839f5f23aca298493150870707ed7fb8cb4992eb05ae1e7735d62d29e118147a

Analysis

max time kernel
13s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe
Size

717KB
MD5

550be68aa0195900fb1ad01eb835217d
SHA1

2fcd31bc15431cbb2cf1d9003b3ec7fc2b93ca0d
SHA256

839f5f23aca298493150870707ed7fb8cb4992eb05ae1e7735d62d29e118147a
SHA512

e58c2f9469e6e3379d94fa7963fafb0a89f4d842ad2d567fd918348c52274ed17c9f9d626999cb17879f4ef13a2f6f8214b256ead03ef7736d5ee0830219be81
SSDEEP

12288:UKnekrL58728GcLUEVyeVtQsz6M4SpfFh2w0ws/+UzGgt55INdvZunnlfhh1Xxt+:9Lii8GcA4zLh2w0RHtQN1Z+RhPcR1

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
644	Z8cf5.exe

Loads dropped DLL 2 IoCs

pid	Process
2344	550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe
644	Z8cf5.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oepgognljgmamkaaamakgpngfbidgijk\1.6\manifest.json	Z8cf5.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{98633022-8E00-A8FB-9940-38FD82892EAB}	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{98633022-8E00-A8FB-9940-38FD82892EAB}\ = "Dowenloada keeper"	Z8cf5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{98633022-8E00-A8FB-9940-38FD82892EAB}\NoExplorer = "1"	Z8cf5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{98633022-8E00-A8FB-9940-38FD82892EAB}	Z8cf5.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Z8cf5.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	Z8cf5.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{98633022-8E00-A8FB-9940-38FD82892EAB}	Z8cf5.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{98633022-8E00-A8FB-9940-38FD82892EAB}	Z8cf5.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	Z8cf5.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\ = "Dowenloada keeper"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\VersionIndependentProgID	Z8cf5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\ProgID	Z8cf5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\Programmable	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper\CLSID\ = "{98633022-8E00-A8FB-9940-38FD82892EAB}"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper\CurVer\ = "Dowunload keeper.1.6"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\InprocServer32	Z8cf5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\VersionIndependentProgID	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper.1.6\CLSID\ = "{98633022-8E00-A8FB-9940-38FD82892EAB}"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\ProgID\ = "Dowunload keeper.1.6"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper\CurVer	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\InprocServer32\ = "C:\\ProgramData\\Dowenloada keeper\\Z63n.dll"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\InprocServer32\ThreadingModel = "Apartment"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper.Dowunload	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\Programmable	Z8cf5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\InprocServer32	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Dowenloada keeper"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\VersionIndependentProgID\ = "Dowunload keeper"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Dowenloada keeper\\Z63n.tlb"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Dowunload	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper.1.6	Z8cf5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper.1.6\ = "Dowenloada keeper"	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper\ = "Dowenloada keeper"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper.1.6\CLSID	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\keeper\CLSID	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB}\ProgID	Z8cf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	Z8cf5.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 644	2344	550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe	29
PID 2344 wrote to memory of 644	2344	550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe	29
PID 2344 wrote to memory of 644	2344	550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe	29
PID 2344 wrote to memory of 644	2344	550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe	29
PID 2344 wrote to memory of 644	2344	550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe	29
PID 2344 wrote to memory of 644	2344	550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe	29
PID 2344 wrote to memory of 644	2344	550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe	29

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{98633022-8E00-A8FB-9940-38FD82892EAB} = "1"	Z8cf5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	Z8cf5.exe

C:\Users\Admin\AppData\Local\Temp\550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\550be68aa0195900fb1ad01eb835217d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\00294823\Z8cf5.exe
  "C:\Users\Admin\AppData\Local\Temp/00294823/Z8cf5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00294823\Z63n.dll

Filesize
222KB

MD5
e9b27306a18f18b88945cdf066de2fc9

SHA1
4d18490fbb336e261301a967047065dd561cc2f2

SHA256
a9880b90d24af3786886306aefe5c79ff3cb2fb7b36ee5fb7bf2af85f240d63c

SHA512
f255e8bfb13cfa070b31f47b12a4aacf9ab75a6a8191b6b83740d02c3f007b6d5255a5c2c12bc7b599996742973d2faccb5463d96d16c7aba40e34776823c706

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\Z63n.tlb

Filesize
2KB

MD5
39d776f73d1d3f771aaa8c3561367c3a

SHA1
eef842aa02927bd7fbe7d569c5446ef1a2ea065f

SHA256
c2156787eeb818e587529572599fa124773c71330fb93e1c79f4cb9141090941

SHA512
3174095accbf422730e60f61523dec01a9a4519cb4642a641c5f547d530ad41f5386d383b90f7daf34f1f36635775929e99d7fe0030aa24cee30f4de8376eeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\Z8cf5.dat

Filesize
5KB

MD5
1859dcb2745650c172291cefa248f734

SHA1
4c8c0b2177342254c170adf01933e768e0b5876e

SHA256
5046b4845a7ab27b254459a3f8687176af1675629a97cf8c879e5ec808fdb54b

SHA512
2d54f418de31387803b3318fd202d52f048e6a12ad5017a215a9acbc2a940acf19ed2e70da21a3d4f01b0d01ac54572e097fb87f0ec96355bad156cf2737ae39

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

Filesize
2KB

MD5
1b53c596cfb1aa2209446ff64c17dabd

SHA1
2542da14728dcdbe1763f1ee39fe9ceae38ad414

SHA256
a7dfea4bf7e1d46a8b8e64ccfb2cf35017e3a5b350eead26d6671254d2b3c46f

SHA512
be54481675c38ef6a41697cf8cd3ab5a0b126922b192732a9c587dd8905b74b66c79eb0c849f62bbe8934979a894be63734b0ad59ffae295f5797cbfaa327030

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

Filesize
102B

MD5
3322b3395a6e4ea3f339ed0538783f12

SHA1
e453f3f4dcb530a9430de8a4d94b958312d19a43

SHA256
578d815da9a95708661b5537c8fd87524ec3c30cc443b9510aa242cbef4d161e

SHA512
b26cc3f752ebf41798f663a0dbb83f851cac8adf43bc1d7f521b61c20d141dbf64f349f1bad10e70744d62cfc6590b187c449e192eeccf21527d0d32a0e7fb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

Filesize
9KB

MD5
e40cf5d377ef6eda73864f051cc85917

SHA1
a2538cc25a97d2f381fbf3266c948d91dedde49a

SHA256
d0be287b4fbec0d4b898807f10b4d0b7324c615ac7f117d7e388668d7934a262

SHA512
d87f1f9f534266fc4195b5634cd48c0eaeda67352f390a6848d19c9c304ccbb04691b070b109179ad3e74c2b0109b640c0039cd699b6fc99f790c15dc7d5f0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

Filesize
610B

MD5
4e625ca310b63034f7c7d325a9f0442c

SHA1
32a88637eb131fb25b7d8a64718e1532e8cf103a

SHA256
d3a06edd81b5730d2f95f146b5b02dc358c333ac87d8c37e2dcce839aa3dac29

SHA512
dd76a73bb745cde20fdb707e208c5e7c35d01e36862275a0a3afd26d720f25511d970b0aa8be8a8d068b302cc1b9633c37242f030942420ac4fdc5370c1dd68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\oepgognljgmamkaaamakgpngfbidgijk\9MdJI.js

Filesize
5KB

MD5
be68871d2aaed21cb61e2ba8cd87eed2

SHA1
719cbd4f103004c94754a6ea504cd5687fb74f8e

SHA256
440b2e210f31f0ae3a1120140a2b2331168f23de73b2cabbbd6932d14e552f81

SHA512
d1638c7cf051329e406861dfc9227b5b520e6ed2c4bb3a422ee79c3e476d3c715298ee6f2a4b6651b0c722808028889b48a6bad5e356d1fc1e0ab343c470bbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\oepgognljgmamkaaamakgpngfbidgijk\background.html

Filesize
142B

MD5
7a69227c8351ef4fa7852545ea28c3d2

SHA1
80567255d5f568f851549df7175e598dc0be32b7

SHA256
fdb7f2e01a136c374dd372ca4f33b934323b4f5abfc4f38684feb83fd7ed0aaa

SHA512
47a8bf3a4a16fa52d3780855da597871f3846185b64e07ed94cdbee75b9e5cefcc2f2cc9d30f00ab85b35cab290d3cdef9e43da87ed6897bc3eaf2fcd094af27

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\oepgognljgmamkaaamakgpngfbidgijk\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\oepgognljgmamkaaamakgpngfbidgijk\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\oepgognljgmamkaaamakgpngfbidgijk\manifest.json

Filesize
509B

MD5
f7ed655e50625e39700dd5d8931e6959

SHA1
219c0b2843aad56fdb02f0e3bb4e57614b2aa3bf

SHA256
4ca9010f7d558e125ece57864152dc2def261c725127e6495e7a1475a329661b

SHA512
8ece329e2a2c778eb4b12fd14cd2f6ff10ce0c5625de2848157039bf488eb5bffc131911bee269ecfd2cd25b89bda3c2bea17bc037cd2ff5fa6ba42ed5e7811f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00294823\oepgognljgmamkaaamakgpngfbidgijk\sqlite.js

Filesize
1KB

MD5
7b84dc084ced92b56458920087833d76

SHA1
2ddaf26835de3cc3644462771500bcc98f5e2773

SHA256
d2a936c0f49e1380565d07060e35347fa27217b4c5327d3c1c3fa24d2c2b865b

SHA512
1d378e27bb312fa41c6f0a7d1d227beedf53674e26b803dbb223cc5609b7f7ba4b81fe6fd7df705bc7d2fa72bac4d079ee5cacff0b88b7a8c2b06639d7b77334

Download Submit
\Users\Admin\AppData\Local\Temp\00294823\Z8cf5.exe

Filesize
334KB

MD5
8300c91b40229b42301aebc6d8859907

SHA1
0b55e56a6add6b4dd4ceff475a0018a203d02a5a

SHA256
f54a6814ac06c70ef5b738eca4855e49039783d96b70ba1ae461bd90877e53b5

SHA512
0863750da143e1707513f4a2efe1ad6cf81f5a819c7d5496d1629745afffcf72338aa9de90479d5e0936e848f9b260c434fd369027c56be175814086cafd4d8f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads