18fef23fcca6daa71aa80b5c0eb61ac2d29a943cdb0c6dddd5742c3591da2216

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe
Size

315KB
MD5

b5d44ecf58e8f7a275bd41fcf48ca13d
SHA1

bb2192d4953af68e5a8695d45cda0eb587d4431c
SHA256

18fef23fcca6daa71aa80b5c0eb61ac2d29a943cdb0c6dddd5742c3591da2216
SHA512

937cf572652471a7dd8ffc072b08b23e6589dc4c96636003bfb1f735c3b9458bb1e0939629907d1c8c424264ed21514ba655e1aebe2eba08049982e673122141
SSDEEP

6144:91OgDPdkBAFZWjadD4sdty/Jz04RyyyxznUvj9+QRY10HiTGKfb2bh3Q:91OgLdahB1Y9n4+QRYuHAGKfbcg

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2784	b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe
2904	setup.exe
2904	setup.exe
2904	setup.exe
2904	setup.exe
2904	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a40f-30.dat	nsis_installer_1
behavioral1/files/0x000500000001a40f-30.dat	nsis_installer_2
behavioral1/files/0x000500000001a4f7-99.dat	nsis_installer_1
behavioral1/files/0x000500000001a4f7-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\ = "wxDfast Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{A00A2EC4-19EE-E83E-F643-BB0B1194214E}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{A00A2EC4-19EE-E83E-F643-BB0B1194214E}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2904	2784	b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2904	2784	b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2904	2784	b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2904	2784	b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2904	2784	b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2904	2784	b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2904	2784	b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A00A2EC4-19EE-E83E-F643-BB0B1194214E} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5d44ecf58e8f7a275bd41fcf48ca13d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
1a0a0a3a530b6ce4cc72bed413e78194

SHA1
93d9a635329968a070a0b86e8d1fa0f993607b58

SHA256
774c09481ab955c52658a1176598ca4d3039f4de36cabf3d23ff1e3b2d6260a3

SHA512
3a20fca7a8fd19cc6a540f650f765cf5b9779ab58dd5f95150b1fdbd059f05522d0b35bda4830b35d4b0458db97e21ddc107e5d19561417ea4fda78f693d9bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
61d211c1f2383183898d21352a42ced0

SHA1
bddd83433cb27a02d6cd6c7dac6cc82c499ec7a7

SHA256
26d9f537a9088672855fedf7d5b375b2f175bee01343b70bf033ce8cd7eb53ac

SHA512
f593ba32a431a0d70717897e7694798322afca99eadf6ac2c5e97e1c71659935503c1c9e31770374528de0745aa7a2d1c012dacb1f8d8cf541443823f6d414b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
9ecc906e5ca631398c3d1ee1d2829c12

SHA1
c088788d388a3ee9b89781e058d3d5038d5c72e5

SHA256
8fdb5bf5d9979deecf6fb2f9d8f9ef6e005367c3b750fffe622ecccc4da1e802

SHA512
9b13ebdbb2aa030d7d3a4c435e8edeb421b089def193a341c7a7d9c53d4048d5109af9ea60f27b81b9fc394d899930f70b6d1c6e8bfe0987615cff202fb639e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
87561d9f40f8fb0540a86efaa0f7dbba

SHA1
a8768b72f23ad666e1102ac581f583753ffaecce

SHA256
bff5b654528b49e37820e2468f69e6f617dcaece49ff3aaeb551aabe232a689c

SHA512
2f98f3b5dfba249b6a3e4ebd97c57afd5b8cd34afd62e8c972223f60c28d43119ff05462ab03f3ccce09ce53c9998688fe7b84dfa312565707aecfe0bb80d0a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
77a350a1c0dc216638e0400efd644754

SHA1
61f3012799116cd6de9b7766bf6900c70a29ab59

SHA256
5ed493bd690eb4a04ff80e48df8448589f85f999de82a5be357931d4993cea85

SHA512
ddfa713e02c08ec63a42873828aa99b77b82dabd5edcf10122e0143e1d3450688df847256b8b4e383b21dfbdf7fc5172db8ea8e9b8ac295301d1aea405f97559

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
ca1f6fa0e2ac3fba5a44454a0a52f941

SHA1
97f4486e44ad607fb6662627ed13a1098d911d12

SHA256
208b229524df7a3d94fa7790131921b7ca13ee001929f15813d4db73911ffb79

SHA512
701d29cd149bdb5d8c8c2d3a2d2dfb9a908a4fff2128fdb88fb513975905df3e87d61f6373346e2518071ae9eccbc7e3b732ab4e66e6d9bc1d5af234feedbc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
a5291e57e22b023e8e4af5f97cbc4b80

SHA1
8094b8b219618a854746b1aac0ddd693ab5c03ad

SHA256
2f6406ac8d0fcdf118d21f5a332d06291b24069b135d1ed1fe2239ea7261d648

SHA512
972b8a49c7e0fbafd59d6e1013fd4bf22b61557e04a14c1dc786c5bdc73a2a912eab6ea31949d4d413df7ebe1c70c8d5e40b5451707b5a263acdeb0b36caf0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\[email protected]\install.rdf

Filesize
677B

MD5
959217f3042a68cf838437d8737465d5

SHA1
c28721a249daf287d7ec85dee9186da14e526471

SHA256
6af2fd0943bf0252acf88b7d5308d45bf93220e6e37dd972af14dc3beb6d885b

SHA512
59da7f898867179ea01a642639aabd7e70567451ca8f6156ae082145ad4fdc889f80c33ac71a64f4579aa5abf55ee7e30ea0de5310b4c92a8b1d6880946f2695

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\background.html

Filesize
5KB

MD5
869ffb3b285042ae29ba74efd3dacbe2

SHA1
0ec4abcb957add6da55cacb51a835c8f21780456

SHA256
6ae4e0a1ee1b785a45fd67e45344382f1d681d9b6714b2b7bc2c43a9c702bc3c

SHA512
a4904478bdab709a0599db9eaa9328cfbca7b8c5379410c301d17798a8b5033aabfa35555c4c9b32cee66ca67c1c8d9203e9bd8b6d228c8e348be34622e68760

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\content.js

Filesize
387B

MD5
e737bcaabc599939d3d8604508c00b34

SHA1
bbad07ce8d4e5648042a81a0799bd0b8689bae80

SHA256
a3591d1e3f052a76025bb9063559478ae1bc308a33fc1a62cf89f229b9ebc4f3

SHA512
4488c2771a80351f8889f240d6749ac99682f5d72afc8d0793fc8acec3dc6e34022fa8346cb555f584e4d48f4123b87bfb25f907546a4678602ceac785fdfdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\nlagholpbcinjlaidgeidmamnlmjphoo.crx

Filesize
37KB

MD5
673b0362ffcd22001e988bad59bccabc

SHA1
7e81140b4e8150bdaf50cee616ea33759f7ed54a

SHA256
2f0d5c6128a6cc22f678e14d5f3472efa52fb024c2c8e37f6d274804299b46a1

SHA512
cd3f9c930562564285648d474a3a104dcb2e48636dd675a9b0fa23ef5a5c4075c88ff8ecc61e373792b7ba8f012a47d48da90fd5cec40e544b5ebb773549d03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\settings.ini

Filesize
656B

MD5
fa2f662636e9e99843ebeb5dddd6c7a8

SHA1
90417b40a5575bda8442335433978f557acd8bb1

SHA256
1d95b68cc039afeb33e0feb62516b97c31b0c82052c39a3ebc422749ef15c535

SHA512
a991a8f0e41521e8684a8a8b5eb77f3c6ff6d491aaf5fe0fe0573c6457e444369eae4ad105e6476d113aadc2bf44f1073ef91a94d03f5513a0c2e4149dc2c690

Download Submit
\Users\Admin\AppData\Local\Temp\7zS27EB.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads