6ba8ce815b5ba3d98cdc4aa5eb85e86ac410dbdef54a02c469f2b5fa73735811

Analysis

max time kernel
132s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b3557bfe0970dd90bc20a5d93a999d_JaffaCakes118.exe
Size

315KB
MD5

a1b3557bfe0970dd90bc20a5d93a999d
SHA1

7dc85dad3afcb17eed612b266716c6cce36e5227
SHA256

6ba8ce815b5ba3d98cdc4aa5eb85e86ac410dbdef54a02c469f2b5fa73735811
SHA512

d3c7a63ecd056a3cce65af6e096f9f48173750640cdf36ef2bbb401b18caef4070e170090b986b619e76dfd137315984b11b1156b342bd7d3a931bc1e440d09a
SSDEEP

6144:91OgDPdkBAFZWjadD4sPBRg9ESOHQjz9Q3zqRCfWERmKLZtH2m:91OgLdaSRqOZOMfWERbLl

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4660	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
4660	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74CD1F8E-5D52-018B-904B-F3F89183FE21}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74CD1F8E-5D52-018B-904B-F3F89183FE21}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\ = "Codecv"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\NoExplorer = "1"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1b3557bfe0970dd90bc20a5d93a999d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234de-31.dat	nsis_installer_1
behavioral2/files/0x00070000000234de-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234f8-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234f8-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{74CD1F8E-5D52-018B-904B-F3F89183FE21}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Codecv"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Codecv"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\InprocServer32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Codecv"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{74CD1F8E-5D52-018B-904B-F3F89183FE21}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\ = "Codecv Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 4660	2344	a1b3557bfe0970dd90bc20a5d93a999d_JaffaCakes118.exe	85
PID 2344 wrote to memory of 4660	2344	a1b3557bfe0970dd90bc20a5d93a999d_JaffaCakes118.exe	85
PID 2344 wrote to memory of 4660	2344	a1b3557bfe0970dd90bc20a5d93a999d_JaffaCakes118.exe	85

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{74CD1F8E-5D52-018B-904B-F3F89183FE21} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\a1b3557bfe0970dd90bc20a5d93a999d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1b3557bfe0970dd90bc20a5d93a999d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Codecv\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
d0f8ec48f28ced7b95e1d1ec9517e702

SHA1
9acb2963d8514df3b291c1c13a8abebde72c1663

SHA256
558205409237acdbe11fef8fd34a6db27c9576c977b0f49e8912cc9f42f7e82d

SHA512
5d0c0dfe6dac6905078c92943cc640986c6aef0db010a5924d446ed2a18f88e8ed6f1d10eacd0fb20a8e02895695de54b24cf6642f0ac53349fa88f7628e96ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
ec928c642542062183079ecec6762455

SHA1
04cfa1e1d832187e228f648bfde7d56f09da1b78

SHA256
92615d56eccd3fa6f3f403c326492d37bb340b6b4ccf8098c0c4c26fff78d39c

SHA512
fa13cb245e8b154e3c82e1a029d3d8ace321b0a9064825cf4c1b2c4d4d8f51d65d297298c35fd47c411dc45df64c1e6541e9eb93641ef6c2cfb6aedff93ee9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
7a8d4dc9a8a1107c6908085716c931f7

SHA1
26d7e2eb3a97d05cc809042afb02d6cbb42b5559

SHA256
dbaf12e8c02434dcd103ae8845e3c1271bda4a648cee76406bb5961f7d769504

SHA512
aa56ae8ae2f7a0703cf971d92652a8d674a4e1136b5f85fa4ce5d1837ac9efe95a8c6cd79b2597288cc14c249a2fcbcbcf183285e2879825f6dbf2c6ac398cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
eaa168da185d40d1df89632fcbb13fd2

SHA1
d8ec0f95fd9dbcb90759f624014fe0b69684baac

SHA256
d83b8942aa15570723fb5b6e8fa39e37a506e09942aafce52750fc1cb9e6452e

SHA512
e27ccab21681c64b86e693b43a4922edf0dfde474b51dd8210eeeb2db7099812019b47e6b2105fca597d7cd1064c1bced7a60f97030acd68d4e4d69566180c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
d4b5b64fb991e1e9d53e305658199d21

SHA1
416d60d110d5f4f6c6f828d985b3f16adfc14902

SHA256
907422c19922a7c98e332a8efb8d572298439302016d29007749248da16924e7

SHA512
cb191560aa2a212bdeec8d4d16968bf7a09136097706ec5d643ab642ead1ecd1ae854a37dc62299b3e5cc9daffeb5c608a4eb8e797c5c55b46b0b362a80ffc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
c0bccbdc86b799fc0c81ee5635f6a41f

SHA1
3e56236cc68ccd1eccad3ffebfa2b1bd8f923ce6

SHA256
77747544c8f483c761c17ebfb006eea6c16ee40b00d09a242bd4ea274f3fef8d

SHA512
cb9c2065648eb147eda5470622e6e6a0e4d0e5f1ed46969936c726172cc1d5959833dc075473ad4480f3603ae7447f28696c58dd74b712c856e89974d1b5515b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
e570f507211b0e812880201ce3ade7ea

SHA1
5664ce4d0c793d0a8a06fd76137c8a794c527bba

SHA256
72d6ed0e83b1cdfdb0cbee2fbe8f18528c3db2ed3c763e91e0d7ee6b50e43eb2

SHA512
30b489179119cc97e57caad032c87e3283a01f9a893751c7f85dd4b9110cba396f7039d34145f019647a8574f060fc36c63fe64c1ab151cbb650927c25ca320c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\[email protected]\install.rdf

Filesize
676B

MD5
d36f8ea5aa22e4c35afb0deb154036c1

SHA1
48c09af664a921663bb8f3bb48f6453973cc884c

SHA256
22471d108689b14084d99878f77e7412985a734de14c1c169778d88c243b1c17

SHA512
1388d9e8cc3cf455fc36d0e3ad05d0337831be13ee418fadb184ff898acd26bca0d8abc606065f01bd0a4160a73458026fbe9b2d846765ca2f1c0aa8fc1896dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\background.html

Filesize
5KB

MD5
8b9ece6229429081b6a66bd25c040e24

SHA1
c3dbfb16a1c812b4b4aebb8f9f978561b9dd17ca

SHA256
66afaf6bb66a319ab24a6d3806cd103ed6abadecf7da064249318a9e5a92baf1

SHA512
735fa299bfe25b743844c8e3bb8804718a495633dca8b809caa3f3ef1715e8065ece3809fc625e9482b1c95986faad782a2318d02e7e6aaf6d24fe8dbcd4a134

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\content.js

Filesize
734B

MD5
b1967331e10316faf847727971da30f1

SHA1
efa452122a382ed5cacbf090f967f20ce89429e2

SHA256
b69942f6ef5f000fb282869f559c9cfb42a7374a91a0924b2ac8cf9a0c3c9190

SHA512
7e202c2bcd6a2e4c618f8137bd86e2cc72f99e3b6b0188e100ec592db4c1f9ee1264d6dd4667a0abfa0b7a5bfc2e65373c8574bb39572db4fa53df3bac9740e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\mfhhlimidmblfgfmkibjjcddeilnajnb.crx

Filesize
37KB

MD5
b8008481bfe845b9cbedc2f679cfa960

SHA1
a05b05401c3a36f230ab8c2bc043d3bb283926a8

SHA256
40ba82833e7bd088fd904302058d98269ad02a4c7f4af2c7683276f504e05531

SHA512
65d9ff97eacafc58b671cc7509f462df4ec70b15d063e5944652dc2619a8f00be92c8a9d19cce8451cef00262c54ca21ad9e39740c2001acf4657562ee12ae74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\settings.ini

Filesize
603B

MD5
c1f13c1f36bd79d46100c3e3575f8254

SHA1
1450dffa7a6e7cfb11008d81cda1830131884e60

SHA256
46bbe95a64c627e17664cefe6a6217ac06045cab88bd6e91c4d2101cf3a48da0

SHA512
0be622cd1a6d91d9aac9edf406b34b0330093c82105053f2ce466e6f9a03fc5a631eace685fc1c1cdd94e9f787079ca101c838cdacbf4efebdb47fbfccb93071

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8637.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads