b4726579e4dae242096f6e668892e960ac5d264faafe4188c298ec7e6d9dbffc

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81cd35b129ace486146d08f901f33210_JaffaCakes118.exe
Size

313KB
MD5

81cd35b129ace486146d08f901f33210
SHA1

72d5a0ee547e4e17c4e48c633f3e38f2a82a1070
SHA256

b4726579e4dae242096f6e668892e960ac5d264faafe4188c298ec7e6d9dbffc
SHA512

0ec30ffad24ca466dc5054e76c46e76cdd3b9667195ec665db6c1f5fde7f6957dda71962ad618d37d717576823ca0de3bd1c4c171cde8c2d1a0f859afda63788
SSDEEP

6144:91OgDPdkBAFZWjadD4sMjnnTz/3aidj+tQ7BvtmAS3:91OgLdaPTr+OW

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2240	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
1716	81cd35b129ace486146d08f901f33210_JaffaCakes118.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe
2240	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\NoExplorer = "1"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81cd35b129ace486146d08f901f33210_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000195ca-30.dat	nsis_installer_1
behavioral1/files/0x00050000000195ca-30.dat	nsis_installer_2
behavioral1/files/0x000500000001a3e6-99.dat	nsis_installer_1
behavioral1/files/0x000500000001a3e6-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\ = "wxDfast Class"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2240	1716	81cd35b129ace486146d08f901f33210_JaffaCakes118.exe	28
PID 1716 wrote to memory of 2240	1716	81cd35b129ace486146d08f901f33210_JaffaCakes118.exe	28
PID 1716 wrote to memory of 2240	1716	81cd35b129ace486146d08f901f33210_JaffaCakes118.exe	28
PID 1716 wrote to memory of 2240	1716	81cd35b129ace486146d08f901f33210_JaffaCakes118.exe	28
PID 1716 wrote to memory of 2240	1716	81cd35b129ace486146d08f901f33210_JaffaCakes118.exe	28
PID 1716 wrote to memory of 2240	1716	81cd35b129ace486146d08f901f33210_JaffaCakes118.exe	28
PID 1716 wrote to memory of 2240	1716	81cd35b129ace486146d08f901f33210_JaffaCakes118.exe	28

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E1EBC19A-3B2C-55B9-1300-0FBF321B3140} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\81cd35b129ace486146d08f901f33210_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81cd35b129ace486146d08f901f33210_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
a205c56785bc099e17c9ec8296586c31

SHA1
eecce5807537e48067dac29363c2be6ce228f9b1

SHA256
02b7feab428c798f7c3a5a250ae90776fe0026c9ff4697e7464ad1264abd9808

SHA512
803324698f3dcf6cbb1a4277f48c72e344a21ab9d8e4f6dee6aac35268fcf98fc6eb820f7d2fd2b9de5786880288c187acfca5a6f5e0ffba77c9ff5c540f0b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
72cb546e272aaba8cf717b7f03fe5bce

SHA1
2d4aef375a5bc8a63de821edcf422cc1db87af2f

SHA256
dc4dd046f56549fdab4bdcfcac59ffed1c5bcfb0c564429bfdcd760a860fbe3a

SHA512
534c1938d6b73d7c73b2dd036d61b73f96a4202beb239d07fa00e30a95fa5651ae3c95baf6ca1b77da8f4d22312f86375c441c9217fefff784881b81f5afe791

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
3ab9fb3c5aaa259424715dc6756dc127

SHA1
ef54679eec65a0df1b63ee0786ea0c5e9a65000a

SHA256
e7dc91e7444fab65fd4942bd80f287392ffd5513d9b2f3db5297ccc6f1520b40

SHA512
eec67705263637698520f537b6d928c8e181b84cd5148775e9945d4d4fe85fca11166613c7b967020afdd24f73cbc0c5b75eebf0ced8d0f8552233344d7e839b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
7aa8dcf1d0f5e3ff7e3d29151c2bf894

SHA1
e28ec8630f07732d3e09b2af7cfe6404945fc795

SHA256
81743db9d770149122dad53581f1fe242db1a3c6855f9f165781ae7836e54af7

SHA512
c94db5074c16eea6aeb990b9c11b0163b6c7b9f31d21c71aef5ef3ed91fec1a540d858f2435daf2ebc98477c037b1563a0661b4ba6c9495d1efa3563f20b1317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
e55e7180e1c49ee5d2b34f6e1123d85c

SHA1
6ff420f4bbf833a731d148497c25e1dedab695d3

SHA256
6be8d3a0780524d7c5a273e60568b8d5d83603b2685137d66bf05ca2bedb0ba5

SHA512
72bad48729a96ca32b82bd311eaabb7fc5564c4b2cc43f05c4d2f127016179c8bc3e81f0800f50a2b8657ef2c9c5bd19f2a7bb73d5f055a49d8b652d4a257c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
f27a154147211aa415a726afd4fbf78b

SHA1
5e04afaa3e202bc8ebe268608b4dbfef49ca9f65

SHA256
c3befe337fdecb1e5942ee5f87c2af5a2f62deb618e044f8069cc9e020f8f8be

SHA512
ad00beb4177f752e7775b358ca1788a6d2fb1559f00ffda17d6e173b07ac31cad749cac3916a5e49c406c7930a5a5f221b61172bac0d9eb825dceb35a758939b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
f75c032affeb84aad938ad6752238968

SHA1
8963d482ddf2a93fd69daee91a65288162af731a

SHA256
883abca6f4079beb1dcd1f7763efeb7c98f7d6e0400eb07ef198e05e8210e491

SHA512
426dd4169af324cc02ecaf7615ff7e0a076f2793ea5d600b4dd9ddcdf77b78a2e556665c76b6f4d51d7793f6a56199556a7427799300316a7527da7a6007305f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\[email protected]\install.rdf

Filesize
677B

MD5
b70d3a98a764d279d37fe772b71eed3f

SHA1
2f37ebb6afa8f18409910d83a942811e72f22c80

SHA256
d34e4ac51199d2fa6c362fffed91ff620bcc6c3e25cf6dad55ab103020fd451c

SHA512
d6e16476afee1d82717f96252fc9d787fb33e6e9debee3d99dd4c2ecf6274ca628732207faa9a185717c13be9c3598bd9271efac598d4956ab5c2fc3df829882

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\background.html

Filesize
5KB

MD5
db08b25e78c304a84d72fa63870dfb88

SHA1
aae0da059186561690a09ac18fa86e0ada95775c

SHA256
cfec889da0e79e7d18413b2aef2ebc2ea088241aa10ea4efcd8db73cefbf4453

SHA512
3fefebf5710055f459038411b81752f7c26bdb8c84cea4e7fd06fdceeb09102ba68647d31bc23901eab58329e79ae36aafb7f37e601b6e3450d5e17374474fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\content.js

Filesize
385B

MD5
e5f6e3036a1823858c56688645578c3d

SHA1
41350e7bfb9beeed6446a9641536f9bccb35d581

SHA256
3a60704218d0596690017a34e7dc068cdbdcb62ef48937d26188185fad53360b

SHA512
9256c29395e51fbbfa7d7c821c903beff5b3f59da6a779dc22be67ce2d8fa53b023d1e51315cb82bdc0811e9c034f18f9090e308980a2bb9a5b2dd3aa2bb8349

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\lajpfmegkhfmgfifachlliilnjdffcng.crx

Filesize
37KB

MD5
cca7a42181f832e81a3b4294933c4659

SHA1
9d2a3d1f45dc1db689aaeb08ee4adda477a934ec

SHA256
cd73065baa67f5f9b1ba97552d063e7612b6128bfd12e183b05eaa1e3e55fd3c

SHA512
37a0667751b55cef27ec82c3933a5c90e2c9ec4952d0ef6d1113c991b9da3569568ed5c8ec04e1310113667f8354a639b81ce4616dd1885f00f5350a1d29a87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8324.tmp\settings.ini

Filesize
599B

MD5
885635033a9ab3ed16208ef869443102

SHA1
04358b8ff2251ff1d546a4d0f24431b96cdabba2

SHA256
d8a377b78850ed6adcbd34fee37d65a2478e2c543d188af7974d58809d2a8afd

SHA512
1ac3f842008b0efb7a58b3fa31216933ff575ec9458d0d523db661a1b809bc327bb9c93351c9a326cd0da12540744241ba3b0afc6e399200613a9eb37b25accd

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8324.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads