5df991b2697bdd400393ce3f4583bdae6967dac344931b03ac81cbde6e9e8535

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 16:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74e272f161c1e6741de38382cbcfdc59_JaffaCakes118.exe
Size

281KB
MD5

74e272f161c1e6741de38382cbcfdc59
SHA1

d822231fd439c091773bcf8acd0237228e7f0480
SHA256

5df991b2697bdd400393ce3f4583bdae6967dac344931b03ac81cbde6e9e8535
SHA512

e8923c81dd378c333130a302ad521d9c7e5686194018a9f10e435e7680ceaa53d4b81862e5ff7a84a2b38a44cdc306af95af65a671eec5f0fdf95f8fc3756759
SSDEEP

6144:91OgDPdkBAFZWjadD4s5ah+NUkrhs41JMU78Q80WcKabbtu+:91OgLdadsZrhp1JMn0bltr

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1948	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\ = "Codecv"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74e272f161c1e6741de38382cbcfdc59_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234de-31.dat	nsis_installer_1
behavioral2/files/0x00070000000234de-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234f6-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234f6-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\InprocServer32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Codecv"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Codecv"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\ = "Codecv Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Codecv"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1948	1100	74e272f161c1e6741de38382cbcfdc59_JaffaCakes118.exe	84
PID 1100 wrote to memory of 1948	1100	74e272f161c1e6741de38382cbcfdc59_JaffaCakes118.exe	84
PID 1100 wrote to memory of 1948	1100	74e272f161c1e6741de38382cbcfdc59_JaffaCakes118.exe	84

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{281BAEDB-DDA4-C0FB-9DC3-097502AE7551} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\74e272f161c1e6741de38382cbcfdc59_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74e272f161c1e6741de38382cbcfdc59_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Codecv\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
be5c2182a52de44bc85f7438cdcd7258

SHA1
a0f10f8734a833af7daf7e1a8fd85ffdd30b8ce6

SHA256
968fca1ea34eb0e059fb93401e96c245d3265f2d6b8d451c5e9385b25ef07042

SHA512
4f931d8f1312ae00d793cd6f8adedff22a472c3a92898bf778e03d5ace1bb8a063c72f23bfa9829ef09ab26f8aa6723fdc5747a70d4e2548d7d303b8a69484f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
ce81e22672af0b52f027f91ed04861b2

SHA1
cf54c0fe84d6713056c8e259442cb9e25df9f48e

SHA256
33ed3f5c864008153cf47cb63ad1ee9b522805119154a23818e748460ce97047

SHA512
f0ba0d96070f4ca8c8a2b854a2d4f50d0862a137aeb94c9f1603557caac1e887a2d3db72aa369d7a2ae1fa6dedd4ed05e4ee43a933928dd04873de7a49c458d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
96afd12d33c37cadbbc6fb164ee630b0

SHA1
5a4911cada27846f843a2cc4c62e198c0b498fcd

SHA256
79958a6f3358e67cba0c3c8ced8719a72adacfda5772ccfdb4972d07e65f3986

SHA512
54d1a6ad01137f7c362c60354974a3076dddf65ba17b8db90859bd133ac1a44cf050d3bf237c65d73a41e6958ad1b625b36896ff75b0d51c4f4a89391583106f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
ecaa5b1e3f89fbb4362a0d34148cf496

SHA1
f1e289708ea501cd314f9a836d2406f01d737adb

SHA256
913d8042253016e2dcbd49937b230b5c572f0afdd22aabe6a214c0e017c13c5f

SHA512
1a9678f7b57801c20b87a9aec25df4976d3fff02d4405594a94c6250ab0dc0986d6d2527efa8f12666901b7867ad3c8188b3da1b4ad8973332143a856473e6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
39de18ef7f5d9791029e7bb9346a3d0e

SHA1
293bdc463b0a529280feba66e254a87d07b91b0c

SHA256
c947346ef7c4308fc57b5256686bee11de5c51961d0c896784f8c62249cca481

SHA512
b3e75e5edc719aa9e465cfeed402a82749c33ca0cfe78f91bf195804b7c5c0e913666285fcf1e8fa846dafbfb4ba12b950c7cbd5b0467dc7329cbecadfce3810

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
3cea23641936ef9bc7de26f3b25e536d

SHA1
04eaf5c493c0af2dfbc70ebb4548e83bfc4a14cd

SHA256
2cf20fbf94a1f279727aa866447cd20b88444f8db896726c8df8b69bdd77455d

SHA512
887827860528daf4e9d32d2787f63a4a6d7a35bbdd31007c9f8a15b1a77167e0c5f4b24d8fe72b08eead2f42469ee05f3c14935d4dc93f342baf11dcc89dbbb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
f6f88f222c371ca5e15ef413a2226fb6

SHA1
355187da6bf9a720fb30c7d52309f31fb7ff9fe8

SHA256
ec2aeaa91d2705f07a5bb98d5f96bd19cfb200a19755e51e79b632cdbeb35aa5

SHA512
ef5f803fdaa5242fbd52df97b7298dd73b3dfecc7fcd5a38ddd00bc6c8379a31472a236de695350d8bd1bc107f53d9079c82a04df526010ca50efe75f94f7333

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\[email protected]\install.rdf

Filesize
676B

MD5
a73be91c09060f63e1001a567db0a9fa

SHA1
2a3c9504b560cfcb5d038f1525b33f1250d5a137

SHA256
263aac13b970cd8ecfd543363a96c7cc59780daf09939ff038b5794d1e501826

SHA512
4b445c940781e5d620a6e55c7effedd4cfe27b241d40f582e2de9b22e5d4346ba5aacfdb1c2714bf954f4df325f5a20eee99dd56d0c7c4ac0cbfff4846ed47cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\background.html

Filesize
5KB

MD5
c6157168094eed1ce35c78054a139149

SHA1
a2c51d28c6d2ad6b392efb0e86e9b67b51dd109f

SHA256
50de05f633e8be2420ca119847fd43511b6fc7b7b7cda68b1aacc9e6582b3416

SHA512
297870226388e13faf44d9b3d50ed44d319bc2887605d8324cb0f3b7279f61fff5122d5d1479cd4e3c8d2eea65e82ffa31d31c15bf8cc82bf8d47bdadb7fdef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\cjabgnngoddfhcpijeehomjhbgbpfeog.crx

Filesize
3KB

MD5
fa78010a7a023297e2ac8d45d6400c99

SHA1
4ce6a91f680239cd7f0885bfcf057da04da22aea

SHA256
225f962a91094a4e5c8c941b60053edc9a003c133dbae05b9b50fb981953b391

SHA512
65213853f6291634d68565c58cd1cfb33d96f3c4ac6f949aac617926ef97cb5b0fa5d200c2d2332a4f8753d19423d56106d5e55d0f90d2432ca633e1592c32bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\content.js

Filesize
734B

MD5
60361dfd2711ba40256a8edd4873d1ed

SHA1
b8f70f6eb5047bc5ba282a823fcc1716ca3612f3

SHA256
c1d01f1d6bc9b8533eb4353523f4f8dcb3f8b394cc091a43fd8a17dd3915cd75

SHA512
efe542c116992bb6ef8da22ebbd055c7ed5681e23a3547730b04c66755e330c409782144cb78cd21a58f2c9ce08c66791acfe49e9702c19671ab14a5db6f62e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\settings.ini

Filesize
660B

MD5
f2f063d33df805d7d0b23404550bc849

SHA1
7dee5cd76bebecb10c8ad6bd864af74ec88590c2

SHA256
d1fb2225dd577a00d57661a3cc4551e6a958c5fb4e0d2433efeaa127d5cc1565

SHA512
5622ebf8642706ff489a70231e7d9e79289cde49b7e703562d89f6010a4f2c4b7c99162a99192632e6d4a4b41d9077557f5426afc8b7c309e01dcb6a912517b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS80C9.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads