160083a867aeb4e084a1d932928d257c77e7868e7c1139e0c1b50db9327e2db6

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 22:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

373b035a98ef48a5fe64f1d9d49113f8_JaffaCakes118.exe
Size

725KB
MD5

373b035a98ef48a5fe64f1d9d49113f8
SHA1

d86999baa67c7498a3e07509274473b3cb08daef
SHA256

160083a867aeb4e084a1d932928d257c77e7868e7c1139e0c1b50db9327e2db6
SHA512

120bf5cd9d8044db43aea8e50f574a4581b50849bffb8817c4799cc99ed0617cbd0c17b0f6d44bbb07ecad85dbcf2b7cccfd3f4175677c7b86b67a34ffe97878
SSDEEP

12288:h1OgLdaO1o99/rsFEt5hDG0SAMs9jR/jeRJKu9TJdwYGZtyjTje5jOSpJL:h1OYdaO1OBsFEt5hDG0SAMs9jR/jaJn+

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1496	nGw.exe

Loads dropped DLL 1 IoCs

pid	Process
1496	nGw.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgcfogigcghdngiepoplajlakacceklg\5.10\manifest.json	nGw.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\NoExplorer = "1"	nGw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\ = "savenshare"	nGw.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	373b035a98ef48a5fe64f1d9d49113f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nGw.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	nGw.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}	nGw.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}	nGw.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	nGw.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare.5.10	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare.5.10\ = "savenshare"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare\CurVer	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\InprocServer32	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\VersionIndependentProgID\ = "Savenshare"	nGw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\ProgID	nGw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\Programmable	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\savenshare"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\ProgID\ = "Savenshare.5.10"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\VersionIndependentProgID	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\Programmable	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\InprocServer32\ThreadingModel = "Apartment"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare.5.10\CLSID\ = "{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare\CLSID\ = "{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare\CLSID	nGw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare\ = "savenshare"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare\CurVer\ = "Savenshare.5.10"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\savenshare\\uW.tlb"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	nGw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\InprocServer32	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\ = "savenshare"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare.5.10\CLSID	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\InprocServer32\ = "C:\\ProgramData\\savenshare\\uW.dll"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\ProgID	nGw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF}\VersionIndependentProgID	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Savenshare.Savenshare	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	nGw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	nGw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	nGw.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 1496	4616	373b035a98ef48a5fe64f1d9d49113f8_JaffaCakes118.exe	83
PID 4616 wrote to memory of 1496	4616	373b035a98ef48a5fe64f1d9d49113f8_JaffaCakes118.exe	83
PID 4616 wrote to memory of 1496	4616	373b035a98ef48a5fe64f1d9d49113f8_JaffaCakes118.exe	83

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{C40E6C7D-E6E5-04CB-16ED-CB8B527450DF} = "1"	nGw.exe

C:\Users\Admin\AppData\Local\Temp\373b035a98ef48a5fe64f1d9d49113f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\373b035a98ef48a5fe64f1d9d49113f8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\nGw.exe
  .\nGw.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\17230551923868504286.log

Filesize
6KB

MD5
92748b6840e58b14d2f4960fe3fef12a

SHA1
09fc6d9f4bd2fdd39997d9fcc9ba1c954782f9fe

SHA256
5dc995bc78fd14427a288d65c704b4b493defac000e940ddcf70ebaf6c7717f2

SHA512
858487fac4e9dc853e608eb4b0d9799d0bc7f9cf8dfdddd81bca991b996344618c640b716af1e4f6cd94771cb14cc9d4387ae064dbbead04acad001c2f5be9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\[email protected]\chrome.manifest

Filesize
98B

MD5
32fbfca9d04fe0c50cb23d634f6117ba

SHA1
5eafb7d7be75b815dca342084c1b79c9ba1c49fb

SHA256
dae168bcf933f46f3baeeee506fcf5725e3d814f1d16f8d33f0158fc02bcb3ae

SHA512
4096c627f5e5d750541213137ff18d2c4f0951bd5784732b9412ca7516d1bdf3c4bc6f35b78fc740be004dfdfff6ef59f549aaa320c30e33edf8068187c9e796

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
467954fef2d5ec190faaf3f9b52a55ed

SHA1
826cb735a3a70a37fda0762e5841cc2833566a07

SHA256
0861d192b584876f38a999809ad095040f68b47687465023002b0344b5579aa6

SHA512
355fb5369f6ea27349cc6642843e3d9450e5d125f51a53bb18b50a4b9f5d868367d9c38c12922bcb220e2ef464dd75c1b4977850ec96312ed83db14447fac532

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\[email protected]\install.rdf

Filesize
601B

MD5
7000e2ff99fdb9fe16628167e3b347ef

SHA1
4aebca7d4236a7071ae3dcc282427337d1392b6d

SHA256
303569c496af24efd36d48d69911bf255b0fc4d693070158d85eedcd787a7b39

SHA512
72e163b3fcae89ca9b4889a59bb81990d83f349cf2eb17edf28a1e4d888f7bfe4f76d1e075b30506137c8641767cc14b3f5a21edd30ca51058c5f416cc481baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\mgcfogigcghdngiepoplajlakacceklg\background.html

Filesize
140B

MD5
86cbebe9888394d012aab9fcda8fb620

SHA1
d8fdffd940e556f754c4772bf94f72a3664be783

SHA256
c669472cbde8bfb074aeba5b63d4a4f09cab2f8efdb00b73e7d4c529e716791c

SHA512
354435f96c0509bc8f347a3fbf569310b41c762a593361043ffa1ad1792c0b6c2e327e078008fa8f483556d4a6014d31e5a75bf2800d153406ae81e8aa64ad11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\mgcfogigcghdngiepoplajlakacceklg\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\mgcfogigcghdngiepoplajlakacceklg\hb8.js

Filesize
5KB

MD5
b9d5ecd86ce14749bd0fbcb75efa16f3

SHA1
62b16137050f049556bcfb90f1fdcb56fbcb10ab

SHA256
388865f676cd3f0d99ddcd64581fa4b54c67cf38ef09b872f833a0c9f2e8c9c7

SHA512
3fe7f4571963e5a1dfc6a88ecb018cdbb3d5218696dc214e3a09b66e86b084b4dbfd09555529badacb103e673c3a97d9b789358e4a92c929b3b3ce8c872ce6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\mgcfogigcghdngiepoplajlakacceklg\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\mgcfogigcghdngiepoplajlakacceklg\manifest.json

Filesize
504B

MD5
fd8c59ad3932102cace469938ac10464

SHA1
ad3671bda6c8a455f70905d864b12fef0ed3d5b4

SHA256
0ed424e1bda240f1d5b06ca30b49b25c50bdff1304138c6dfbb0b50c30a17d89

SHA512
8a89fe0ab156b3cb8e973b0407226b4563cd3f9d0b022de9fdef3085ed040b9616f4053f739bf3f7efdb392122f2a05524cc1a754716e136515bdede30eb03d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\mgcfogigcghdngiepoplajlakacceklg\sqlite.js

Filesize
1KB

MD5
30936e600af322df7b6a58dcf3cf2f7c

SHA1
4a1298b80aaf91fe382a5be902919e7567da0991

SHA256
772f419d9e312edc535f0a16690c8d62539415435e5422da0908f3760bced1a1

SHA512
cd7e8303f983a45230226211e490d01759f377a54848498e3b6e76f5d110b9c2f65f31270495f35e0d52303f094f59815f532a466b4fd296964a5613e269013c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\nGw.dat

Filesize
7KB

MD5
bcbc566b39febb5b8276b22e6df855d6

SHA1
ccc6563438f8de3cb7bd3d634a6f95b84cd6d62b

SHA256
e4cae50163254e5224f58c3d580e81a47b5084913396bfc54e65c1e95e70da53

SHA512
5ef4a1d0a1a239fa5aa6f3159c982f562ba928bdf2e1cd08cfdfc8863ed285a59b54c74b9ace8519b08d839f67c750a8faec6087ac4b54c0cdd3c722362eea4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\nGw.exe

Filesize
334KB

MD5
8300c91b40229b42301aebc6d8859907

SHA1
0b55e56a6add6b4dd4ceff475a0018a203d02a5a

SHA256
f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

SHA512
0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\uW.dll

Filesize
222KB

MD5
e9b27306a18f18b88945cdf066de2fc9

SHA1
4d18490fbb336e261301a967047065dd561cc2f2

SHA256
a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c

SHA512
f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7D7D.tmp\uW.tlb

Filesize
2KB

MD5
39d776f73d1d3f771aaa8c3561367c3a

SHA1
eef842aa02927bd7fbe7d569c5446ef1a2ea065f

SHA256
c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941

SHA512
3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads