1282fac10c6b1fbc0776fa8526960e5cf4e4707e36b2d4147407195f47566f5d

Analysis

max time kernel
133s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5c87f5fa0437ee2ba4ceacf1e81a562_JaffaCakes118.exe
Size

315KB
MD5

a5c87f5fa0437ee2ba4ceacf1e81a562
SHA1

92a516edf1b1068df6f34a6fbd33f4bd460463dc
SHA256

1282fac10c6b1fbc0776fa8526960e5cf4e4707e36b2d4147407195f47566f5d
SHA512

da373646049ca875b13c9e1e84a1dcd59391529e4bd46bf3f6e6f718cce9ee38a99332f32ac37f997d184deed5c2523cdb335c88762f3f9a068ce8e2af01e596
SSDEEP

6144:91OgDPdkBAFZWjadD4sdOat8ob20n4brI+Jxhj6zbrPf+4hjM:91OgLda2tzV4brI+DGbrfFq

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3256	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
3256	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F62DC9-254D-DD96-7630-4DD0AC005F67}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\ = "DownloadnSave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F62DC9-254D-DD96-7630-4DD0AC005F67}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5c87f5fa0437ee2ba4ceacf1e81a562_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234de-31.dat	nsis_installer_1
behavioral2/files/0x00070000000234de-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234f8-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234f8-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{30F62DC9-254D-DD96-7630-4DD0AC005F67}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{30F62DC9-254D-DD96-7630-4DD0AC005F67}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\ = "DownloadnSave Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 3256	2932	a5c87f5fa0437ee2ba4ceacf1e81a562_JaffaCakes118.exe	85
PID 2932 wrote to memory of 3256	2932	a5c87f5fa0437ee2ba4ceacf1e81a562_JaffaCakes118.exe	85
PID 2932 wrote to memory of 3256	2932	a5c87f5fa0437ee2ba4ceacf1e81a562_JaffaCakes118.exe	85

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{30F62DC9-254D-DD96-7630-4DD0AC005F67} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\a5c87f5fa0437ee2ba4ceacf1e81a562_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5c87f5fa0437ee2ba4ceacf1e81a562_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadnSave\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
c0b1631b8cf12ce2438a72ee1c9568e6

SHA1
7ffbbe04c882a36b58e7b19e39cdb80920fc126a

SHA256
ef07863d6496f11e1c38fd4adf7c8d75c333f8e1abedbbbac988e42dc2f7930a

SHA512
50a822c04ca82df1832305f2bc2ba5ad6e296f3262d5bff8e6c9d91f2b6d27dc395256747b4d96720d5cf38ead130b694f67ac5b4e4c2407a14fc09c1388539b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
488c63016147fbe8948f3bee838b3bbc

SHA1
e5824bdb2664d1ac3d96a27be37cd3e265225420

SHA256
95bf259b1a974e7d59bce29ef411c4eee69e3235c2fcc2fb771edd3c8411eea8

SHA512
51a598eef442abee6a2692c28eb1ae403b89d9aca8456cbe53dcdb00bce2d0178286ed6df2c22fe656aae3b654ece99a64aee8ea18427cbfa190d2280dfac5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
ae69c4d4ff2e4691a56c701dd2966237

SHA1
be53c027edd6e8d0145c8d960b4dabc6c6029076

SHA256
ae825d02c6a15692f539d7ff8ff32df0da09c54fb7a86f8b5b29f8819c8e3d50

SHA512
8eeb0370a11592bcafd9f9f721b8115f60bc2e997b7446f708e077c635f8cd075a66ce3b8963cea26fc73e8844874d04a2d7b15c8368226a9097c1b3b4e9510f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
76634437352f05c2a902ff42480a1ffb

SHA1
aa4b21398e2acc8de6f2c338544f3d15b73a69fe

SHA256
0eff4ee2d74bb51bb17f26fdc7dcbbe074dbff4ff1ad8fd96518192011221292

SHA512
58116daa2b93ad820eabc5b2d536981e87352c22a21acfc5b38b47c0c85ae0dfaf7b542f261d9c10a9fc679b479f74d054d50dc2c1e74437f76f65322c785e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
2004d78f12c5b31129aa9894cf9fc161

SHA1
2ea898434640fb2e2b1f7a8aeb470b5607bf29b9

SHA256
2c2bf0f4c058cfe1ef1bc2d4b6d729d0e47808023a6bff0ef772139d441e4a0d

SHA512
4a537f8c947450de4ca4ae4610c10e257a5a909cd5870a4b461e40edf3f4843ac00cc5a513e250e7cc381492f630df41181e7703c8266fe8525683dd0456987c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
47c51b4fb3b0acdf1f222fb6afa39f4f

SHA1
c36db6c13d098ae9b260fc08c75de6ffc09a4233

SHA256
d5559f7d015e53c543efaa68a098504ca3ff67e452c7763616510428c764c7ac

SHA512
0d21e2d23de209db9d01d9f0bd1f4edf1a51125c197d243ce04e898cba130c2a80aebbdbb629dbd6eec9e4fcd3966fc346f05911817b513d5934aa34798c907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
31fcf0c709dbe894aacd0b8784b2002d

SHA1
3957533f7598ed7445bd56e933545e3f71a6cec1

SHA256
25ef9444627dd282c7b673e0ad268459314d197718c51ec869e4e89800bd2814

SHA512
f873f36d924b12f92150b87fd19f96fd5e2ca919494db58a7ae9b8d60a8e7464192f15d64386f741b5c4ecb41416ad68d7e5bb9d83c1c43d6a8aaf0f86b51424

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\[email protected]\install.rdf

Filesize
683B

MD5
7a50d7cc1318fb405ecf344716632450

SHA1
a53d17a0def176a5e83701765c862613221310a3

SHA256
146aed9a6cca75e0d1d68d9a4fdf8e080a0352b12895210a43279095be55b871

SHA512
d0f0cad294b0d8753a4c873160a98ea6519c888244c41998a55a71d0f194879a9855ba3a90590786ee705ead07c9d4308e49b04a83c30e3245e08efd5c25ccc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\background.html

Filesize
5KB

MD5
720108acc92527f7d0c585837ca1375c

SHA1
65630fce42b5f53455d8ef9f40c42bcb58e6b851

SHA256
8bc5849d7115373e7104cf8690901f53e433fa6527210b549125ba73581bb86c

SHA512
020b6bf28d44d83e00bd009aa405d8165ddd4c44c3622bd09731efe324dc20566f51c71b0a0ebdfe8b321005a383d4c7ef48fd4cfc687f07f63d0032c34cc711

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\content.js

Filesize
387B

MD5
c464f09229c382d46ff74bd3557010cb

SHA1
37da529e0d31ffcc040a6808ca32485157629af2

SHA256
c7b25fd34c33c0f65bf0f339f57b2e496a2c00fd6c19b833ea6181549129a8d6

SHA512
2631f2690b3f044ca182f212fadd64df5ae3039cd65dd0f60b7f73c109ca7c6d8f09a72d6c0f228fbdf5ee3cb5e7370fa5163022f51d7dc905692295b3a6ccc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\fbeaoddmbdgoeaojpondpkbkppamcplg.crx

Filesize
37KB

MD5
af2c024b824a1989a9b59afd2b616890

SHA1
6147dd8327c735d3a05685ef3bed6cae4e2ca285

SHA256
b980252e2e5d66b7b8adc19f8f91074ff25f4886b0fdd861cb3a465d021ce031

SHA512
1a6e202decd943bc0779bff672c0580680f29c7976c3f0c728d3e84df2d9dfdf61923b5ab3cf77c26b7fcc5395fd598e5c214c984605cb55155775bf8ee96a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\settings.ini

Filesize
618B

MD5
1ca0a4d6734c066211f498b6f50c4de6

SHA1
35fe6fd335761c3527ef375a846678d47db7d8bf

SHA256
acbaf9e2931a593485a3392f8a6635ba3e94215d90f2d03bf40b50527ef1f042

SHA512
addd1a527c85ca0330ee6db23647d78ccba6a0e052180a790c2c971668c9a62ccd30eb38ae6ea3eb6f05c8fac26ded94f2babad69027a1d68b68db51251bba3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8628.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads