45a69b9ab8e6c04acd56bcec9a01f79d426381131461b29541aedf7c5a4afcbf

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe
Size

551KB
MD5

04841c8e02494d995571c5effb6c305a
SHA1

59bf295d9f6271efee2237c6b6f89137a8ddb51a
SHA256

45a69b9ab8e6c04acd56bcec9a01f79d426381131461b29541aedf7c5a4afcbf
SHA512

e9c2014c988eca3d875f135007765942678343e91eec80f082ab0aeab6f8843c6b4a3eb7bdc8f411c60668a39a7ee18df0612011efbf49f959d120909ae5fb5e
SSDEEP

12288:h1OgLdaO6Wctn+MEfOUgbJuMmFcouJqkF:h1OYdaO6tMOUgJHJJqkF

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2564	regsvr32.exe
2564	regsvr32.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kebcngflfjljhaanbelefmdjcbolmiod\5.10\manifest.json	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\ = "savEnshiaree,"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\VersionIndependentProgID\ = "savensharrE"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE\CLSID\ = "{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE.5.10\ = "savEnshiaree,"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE.5.10\CLSID\ = "{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\ProgID\ = "savensharrE.5.10"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE.5.10	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE.5.10\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE\ = "savEnshiaree,"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE\CurVer\ = "savensharrE.5.10"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\ = "savEnshiaree,"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharrE.savensharrE\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\savEnshiaree,\\6sAfC.tlb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\savEnshiaree,"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{085EA297-A552-FD91-F4C2-E2DB3C65EEFE}\InprocServer32\ = "C:\\ProgramData\\savEnshiaree,\\6sAfC.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2564	2548	04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2564	2548	04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2564	2548	04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2564	2548	04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2564	2548	04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2564	2548	04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe	30
PID 2548 wrote to memory of 2564	2548	04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04841c8e02494d995571c5effb6c305a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /n /s /i:"" s8RiL.dll
  2⤵
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\6sAfC.dll

Filesize
180KB

MD5
0e093772550eb9541dd715c016b5584a

SHA1
20338dc859a5652f5661280dc508f4e5b533e76d

SHA256
028999304f35f7a6fc2cf6e360d4ea587612d63ce191fa979cc98ccca46ab149

SHA512
0030b395e2fde6bc9f70f52e71d8e87d306cff8afd2acbad725c4cc92b6d7916a38c1d6d156feaec841966492d32394982ef51989e2b8673d7c00e103f744dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\6sAfC.tlb

Filesize
2KB

MD5
48e9706fe9f76731f3576122fc3e9e33

SHA1
387c8c4898ead8ace488a7df80fead429eaf167b

SHA256
7bad79916803a14ca817e5c39f5ec2f0f240044d6dc24fb4916c8fda338060f1

SHA512
e9b44a2b1b7a806066182a084ec9df81916fc6db79710256e173377e7cd64a732c006830bbe324a9a734731ecde8b8251cfa995399f6d4df5322faff99c458b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\Preferences.C__Users_Admin_AppData_Local_Google_Chrome_User Data_Default_Preferences

Filesize
5KB

MD5
abc2f8f21d451cb05616779aca2f7584

SHA1
5e7285093936def7bacd954d4b116d71f0f5bd1e

SHA256
0a711cb6a5a84d6051aa2d7d8e2e64ac87c948bdc14bab37eff83922e1d598d5

SHA512
cff802e6432b1c51a3b427f9bda216e6216b24a5dce48eed963b1a93cc7c1a8e4765ff1f2efa677c88cab58269afec43b4d5bfa3f22508b32af7537a95947010

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
c873ec7a4afb709c0f3bf1b4f0cb3807

SHA1
15314c5922a2e6b8e3556394bf6dccf40afb8064

SHA256
cd6141c41c8d403e1c2dc127cfb723961ced1bfb77b256421062117a15d75457

SHA512
ad7477a748e519f451e67d5c2bd09e0dae30b185db118177ea84e4bee8892c1cf18f3d39ab7afa7ffb33c19b0ec98dd2ce872a5fce58e9ccfcfd29f55df019a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\[email protected]\chrome.manifest

Filesize
104B

MD5
3dc52059551173ff74bbb8d32709cc8a

SHA1
1fe30b7f9473a34537e2709bba8807f0b1dd16af

SHA256
2131a2b17fc0671e829c77e9c2008a7c474f3174f50bf065e3771a040d967ca5

SHA512
f715a06cdfa7d1a5dde4317f9be17e95518388e9af6e98713a6b636d3e65081576e73e8e02dac161f102715925331a3b9b73ebf84e7e329efeaa91bf69b43453

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
f93efbfc480e1eb58e9ad18569c8a02c

SHA1
0bd1bdc6d625be67dd4a1774768a4570146001c8

SHA256
def0126a7b8c54a6a5402aeb8e704d3db94ee146f32189f3253b0915e9d3cf0c

SHA512
4c891045c7c8f751b90f83389539817bd604c1d552257d362752d96ae7cece00e8d868ce0092080574a0f7a519609b85283963bb129aa52d1b489324f8f9ac47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\[email protected]\install.rdf

Filesize
614B

MD5
50814c9b70165f8cd839ed944c867546

SHA1
2f4dcf656ffa7e444add99d3943a858f2c049cae

SHA256
ff6ab6e53599d9eb04072cd9aaed5df90da9a6ccfcf08829deccd8b26d2c8343

SHA512
d733ef3d776c38beef76ae878a0f7e9e7a736e581a11941aa75030f295cf79b0bb891c70c90cd436ed740e36c950bd8df4cf2694ca8a3cd8f32870b5e9ddac12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\kebcngflfjljhaanbelefmdjcbolmiod\background.html

Filesize
143B

MD5
d6bf7ed8729c419fe52a64fe451eb2b2

SHA1
efb46ba5c949ce774eef71ec2d54489d6317826e

SHA256
f4254b2c93264cfbfcee20cce941b561f0afec80366cc0170386215b7286308e

SHA512
d241f0401aa647f691ede0e9dcfb691ef6f4cf476fe3651d6ffbe8411c3449746d59dfd78990eb57c540f074e1ef66de858b83f683599ab33beaaf6ec81e8bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\kebcngflfjljhaanbelefmdjcbolmiod\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\kebcngflfjljhaanbelefmdjcbolmiod\l5a_Ws.js

Filesize
5KB

MD5
6a482c5818d13d9992228e15112b30da

SHA1
b00224d3c5db38d5c4ee317dd178e54b1efba1ed

SHA256
f4d4bed981ac9553ec50751ec671e94bd26990ba87eacd1e21bda9b20924b23e

SHA512
af6d18e7226a02a9684fe0ba752af3243297b993a24837787c403c19eaae7edb5eaa65908ac607c825884952f953422e5ea2ee2baac0b55f9cc14113656a7be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\kebcngflfjljhaanbelefmdjcbolmiod\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\kebcngflfjljhaanbelefmdjcbolmiod\manifest.json

Filesize
507B

MD5
489d090a07b3ad4313c78601930e0211

SHA1
1612a7963f11e929a0eb6bbd3b2f17bc9e7c9d1f

SHA256
223df2527b4ec89f2b9684348b8b517be4a165de9da32fadb240109a9187d1c8

SHA512
faae49ad50db14ba00401f15eb55083a9de095e292cec3d1844463e733c71ad2f9eb0e1c712b00ce33326c1d5150143ff73b4cb6b5b966e8fc25e2156aebd742

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\kebcngflfjljhaanbelefmdjcbolmiod\sqlite.js

Filesize
1KB

MD5
32bd91fecfcc582be548b76a3a159414

SHA1
5509df6c61029626b114b0ed85bf0a4b4f595266

SHA256
839e070457eb2091fce3d06cecb9cfb6e69a1a7184c3cb0611c188693e2eae4a

SHA512
32d9927b45290c0e5502e37d3b6cbf21a2a198f002f226b0e0cef2fcbf1ab4d9326529ca657944c177523fe8069200e4c8ed986f16e5119594eb40df05688849

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\s8RiL.dll

Filesize
203KB

MD5
41b13b132cb601ecc466654b90296353

SHA1
245258ddccb48826f22d57444f49fa30be1b36fd

SHA256
7fa4bb68c313e1090587a64b90e87bdcbc14ea3fb7c0e8cff94c657c969b70bf

SHA512
0e8de7bbe3695848e299fe3f3506f2e982a60cf0a0dd11cde86de4af67ef3c7b46458680d7bad9cedaa266ea33cb2e77f2aa83fcf1bdd20bf31d1936f2bd69a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA6F9.tmp\settings.ini

Filesize
7KB

MD5
7ab2c47a9651afa311534376df24f843

SHA1
308627dc029f87277d8057d23d51005dd1cf91f7

SHA256
518942835344b80dd797e61b04f974ce46c4784c38704fecfb19e0fbb891d01f

SHA512
20b8d45771bca031cd7409f9ec94d64f49818635a3350f314e2fba5d2aa2faff73a6b31cd53d4e15e183787e51dab7dc6adfa478957ebf28df41f8b7a40a1ee2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads