3e4978441eda3c101a6c295bba37ae25d6fa7ac37fa99f2307c461e045fcf289

Analysis

max time kernel
11s
max time network
20s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe
Size

551KB
MD5

2fddb666b32fda91845dd60fbdb334dc
SHA1

b2a0c04d8afbb17c3d41190eee02ad8f62a6465c
SHA256

3e4978441eda3c101a6c295bba37ae25d6fa7ac37fa99f2307c461e045fcf289
SHA512

ae391bf9b42df9f6b2ba724eab552a7522717a7349f1bd12d45c71c860701a2eb9c048b7376cca5b4c79e793b5900e85a667270ab3026ac35578057524fdd4a0
SSDEEP

12288:h1OgLdaOSWctn+MEfOUgbJuMmFcouJqkQ:h1OYdaOStMOUgJHJJqkQ

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2792	regsvr32.exe
2792	regsvr32.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\phnimdlmhcoiebiebfchkpekkmmmgokn\5.10\manifest.json	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\ = "saaVensuhAre"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre.5.10\CLSID\ = "{07D6A1C3-7700-E06D-87F8-8EA2108C4700}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\ = "saaVensuhAre"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre.5.10\ = "saaVensuhAre"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre\ = "saaVensuhAre"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre\CurVer\ = "savensharre.5.10"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\ProgID\ = "savensharre.5.10"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\VersionIndependentProgID\ = "savensharre"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre.5.10	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre.5.10\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre\CLSID\ = "{07D6A1C3-7700-E06D-87F8-8EA2108C4700}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\saaVensuhAre"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savensharre.savensharre\CurVer	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\saaVensuhAre\\g.tlb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D6A1C3-7700-E06D-87F8-8EA2108C4700}\InprocServer32\ = "C:\\ProgramData\\saaVensuhAre\\g.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2792	2256	2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe	29
PID 2256 wrote to memory of 2792	2256	2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe	29
PID 2256 wrote to memory of 2792	2256	2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe	29
PID 2256 wrote to memory of 2792	2256	2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe	29
PID 2256 wrote to memory of 2792	2256	2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe	29
PID 2256 wrote to memory of 2792	2256	2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe	29
PID 2256 wrote to memory of 2792	2256	2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fddb666b32fda91845dd60fbdb334dc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /n /s /i:"" w.dll
  2⤵
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
43086c84123384a5b19ee8327e27a520

SHA1
bd9c0ee92f5b4c1a2f6d25e5cb0a17a3a23c3603

SHA256
0bd612c5d1d1ca11099df78759f7fb56f7462c777d32a3be4b206041f93a4138

SHA512
1170b520abf3ae6cdc3c02c51a659da7ae8a156ac467d5ee28fd8c241a9286128e6ae8cc1fb1d21813923203f2056a78bc0aa37d4d0829ec87dd1edc07ade360

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\[email protected]\chrome.manifest

Filesize
96B

MD5
7cca1884f6aff9ce581f5b7745e43e1e

SHA1
c44441173ef302783b1fd97b0309862202836fb2

SHA256
9d18a377768d32f62b815629afb42cd7c340dcce6aefcc31f6b8ff15500a48d3

SHA512
eeb0634dc3c6a5fe7bf9c94e253becf621bca3321a877bc23f9f180478145e9852d170328d0fd640af267bae78a3561a1afde5dd3d56b715cf51e32d03cb5991

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
1930214eebaf2d6ca588b28b9183816c

SHA1
7053d05ee4a99c2171502c84751a138603ea8b97

SHA256
c172b61917bc52c06a446cb2949ac3c19cf36e4d3994e9bc022eeb875cf5f6dc

SHA512
e0b29570a405fd8478e2295dd7016c56fc84effa6786c28f4ecf41542aa392ce9beb1f8dc3d8683d44ab0e89b9eb4664977aace4b1d054c30b5920ff72e972b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\[email protected]\install.rdf

Filesize
615B

MD5
3bfb17928367ec8a50e1a2b9fdc6c235

SHA1
fee306a8a1923089fa7caebf5b6371a71fd4c185

SHA256
75282b568b48d51dd2fbbfb6738ba1b04354ff4eaf74b7543cbc9e2390cc10e5

SHA512
d2abb096b382c37c08b0964abde8f1e8ac97eb9da319d49137523e6fc6c86544e05418f57c35a20dbc8ee1565099d772c881bb22e5bf067c86741fa92f9d1c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\Preferences.C__Users_Admin_AppData_Local_Google_Chrome_User Data_Default_Preferences

Filesize
4KB

MD5
a68857f11f990381c074fa01ad829f46

SHA1
a4154e144f2925b58e8f54f776a2bc08c04555b5

SHA256
a2cadf9530e2e5376a56f48f73c79c2fd2c1ea68ce6d359512034bb7878220ac

SHA512
3218a1e2c99fa6b65cbdaffb98985fd0d336166bff3309c99235770e06cc6c5cebc8db9f7e9b54d21935adb756f91c90b5d97b461f16544277639fca54c6b0b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\g.dll

Filesize
180KB

MD5
0e093772550eb9541dd715c016b5584a

SHA1
20338dc859a5652f5661280dc508f4e5b533e76d

SHA256
028999304f35f7a6fc2cf6e360d4ea587612d63ce191fa979cc98ccca46ab149

SHA512
0030b395e2fde6bc9f70f52e71d8e87d306cff8afd2acbad725c4cc92b6d7916a38c1d6d156feaec841966492d32394982ef51989e2b8673d7c00e103f744dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\g.tlb

Filesize
2KB

MD5
48e9706fe9f76731f3576122fc3e9e33

SHA1
387c8c4898ead8ace488a7df80fead429eaf167b

SHA256
7bad79916803a14ca817e5c39f5ec2f0f240044d6dc24fb4916c8fda338060f1

SHA512
e9b44a2b1b7a806066182a084ec9df81916fc6db79710256e173377e7cd64a732c006830bbe324a9a734731ecde8b8251cfa995399f6d4df5322faff99c458b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\phnimdlmhcoiebiebfchkpekkmmmgokn\PT.js

Filesize
5KB

MD5
de6a0020ad70ee9e29c56c239e7f5c67

SHA1
623456c34d8c2092d3ce0af9dc41e8722f101dc1

SHA256
4f9faf003bbc2e2e6dfcecc2324759d0c1e54d6b8e207ab7985de24385a5bd02

SHA512
9d8fc47301ebcb69f7e6b9fe88f5e66919c9ffb2d17a2a054b92d608a8e4bd520830875316107c32bf2214cb541662c9f17dbb12a5b36f9c170abf2438d9110f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\phnimdlmhcoiebiebfchkpekkmmmgokn\background.html

Filesize
139B

MD5
c816c42bb9ef5d1718e73b20c709e304

SHA1
36bb58fae8688ac66ecb398b9a740b2c3c0cfceb

SHA256
d687fe0626d8c2450da68daa5cdcfb30ed338a1f610e8644e46a74c7292853ad

SHA512
e4f2676dcde10703b17db599de9863235561d4b2230acf3aa3ed4b943b5d6eb5364b7cb8db935a8255ddb4fef28ba8cfc2545c55ded11fceec5384221ae2b0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\phnimdlmhcoiebiebfchkpekkmmmgokn\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\phnimdlmhcoiebiebfchkpekkmmmgokn\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\phnimdlmhcoiebiebfchkpekkmmmgokn\manifest.json

Filesize
507B

MD5
bf029c5588397d1939909a606956ab3f

SHA1
a270769c5ba948b33e9a371a8d364362f276d3e9

SHA256
59ef8898a9f6592ad02a088e07c5416445d0ac844fa58b4ecb223a105fac157e

SHA512
6b719dfa7d95692f12f8b8e89971f2942c7f1e375d63884c75950d4c115dcd2de8e33d48623df6620dc5e05dfd04e3bb0b776b6c91dae0868701a73aa9ced2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\phnimdlmhcoiebiebfchkpekkmmmgokn\sqlite.js

Filesize
1KB

MD5
cfdcc7bbebd1bd1d46cd7cde33048fdb

SHA1
9f5d563ea5ea4cc4f3645700f263b92a0495b89b

SHA256
67e855f57d0fecaf54c7950a302d730480d7eb284fb10e49c19420151d6ca152

SHA512
7e6dbbd06de4e40cb89374a1e8858b17964dc231ff3d23a01c5e6366a0cec172023bd2f3c01b8b16c6f5ef497b7cc4653435170b942dd4a948f806870ddc4bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\settings.ini

Filesize
7KB

MD5
60546608c53c7268699d6009a1d9466e

SHA1
8408ab1090e6f9480604436b49be4906b084ea63

SHA256
86beeeaa36ea42c182bfe55d706835e73a69fc0ae8c7aab0b4947e445b856926

SHA512
d0fda9761e47e4b58e579d4f21f385d3de8fbdab89feadab1b307191d25190a53bbaee6ccb39c3b526e6772f3dc141cbb07f374eb6475720455feb88a6a57ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2D28.tmp\w.dll

Filesize
203KB

MD5
41b13b132cb601ecc466654b90296353

SHA1
245258ddccb48826f22d57444f49fa30be1b36fd

SHA256
7fa4bb68c313e1090587a64b90e87bdcbc14ea3fb7c0e8cff94c657c969b70bf

SHA512
0e8de7bbe3695848e299fe3f3506f2e982a60cf0a0dd11cde86de4af67ef3c7b46458680d7bad9cedaa266ea33cb2e77f2aa83fcf1bdd20bf31d1936f2bd69a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads