418bd77dacca9769b31868702cf425445024ecf80aa7ca438b9bda5218272de9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01645bf801dd2338ade6b8de32e0c7f5_JaffaCakes118.exe
Size

1.0MB
MD5

01645bf801dd2338ade6b8de32e0c7f5
SHA1

7ea4d06b5206d659f3d8f71ded745859d24439db
SHA256

418bd77dacca9769b31868702cf425445024ecf80aa7ca438b9bda5218272de9
SHA512

4a3c44d93e26e6e4e424d424bd77d71ac7d0e43930e51901624c70a82ad7de9e76df205b9282a35ff64177492d92b20badea0c08d54aa970966e884e2ca520d0
SSDEEP

24576:4LiDKSlDaDmYT0LAGP9u9joQX4A6WueBZk1rbfx4NKFiodhkX2f:4L+VlDUIEV9bueBZk1rOEioXkO

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
532	hTO.exe

Loads dropped DLL 1 IoCs

pid	Process
532	hTO.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\occmjppeebfmampanmmegklpefldafcf\1.6\manifest.json	hTO.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\ = "DOwnload kEepera"	hTO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\NoExplorer = "1"	hTO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}	hTO.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01645bf801dd2338ade6b8de32e0c7f5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hTO.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}	hTO.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}	hTO.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	hTO.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	hTO.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper\CLSID\ = "{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper.1.6\ = "DOwnload kEepera"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper.Download	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper\ = "DOwnload kEepera"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\InprocServer32	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper.1.6\CLSID	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	hTO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\VersionIndependentProgID	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\DOwnload kEepera\\q8.dll"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\Implemented Categories	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\ProgID\ = "Download keeeper.1.6"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\ProgramData\\DOwnload kEepera\\q8.tlb"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper\CurVer\ = "Download keeeper.1.6"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\ProgID	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\VersionIndependentProgID\ = "Download keeeper"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper.1.6	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Download	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\InprocServer32\ = "C:\\ProgramData\\DOwnload kEepera\\q8.dll"	hTO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\Programmable	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\ = "DOwnload kEepera"	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\InprocServer32\ThreadingModel = "Apartment"	hTO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\InprocServer32	hTO.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\Programmable	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\DOwnload kEepera"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper\CLSID	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}\VersionIndependentProgID	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	hTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeeper.1.6\CLSID\ = "{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}"	hTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0}	hTO.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 532	3720	01645bf801dd2338ade6b8de32e0c7f5_JaffaCakes118.exe	82
PID 3720 wrote to memory of 532	3720	01645bf801dd2338ade6b8de32e0c7f5_JaffaCakes118.exe	82
PID 3720 wrote to memory of 532	3720	01645bf801dd2338ade6b8de32e0c7f5_JaffaCakes118.exe	82

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8F3D3F48-9D4F-BC5C-EE1E-CA5CCB487CE0} = "1"	hTO.exe

C:\Users\Admin\AppData\Local\Temp\01645bf801dd2338ade6b8de32e0c7f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01645bf801dd2338ade6b8de32e0c7f5_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\00294823\hTO.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/hTO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\hTO.dat

Filesize
3KB

MD5
9a3d51ec6b905891282569fa676628a5

SHA1
68a5dd84db4904195dde3760c1b8cb0628554181

SHA256
4b1c8ae3643061516b3a6b0bade7d0d2c9fd8df1cc89eecfccbf6a6e517b386a

SHA512
9e92c4b5ef1c525efd93208ced116dc8eb9a0a01715b86e1cf77d359e24519d27bc9df086ef83f2f1c64c75986aca364e32b3645cfcdcdf8b9dff978ffc8a4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\hTO.exe

Filesize
334KB

MD5
8300c91b40229b42301aebc6d8859907

SHA1
0b55e56a6add6b4dd4ceff475a0018a203d02a5a

SHA256
f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

SHA512
0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\occmjppeebfmampanmmegklpefldafcf\background.html

Filesize
140B

MD5
075bd72b9cadea3c95146f4b84f6d699

SHA1
e5182aa4dee5366f21cf8adfb7f1f69ce39b0eb0

SHA256
dbf39ece0098b538ee35f501aa0ddc721dc6b2b5552d07ffb0de2d373b8b0036

SHA512
c4580183c8a82a99352e8da133b6cc2b11b7c57fffa46c9151e69e158dacaab0046cf273be25712cf29a19986a2e21bd25c0b02a185ddef4547d6ec4584ae48f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\occmjppeebfmampanmmegklpefldafcf\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\occmjppeebfmampanmmegklpefldafcf\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\occmjppeebfmampanmmegklpefldafcf\manifest.json

Filesize
508B

MD5
ec74867e41df8163642f369140baf766

SHA1
2d8b574f31e74e94eb98d09014180fe2f3bbd2dc

SHA256
960d5c110a99eb2bfb3222385b932004b74340fa6ede383a33b49537e99cde59

SHA512
2d7c7cb6f1114f773648ab43862c361bd4c199cc7b55dcd448c2a42bfcf99acebd6e3b9c6c5b15bf3c47d049c3105292ff78adfacf22ef09bc35daa852df7130

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\occmjppeebfmampanmmegklpefldafcf\nok.js

Filesize
5KB

MD5
47f5059a5e8f421dd9b55a0e126db5fc

SHA1
0ddfeb04fc31c9d2aa805c998a407b1ce7d463c5

SHA256
a784b9376424e2d67251ba8c93bc379333c9a167efcf5fff61aab4cb243883c1

SHA512
367d3a02d8477e7e92c6114ed5a331bbec962a4e8cfd78b848feb47598aa36603073906b3585e7ab09cad7696998ecce1d350ca7adf04ed6a138752c22a227b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\occmjppeebfmampanmmegklpefldafcf\sqlite.js

Filesize
1KB

MD5
4c02a3254e090e9571967da9ba230c7f

SHA1
e22a9872d391773e7692c00939675e81b6ee56a0

SHA256
c13d713026f34699f28ce76531d18bc1f3255137455832340b720a0dec09e36e

SHA512
726b20a614d3461efe69c02a379aeb7fe5852b8be13363cca2cf531ba69f4c63e3df27dcaf96d4e6c6068b50b706a39eb3261a2d42d4b9d2d0778bf8540785b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\q8.dll

Filesize
258KB

MD5
e1d10cccd5dde588af8ee2cb7309523c

SHA1
0b9e805077320b0ce1e6620488bd34f1c4d7827e

SHA256
9900e517bfd4b39bd7af4bb360af52f6c95ef9b3e7ef36d2633485c58bef9a1a

SHA512
a929eaae12f5cb28e224fc31298af2808f995c5a06bc6f47d95879703dbb9369e2e35b4e50a452e91741e6a949336220348dbb3c389c46ea2e0ca41f592dcaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\q8.tlb

Filesize
2KB

MD5
9156db5f76d48049dbc41fd1b58b3f34

SHA1
5eb1df59f9b5b06ab00137fc9e6451e323d3102c

SHA256
66fab808188a98ba49d99b723a181aa6626197d50bd2d5e15e076dcbc6fbb2cc

SHA512
742a77e71c34632146e16acadb6b381694072c7f4c2dea1df1dfc645ed42673ba153c832d167474dc41f9b608142a8c41b4aecda1efdab90d87d4f5c718bf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\q8.x64.dll

Filesize
319KB

MD5
4f5c722b8686afbea6f09c53171d44ca

SHA1
184c60aafbb12d1023b1ce2aff4d3708607a75a1

SHA256
870c280ea861313edda0bd3950dc738ea68d006f315888d66023b54e5f98f0ea

SHA512
e471a86079a16d129ea0c01878af77d1aa132e629832d3f0f3d1f8a3dd250ed41c8d2f37403a10c8061fff07c07dda926ba7ffcc417c6e0100005a0f2721417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
98B

MD5
fe2365e0a23119d0ebd1dba6f2b99af0

SHA1
b625b3917f494f67f2fce12b10b3afca798a0984

SHA256
f6fb9fde7220a0917e98ada6c1906bbbaa4697a9d37dfde3582a06da0be7271c

SHA512
a03dab3073fae4f3a65523dc3c7833781c795e25676e51d81c11ade1963945d9fe53717db985d8a94ee43f5b3f745ee9dc1fa00c58034c95f3e2ae3f64781262

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
9KB

MD5
3e822747aa5902c4d33d2f90c97586e9

SHA1
8e9c7e722b75739bbcb0bef1d2cba6fef262529b

SHA256
5aeb3c14980a5300d440cdd5da280d1ef41d51b6e3fccde632cc25d1b15a3325

SHA512
92df6be789bf0ce31eba7e087d0d52fb693cb3552497b0090454293816de57f653e7cedbfdb52c9108b2ce06acb6ea3bb6ae5d1490bbd198d3312e2b9e2479fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
608B

MD5
9aea2bdbdbf923e3f79cb757f0f40f91

SHA1
38b9425da510e41f8a000dfba6b392d49a62acba

SHA256
363fb74d477c712a36428f8aa38440db5cba29e825d149bbc3b14fd259b31054

SHA512
f88d0343c3d51c41af47d1997f81e01dcef5546b72c57328866796da8e9c2c88eb4f8a114d445d6dc32c428508a0cfcd84b96167475b0a7dc23557e458017419

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads