7c029385919a15bc82c7975fe538bb7c4eb7f9feac2199afe889bff869e557c7

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 06:16 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

122c5d5004617f818de9507059193150_JaffaCakes118.exe
Size

1.0MB
MD5

122c5d5004617f818de9507059193150
SHA1

d2daf89114e8ee034bcd69fc210e7014bb36b688
SHA256

7c029385919a15bc82c7975fe538bb7c4eb7f9feac2199afe889bff869e557c7
SHA512

3a7069840f30cb882bed4752da1ef090316127f69bcda45aaa2a51ac99a0bfc327d09dbf47d7e3b7e07d01c3e6cda6e8f5bdc03c7f57b6be15055213eb79b412
SSDEEP

24576:4LinzjRWe1RtWRYAp+7jSCjfb7tWZTl9ifLk57Cg2HO53:4LiRv17WRYVn57tW0fLk5712u53

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4444	A7.exe

Loads dropped DLL 1 IoCs

pid	Process
4444	A7.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\heholdeainmiennmmokdcdceffekflea\1.6\manifest.json	A7.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\ = "DOWWnload keEpeoR"	A7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\NoExplorer = "1"	A7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}	A7.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	122c5d5004617f818de9507059193150_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A7.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}	A7.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	A7.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	A7.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}	A7.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\Programmable	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper\ = "DOWWnload keEpeoR"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\InprocServer32\ = "C:\\ProgramData\\DOWWnload keEpeoR\\C.dll"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\Implemented Categories	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper\CurVer\ = "Doownload kueeper.1.6"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\VersionIndependentProgID	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	A7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper.1.6	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper\CLSID\ = "{544910A4-CFCC-4D90-BEBF-7BC67DD43826}"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper.1.6\CLSID	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper.Doownload	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\ = "DOWWnload keEpeoR"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\ProgID	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\VersionIndependentProgID\ = "Doownload kueeper"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper\CLSID	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\ProgramData\\DOWWnload keEpeoR\\C.tlb"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper\CurVer	A7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\InprocServer32	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\InprocServer32\ThreadingModel = "Apartment"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	A7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\VersionIndependentProgID	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Doownload	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper.1.6\CLSID\ = "{544910A4-CFCC-4D90-BEBF-7BC67DD43826}"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\InprocServer32	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\ProgID\ = "Doownload kueeper.1.6"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\Programmable	A7.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\ProgID	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\DOWWnload keEpeoR\\C.dll"	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kueeper	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826}	A7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	A7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	A7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4444	4208	122c5d5004617f818de9507059193150_JaffaCakes118.exe	82
PID 4208 wrote to memory of 4444	4208	122c5d5004617f818de9507059193150_JaffaCakes118.exe	82
PID 4208 wrote to memory of 4444	4208	122c5d5004617f818de9507059193150_JaffaCakes118.exe	82

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{544910A4-CFCC-4D90-BEBF-7BC67DD43826} = "1"	A7.exe

C:\Users\Admin\AppData\Local\Temp\122c5d5004617f818de9507059193150_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\122c5d5004617f818de9507059193150_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\00294823\A7.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/A7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:4444

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

2.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.159.190.20.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response

No results found

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

2.159.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.159.190.20.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\45adhtv-iiiu@vzvs-i.edu\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\45adhtv-iiiu@vzvs-i.edu\chrome.manifest

Filesize
96B

MD5
1fb7be87a9a9597dc2065f39b8d1b6d0

SHA1
ea5a22a61669ca8fb00bab8797a2f4f268718cc3

SHA256
fe3ae8a4751a53837cc6d9c53fbd18d550f92670d5cb91e313e61c25036a3ab7

SHA512
6e66110dc352842d8678e09ca8d2099c281435cff46e1315a9cabe2b3ca55b1d99fcf259a2787abbb46272be4f1ad62abca4798cad8f89e5e20c85234a23fb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\45adhtv-iiiu@vzvs-i.edu\content\bg.js

Filesize
9KB

MD5
7cbbbdcc496ffd214b91a5cf6af136d2

SHA1
ea8bc60e0c8d894708ddc9121d46c6bf0678f4ce

SHA256
78e9e20ad3527989fac82fb630452954df5fe1e171c735cbbd32488a7e85ee3f

SHA512
366c57561ba3c77a03cad5c8187fed76cb4265dbaf653895ac27e02d8bf72493065905bd9ec0bdf161f20385dc3f3adbfaa3403cfcd5508d80861899d46780bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\45adhtv-iiiu@vzvs-i.edu\install.rdf

Filesize
614B

MD5
d067d7a0ada6533774837ec5127dd547

SHA1
e772090ccbdb2e880be7cee53da4e50de13b5b43

SHA256
9a357ff58576a5667192930ab0329b3b39783d34548a1c8251fb1ae44d71ed64

SHA512
206bf0c095d1e888c2e618e60204575ba6005c37b077d614b14aafbec26319ca65bee1da7564b9c68c0b04451a83b01c8bfce68f7dd80eec5e82e666604dace1

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\A7.dat

Filesize
3KB

MD5
a542e517d880825cae404e6613a4ce0b

SHA1
345c461112cdac6151595020d908f04581fce0a6

SHA256
480be2e51d9fc676cb2a3862dc4b1f54a1bc9ba54af1e992ed5a8715e2f07491

SHA512
28177b25ba5a4b8696b0292a93bfaf0ea1134fe6a8463700880ec88cc25622f6faa3ad9744f8c8f4b14bb58a538caac4b519d1afd874333074e0047da4ddf468

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\A7.exe

Filesize
334KB

MD5
8300c91b40229b42301aebc6d8859907

SHA1
0b55e56a6add6b4dd4ceff475a0018a203d02a5a

SHA256
f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

SHA512
0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\C.dll

Filesize
258KB

MD5
e1d10cccd5dde588af8ee2cb7309523c

SHA1
0b9e805077320b0ce1e6620488bd34f1c4d7827e

SHA256
9900e517bfd4b39bd7af4bb360af52f6c95ef9b3e7ef36d2633485c58bef9a1a

SHA512
a929eaae12f5cb28e224fc31298af2808f995c5a06bc6f47d95879703dbb9369e2e35b4e50a452e91741e6a949336220348dbb3c389c46ea2e0ca41f592dcaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\C.tlb

Filesize
2KB

MD5
9156db5f76d48049dbc41fd1b58b3f34

SHA1
5eb1df59f9b5b06ab00137fc9e6451e323d3102c

SHA256
66fab808188a98ba49d99b723a181aa6626197d50bd2d5e15e076dcbc6fbb2cc

SHA512
742a77e71c34632146e16acadb6b381694072c7f4c2dea1df1dfc645ed42673ba153c832d167474dc41f9b608142a8c41b4aecda1efdab90d87d4f5c718bf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\C.x64.dll

Filesize
319KB

MD5
4f5c722b8686afbea6f09c53171d44ca

SHA1
184c60aafbb12d1023b1ce2aff4d3708607a75a1

SHA256
870c280ea861313edda0bd3950dc738ea68d006f315888d66023b54e5f98f0ea

SHA512
e471a86079a16d129ea0c01878af77d1aa132e629832d3f0f3d1f8a3dd250ed41c8d2f37403a10c8061fff07c07dda926ba7ffcc417c6e0100005a0f2721417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\heholdeainmiennmmokdcdceffekflea\FY.js

Filesize
5KB

MD5
51221adbed85d90f058e121da465da0c

SHA1
164d080fdc30a5fd38ab73c3e3a18696f0043487

SHA256
2a67a8d1383ff89e9546c6f8e1b89f5bbf538b4e06073b6a2968a9f15322dc5d

SHA512
d7de0d5e9c47262fe8092596d45c5d15078495833b9d2a08bbdd95f8b09769783499c076e5d57b5f43a92d9c594c9e5f34f44c0cd291a0a1d6a758798ee9d226

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\heholdeainmiennmmokdcdceffekflea\background.html

Filesize
139B

MD5
c74ecdb5a59b7e35f1ecaff93bd4ca64

SHA1
02c32d0ff4febc9046b44e15d816794247326924

SHA256
cdbd829fe3b7c31e7fee47949bc7f51d7ed126fe951c525d5267c584e64a7a5d

SHA512
6a3178d442d9861bc906a95b7841605d38c38778702ff9bd0386d3b9c36ade0a234d73e921237c4363d0bcc9148c1d767ad4b3831a0457deef10daadd40b3b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\heholdeainmiennmmokdcdceffekflea\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\heholdeainmiennmmokdcdceffekflea\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\heholdeainmiennmmokdcdceffekflea\manifest.json

Filesize
509B

MD5
da49339372c52f19ea5c3be5ac7e2828

SHA1
7288dbf9794858244dea11cf950d93d5b690c334

SHA256
683fb701a634afcee82aaec5c0f6c8c9e3644929664670c2ac63fd7998447bac

SHA512
e777a9c43f32e0f8a5447a6201454faca1b2f63d699933384b1d7ac9d40b8df72452a6dec07f5670affdcb6104256a9e01216d9466bd12c291e371e9335d34c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\heholdeainmiennmmokdcdceffekflea\sqlite.js

Filesize
1KB

MD5
0c8708949a281d8cf2781862f77445dd

SHA1
9c16062dee0aa99e8812f38e9f8cc9ac2c70704a

SHA256
4b955bd2255fe228405ed7faf098220b94e2a833b0d8e7a97680099b0a6f4bb6

SHA512
c084e05c306da743f06fa363d260bf73317e7fa2a74076a8ae141602ea0853f23892dcd689286d27a1dd60ce39f15913f22d756fc35e6374aeb9160992f45a8a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.