fc447b51643bbdbfd9f00165e537ed048888744132cb695717e860c18a667ff8

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71b2671d482af0494b94af77bb31d289_JaffaCakes118.exe
Size

257KB
MD5

71b2671d482af0494b94af77bb31d289
SHA1

6798cd37eadf55dec0b1f01a4f0d57f670824649
SHA256

fc447b51643bbdbfd9f00165e537ed048888744132cb695717e860c18a667ff8
SHA512

39b0682a2eee07193af9e2e7d618a73b40e369c9555b5c2bad1d0fb6e0d6312ddd7f307392af0eff38df6567063c5d121ec6b5faf79d8c779c6270c9a7bb484f
SSDEEP

6144:91OgDPdkBAFZWjadD4sUXGEwYBLXB+fHDSsfSUMCBwO:91OgLdayEwYtXB+fDdcCBwO

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4888	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
4888	setup.exe
4888	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\ = "ADDICT-THING"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\NoExplorer = "1"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71b2671d482af0494b94af77bb31d289_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234a4-23.dat	nsis_installer_1
behavioral2/files/0x00070000000234a4-23.dat	nsis_installer_2
behavioral2/files/0x00070000000234ba-84.dat	nsis_installer_1
behavioral2/files/0x00070000000234ba-84.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "ADDICT-THING"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\VersionIndependentProgID\ = "bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\ = "ADDICT-THING Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\ProgID\ = "bhoclass.dll.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "ADDICT-THING"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4888	408	71b2671d482af0494b94af77bb31d289_JaffaCakes118.exe	84
PID 408 wrote to memory of 4888	408	71b2671d482af0494b94af77bb31d289_JaffaCakes118.exe	84
PID 408 wrote to memory of 4888	408	71b2671d482af0494b94af77bb31d289_JaffaCakes118.exe	84

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{24F0A7E0-DD79-37A8-1974-AF7D4FC3C8B7} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\71b2671d482af0494b94af77bb31d289_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\71b2671d482af0494b94af77bb31d289_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ADDICT-THING\uninstall.exe

Filesize
48KB

MD5
a724dac649142fef71fe4b529684e969

SHA1
e2878e84886ec53a1332ad969a825062526b5cd4

SHA256
b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc

SHA512
9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
f0ded83c97e0190109bc35e59c3a86a3

SHA1
8ba0d099b3ae07ed479f45000f422f78a579254f

SHA256
9301e5cd5c9018835f5656cdbc01e62968d2cdc305f4230fdd2b12e256463484

SHA512
6a437fc06c2db07568606e8a9561f51e6d038d8afb2c05608167e42c5c134290d96a8be80851b01175e579f07685dc49ac1921f497f2f384670ccb24a1cbbb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
2f41493bf69f1271f0bf09699669e009

SHA1
b6d75676d8fc9f02aa0643509a4a5b046e67f70c

SHA256
9b2888672d8e5b0daa43210c855d361f5df54f942b6a89d92d27efd49ae27874

SHA512
e0882d4adba01bb102d6dcdf3e15a9c687927fdfb9dc2402adc09c5fdd78c25ed8b3a0e5eedd58e3abdd96f756401f42e7d9e342ae1971b5b2fe4d0900961753

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
084e3d8586571080a22547000eb7b184

SHA1
9932def95fefb547b87e46f393ec9f31f676195f

SHA256
3ce434b2eb70d605f1536a807629ea0b35712951fd16629c0135c481ef28d1e1

SHA512
fdf8469085bd28685ed227c07209227e73a143ff6465d023669617f9100c26bc62bcf61260d2d7de758653735a1747a512ec4690c24a403e0300d90d1c651ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
29e6359c84895cb3372316ede87a47f3

SHA1
803d6a2e4bd4304b111f228abfd2adad2cb25644

SHA256
663b22abaad55dfcc1d27950357617cee0d0a959cecf1d0a2947ee1d00f95fad

SHA512
1114d11f3cb6a468d4958a1cdc0f6dd48151c65cdbfb57458a5a997d2c07d1e2e0edf926d9464060471798b024e81508fa048a3ded8d9005e8b99212e9e62155

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\[email protected]\install.rdf

Filesize
714B

MD5
e291bde24f33fd4d16d0a5df271e6cfa

SHA1
3e519732c0d2b1444c46255e8e194bb705b0c70f

SHA256
92d95b686171e3eabe8168f36a50cf949fa101e3c887cd592896ccf24031691c

SHA512
421bbfa62907f1cc5cdffc4081bc23a00cd577c7e3fa85b57f430d300e1995d09d3a1cd10cc62c05558fdb64d7992c288c58b13785e18022ff85f6a778d86231

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\background.html

Filesize
4KB

MD5
99b67dcaaab557aac9801b215214143a

SHA1
0f7c222ce638b06f863dae854633c8a8b76c1586

SHA256
86a3d0abdfaa7b2db32fe4ac8c8a1cf7ac35e75cb7532dc933b4e4ce5fd7c6b9

SHA512
3ce7ad4c60d86491f065799183aeaf1971c9bbbbad48b36beaec0689fb27a841dd28a071383e2b825a9aab82ca5bb994954b4855896d5c9755111db0c4184921

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\bhoclass.dll

Filesize
164KB

MD5
474a025909c75c607905b9e2cae8a56f

SHA1
83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e

SHA256
25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f

SHA512
29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\content.js

Filesize
389B

MD5
ff50a7d78c4efe1cc3a5d27e07503054

SHA1
90c2da99b0ce98dfe5de2673a827a999bffbc03e

SHA256
af1a2a75ee0f81cb8f74ef4d7cc7ccadb29d49b5cdcd6951be839b2869d1f04b

SHA512
d53c4875617ccf32789fd84c5736642cff3c0ba85d7f0df47e1a21b40de5549f46d8894067959f59b5fe4efa71d8b948580e6490262b0164d945ebcda2498d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\lldiggjbcbllcpmlkpdfolibgljanjgh.crx

Filesize
3KB

MD5
7b731d110419f7e33e384f2fad24e097

SHA1
86f11156d7abee8e47507166c4204d02b2677b61

SHA256
890722e5d1a82c8fa0271b88fe38d836c10f27cf68c93b4ebc68b3d380575768

SHA512
70cd4c1b4ac3447f6c574cac869fb60e5f23f4260ce24898d50d1e86c060cca1b60b0b2c00028b3dc0cd4578d3609084e94d120c3700a23fb1ddaeb2ff849ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\settings.ini

Filesize
916B

MD5
74d0d5a3e17d28c0cabd6328e61ccaf0

SHA1
8b280fd67e7b2a9363971668d03e23f8bbcd8c76

SHA256
7fa830eeb893c7b38f77a7bd4e000facbec7041baab8878479a479078f6343c1

SHA512
de0f214e307b5ae98600e7b8bb4647bc31fdcb764e9ac89ae99b2a8693f64f01feb3850a3235feddc3636a23127b75d63f4c14ad885682020de8027de881556b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAD28.tmp\setup.exe

Filesize
65KB

MD5
4ccf1a317aa8539c857835e4ebe9c806

SHA1
223b73d09d7398f40aff3ccc569e66cae3886ee9

SHA256
4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242

SHA512
ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswAF7B.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads