46e8adf87c4249e1cfe61f679f8ffcf9ce7ff1c12240a8cbd468870b8e43949f

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c4b7a2fc5d006058bc89f1351741c9.exe
Size

250KB
MD5

f6c4b7a2fc5d006058bc89f1351741c9
SHA1

24e9d4d6f019921b36a784889585f046b9415ee5
SHA256

46e8adf87c4249e1cfe61f679f8ffcf9ce7ff1c12240a8cbd468870b8e43949f
SHA512

98997d972256a519a1b2cbb7f6bc34c5361693a379efb96c3774ba4fd3be35022063e51a622bfe570238780b66a6b70f237b1bf0edbb8a135c3d7c6e9207e372
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5LxcQjtc4qRD6d8pCQk:h1OgLdaOLxcBRmFQk

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002321e-107.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4732	50f9678f802fe.exe

Loads dropped DLL 3 IoCs

pid	Process
4732	50f9678f802fe.exe
4732	50f9678f802fe.exe
4732	50f9678f802fe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4732-78-0x0000000073DC0000-0x0000000073DCA000-memory.dmp	upx
behavioral2/files/0x000600000002321e-107.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dcpnfmojoflgmjjjnmddojbljfebbigi\1\manifest.json	50f9678f802fe.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\ = "Download and Sa"	50f9678f802fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\NoExplorer = "1"	50f9678f802fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023205-30.dat	nsis_installer_1
behavioral2/files/0x0006000000023205-30.dat	nsis_installer_2
behavioral2/files/0x0006000000023222-104.dat	nsis_installer_1
behavioral2/files/0x0006000000023222-104.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\InProcServer32\ThreadingModel = "Apartment"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Download and Sa"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\InProcServer32	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\ProgID\ = "Download and Sa.1"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Download and Sa\\50f9678f80335.tlb"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\ = "Download and Sa"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\InProcServer32\ = "C:\\ProgramData\\Download and Sa\\50f9678f80335.dll"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96}\ProgID	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50f9678f802fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	50f9678f802fe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 4732	4472	f6c4b7a2fc5d006058bc89f1351741c9.exe	87
PID 4472 wrote to memory of 4732	4472	f6c4b7a2fc5d006058bc89f1351741c9.exe	87
PID 4472 wrote to memory of 4732	4472	f6c4b7a2fc5d006058bc89f1351741c9.exe	87

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	50f9678f802fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{EA1F5BE5-2FA2-8C05-21B5-87FA13742F96} = "1"	50f9678f802fe.exe

C:\Users\Admin\AppData\Local\Temp\f6c4b7a2fc5d006058bc89f1351741c9.exe
"C:\Users\Admin\AppData\Local\Temp\f6c4b7a2fc5d006058bc89f1351741c9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\50f9678f802fe.exe
  .\50f9678f802fe.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Download and Sa\50f9678f80335.tlb

Filesize
2KB

MD5
1f14de44d0d63a79f91d3fe90badb5fc

SHA1
7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e

SHA256
bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c

SHA512
86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c

Download Submit
C:\ProgramData\Download and Sa\uninstall.exe

Filesize
48KB

MD5
f3c79bda3fdf7c5dd24d60400a57cadb

SHA1
1adb606aaeedb246a371c8877c737f0f8c798625

SHA256
a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b

SHA512
c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
7d2d22116753df1e9900d1707ffdcd7c

SHA1
8e06acbacf9850437683d56f1109f1b5339e7460

SHA256
170de5a79fd02ffb986d058d8929e77bb2e05a01df26760bc169751c9f53c92c

SHA512
ba73a7aa6ee1bd95bf2c89b9419fa0f384b041675bb9f7f9d814d9dec07879074e6d49bb0634ea114f0782b51525094b0abb97c4fffd2a23d09838475fe143d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
2790646675e356d177debceb93b48d76

SHA1
92c1dc35225ae00eeb443d8b08999c2dec5f76ca

SHA256
1992dd81e06dd9a6df35cc1d00abec34f58d8e433a3c8833cb7602206ac21b6c

SHA512
ad38532ec8704e54eb06e0f8505abe8cbfd0b83d58281bfcbfb5184180d05bcfdbce35cb43af20b9586d535bb6f81f37b38c822ff354c5ef199e6e895108b6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
20502f649785f75e1d24c5a54178c9eb

SHA1
7fb79238a11ef8e58f8409ac0e5d4d8aba6ff2c9

SHA256
957dbb0c80321c0af65fb11b3551aee350c009b3cf4333f859d4189bd5b34fd1

SHA512
fc97a4f2c1f80af9c6b71654e94506bfca8d34e855fae55b1011e735d2658d3a43cec7bbdc1f1129393d37d12f42183e815531218217a0edc6abd46514dc9cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
f7f4de47e7662983768d795675e15939

SHA1
48ba622bd1a6e70debbc4e0796a52048d3029997

SHA256
e4f56360c9277a01f24c2d6ba5843f7a63414fb1e025826052d0569336090735

SHA512
5b69507863de2363653a3c4ce3a071a13cc5aef5b96088f2f5dbf61ff05c32d80c5983f2b8719f8e1d79be9dfc1c82c1ec59bffe03a95932c2ed3d08686c196c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\[email protected]\install.rdf

Filesize
718B

MD5
a18ddad43c2341558f7902bd8e9e5203

SHA1
3292fa4e39bc75577c8ee4fbaa5ddfd0d252f81f

SHA256
6077ab4d72d9b2935f2b85b2ee254ae221b9c640017205d5140bcc4a17afd628

SHA512
5ae087ea863a457503dff33918100f5eadcc98d5474c5da4fc3818be3ccedbf0d9c2f4a6a5bb49a8d805a76161416ff87fa6758ed9ac61939089e0b6acf828f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\50f9678f802fe.exe

Filesize
71KB

MD5
b78633fae8aaf5f7e99e9c736f44f9c5

SHA1
26fc60e29c459891ac0909470ac6c61a1eca1544

SHA256
d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22

SHA512
3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\50f9678f80335.dll

Filesize
116KB

MD5
da161da8bcb9b8032908cc303602f2ee

SHA1
8a2d5e5b32376a40f33d6c9881001425ec025205

SHA256
0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e

SHA512
39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\dcpnfmojoflgmjjjnmddojbljfebbigi\50f9678f801260.48419320.js

Filesize
4KB

MD5
4a32a7a2494ae26495370f45e88e4117

SHA1
273d478faa99a260b72df306d2d747a535ff756c

SHA256
cd57e172625ab3179fd44fc58fd9918576a05820a781f1b40263ffdebec48088

SHA512
8f024e270da8dc093083fe937ed25d042aed87bbf6f0dc293d2d2a0a7f50647b7e86173563ecc8207d61551415e110d120f40959f5a50759f03522a7f1eae60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\dcpnfmojoflgmjjjnmddojbljfebbigi\background.html

Filesize
161B

MD5
cef74d489209c5a8f915e314601c8503

SHA1
55de2211286a063f9710ad4f68def80228b7a153

SHA256
b7dde844a5ec0320ffc7c6d5ecfe9c4b1e5cd10153589e6e63df085c30e2596e

SHA512
d88266ab0f35a45920e7a42ee79bf38d630cb3b07c835eeca957a7c48b8510908084e05a8ffefcbc1a7b5c50af59956d3d78759baffed1874b47ad3621cd0b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\dcpnfmojoflgmjjjnmddojbljfebbigi\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\dcpnfmojoflgmjjjnmddojbljfebbigi\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\dcpnfmojoflgmjjjnmddojbljfebbigi\manifest.json

Filesize
484B

MD5
3e7ce9d2f8f91ee27c09f98a2a1c1659

SHA1
0fde827400ba70be8b27d55240d2dd2977c77395

SHA256
8d41908ad472fc1e0494cf7b0904595072dfc3628316696c6c0c5632066ce8ca

SHA512
dd2ade7d3a8cd4c8d2bc3a967da30bf5e5726e9aec5b3ed3f754d05421aee38859ecf8f58f8c0cff2c9c96179aef27371c34968964c39ddef39861721afb7901

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\dcpnfmojoflgmjjjnmddojbljfebbigi\sqlite.js

Filesize
1KB

MD5
583a2a78f940e5f179e983efa3c0d17e

SHA1
ed14c7c8bd6819123307e56f161fdb694595cd9d

SHA256
d2605623786e0055272ebd7f38b944a91fb5c21b8ed63a527a5c66b2ef88125a

SHA512
524c3c5882a7bd6befb9ef76a3b9d0fb2cbdf7a638887b788fd5b10743eaee5e05ef9f0b985a3bb15b4957b57f8c23c20ab2bcd2c83fbe100e36a39967562505

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4B41.tmp\settings.ini

Filesize
6KB

MD5
60f8de5c068a58cd9005b3b6753bf4af

SHA1
6923513bf746094bf0e52311cb9dee7134c826d6

SHA256
584be17787ca5925dd6f862063ffa1892b6bc5f5f950f077750aa576b59113d6

SHA512
bedc14a31a708c65a8777c13d4cc74683f91f90406746c0e06aaac7e989a358085b432d5f6b4051c0fe6531dbb87a22b1716402a999ad1ed96a187115acb0b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr4BEE.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr4BEE.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/4732-78-0x0000000073DC0000-0x0000000073DCA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads