d159683750f934e6182f8ed8582e6804eb23b825b789fc661e478dc1f21a392f

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00890736de774c727837b4afd8312542_JaffaCakes118.exe
Size

250KB
MD5

00890736de774c727837b4afd8312542
SHA1

5758c1b4ce120fdd6f7afffa70e5d75f612c9e5d
SHA256

d159683750f934e6182f8ed8582e6804eb23b825b789fc661e478dc1f21a392f
SHA512

668361806620d433e30d102ca62398f515811e6e34315eb6eff80e50b839682c2633a01e2e0f550f9b4830142e146fc673ee128eca54b028e927911a0cd232bc
SSDEEP

6144:h1OgDPdkBAFZWjadD4s5NQPzIjaiqmiLQHJWpNYJYLkh:h1OgLdaOyIjaiqmsYJiYokh

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234f2-74.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
4536	511a0b548e275.exe

Loads dropped DLL 3 IoCs

pid	Process
4536	511a0b548e275.exe
4536	511a0b548e275.exe
4536	511a0b548e275.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhfaohjkpioidliogfieplgedfjmojmp\1\manifest.json	511a0b548e275.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{215BA0A4-62D0-3C88-1F82-B398B66851C6}\NoExplorer = "1"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{215BA0A4-62D0-3C88-1F82-B398B66851C6}	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{215BA0A4-62D0-3C88-1F82-B398B66851C6}\ = "SaveSale"	511a0b548e275.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234f2-74.dat	upx
behavioral2/memory/4536-76-0x0000000074030000-0x000000007403A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00890736de774c727837b4afd8312542_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	511a0b548e275.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234d9-32.dat	nsis_installer_1
behavioral2/files/0x00070000000234d9-32.dat	nsis_installer_2
behavioral2/files/0x00070000000234f6-104.dat	nsis_installer_1
behavioral2/files/0x00070000000234f6-104.dat	nsis_installer_2

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215BA0A4-62D0-3C88-1F82-B398B66851C6}\ProgID\ = "SaveSale.1"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{215BA0A4-62D0-3C88-1F82-B398B66851C6}\InProcServer32	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{215BA0A4-62D0-3C88-1F82-B398B66851C6}\ProgID	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{215BA0A4-62D0-3C88-1F82-B398B66851C6}	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\SaveSale\\511a0b548e2ad.tlb"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215BA0A4-62D0-3C88-1F82-B398B66851C6}\InProcServer32\ = "C:\\ProgramData\\SaveSale\\511a0b548e2ad.dll"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\SaveSale"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215BA0A4-62D0-3C88-1F82-B398B66851C6}\ = "SaveSale"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215BA0A4-62D0-3C88-1F82-B398B66851C6}\InProcServer32\ThreadingModel = "Apartment"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	511a0b548e275.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	511a0b548e275.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4536	4964	00890736de774c727837b4afd8312542_JaffaCakes118.exe	82
PID 4964 wrote to memory of 4536	4964	00890736de774c727837b4afd8312542_JaffaCakes118.exe	82
PID 4964 wrote to memory of 4536	4964	00890736de774c727837b4afd8312542_JaffaCakes118.exe	82

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	511a0b548e275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{215BA0A4-62D0-3C88-1F82-B398B66851C6} = "1"	511a0b548e275.exe

C:\Users\Admin\AppData\Local\Temp\00890736de774c727837b4afd8312542_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00890736de774c727837b4afd8312542_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\511a0b548e275.exe
  .\511a0b548e275.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SaveSale\uninstall.exe

Filesize
48KB

MD5
f3c79bda3fdf7c5dd24d60400a57cadb

SHA1
1adb606aaeedb246a371c8877c737f0f8c798625

SHA256
a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b

SHA512
c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
d108d302f32abf5b31a58763ac4be8c4

SHA1
f92016199f04837649d20e385c577aa1f8d4f9dc

SHA256
e4d76ff3d02e491fd26057af187b319c0b46a49c2ca13a1198bb35e38b5f1b64

SHA512
a7b495911de0b061bcf4b5ec15898f92bc84abede575543e2d3ee2d774a283a09cce3d9ce0ecca488bf8c18a1b5b0bfb6a97b585e118170376a35d10bc9be896

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
479e84d2fdbb91cd50cde3120b3c4b4e

SHA1
d9d96fb1d445ce65e6f031de8251601904828bb4

SHA256
240091a2c8dd5aafefee823e01875c3ec2a221677443f79f5ddeace57c59e570

SHA512
a715090bf0935e8154d076434cd24872732007861fe8d5c8df99643561f8cf62a9f86b6114ad036ca45b762a4ee632b33e477a8e93874d82553f783028fee909

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
26811894e090872dd70d625570d58bdf

SHA1
1214b994581076e83052e1478a35118517b6c832

SHA256
d91328ded0560e40e6d34e7786151c2eabce7ff7fef2b558f1e42ad2e5a84bb2

SHA512
616bc8c30016714df90152d0d459645a8da8c782cfdc3884d6b83b397a1dec6de3606e979e024dbe4bcc81c6b8a697675af56f45e41638c48ebf6064164db8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
aa5af67e5bf896b3b5688459c3a435b6

SHA1
e512b46e7d2cba6e89ca6a80bd19cdc98fd086a3

SHA256
eee75e0270da96c04e83510e9c6c6f62bffe87282ac6a405d149f608ac450632

SHA512
6376d6111e3ce91b6d57d84cc540cc719316c1e54520c135ae0eb208848727ab12cc92eb360b2545d532093c073cc2732d1906834f7044b91655f415f08672ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\[email protected]\install.rdf

Filesize
705B

MD5
87807c9df2ae5c57edd6d5c95eab0880

SHA1
08a89c9a5d405be9eab0d5ab42ee38f74c216f9c

SHA256
bdee32b25729cf1d6f9ecd78f3ff6b6def9e51e004b10414d28f5a8fd1d28b7b

SHA512
f4b57e8777f99f01c76a1aa72423f884b7e31d9867c19cc55ca4ad83cffd11f6696e77adbf4de8d32440989bfae8c953336e0371f06715544fb1bd3f02a8767c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\511a0b548e275.exe

Filesize
71KB

MD5
b78633fae8aaf5f7e99e9c736f44f9c5

SHA1
26fc60e29c459891ac0909470ac6c61a1eca1544

SHA256
d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22

SHA512
3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\511a0b548e2ad.dll

Filesize
118KB

MD5
44f1dc155d3d083b677f20ed0fab8404

SHA1
a696c5a0d50145afde3d3a71f70b1c3006ac2199

SHA256
67014a6fc8a77ae480dae9b09f800a1f40a40399ef967f86843a80eb4c9eb470

SHA512
04a7098abd589eb1a533af6f89d0d982d2faf9c4e7e29d02abaacf81635b789acfb5ca026f7a0c6b4a263934f0425c69f5225488c450e864f8dc8000ffbf94f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\511a0b548e2ad.tlb

Filesize
2KB

MD5
c749bca713cf6481411b5c4eaac4506a

SHA1
539cb813dea7e37eff8c1b696eb0ab42c815ab62

SHA256
0a94d2086eb6ac57ba5ee365d3f6f64f33e7c8d18419f04715460bc04ebddf2d

SHA512
11b3b333b97b1bbbbbf01b6d367188698470877e180a3854ec9762f706755156136b404f2b95a7304a890686d8f5f697232e6c28497aca20e0aa76988b0f179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\fhfaohjkpioidliogfieplgedfjmojmp\511a0b548e0955.42035012.js

Filesize
4KB

MD5
b18502dd641cd4ae871d0cebfc4c420e

SHA1
f0b17f05ed68f5517402a28dc65d539e1be2da25

SHA256
0f9a3a7d35b036f17ed1ffe67333be9406260fce681c665cd0fb0a9b04d52e80

SHA512
93d8ba751fe856c391cec3cbb11efb74d5ef199142592d5fa4113235aa26bfa38ff25a6b6ef32c1be177ddcc5754bdd9a9123492d76810db3a4cd01bc8d2c520

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\fhfaohjkpioidliogfieplgedfjmojmp\background.html

Filesize
161B

MD5
29319e656d72f003eec85e2013b7a177

SHA1
f316781b04921a372db84486842f7919501d3758

SHA256
c5cc1f13d9b9187292f6bbabfe9ee28cf5db1ac9d8e67dfb3f8fd3ffe479d896

SHA512
e318a3bf67d2cd06db724fe2c5aafcde6d313685e6d7a888e2a5270f7811b45d879c140a61602e2f0c4833c9142657ddea587d3a3444cdab4967ca04dda41fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\fhfaohjkpioidliogfieplgedfjmojmp\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\fhfaohjkpioidliogfieplgedfjmojmp\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\fhfaohjkpioidliogfieplgedfjmojmp\manifest.json

Filesize
498B

MD5
481c6643171a64bb13c069914935148f

SHA1
2bbb396de48a811f67fcd93d6a3375e18bf213cb

SHA256
bc37661db8508b5979b986e56c34016ca01be0f782478e37da434ea137e116ab

SHA512
de829fcc1be0ca0babd0fedb5318962289affdb19a0559016a119a817d7d128798146d5758502eddd21f5114034f6be0911f9401407a0e7019977a623c5cea81

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\fhfaohjkpioidliogfieplgedfjmojmp\sqlite.js

Filesize
1KB

MD5
823423307100c276f145a7a02638a7da

SHA1
fd0a3952c7e08c98720827818487eb46c759a92c

SHA256
b46441df413d6632a7077944e9f545e97fbb6eebe653007570d5eb01f2b68029

SHA512
3f6af13a1cf20373b6c7a3d6dda78696a765f9a74131a1ff35a1c0b9cbf5b780c4a27067534c90571b1aad3c9d72ebd17349196cb45703b7b6f78b99f3aa5538

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC062.tmp\settings.ini

Filesize
6KB

MD5
999c5eb43e72e437705aec5991b44c7b

SHA1
e16099ad3f6375f361b3681b2fdd4c8b87102a8a

SHA256
3f9c98aef07977b7391aca98751514fe76b7eb3e6c0a9f07f6e576b5a92a7c5b

SHA512
35f1bf8937f26eaccf2bdecba6fd8f242a49d6fe6d843a04497b47c80fccad3686229798f29153c995b12f3b82789290f461e68d8918e31bf4e0296c421973e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC13E.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstC13E.tmp\nsJSON.dll

Filesize
7KB

MD5
b9cd1b0fd3af89892348e5cc3108dce7

SHA1
f7bc59bf631303facfc970c0da67a73568e1dca6

SHA256
49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384

SHA512
fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

Download Submit
memory/4536-76-0x0000000074030000-0x000000007403A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads