39a638cbf923cb85d50fe041961ceb1314dc469a294acae8b417abcb03ae8c8d

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2024, 08:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

827399b9f58846b604177e4fa4fc19d1_JaffaCakes118.exe
Size

551KB
MD5

827399b9f58846b604177e4fa4fc19d1
SHA1

efd8fe777997ea74f66013928e683c1b3fd9a60f
SHA256

39a638cbf923cb85d50fe041961ceb1314dc469a294acae8b417abcb03ae8c8d
SHA512

103b72a44c95831d9dec699600824bf204cc38865d04280dcbfa234dfbd6eb127916dcb7adb15931aab119a0a4d638081f4b71f7ef815914b2f9f8bc49f7a234
SSDEEP

12288:h1OgLdaOsWctn+MEfOUgbJuMmFcouJqk3:h1OYdaOstMOUgJHJJqk3

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	827399b9f58846b604177e4fa4fc19d1_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
3908	regsvr32.exe
3908	regsvr32.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdjpmcojkcgaajfigelcjgimdkijfhij\1.5\manifest.json	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\ = "safe save"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	827399b9f58846b604177e4fa4fc19d1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo\CurVer\ = "ssaffe suAveo.1.5"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\VersionIndependentProgID\ = "ssaffe suAveo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\safe save"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo.ssaffe	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\safe save\\d7W.tlb"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo.1.5\ = "safe save"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo.1.5	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo\ = "safe save"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo.1.5\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\InprocServer32\ = "C:\\ProgramData\\safe save\\d7W.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\ProgID\ = "ssaffe suAveo.1.5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ssaffe	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo.1.5\CLSID\ = "{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\suAveo\CLSID\ = "{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4248E27E-4016-2BF5-1DF2-4D6B955F7BEC}\ = "safe save"	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3908	2068	827399b9f58846b604177e4fa4fc19d1_JaffaCakes118.exe	84
PID 2068 wrote to memory of 3908	2068	827399b9f58846b604177e4fa4fc19d1_JaffaCakes118.exe	84
PID 2068 wrote to memory of 3908	2068	827399b9f58846b604177e4fa4fc19d1_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\827399b9f58846b604177e4fa4fc19d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\827399b9f58846b604177e4fa4fc19d1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /n /s /i:"" Y7A.dll
  2⤵
  - Loads dropped DLL
  - Drops Chrome extension
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\Preferences.C__Users_Admin_AppData_Local_Google_Chrome_User Data_Default_Preferences

Filesize
7KB

MD5
cc672c7853dcb058787675242dcd25c3

SHA1
5409ec897d6d2d5b068597ebed8bc58d126e1d7d

SHA256
d2766bff0b53eda40c84f8ebc7fcf2b26177210e8542695d21f4086399e34860

SHA512
b913ea33d86172754d82f232337e64f0168524a527453c6a8ada8674cce1805d8861dcbc7057574c7a821bd409883b69813c21630912e4e900ab67e42f3b6ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\Y7A.dll

Filesize
203KB

MD5
41b13b132cb601ecc466654b90296353

SHA1
245258ddccb48826f22d57444f49fa30be1b36fd

SHA256
7fa4bb68c313e1090587a64b90e87bdcbc14ea3fb7c0e8cff94c657c969b70bf

SHA512
0e8de7bbe3695848e299fe3f3506f2e982a60cf0a0dd11cde86de4af67ef3c7b46458680d7bad9cedaa266ea33cb2e77f2aa83fcf1bdd20bf31d1936f2bd69a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\d7W.dll

Filesize
180KB

MD5
0e093772550eb9541dd715c016b5584a

SHA1
20338dc859a5652f5661280dc508f4e5b533e76d

SHA256
028999304f35f7a6fc2cf6e360d4ea587612d63ce191fa979cc98ccca46ab149

SHA512
0030b395e2fde6bc9f70f52e71d8e87d306cff8afd2acbad725c4cc92b6d7916a38c1d6d156feaec841966492d32394982ef51989e2b8673d7c00e103f744dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\d7W.tlb

Filesize
2KB

MD5
48e9706fe9f76731f3576122fc3e9e33

SHA1
387c8c4898ead8ace488a7df80fead429eaf167b

SHA256
7bad79916803a14ca817e5c39f5ec2f0f240044d6dc24fb4916c8fda338060f1

SHA512
e9b44a2b1b7a806066182a084ec9df81916fc6db79710256e173377e7cd64a732c006830bbe324a9a734731ecde8b8251cfa995399f6d4df5322faff99c458b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\mdjpmcojkcgaajfigelcjgimdkijfhij\background.html

Filesize
141B

MD5
9d9d1578e0078140e04e04696bcde2e5

SHA1
261baaf207519f6989da46d49aecb5f5a0441985

SHA256
9ed3b84647f920eabad8feac4215fa11518d386c928691e810db71370ac3f208

SHA512
c9a00be47d244422b32d7c99ee28a9714ab4d4fbf587aee3df7dfff351c0b453815f4548c2931540a95939e0b66871b3200ac4629548b88a0eb7f6616bac750f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\mdjpmcojkcgaajfigelcjgimdkijfhij\cden.js

Filesize
5KB

MD5
3857bbe84c244a1a3b68302a7110ae89

SHA1
e3b154573f5deeb2194ec5b4dd209de6d0dba09f

SHA256
05fe38af415ad9966d88139f19fa3fa01154f01a80e9ce4648084a6706a53ea6

SHA512
5ab501428f68b406f86273067748a1ceac0a83b30cbee573e68c5f6323aa019dca5a8f690564805bbde715526a12446d327841ead4c0a454eec286118ab00edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\mdjpmcojkcgaajfigelcjgimdkijfhij\content.js

Filesize
197B

MD5
5f9891607f65f433b0690bae7088b2c1

SHA1
b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de

SHA256
fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b

SHA512
76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\mdjpmcojkcgaajfigelcjgimdkijfhij\lsdb.js

Filesize
559B

MD5
209b7ae0b6d8c3f9687c979d03b08089

SHA1
6449f8bff917115eef4e7488fae61942a869200f

SHA256
e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704

SHA512
1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\mdjpmcojkcgaajfigelcjgimdkijfhij\manifest.json

Filesize
501B

MD5
977e11ca13c3e242d4a436e3f7a31661

SHA1
3e40072591e887a3558eada10ca5ceaef90f3118

SHA256
fcd05ee0e7ae52ad61014b65bfe87e8185feb6f6352f3103cef2d003a6b766cf

SHA512
7a23081aafd38cba0bd1f1046be3b15922448280c6a338684f7f1ff5cd938d78935f380c0860deca6a89f8eba77b0d46a1362cfc17ebcf28c0459705f7e1ccc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\mdjpmcojkcgaajfigelcjgimdkijfhij\sqlite.js

Filesize
1KB

MD5
347c51630c1a3b9ddc7fa08baf632694

SHA1
db87052dcbb2535526e68a1309c9f3a7882399d5

SHA256
4d710e1334259121041af12199c872e09198e9296e1baaa9f469476cf0fd87fb

SHA512
418b561c4793e9e2e59208b1ce4af92714bd43d1add90de0edda168c6f5eb79c495ebc7109b51dc8a7ed5ec90494a2570a1e612fbf99811f7e13ef1776805f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
ce8e81088831fe0b7aab97ea5e1cf172

SHA1
e2c369870a882cd5ff7bd79eb89c5ab007aa0e82

SHA256
42270ad1687d555e68fbeefa4e39aacd2bae27467af223d618ed1e9e1ba239ea

SHA512
e51b583ebee44531f518f00418e934e45b2a4494d9fd499d77d5fb7d13970df162909540f03ddc46ef546426c4d0438842dddc0154e69dcd6dd3a9fbb78cd376

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\[email protected]\chrome.manifest

Filesize
100B

MD5
b4239d4f28e70f8b03097a4049c4a10e

SHA1
76344f029cdc4c3d46554a448169d5b25b11f3ee

SHA256
e9645ccb88da15639dc6c18f8564f0f66daa3b0547a4eb3dd001c281e0dabc84

SHA512
604df628d53a396afca17243309625dc19fd4499a4fbca4835167bb5983d11a9622a364408ef170b7a451c7907d5d65620320e91eeced6c6ddab02beebd0e4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\[email protected]\content\bg.js

Filesize
9KB

MD5
8a2d79936c12f4f43cf8c30e4f347a54

SHA1
dc1b35816e4f300cdfb7539a2e69eeac3d1e5b21

SHA256
2b2d60d3084d0afc3837ca8a35dd1db2ef5627150daf980fdf95d3d4dc3bdc35

SHA512
7a490fe574dbdc5baee479a3a329d5e504f788f83d5a4e203086427c220e625ad9c64b1f02b32229dece8a6bc1f9bba7aa745c8841420d025c68634a937da357

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\[email protected]\install.rdf

Filesize
600B

MD5
d2842a7773ced806bbffe5cf6acd2333

SHA1
5021177b26920999e6b62d5245f586f0a1e1ac94

SHA256
f23815dc08438580d8f9b4fe9cd1899c513b3dd56a26ecfb72638363b5519038

SHA512
15903699abb2f53abc0c215e58e233648ac00c4120809c1a063d3c72647119cdf43cf01dba237a019e35fcd413529ebe3d1e4a338f2ae6711766cde0b7b47d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD11B.tmp\settings.ini

Filesize
7KB

MD5
ef48adf7395c733837e964559002cf9c

SHA1
d0ceb816d8a239eeb17c10ccf54a9a11d0873e0a

SHA256
3fbc43753ba66c5898eddf535fe88350fc9f4b2a2f2d30f1babc3bbdd03f47b0

SHA512
8a1fdedc4838010cee1835cf640859278e9be612bca277f92592d88b46206dbc12175f804a3ee1fb8084df0661476fc0fa8b563b015735d4ea17e8513dc0111b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads