bc1d68b51aab9b2e5e2e678099f23dcbb64bacf518f45706938e6c9ec74611a7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe
Size

717KB
MD5

30505596b47da4e9bb995d63f98d6122
SHA1

7178e5c827b58e168637d3728bea41456fedc61b
SHA256

bc1d68b51aab9b2e5e2e678099f23dcbb64bacf518f45706938e6c9ec74611a7
SHA512

39a53514e74a4f0c111748312be37e12b36cd24e5a3d2d3f22ebec4f569dfbbf83c836044c0d7f8c591aeb1bf8e57d3f4d48c3763a7074d3a42df8c4b9dc3349
SSDEEP

12288:UKnekrL581Y/Rl38n87s45Oxs1GSY3FqR+rVm6y+nkRY7zjmnDPzIzKAsXyQHP+I:9Li+/333stL3FQmty+nkREzoXIzTpbX4

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3032	ZHAx.exe

Loads dropped DLL 2 IoCs

pid	Process
1984	30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe
3032	ZHAx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiaofpnkohnejkonpnpcamegpbcbhlnf\1.6\manifest.json	ZHAx.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\ = "DowNload keeper"	ZHAx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\NoExplorer = "1"	ZHAx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}	ZHAx.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZHAx.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ZHAx.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}	ZHAx.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}	ZHAx.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ZHAx.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Doownload	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\Programmable	ZHAx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\VersionIndependentProgID	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR.1.6	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\ = "DowNload keeper"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\ProgID\ = "Doownload kEaepeR.1.6"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR.1.6\CLSID\ = "{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR\CurVer	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\DowNload keeper\\Ba9.tlb"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	ZHAx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\InprocServer32	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR.1.6\CLSID	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR\ = "DowNload keeper"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR\CLSID	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR\CLSID\ = "{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\InprocServer32\ = "C:\\ProgramData\\DowNload keeper\\Ba9.dll"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR.Doownload	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR\CurVer\ = "Doownload kEaepeR.1.6"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\InprocServer32\ThreadingModel = "Apartment"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEaepeR.1.6\ = "DowNload keeper"	ZHAx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\Programmable	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\ProgID	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\VersionIndependentProgID	ZHAx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\ProgID	ZHAx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\VersionIndependentProgID\ = "Doownload kEaepeR"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98}\InprocServer32	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\DowNload keeper"	ZHAx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	ZHAx.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3032	1984	30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe	30
PID 1984 wrote to memory of 3032	1984	30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe	30
PID 1984 wrote to memory of 3032	1984	30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe	30
PID 1984 wrote to memory of 3032	1984	30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe	30
PID 1984 wrote to memory of 3032	1984	30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe	30
PID 1984 wrote to memory of 3032	1984	30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe	30
PID 1984 wrote to memory of 3032	1984	30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	ZHAx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E63A1D34-B13B-7DBF-B9A8-E14698B0EC98} = "1"	ZHAx.exe

C:\Users\Admin\AppData\Local\Temp\30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30505596b47da4e9bb995d63f98d6122_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\00294823\ZHAx.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/ZHAx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\Ba9.dll

Filesize
222KB

MD5
e9b27306a18f18b88945cdf066de2fc9

SHA1
4d18490fbb336e261301a967047065dd561cc2f2

SHA256
a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c

SHA512
f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\Ba9.tlb

Filesize
2KB

MD5
39d776f73d1d3f771aaa8c3561367c3a

SHA1
eef842aa02927bd7fbe7d569c5446ef1a2ea065f

SHA256
c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941

SHA512
3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ZHAx.dat

Filesize
5KB

MD5
128c3dae3ea0a776b1b394e48ce2ec1f

SHA1
3417721e9538bcb372f752cb59e8b09ed8eeae24

SHA256
f677aa61e7367e150524e9fa2dad3eefc3686e9f070c891fdbf51c3a25adce42

SHA512
dad66d3a75ee264653b4a415df6340f34db4242eacd3dd4b65c2524ddfffda6c9a6558079b75e2a808acbcc9ae593919121ab3ce4fc45ffd8b8d6c296ec8d370

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\fiaofpnkohnejkonpnpcamegpbcbhlnf\L0lr.js

Filesize
5KB

MD5
3ad560409160807bf24bd2e461e74429

SHA1
a1bcc224933d0fdd7fa8619512806416d719f668

SHA256
829285fcfdf7a106c09a5740aca0bbf69cddfe3d0d7f3c8db710528db98e97de

SHA512
c3e52344e04ecb8069c69906d9f0dae62a3befe455641783e13260bf2031552e7bed4d7598cd88350d1f3d4013082ab1a1347f90ecc61cf4c3df18435ff1b6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\fiaofpnkohnejkonpnpcamegpbcbhlnf\background.html

Filesize
141B

MD5
9bbd9dd4f85ac41533a1716aeae83642

SHA1
7657502b8992a46c42db019bed18a166ac469398

SHA256
682da6719e01531ddadd9f5a83fa9e2bb4a4e00685f4c98580dd6501622b2917

SHA512
b5b80798a6f7fabba0d9b5e47e677b26a1b10c550208e4b0534ad5587132dc1ce42898505d354f99cf02bb8164a43bd7c19e74cf9713c24806e135eced90cacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\fiaofpnkohnejkonpnpcamegpbcbhlnf\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\fiaofpnkohnejkonpnpcamegpbcbhlnf\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\fiaofpnkohnejkonpnpcamegpbcbhlnf\manifest.json

Filesize
507B

MD5
2b3edb309081c453fc7d09eaa57b034b

SHA1
d0c21edc135de6b37b9e82139f036e9d4e68ae68

SHA256
e2f8caf7809b46f782b37ce29ee42cab3fff069ed2b8eced942a77fdd40a450c

SHA512
c4995d6d9e2f27237f663b2e1d5da63ffad8881fbad2f538bfc2d5942f98cca669099b6adbe9641035f4bc838b4ada09d0b08029657e4db410833f05b4c46ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\fiaofpnkohnejkonpnpcamegpbcbhlnf\sqlite.js

Filesize
1KB

MD5
edad10d33c100f24ea2dbb8edda79c70

SHA1
12f9117284efa1dfb69ea4ea03aaf570fbeca28b

SHA256
b31eed574d4e5284b2b5b8eebd28220efc60fa3f7bb93292b7cd01ba5275c4d2

SHA512
63640f6fae0e6a8066f0b4847cc2f5b6656b6b5f4c21fc5c87c46d3400262f462715d118bedc0b52995676fff6faa328068ffd2d99134f7334dd88a9909e5657

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
100B

MD5
00f0baa7a6a96d6676de2a4d8c802959

SHA1
76916d3d11304347039372f9de2e9311ef949ee0

SHA256
6372a9bf5221a26ef730c79393afbb1a9d3ecc7b47411f168d3f9f27ded06460

SHA512
4b2171d83b8af2c3148ec090168e2e14d29c039dcca1a1b9e1a40711990668ab12262eef6ee462588e9f8c28a8c90c6e839c6818b636fd44b30d25cc25bd743d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
9KB

MD5
b291f857b8581938accfe65dc43a09f2

SHA1
6f573ddeac244b6ab7c3732887beb345641eb212

SHA256
362d5af7025b094437d211779f61adcb0e8403c2d82ce4607c7505093f1e8dcf

SHA512
49e1dc278b2e15fdf7a5fa6a8023b76b29235443635054a2e49c2d8ad5b52d964c334192ab3aadfa57d9548ce01c552c897ab3b6d2b325761936905f9d769391

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
610B

MD5
ab47f62183b323c0cd6356a357132e34

SHA1
f16fc7449513624a1b8a7a85792f64d07b6171ed

SHA256
6860de45e212922491124ba484ce5ffe758a3e35f4520fb6346157b7ebaba4c9

SHA512
5ffe94afea1476aca40d2eddd6eee9f811deb6feb6b2b96fb791f30951c3a648f89ff3e026b3ac388228640dc19e4cfb84603e15c5fc5c7d5d0630a010c72065

Download Submit
\Users\Admin\AppData\Local\Temp\00294823\ZHAx.exe

Filesize
334KB

MD5
8300c91b40229b42301aebc6d8859907

SHA1
0b55e56a6add6b4dd4ceff475a0018a203d02a5a

SHA256
f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

SHA512
0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads