cf49d2125781674bc2a039923c2b005c018f509433a59adf89e2b0e73e90b47c

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 03:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe
Size

551KB
MD5

459547d54e4763356a49e86b5e02db73
SHA1

be4f621daa4d00f57f36b0205b4d01fdd6597dd6
SHA256

cf49d2125781674bc2a039923c2b005c018f509433a59adf89e2b0e73e90b47c
SHA512

78eea809d82866af417632330325c7f7f944b3b16600f4d3e3b53a2c0898d3d9b63d8dc21c66a2a82f279cba4d5856e8ab417b29b66909d9862c225c962abc15
SSDEEP

12288:h1OgLdaOvgbJuMmFcouJqkXWctn+MEfO+:h1OYdaOvgJHJJqkXtMO+

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2552	regsvr32.exe
2552	regsvr32.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdafnkhgodheghjolhaaojkiamoin\5.10\manifest.json	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\ = "savEnshare"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}	regsvr32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre.5.10	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\ProgID\ = "savenshAre.5.10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre\CurVer\ = "savenshAre.5.10"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\savEnshare\\Y9.tlb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre.5.10\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre\ = "savEnshare"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre.5.10\CLSID\ = "{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\savEnshare"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre.5.10\ = "savEnshare"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\ = "savEnshare"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\InprocServer32\ = "C:\\ProgramData\\savEnshare\\Y9.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\VersionIndependentProgID\ = "savenshAre"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\savenshAre.savenshAre\CLSID\ = "{E5A6AA17-28AD-5E74-D951-CFCFCCE6FF1F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2552	1564	459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe	29
PID 1564 wrote to memory of 2552	1564	459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe	29
PID 1564 wrote to memory of 2552	1564	459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe	29
PID 1564 wrote to memory of 2552	1564	459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe	29
PID 1564 wrote to memory of 2552	1564	459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe	29
PID 1564 wrote to memory of 2552	1564	459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe	29
PID 1564 wrote to memory of 2552	1564	459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\459547d54e4763356a49e86b5e02db73_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /n /s /i:"" lQ.dll
  2⤵
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\savEnshare\Y9.dll

Filesize
180KB

MD5
0e093772550eb9541dd715c016b5584a

SHA1
20338dc859a5652f5661280dc508f4e5b533e76d

SHA256
028999304f35f7a6fc2cf6e360d4ea587612d63ce191fa979cc98ccca46ab149

SHA512
0030b395e2fde6bc9f70f52e71d8e87d306cff8afd2acbad725c4cc92b6d7916a38c1d6d156feaec841966492d32394982ef51989e2b8673d7c00e103f744dd5

Download Submit
C:\ProgramData\savEnshare\Y9.tlb

Filesize
2KB

MD5
48e9706fe9f76731f3576122fc3e9e33

SHA1
387c8c4898ead8ace488a7df80fead429eaf167b

SHA256
7bad79916803a14ca817e5c39f5ec2f0f240044d6dc24fb4916c8fda338060f1

SHA512
e9b44a2b1b7a806066182a084ec9df81916fc6db79710256e173377e7cd64a732c006830bbe324a9a734731ecde8b8251cfa995399f6d4df5322faff99c458b6

Download Submit
C:\ProgramData\savEnshare\settings.ini

Filesize
7KB

MD5
434739298e6cf4ac47720ed45b7f6eb3

SHA1
83d9034143ec056d8c171821fb77024cbd708831

SHA256
7e1b09ce1b7ff1f574f3677de16d3ccdaa3e5ab539516dd003e285f6fb3b0989

SHA512
794298be424192e1dd015d899354e04b7100aa0850adbdb78f92cd34c899d3aec049e5fefef16d2b6ae94f7bdbd1e4bb963b5602e19959d9330602738bc8ae59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFFF1.tmp\Preferences.C__Users_Admin_AppData_Local_Google_Chrome_User Data_Default_Preferences

Filesize
5KB

MD5
a6fa2a92d23b1be9935c2741d9f3a437

SHA1
fc1bb512b3b1d65591b0a1589b816117623a93a7

SHA256
4683f076623e30f8649a66e2928044cb7e039b4d6cc43fa5c550d70fcd23be14

SHA512
878128b7903f47c1d62461e2bd26e450291151973692c6a6ab7e16ca2d7ea1eeb38e1a4a046eb8bafd9ec264e96e36f039b7a99c9b2f66316538d1295a91d373

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFFF1.tmp\fiogdafnkhgodheghjolhaaojkiamoin\TaI.js

Filesize
5KB

MD5
00bf05207e15ee27db01f681de5d892a

SHA1
75ce8a4f2522cc48cbd073263c7092b3f7847e14

SHA256
510a5bd753071998beb136d45f22799971a78e0f11f99bea20d2f803002bca01

SHA512
a48f1fbe03ada71ca5b198f75e26ad07ef9d4f584fdca3685882606c13fe0b6be3186bb34cc7ed016a1aae801ebb69b3d4c4867cf6aa0dabd0760e2c2d3d4490

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFFF1.tmp\fiogdafnkhgodheghjolhaaojkiamoin\background.html

Filesize
140B

MD5
ec2cc5747a1316cece7b348f92babe93

SHA1
b47da30f4919e9ee0cb216d142268b0402e50001

SHA256
17e0bebe75bcb4a4deb482d182d9f28d10f0ca2882109c415eaba835bb4f3620

SHA512
a727099dfeffbcc4967fa1d6741f6c8105290e647801c568ee4fd72cbe97ace70638df7437b6b8b5e7a06595b03f2136f851a58d8e85b39aead1f3869dd173a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFFF1.tmp\fiogdafnkhgodheghjolhaaojkiamoin\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFFF1.tmp\fiogdafnkhgodheghjolhaaojkiamoin\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFFF1.tmp\fiogdafnkhgodheghjolhaaojkiamoin\manifest.json

Filesize
504B

MD5
b3be73a2d4f57256f6524303eb209ac8

SHA1
1e5edb10769f19c249f3f61d5b9b4a58df59af43

SHA256
d3eceaa7ad562ed7686a0afb6c45766daf4cdb4eba4705b36b800e15ea27b48b

SHA512
80eb3728a92a26668f48535fe14464bfcafedd7f5df32c360f583d2554be829edd915591d610e8ecbfb83442c1ffb7cb620d79ba3a97576c642500eb3cb6fb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFFF1.tmp\fiogdafnkhgodheghjolhaaojkiamoin\sqlite.js

Filesize
1KB

MD5
e78aab99f4b897ea0165c5005e11b6d6

SHA1
df853f922987d4f02ecae1d693ca055bd049d54d

SHA256
5895990243efc0a19bcf9343d3363ebf60ce8e023e4a2c495d40f0ae6f940504

SHA512
7e828f6ba35110c4937f479b79997ff90b21570b298b602c7b8e048cf8010287381fdc06b803ba889ab5ffc3c017a7a3b95331fd22bf8bfc2b6f506c9dd85f50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.Admin\extensions\staged\[email protected]\bootstrap.js

Filesize
2KB

MD5
af659a11cec11135a85c73504f4ec622

SHA1
1a0371bd2b7a6442e3dd614b76945182b24d25d3

SHA256
8e5c4b40fe8b19d05d42070d85452c3a0d0e2cd31451acb5e7a86b542fd7e2eb

SHA512
02051413cf8861d14140e96a8613f84043c8f7078f3271df9101f701a32fb39823ef98bbdff3dfd86b58d8d8ed7c19d5b0971c77a553a18d83ac14d046905832

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.Admin\extensions\staged\[email protected]\chrome.manifest

Filesize
98B

MD5
773ebe11760a7b2c3625770867787762

SHA1
fb6bd28f5aa0d3fcbce430c1738df9dec66e11b6

SHA256
846f1367aa30e504814af1b092e07714496a047853dc284e6e48892dc56790fd

SHA512
f5c44c1fd39dbed4c51dd1cf548521c701a71036fecfa5f15960da02388ee1bdb88cd84df2e72484c1a344dc16042d7a440eeb49a3426945a9b827d6294f3caf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.Admin\extensions\staged\[email protected]\content\bg.js

Filesize
9KB

MD5
b0c0ab49349c484b7a88215a7aa894e1

SHA1
9bc5750d94a27ad047af3427f51fa0dcc9082415

SHA256
27b1b3b525fd4bb75d73a2fce3db66b8f5dbe5a0e51986684c5e9d05859d7e68

SHA512
f80f63bd120e8ae2929526cebd270c3d1d2bc2180e67237ed2b29af05dc3439baeb7beb8732bab5d9370e2c4c4a7a0d8cfe3fbdc06db504e968446b2c9255199

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1009pdhg.Admin\extensions\staged\[email protected]\install.rdf

Filesize
604B

MD5
e00569f79403463e48a381251c92b4eb

SHA1
5efa392927ed5f750771c0826dcdb4de374f5ff3

SHA256
60805a92b997662a83df3f0a89532fcaa215b7ed2a1ecaaecfe6bf2461567607

SHA512
f5280438bdd3d6e5c83fa107aa620216b8223bb4469105ac2b7241baa6ded8469ac49626e67d3ee90284047ad96859507346fc462b9298be82a388c896d001ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zSFFF1.tmp\lQ.dll

Filesize
203KB

MD5
41b13b132cb601ecc466654b90296353

SHA1
245258ddccb48826f22d57444f49fa30be1b36fd

SHA256
7fa4bb68c313e1090587a64b90e87bdcbc14ea3fb7c0e8cff94c657c969b70bf

SHA512
0e8de7bbe3695848e299fe3f3506f2e982a60cf0a0dd11cde86de4af67ef3c7b46458680d7bad9cedaa266ea33cb2e77f2aa83fcf1bdd20bf31d1936f2bd69a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads