6782f0ffbdacfddbf436b42f83166f116b63918b969b1234ff6addea70e2e547

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/10/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe
Size

1.0MB
MD5

36bdf5c8030f81df15f32906ee1fcfba
SHA1

931a9bfc69f1bdd4d7d0067cd4434e2c120efe92
SHA256

6782f0ffbdacfddbf436b42f83166f116b63918b969b1234ff6addea70e2e547
SHA512

ba4adcee38624c39cee7a7ed89cf6c6e2c575d4323a9d117c8f963d6e69d7653f4f10f3d3107f7aaf82165b083a6cca5602d562f59fcf8b0ee2dd84f1c461d01
SSDEEP

24576:PLihXVMRGJ+wsfDNsmIAoatBFGdZmI06CaY3fNe8b:PL0XVMGEzfi7A8cbaY3fQu

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	4QfpWemimL.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe
1992	4QfpWemimL.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\egjdhcoamgmligmkflaiadjkfhpbkahm\1.6\manifest.json	4QfpWemimL.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\NoExplorer = "1"	4QfpWemimL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\ = "DoWWNloaedd. keeper"	4QfpWemimL.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4QfpWemimL.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}	4QfpWemimL.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	4QfpWemimL.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	4QfpWemimL.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}	4QfpWemimL.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR\CLSID\ = "{CAB6055D-EE40-A726-B9DB-DDC300F293D8}"	4QfpWemimL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\ProgID	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR.1.6\CLSID	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR.1.6	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\ProgID\ = "DownloAAd keepeR.1.6"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\DoWWNloaedd. keeper\\ntcPdra5d.dll"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR\CurVer\ = "DownloAAd keepeR.1.6"	4QfpWemimL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\InprocServer32	4QfpWemimL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\Programmable	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DownloAAd	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR.1.6\CLSID\ = "{CAB6055D-EE40-A726-B9DB-DDC300F293D8}"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR\ = "DoWWNloaedd. keeper"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\ = "DoWWNloaedd. keeper"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\DoWWNloaedd. keeper"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR.DownloAAd	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\VersionIndependentProgID\ = "DownloAAd keepeR"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\InprocServer32\ = "C:\\ProgramData\\DoWWNloaedd. keeper\\ntcPdra5d.dll"	4QfpWemimL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\VersionIndependentProgID	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR.1.6\ = "DoWWNloaedd. keeper"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\InprocServer32\ThreadingModel = "Apartment"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR\CLSID	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\Programmable	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\ProgID	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}\InprocServer32	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keepeR\CurVer	4QfpWemimL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}	4QfpWemimL.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8}	4QfpWemimL.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1992	1972	36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1992	1972	36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1992	1972	36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1992	1972	36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1992	1972	36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1992	1972	36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe	30
PID 1972 wrote to memory of 1992	1972	36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	4QfpWemimL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{CAB6055D-EE40-A726-B9DB-DDC300F293D8} = "1"	4QfpWemimL.exe

C:\Users\Admin\AppData\Local\Temp\36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36bdf5c8030f81df15f32906ee1fcfba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\00294823\4QfpWemimL.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/4QfpWemimL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\4QfpWemimL.dat

Filesize
3KB

MD5
0cc3effe6fa82f70333e85129c800bb4

SHA1
2e29b7fbfbf7129f254a531423802f09a9d428a6

SHA256
67be0a43b786cdd6e450e17e138e2f6e03cd14aeced95dc31e002fc170a05020

SHA512
3d84a8d6f8275eeffa205ded7df16de296ef42c28bc34c1824e8c7eed0639251cf6e4c4db9324a66c0417f29ff1ee7333d00d9e9ae80beda1901b923be3933ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\egjdhcoamgmligmkflaiadjkfhpbkahm\0PFZ5mLr83.js

Filesize
5KB

MD5
1fcc288fd5f7410748a01ed6eb4e3369

SHA1
4a3ddf5574865cf7720f74b79e41daa33145b065

SHA256
32e09072f4eb3d2328d172af85a61cb0563c694b2ce1cccce2ec8da5c6642e6e

SHA512
cfb89736fcff231ae18eab51e01d1dbb63ce2d733768c3b884044f897a1ea9925c4fc5a6eb6d96089075b9b00159657f88be74dd0f585d6e76917f195de054bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\egjdhcoamgmligmkflaiadjkfhpbkahm\background.html

Filesize
147B

MD5
e666248da5eb661b7da64ea4d794040f

SHA1
dae9a1b7e29a2c9c2059d8fe7122ada60ab0e063

SHA256
1b97a1da7e5f14f68ed99027f142dbd32fecc3a7b5586dcc63247edd174f7cb4

SHA512
69778b6454701ce2f43669b2cee43b18e11f5e0eda7704aaba4a3402525afecad455ba13399e42c75fa3c2723121c8ca15bf3e55ffb81d7f9a1590a7901c3e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\egjdhcoamgmligmkflaiadjkfhpbkahm\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\egjdhcoamgmligmkflaiadjkfhpbkahm\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\egjdhcoamgmligmkflaiadjkfhpbkahm\manifest.json

Filesize
511B

MD5
703dc23967a03fb35c542ea029ac9599

SHA1
19c1c1ee4f40011b6132d748ffbd00f7ee63e851

SHA256
d3e26173b218596c3e5f6791083227d13d80ac8efb12925b8b5e5704bb39bf2a

SHA512
c5119d638e2080085e377275840d33f03b226ae87d203e83e67e60e02ad369140b37c2c36c1bb727efd48766fa80dee2f616fcd9b2392379450fb86fdfe963ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\egjdhcoamgmligmkflaiadjkfhpbkahm\sqlite.js

Filesize
1KB

MD5
674739391dacc032f29950fc372ee136

SHA1
009180f5d34e95651f1096faf2279fa431700e23

SHA256
2f1628c573a6fd0e795c166b11f251266d0ba887faa570abc45c0c954e144e0f

SHA512
ef25eb8e7e0d582cc213321e2f5cba46b1ddb3ce8c7f11919ac402c5caac2eb003194d8d3ec162b0bdcd5dfbe113d912755bcfce70c723466265cb26892b2516

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
112B

MD5
e8ad713daa3d074c65b638105c6ba5fe

SHA1
2ac6404661d7dd2440944ef89eb37304eacb20b4

SHA256
05fba68a27c71e2f686e2bb56ba1069af31ba74ee72e6a7785fd86e0579902dc

SHA512
42ecf9d9c9fddcb3d34858079245ca0c30dca2c0bbd378a1e4a7a4d4ccfb2f855ffb036f17651cdc874928ee3738f4ca29fdf360ce7d7d1b64a31a24c8f9eb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
9KB

MD5
ec6de93b0c7aedefc2eb0338d2941869

SHA1
6b1d7e20f02996f11a4748d8506ec8b9e010fbdd

SHA256
a28c9712a9d374ba326a5f452018ece1d395988e3b27fe183d8c096df4983e84

SHA512
c6793c213f313f7bf6149d026e78d312ea75840993a304b12353f4aadc5ade284d11eedeb58c0c4a79df7840981972f92affea4e6e65d12117a8d9e09526e8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
612B

MD5
f3a925c8f233b77ada3f7d49f3f8847c

SHA1
7e0df7b5ebf9b82896396c1cfb4da5e8922c755a

SHA256
cde9fe31b75c3e8bc86b2875275693d2f9e0a16c7d3186423461650f98ece307

SHA512
6c823dffa1c94e112b36b05d9b07c6d077920c49c3475d5411ccf658e5bcc305f2b15faf74cdcdad58aa802a7fbcf702b7e3d6fb4b7b886c286f52d9ba807c9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ntcPdra5d.dll

Filesize
258KB

MD5
e1d10cccd5dde588af8ee2cb7309523c

SHA1
0b9e805077320b0ce1e6620488bd34f1c4d7827e

SHA256
9900e517bfd4b39bd7af4bb360af52f6c95ef9b3e7ef36d2633485c58bef9a1a

SHA512
a929eaae12f5cb28e224fc31298af2808f995c5a06bc6f47d95879703dbb9369e2e35b4e50a452e91741e6a949336220348dbb3c389c46ea2e0ca41f592dcaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ntcPdra5d.tlb

Filesize
2KB

MD5
9156db5f76d48049dbc41fd1b58b3f34

SHA1
5eb1df59f9b5b06ab00137fc9e6451e323d3102c

SHA256
66fab808188a98ba49d99b723a181aa6626197d50bd2d5e15e076dcbc6fbb2cc

SHA512
742a77e71c34632146e16acadb6b381694072c7f4c2dea1df1dfc645ed42673ba153c832d167474dc41f9b608142a8c41b4aecda1efdab90d87d4f5c718bf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\ntcPdra5d.x64.dll

Filesize
319KB

MD5
4f5c722b8686afbea6f09c53171d44ca

SHA1
184c60aafbb12d1023b1ce2aff4d3708607a75a1

SHA256
870c280ea861313edda0bd3950dc738ea68d006f315888d66023b54e5f98f0ea

SHA512
e471a86079a16d129ea0c01878af77d1aa132e629832d3f0f3d1f8a3dd250ed41c8d2f37403a10c8061fff07c07dda926ba7ffcc417c6e0100005a0f2721417a

Download Submit
\Users\Admin\AppData\Local\Temp\00294823\4QfpWemimL.exe

Filesize
334KB

MD5
8300c91b40229b42301aebc6d8859907

SHA1
0b55e56a6add6b4dd4ceff475a0018a203d02a5a

SHA256
f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

SHA512
0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads