14094ab383f9452ee0bf5a18d6bcfb1fbc3ec2fe4c4cc77278f7ea91bf32a96b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 06:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe
Size

281KB
MD5

8d9c7570458efa425587adb8e118675f
SHA1

6e38bfff3f0b895a767b1006b1a324b478f81935
SHA256

14094ab383f9452ee0bf5a18d6bcfb1fbc3ec2fe4c4cc77278f7ea91bf32a96b
SHA512

fc09a6b471234eeaaf196c0d1d127a04655f9b7ebfdf8e92baaadbc852c1a0c04d2cf496141578356694b52ecc8256c87f4cad7bb37b3093f2bd8e8b5a40d68f
SSDEEP

6144:91OgDPdkBAFZWjadD4sYBUKnfX8EnMbjLlSbumnWKV2LUtrE:91OgLdaDPnM3LliZ12oZE

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2940	8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe
1724	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{68AD59E6-E4B4-615E-790F-2C413F373965}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{68AD59E6-E4B4-615E-790F-2C413F373965}\ = "DownloadnSave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{68AD59E6-E4B4-615E-790F-2C413F373965}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{68AD59E6-E4B4-615E-790F-2C413F373965}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x00050000000194f7-30.dat	nsis_installer_1
behavioral1/files/0x00050000000194f7-30.dat	nsis_installer_2
behavioral1/files/0x000500000001971e-99.dat	nsis_installer_1
behavioral1/files/0x000500000001971e-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\ = "DownloadnSave Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{68AD59E6-E4B4-615E-790F-2C413F373965}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{68AD59E6-E4B4-615E-790F-2C413F373965}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1724	2940	8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1724	2940	8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1724	2940	8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1724	2940	8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1724	2940	8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1724	2940	8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe	31
PID 2940 wrote to memory of 1724	2940	8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{68AD59E6-E4B4-615E-790F-2C413F373965} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d9c7570458efa425587adb8e118675f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadnSave\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
04f5020d2cedec43dfe5795a9c25d4fc

SHA1
3ba26234e9fb4fc8e405041a2e6358c17568a352

SHA256
a2a4edd9991e75402adb6e8c55a01a1ad2002220a8a682ff4c69548f5cb71677

SHA512
a71fd5654ac87ad0051b06312742d6f25444645c99cc56307b7c13cb306eba1d3eff890a72c4c0c448f6fe4d4f7fd050b7bb0fd72f1345aeaeb715a9a4569fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
fb63b6c657bb0b4df34bd908b0bb98c7

SHA1
7a1f42a44b8cbcd2d0da38cbf33124213da49b33

SHA256
9bb6333081079b8a13cb19aa48303b224e9839b2f40a18c3860dfe03e3d0db70

SHA512
bdfd3f19025172969ff289d25a26af6ab154298e9ce62c1384f4f22efa651614b428e1668ef19e63b4a1db70be2bff85930398f4185da5a764d5899b3c7fbc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
ec554bda43e850662e1dea91c4247e77

SHA1
4d63cb3bbc732768b8598621698cdb7a77849474

SHA256
f7202d25d12a514ef1c298c0bea13b5acd6d1087124c88a1d13bbf02ec70da27

SHA512
0f13a3abf6cda8ed0d695f986b28bd5c76f6d9413ae2d904cca8520b31e28a48895e2101621e611f2daa2aa8acbceafcea6cf3c50415d44104ae60e919e76b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
82e6ba1fc357eb044c3d8ec124f64de3

SHA1
3883af0ef9c7806a5dfd43a3f8f9fe68d6264f65

SHA256
38bb780e9e01650586bc8ea42325d1b7b5ff2424cd85a1a0a9906ca86066d165

SHA512
4bb1e22291250762bf0d3c16ad78d3a866187940c479ca3c0083ccaa7874a93a3e99a2cadeec8fbcfc871fb8a628d8eeec619f45c676d2366bbabcb8f30f769a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
0b30efaa7a959526d000da44a9bcbf4f

SHA1
57c13f6f2e97bbf5e255a07e15a2c3b2d81a04e6

SHA256
5d653aa721827b81345b949b0a0d45e183a6acf6ee7697a113d5c2fbdbb08d6f

SHA512
960d9fb5eac848c4faeefedb3ae50ef843eb083763fe80341d1f4161a050d99dfe8dc6c5a3ad9c958cf8d931b5d72e0073fc25ec6d51117e66bdc39e36f7bdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
f5c718b0c36c9aefc5cda4da10243eda

SHA1
d7990d67942f956bd8656d70caced33283675ce9

SHA256
8ecb6853e507b50f8031d8ec48ff1c4f5dca7508483c15a794832ce7d597339d

SHA512
22509741da1b629ce5cfbbd34c31a6cb2c018b4c714e9762e09a797ebccc7d01dfc6e492b5c28625defe07bb2e21a1bc8ba36dc4217da2b858c88ea94824c1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
7d0fe8949f0463045aae323bb73170ba

SHA1
82213ab70a3cf7a6f5b9f87cd48fb27ac7d9d0d7

SHA256
3b0a05cc6dcedb43bd0e5164407df6202cc1074309a2221d3b58bdaa553e54f5

SHA512
3f1bedfb609a1920754630d312ed55d84d29a930f63d7d9b543f950f3d3beae5ba5aabc697708a787949391ff88b23e86dc51031236bd80ce9e82f2dcd1a9f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\[email protected]\install.rdf

Filesize
683B

MD5
fc9b1fa902c58e984f6fcf89da559476

SHA1
82a896e32694fe0d5d6abd0ab517f19f82a7a3f7

SHA256
a984c22bdfb565f635402a4b4cecf01a60eaca50c996e94e6e8d560790d7f351

SHA512
81c13a92e5b0226bca3bc9eafae6af1fcdbedde6657d7fe55a417b45fe7fdd636c2ab361c309e8027e4ff4d59b26776ec67cd62a210a44dff9fe8b10f6a89aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\background.html

Filesize
5KB

MD5
a7440ace40bed7c2512250539caf40c1

SHA1
8e956f0310eb6a65303e2e2c0f49f7febe88e2c1

SHA256
2881cecd02ab4b38c0abd6abe930e90035959de31c10993c44c79ea6abf8f547

SHA512
713cbfd241380d331c1002d56121cea7f27205393e751078a5bbcf9d5806d4c5c365118236378c194aff3066068f6d397379796c9b874078cae3a61dcd381147

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\content.js

Filesize
387B

MD5
16fd8925a166e057942e972a53e356c9

SHA1
d966509b7f4cfbef34b9e51e9a468a09fe20c658

SHA256
69f963d260002368cce0e40d1f17f9e964745458281ce19fe92667c43305d720

SHA512
d59942f007129259727f0abefd80233e08820ec4d289b7b757cee9370d93cf8ca1f1900d00aa089b36da1ef17c9764807b1c2e6d685f9dbf605d127df7c6bf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\pahpdkdafcgmmhecfejdcjojmmiecngn.crx

Filesize
3KB

MD5
7b0252acd663100ebade8354fa15e722

SHA1
2f70300b75e6d0dee91d146ff21292e24393e7b5

SHA256
9cad780509df2832b92d45f1ade948678332d4e1e97a934df53c8932ac94cdeb

SHA512
b68ce341ca1c03e3186ce743408ab913d5c3194ef71d202911ed50bf598a4e6586f969b7801839c2d0159b6293e2b78ec2e7073273c23a5d8003e9cbbc0b5c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\settings.ini

Filesize
675B

MD5
d6867c01263b76954fd9ee7eda25be0d

SHA1
89430a298aef35715d3723d44dd51dff866ab014

SHA256
fbd45b37a001e4d4311469e330c1e63dd5be906027e5bc426a5e0bc8c669b339

SHA512
63474048859a1f9c8644b52bf63dd9fe5bdd566b613c72953b534aa22e646f07f0d8a076720936d6f94e6b07ffd7c9571d9cbe0a880be668800d174fef9169e6

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE9B3.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads