-159F-33CE5F28B626}\InProcServer32	511142da639c5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 3964	4824	036233bab076411c06afd1bf94637261.exe	26
PID 4824 wrote to memory of 3964	4824	036233bab076411c06afd1bf94637261.exe	26
PID 4824 wrote to memory of 3964	4824	036233bab076411c06afd1bf94637261.exe	26

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	511142da639c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2655DF8F-4E40-5FCE-159F-33CE5F28B626} = "1"	511142da639c5.exe

C:\Users\Admin\AppData\Local\Temp\036233bab076411c06afd1bf94637261.exe
"C:\Users\Admin\AppData\Local\Temp\036233bab076411c06afd1bf94637261.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\511142da639c5.exe
  .\511142da639c5.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Zoomex\511142da639fd.dll

Filesize
1KB

MD5
7c205c06d8a2d13a6a305b638fe2d27d

SHA1
d243948693c7794c0d27b4f8edbbad643c36a6e9

SHA256
38da4ea2f5ba7ee378523d62dd7a15795d01b0dfb3af140fbfe23644f8c85c6d

SHA512
56c4f7e31a3adbc442c21656deccee2bc178fd07d1c4be56bfb04c9a5d4c1d520bf7305d00e9cb5aa0201a4dddef728257ea1a3b67eca952e7b87eed75e14b0d

Download Submit
C:\ProgramData\Zoomex\511142da639fd.dll

Filesize
7KB

MD5
a45461941b8b167709d31aa384184c74

SHA1
8cb5a966caead1758ee759383893f281c81a1641

SHA256
92418115a33fbf40ba7c04e9a26ef12015177522fd66e120155b4803424dad9f

SHA512
5ca0db2a4ae8c107d7220f763024ac3bd4fa6e71eb0c427fab9a6f174592e8ca8cc5f3eff78a2b9c5dc24e2f122449f4984fb5563d3c983637e92f2a23842537

Download Submit
C:\ProgramData\Zoomex\settings.ini

Filesize
1KB

MD5
3acd61ac0b17844d907491e935f0d0d1

SHA1
e7dca175d73065519e356d782f09b2dd13872589

SHA256
1244135a94a7534fcc585b27045a16a83c500115ee80006dfcce6ed370b3e091

SHA512
d2fc7e1cc86e9d96345d3492fd54092657af1c20b203b7ef0e93d3f6ea35ae4a0084e87e5d3c6709e340f0d634b7dbe1119e5d8c3a9ab926a5e922c817755940

Download Submit
C:\ProgramData\Zoomex\uninstall.exe

Filesize
48KB

MD5
f3c79bda3fdf7c5dd24d60400a57cadb

SHA1
1adb606aaeedb246a371c8877c737f0f8c798625

SHA256
a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b

SHA512
c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\llefdgpdkfoljlbincgnappnkfkldece\1\manifest.json

Filesize
479B

MD5
d9670f9c069ec46aaff5a60a9608e885

SHA1
c15da079582c4bf21b06e934dc78f3bd8fbc5607

SHA256
a631255a7467449ff89bb97a8d97632411076d00bfb8dc84c19abd100e235e7c

SHA512
d7ead015d25cdf1d31ec3330020bd43c5ec702a148c130083fb5ee70a8a4691fe94db7f9390b93d7afbc083531c9c1f23d29bd607c22d7cb362a0cb299645ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
5036825409f4e3d5d298862584de592b

SHA1
6ff541ec1a1b7c84771c7e07c9c5751fb9e17de4

SHA256
95af7d9f0f9dc429edf79dbb4bb401c01aec9aa0b67082bc01e185fcef3af37e

SHA512
b64d81ba42d82fbeb937838d9326bada357cefa042b34b40d41cb38a16bc656af13c79a46b782af906fc9d79a2dfc4177f1cff2adc5ed3b61f55c76b32c90c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
984ebcca1a8dc8786f736419f4a69be1

SHA1
b57692e1d4a7df329190df26f08a7f3386d34bee

SHA256
ff5a0efe69b1bfd930c4c9b09e9ea067452f617d4127b32c9890f3cb4d0a9d95

SHA512
d5957ec4c580f9a1b1225f96c0b85a6cdd3c117f3dd740f541fd06f587cb8e452ecfa296cfe1d22fc36a3ef75c4190e1aefe45984145a3f0d6d600a754dacc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
ef53ef8459d78e3d370bb342cdb3a8ed

SHA1
2ade40832b6dc49d53fb7440941ccbe9f4d6ca1f

SHA256
8dd1ec76651f2fed5958a55d76590b41139e6c691bbfa463a15b58b173646a0b

SHA512
b66244f64e7e4a460fe22ddc69b21be071675fc0b0f5de5febec72a38d16303faa39c1fd8ae90b467b73d545d7d2e490af2f8e33257ce6d73065eb10ee80c6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\[email protected]\install.rdf

Filesize
700B

MD5
fba23a1751f5e47d218d74d1a6ec0903

SHA1
00d754596c021b90f14e65512dd9a2a4d52e4a7d

SHA256
aa87472256f5c2ba3fd7c48ff244afa1c635149bc75c51fc829ce894c6bdc58f

SHA512
a0019a978f159bb0c7aa58b03ce0c7d295165f5b3fbb9076476e9f3bc3d397d3ac534b274470f08a8338d10f2df37ac84865d8311462ce89e016a68564a69b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\511142da639c5.exe

Filesize
35KB

MD5
cff8c390139ef723a5ea49537ce788eb

SHA1
66e56f458aea566ca13b558f2936d3ea35f4a0e1

SHA256
7323d0938f08a3d91d319701976e4199d7f3a0803c862b626454aad2665bf4f7

SHA512
371f98fe1d0bd1f2627c628bf15b510ce6812509126e528defa93a87123ba6fcb9b376b342f0764a9440343c3167e6061e84e78c8311a63416581a3ff849e076

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\511142da639c5.exe

Filesize
1KB

MD5
a5f5fb4e7199843afa11676cce36820b

SHA1
7aae6b7cf38c5cfbe89fcced1b7e4feedabb83ce

SHA256
5c04242692cfed2c1026da8dccd32a9a289046debecfc8420a4bcfe06510571a

SHA512
7963ddb51a267317ea91b6de27fd521fa92a62ec9cce1df26c2a4d3debf5932b5018371d69e52c2313c0f40d4dd94ef5d28496d7194df6202f1fd7b166f6dad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\511142da639fd.tlb

Filesize
2KB

MD5
c749bca713cf6481411b5c4eaac4506a

SHA1
539cb813dea7e37eff8c1b696eb0ab42c815ab62

SHA256
0a94d2086eb6ac57ba5ee365d3f6f64f33e7c8d18419f04715460bc04ebddf2d

SHA512
11b3b333b97b1bbbbbf01b6d367188698470877e180a3854ec9762f706755156136b404f2b95a7304a890686d8f5f697232e6c28497aca20e0aa76988b0f179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\llefdgpdkfoljlbincgnappnkfkldece\511142da637d88.23979270.js

Filesize
4KB

MD5
4026521b4b5a81e91561a911fac57496

SHA1
9eb565c373a29a27e32b5d323c2e07fac2d9bb8c

SHA256
48fdd4d31c246f7895fe3a5488f47219a9fe5a5ad5e2ee5d4aa3cbd4547f1b43

SHA512
63b3974b24260966e376fe2ae9d29d81940ff6c011bdf81f725e7dc48c7e7dd60f7ee2cf8247d096d6b5ebace899f698427a8236e3e772eec474bb44f9289e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\llefdgpdkfoljlbincgnappnkfkldece\background.html

Filesize
161B

MD5
eadf237031713aaaa01268aca19aec2a

SHA1
5adb48757315d3590d69ba8d70ed1aac19db3124

SHA256
0649532ded87beaec2a5a1580c632a86997008b07d4846a8f6bf50bedc339801

SHA512
9c0f617d08f431eabe80632fed6af1161a87e1fbb8f8c5e692acec96e89122926069f52682856301b0df9751826ff54bb1c4fdced127b80bbc04bb74b6c4d889

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\llefdgpdkfoljlbincgnappnkfkldece\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\llefdgpdkfoljlbincgnappnkfkldece\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\llefdgpdkfoljlbincgnappnkfkldece\sqlite.js

Filesize
1KB

MD5
357b6011c10a6624f57ec164132fb2a5

SHA1
0d32448dcaa4456d01c0278f88aed024c92f1b08

SHA256
74d60a4e03f64a56db7c7b2be85b9c973ae2065262fe5807c4ded61c9871f801

SHA512
52b96232f4f2a935df1b37e9962bdb122907a1fc0c79adf23043bffd30ef17a3533d7d33dfed5c33c61f8e40c22a17681aff10d928619bedaf1f68829f6cb344

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS38E2.tmp\settings.ini

Filesize
6KB

MD5
e24d80e9bc0626320782e3f4aafd5831

SHA1
d0fbd50572b34fa05f19b883a59d7f650dbee118

SHA256
22ce0076b7770e94e839ad77867c69653414bee81194063e99fedbd7dbc61a02

SHA512
69f61ac5c0e2358765170b37b01ecf943ecefe38035b30c598c7eed289d07d0d56d5659fd9cecbb48911e92a3fef7a6787822e36e0a2e5e4c0c96b0c7c80cd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3AB8.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3AB8.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/3964-78-0x0000000073DC0000-0x0000000073DCA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads