6f6b5cced2fddd4e0af1b3ff8ecf0725f92455bc450febcea975419993253eca

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe
Size

1.0MB
MD5

3e9578d5cd548c1354860447640a7ae9
SHA1

e60f1c7add6c2a7fdf1781a0df3b7c1e90bc522e
SHA256

6f6b5cced2fddd4e0af1b3ff8ecf0725f92455bc450febcea975419993253eca
SHA512

7f28edd947e6d367e6c6506f57edd2a661382c2640544c1ab4c0572dcd4cdc095dcba2eeed4a195b4704111a0d34b1ca3c5da236aa5166df7b419c9dc675e4a9
SSDEEP

24576:PLi9E1fssH6wz2ldz7HUGIpfB6U7FcKDOt++s45IMk7EtDFjKh4YSGh:PLEkLH6g2Xz7m6OFcKDmxIBwtDFmBSGh

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
284	xiDfgglf.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe
284	xiDfgglf.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gcbemkohobgfgbpjcdkpjiljhopelkaa\1.6\manifest.json	xiDfgglf.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\ = "DoWnloaed keeper"	xiDfgglf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\NoExplorer = "1"	xiDfgglf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}	xiDfgglf.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiDfgglf.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	xiDfgglf.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}	xiDfgglf.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}	xiDfgglf.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	xiDfgglf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\InprocServer32\ = "C:\\ProgramData\\DoWnloaed keeper\\GnAOwbT.dll"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\InprocServer32	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\Implemented Categories	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Downlouad	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper\CurVer	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\VersionIndependentProgID	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	xiDfgglf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\InprocServer32	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\DoWnloaed keeper"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\ProgID	xiDfgglf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\VersionIndependentProgID	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\DoWnloaed keeper\\GnAOwbT.dll"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\ = "DoWnloaed keeper"	xiDfgglf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\ProgID	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\ProgramData\\DoWnloaed keeper\\GnAOwbT.tlb"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\ProgID\ = "Downlouad kEeper.1.6"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper.Downlouad	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper.1.6	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper\CurVer\ = "Downlouad kEeper.1.6"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper.1.6\ = "DoWnloaed keeper"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\VersionIndependentProgID\ = "Downlouad kEeper"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}\InprocServer32\ThreadingModel = "Apartment"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper.1.6\CLSID	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper.1.6\CLSID\ = "{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper\CLSID	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper\CLSID\ = "{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}"	xiDfgglf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063}	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	xiDfgglf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\kEeper\ = "DoWnloaed keeper"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	xiDfgglf.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 284	2420	3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe	31
PID 2420 wrote to memory of 284	2420	3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe	31
PID 2420 wrote to memory of 284	2420	3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe	31
PID 2420 wrote to memory of 284	2420	3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe	31
PID 2420 wrote to memory of 284	2420	3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe	31
PID 2420 wrote to memory of 284	2420	3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe	31
PID 2420 wrote to memory of 284	2420	3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{D39FE5E4-1FF5-4345-92ED-236C0BFA9063} = "1"	xiDfgglf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	xiDfgglf.exe

C:\Users\Admin\AppData\Local\Temp\3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3e9578d5cd548c1354860447640a7ae9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\00294823\xiDfgglf.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/xiDfgglf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
108B

MD5
845bbfd40452ab4206084f1be7b63712

SHA1
ca4a9f95db5863b30b108544abf2df1c8d6accec

SHA256
95f6b5a5d8ada473db4c87b3cd7b326eac8028b1d268ea988a8cc884d4d02fe9

SHA512
7bbf4fe9f084575e535b433db96e8d44a5e2c2976468037215f8efd6be332d9b85d2830ea6a56c346789d5ecdda8d81e74732bec5ec1be0ed6edbb5601bf3139

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
9KB

MD5
85101014a4f58ce0a9c25e0a057153fb

SHA1
cd115555671ba060d19dde109c64d0ef37e69ba7

SHA256
adb9552288153f100d3f8afa80dd4c3db653ac41dd849230f7a0451926d2ac4a

SHA512
f38df3ee954421bfefafe9524188b724fdbd1291fcd0cd69734bdce18bb9fdb95f58312f0f0095ce4f7cf0b56b44c15f9f14a43405420f20da8930f8b270d604

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
612B

MD5
2de5fd93d62e83f21988655ca45ad007

SHA1
512e49aca2f0e1a38b9d03d0f1aaedcf6722f42c

SHA256
af2dd3804ddd2fe31d380476f51ac011c6261e71c35a858940a421c5e0fd5836

SHA512
3b5ca3070047059440108474b934047d2bfab1ecdb9caf754afa7d50d80df47fa813115cf1dbf448cb28ed286d9313cffd77d18377e66db58c9a6221dad6c27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\GnAOwbT.dll

Filesize
258KB

MD5
e1d10cccd5dde588af8ee2cb7309523c

SHA1
0b9e805077320b0ce1e6620488bd34f1c4d7827e

SHA256
9900e517bfd4b39bd7af4bb360af52f6c95ef9b3e7ef36d2633485c58bef9a1a

SHA512
a929eaae12f5cb28e224fc31298af2808f995c5a06bc6f47d95879703dbb9369e2e35b4e50a452e91741e6a949336220348dbb3c389c46ea2e0ca41f592dcaa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\GnAOwbT.tlb

Filesize
2KB

MD5
9156db5f76d48049dbc41fd1b58b3f34

SHA1
5eb1df59f9b5b06ab00137fc9e6451e323d3102c

SHA256
66fab808188a98ba49d99b723a181aa6626197d50bd2d5e15e076dcbc6fbb2cc

SHA512
742a77e71c34632146e16acadb6b381694072c7f4c2dea1df1dfc645ed42673ba153c832d167474dc41f9b608142a8c41b4aecda1efdab90d87d4f5c718bf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\GnAOwbT.x64.dll

Filesize
319KB

MD5
4f5c722b8686afbea6f09c53171d44ca

SHA1
184c60aafbb12d1023b1ce2aff4d3708607a75a1

SHA256
870c280ea861313edda0bd3950dc738ea68d006f315888d66023b54e5f98f0ea

SHA512
e471a86079a16d129ea0c01878af77d1aa132e629832d3f0f3d1f8a3dd250ed41c8d2f37403a10c8061fff07c07dda926ba7ffcc417c6e0100005a0f2721417a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\gcbemkohobgfgbpjcdkpjiljhopelkaa\YlpL71jE.js

Filesize
5KB

MD5
5e4d386858fe89f7285d884aafa3e33c

SHA1
a33a148d66f3f352a3bef55fa12408637ff04de4

SHA256
fae788d7c5bab5c62961c61ff3c7ef81e421ba0c0e837aa4ff78d21fcdc43bc8

SHA512
7dde4b42e61666ed78a5bcaedfb63c49e90e4e31c10c2577655b359f5da922a47baaded5c3eecf8c9e2896c7b4008a0cf66d77472aaacf50d044382f4bfa6589

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\gcbemkohobgfgbpjcdkpjiljhopelkaa\background.html

Filesize
145B

MD5
0b26fc5f71e02ed181c052978f0e7983

SHA1
f8cff87325e4e3477cf8f17b6cc0f05067389949

SHA256
f64bda34625a07b0f66463fb7d64654ea38c15452573e60dc90b7e7a48ea727a

SHA512
f570e3c22132c85c91145277d4c0e2e102735055aaa63a758a517740f8e4a09062eea09984b46048d9567d36b5db9bc43b1f3681ee489c7d26e4065bb4094993

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\gcbemkohobgfgbpjcdkpjiljhopelkaa\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\gcbemkohobgfgbpjcdkpjiljhopelkaa\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\gcbemkohobgfgbpjcdkpjiljhopelkaa\manifest.json

Filesize
508B

MD5
95718a1746b9bafc02e9a925c68562c2

SHA1
fba294e8e03666c5fb848bef88f027c627482661

SHA256
4c768fa2a6c400323f5ea7abe54caed23ac53337a4b17ec1158d6fa72f13466d

SHA512
3d8df55904d1a0cdbd995e7d2498a2fbf96d466887446b9dfba9209e549642b4c2ba33f869ac7ac0430dff70e3cfaeef757210dc3e48ee5612b5918f5c191198

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\gcbemkohobgfgbpjcdkpjiljhopelkaa\sqlite.js

Filesize
1KB

MD5
3a6a14648a1159bf369f3b13381cce69

SHA1
25ce4ba1e36407f41cd96742bef6a46762c13ab9

SHA256
f0998a31d72db4032aadb923efcd0fab6479f2d17f23fb7f14c62d6d0b89fa89

SHA512
8e9492abab7a5af66b70928c43d9b249ee6baa9338fe3490dc7622c281595b0a3b7f3d029abab5ca0d4b77b722c583ef60d9cbc283b19a7c7a6b3fc414ed0a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\xiDfgglf.dat

Filesize
3KB

MD5
054b0fef12e2128671c62d2ec87c3f48

SHA1
42df5f11d492e3ea25319fe1278015ae593ae518

SHA256
3bab634049791190d3b86abc28d8592dcd3bef8688fdaf02d52c087545d8c53c

SHA512
61d0e7ccbdb00f7e1c24b984753b86b4aefa99f81b663c973c128e32951a9d2ce37191cdf6fe35bd3f8a0e62880e1184b6adcdcf486ae1f711811c2c1c442cde

Download Submit
\Users\Admin\AppData\Local\Temp\00294823\xiDfgglf.exe

Filesize
334KB

MD5
8300c91b40229b42301aebc6d8859907

SHA1
0b55e56a6add6b4dd4ceff475a0018a203d02a5a

SHA256
f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

SHA512
0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads