858aa102451bc135144ce1f5cfa0640d843894db33a9aacb98105df0deae4c3d

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c54233209b1c217325ee2679057083_JaffaCakes118.exe
Size

315KB
MD5

81c54233209b1c217325ee2679057083
SHA1

f5c9569d4050b8ecb6f42e7508401373af4f8855
SHA256

858aa102451bc135144ce1f5cfa0640d843894db33a9aacb98105df0deae4c3d
SHA512

bf1f328e4b4f41acecae065539c3c94abc2ee9b3a733499836027651a7d9eb8e0ac7ee9d0306ce28cb89ec1793c34857df015cbd08129351f2b2928f742e49f0
SSDEEP

6144:91OgDPdkBAFZWjadD4sGMCBlwxQA2U5c5vCUb31oNESRXIk2/nIKukyv5hYpB:91OgLdaNrBlwxQAd5cdbb3wESqXFu3mB

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2148	81c54233209b1c217325ee2679057083_JaffaCakes118.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE9AAC73-E47F-B116-F9FA-2566D889A187}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\ = "DownloadnSave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE9AAC73-E47F-B116-F9FA-2566D889A187}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c54233209b1c217325ee2679057083_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a25c-30.dat	nsis_installer_1
behavioral1/files/0x000500000001a25c-30.dat	nsis_installer_2
behavioral1/files/0x000500000001a324-99.dat	nsis_installer_1
behavioral1/files/0x000500000001a324-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\ = "DownloadnSave Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{DE9AAC73-E47F-B116-F9FA-2566D889A187}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{DE9AAC73-E47F-B116-F9FA-2566D889A187}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2780	2148	81c54233209b1c217325ee2679057083_JaffaCakes118.exe	29
PID 2148 wrote to memory of 2780	2148	81c54233209b1c217325ee2679057083_JaffaCakes118.exe	29
PID 2148 wrote to memory of 2780	2148	81c54233209b1c217325ee2679057083_JaffaCakes118.exe	29
PID 2148 wrote to memory of 2780	2148	81c54233209b1c217325ee2679057083_JaffaCakes118.exe	29
PID 2148 wrote to memory of 2780	2148	81c54233209b1c217325ee2679057083_JaffaCakes118.exe	29
PID 2148 wrote to memory of 2780	2148	81c54233209b1c217325ee2679057083_JaffaCakes118.exe	29
PID 2148 wrote to memory of 2780	2148	81c54233209b1c217325ee2679057083_JaffaCakes118.exe	29

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DE9AAC73-E47F-B116-F9FA-2566D889A187} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\81c54233209b1c217325ee2679057083_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c54233209b1c217325ee2679057083_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadnSave\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
3abed789ecf8a990133ca7529858f09a

SHA1
1044e0ae80b7038edb85c9fd398c573fe92a78b0

SHA256
288b2873d8b4faaa0cb0af41442150fe99dd4f12342cc32a5431d3bce6e574c5

SHA512
3cb871412ec57205ed30a7d8c58937c6c29cf42c2cf3a19618a37a6bec38ce0aff30ba40e56d0655d5df0ef104d69ce332b7da1f39c2505d2fdc41e76d8e7fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
af8299cd129b5e90ea7ddf8252420638

SHA1
4df9f4a4a874fa0e6a0431edd8431b0ce4a6c2cd

SHA256
ea149647a66af20b357fd2257df2a3e770b4372475d1611d27738b82f7449e6f

SHA512
104a7797d15c0177205f6337d9f0f2b792a68ff727496391b7f8bced0fa934915cc162c12d9d4fe200b7cd0f29d48de5f156241cec836f4f3f5eda5a0195ccfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
6b3c9a9d89500dea33d3a5875e665f06

SHA1
8b59e630f4352ee51d29a13baced156c11c6af50

SHA256
62dd390e64803b32824491f32158e5fd319651ca3161ae14c80400ac69daeec2

SHA512
f7c2d2d85da42a62a431afbfd8d381fa037309b5b84dcea3cc219035b3c71e46befdbfd3cbd52c869976ae7d738cea962e91e75793f7ada97a55e59d510304d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
882f07b983ec0c604c832da35318575b

SHA1
279beebfb8aa99e7c703d350d1a82de2aad9f664

SHA256
d79c3fbf975f24b5ccf168108b8ae2746bfcd0092eb93b462f34ea0e0667046a

SHA512
e632e0046ca30504c8e013277c73d7296a1f89eaa7e07217c455e4217a4dd514ea924961470c0b41f71af661fe05f8341436364bd81aae494759bca18d2dd801

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
644b6e24a77e92062d9d087d551291b5

SHA1
2889d762bcd7a909afa94800973858581ffcda31

SHA256
a8b985e4e9923652c55b07743fad08ea5ebb60d1bf5c9a40ecb4f4d7c76ab07c

SHA512
632c251edb09178b153abaad2f604f3d451d2deda86a691dcaf36627df34c93a00e79a16aa77d85974f640f87dab6b3da5e665fa337416f54dbd0739b671d506

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
ec421ad2cdffc7f8fab5b245b52a78bf

SHA1
96a7bc234a076b912ea847a83e1eff16d48c6dbb

SHA256
caf56176c9066192c08cc1b1a10d9f8ebadde8b56c299f3552a76b392fcd4726

SHA512
edd019c509785458bf72a95de46a3554ff341526300a8933d4b7af21843383b8a8a0fa7e23b8943de36479987b7a6ffcf03f4531c38644f19182b2fb757d4492

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
0117b77c1c969d17c1d8b9f1d2fda2bc

SHA1
f0c81245eb38fd2a0d5dd87d3e3d260048851056

SHA256
8b4f69d27299ff54df82666ad2d1037fa247483bc54e9a5f1494a2a1d86e8b3e

SHA512
ddaf4e6fa2ed52fd76672d4277a020a0d379be8dcea33b24ac7949464efc9733591a8d8ea6f29a89f8b4dd0514f72d0343c04401019bb1f1eabf541899385c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\[email protected]\install.rdf

Filesize
683B

MD5
e58fd1619cc2f18375825b82f5216074

SHA1
b7fd46c3e1568220e923eb815939be1f32a236f8

SHA256
b565081542c93c7c720ba876fa69b8c9f81bb17ab9956d87050fadfb6398a7f5

SHA512
ca5756f86bcd38b7364efa8bc46db164e17abc0fbdd548c93ca0d01224f3f03781743eb22e6a0342f26199cd98502ec6843546ccdf8049d4c5066945f7657cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\background.html

Filesize
5KB

MD5
b9ce2dcac9e4273d27e688163b152a50

SHA1
7519ed800e2efe11838ebf04d5751bb676732f96

SHA256
1983a7a07850436ffcf7b57d0daa38786f00c56721cd3797a6c6cbb37aafbefc

SHA512
718f1df3fcf0a38052cf32706c70a835381b945e0ec6de25d73af905e0df8504ebe9c77cd24e99848fff0db335e72ba896bc0a9717fa3b56324cd205072e1e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\bddhcmbkmddhdkihppbfpmolcimjapna.crx

Filesize
37KB

MD5
17ab8d92848f4a7b2c388c45dfa33ecc

SHA1
bec8dbd8f476af69978de622431eb3598e535340

SHA256
f1b61c40d9434cacea4d47638e46bf93c87dd777f0fc5b9b5b9eb564cc7a362c

SHA512
b3a8e34fb09ece16c9056991ba350cba1de0b9e7e3130c54ba56d174a080d0d910a0c3627ff9532ffc8d2ad06a66161cda51e56895fe661e144940aff175f653

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\content.js

Filesize
385B

MD5
7865595578729e7aeed61188896184e5

SHA1
a33fec2090d70b506d9ddc01e9d24f41a3bdf8a6

SHA256
987b77091195dbc08f59d256f3d04a39767cd197e59ff19f7e1739a14dcc44e8

SHA512
76cf9b364d79af8cd02dc936dab2de4a4411fa8a7b716b99a8dc71673b1d26ca18d56ed42ee8898a44186804e19391e9272cbf14f9400d6477005c07f20dc84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\settings.ini

Filesize
675B

MD5
2e5ea8e9c3bda907e70c24d53b19c8a8

SHA1
14f8de6761fe5a7666d3e256a6a50089d8d927fb

SHA256
58e911051fb6948c065546f0cb6babc5119da5021e49311b97f0817fb7629ad8

SHA512
3f24770097ccf1d36e7b9b608177030557e197c6849467cd934142ebfd16746ff3c966d8656c989f355a0a049c8b42d69e8fa25292c538ed9639a0fd0865d234

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF0E.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads