85429b5d110d28f85e68cc528912f214716dc5eb93b13feb6badbe88df508f49

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 14:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe
Size

315KB
MD5

bec1b5a210929d6be080107984f25d79
SHA1

7081f5479d0a5fa288740dcb26e4dfa4d6905063
SHA256

85429b5d110d28f85e68cc528912f214716dc5eb93b13feb6badbe88df508f49
SHA512

19090559bd9494fea3302fa0966d3e44b6579b4e01996d424074f249bf89f7512ae49da35da5c6c61a3662804b4112b9ae51b3a2dd74ce914989923cdc7881af
SSDEEP

6144:91OgDPdkBAFZWjadD4sTw1xfu9gpOLM6ihqmEwDZ65w79rCPsBEgYG43:91OgLdawwHfu9gELM6ihqmEwYK79r2Qc

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2420	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2028	bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe
2420	setup.exe
2420	setup.exe
2420	setup.exe
2420	setup.exe
2420	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F2241521-6052-EB6E-2A78-25220A3CCAC4}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\ = "DownloadnSave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F2241521-6052-EB6E-2A78-25220A3CCAC4}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000018784-30.dat	nsis_installer_1
behavioral1/files/0x0005000000018784-30.dat	nsis_installer_2
behavioral1/files/0x000500000001942a-99.dat	nsis_installer_1
behavioral1/files/0x000500000001942a-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\ = "DownloadnSave Class"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{F2241521-6052-EB6E-2A78-25220A3CCAC4}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{F2241521-6052-EB6E-2A78-25220A3CCAC4}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2420	2028	bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2420	2028	bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2420	2028	bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2420	2028	bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2420	2028	bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2420	2028	bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2420	2028	bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe	28

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{F2241521-6052-EB6E-2A78-25220A3CCAC4} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe

C:\Users\Admin\AppData\Local\Temp\bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bec1b5a210929d6be080107984f25d79_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadnSave\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
2466511e511c25d1faf01999dee37204

SHA1
80343ea359ea587f823fb17a726be5a9f0c879d4

SHA256
7d42cb5b05980288fd527f64b2ac6473bb05ebbf06bade19503ed40405b915ff

SHA512
7a953c0a754f9d266100e5413b5addd7a890e51bd1080d980079dd4119e642e367f470a812afc22c59f63ebf71efe9bd8dad10f992c7fcff91f73189908cb2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
4dd6bd34ee0de3ad16ed411b2a3059bc

SHA1
769ac7998d19f1850f7b53d559b8ce50373ba33d

SHA256
90cc0f6d181ac13ae9e0af432a72cabf24b61e5536eede153c5c79fae9ffc510

SHA512
4a762ce64a43eb342b8e8b7543aae2162086a08f5473c385349d4a3ad41f1783dca86bfc39876469f0f316f192202aa87ab9fbfb62066b388be2451907bed69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
9694656d7c759c005973b39283decff6

SHA1
c3ba169243c5e53c5ec719679bc409c5c110ad3d

SHA256
e46492c9198d924e3be0b389199c852f487153a4e907b4d219fdcc346c600153

SHA512
8bdf472384a5c9463ebad04523c2116bb0c1085948923f86c5ace56537d53f5fe787236f3032bb9d72e8aa58233621005ee407b37b75ff46d4ca9371b8babc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
2f7278e60fba9fe89568693d0f546e38

SHA1
ea1976fc52f5bac4d8abccb812eb6dc1bd10b007

SHA256
011de2a32ab07c8926a748986e4e01b77eed0055b6c11b4c530d33d8b342abcd

SHA512
0127ae69d1b3ce36e74d314b7d42f67625dd7741ab8984ec7ea79417e58f76d6bcabe203d0316a377fdb516a5d0ff0ee81f65e9138db8f1777dbd2afe4bf6b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
2afc956263202402b958260351955867

SHA1
6ccbd70ce6bee77a2dd3a8c38b6e1941d542989a

SHA256
8715bdba07e236e20e41b218f0569ace0b4135a3e5f68ef0d3f68e4786b66720

SHA512
1d001d24b5bc6fd5eb2119738f95812848e52fa59f729db6197d9218e175f716dd19a59c7b26cdcd72f2f0959bbc1f3c17bab0e9d6d6da6ac82855c039e807e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
0fc56edccd7091c1180005b2c90ba04b

SHA1
2f2ab9393a4088efbdd4570774287c38ff9ec6e8

SHA256
504a3bd5a1ff781fb30ad6c95cc228b9b166ea72df72e1273740a19afd50f104

SHA512
8e708ef8cc1f010b949032ccada40a0466c25010155e1ce9cfca61ed26e7f75db874632869df0d5aa1bc9e41fceb09537f03ffd580f62e7f4ba63470b1963d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
a0d90f0ec784a99076d31fb54a3b059d

SHA1
5d220b134b83e82f2ed6334ec9a50fa68948d4fc

SHA256
250b9d861d26e2c2513b632cd587422a516eb3d65a0d635fecc14bdcb9dbc9b3

SHA512
1f2de19a31e3c100d24594eed8e5569014d8a34da6755d6ddc0efb828e0aa9299c379adc0cecf2e06c414d4a67e208616bb0b05e9c121ecaf421b1b151b0a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\[email protected]\install.rdf

Filesize
683B

MD5
10e1e7ce5c20637fb81244690e637251

SHA1
e199b5b9bd4bde1b5a1b176d30608180cb675e2d

SHA256
a6c973f21b504403a77a0b4669bf1c8e2e5378425eae4df5b92f0046e03ccb2b

SHA512
998fde736852d6c43152711d837ae7ec034609d64ed724e28cd1a4457909650f96e5bc61e8b3a68e332e6e1408f5982508d8ed409e3caceb56814085351617b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\background.html

Filesize
5KB

MD5
aeeb2f8aafb8fd92e3f0cf03117fee59

SHA1
af665ddce5d9168124ff7261ba05c64a5e651b14

SHA256
2627b0564f0620e8b01fed2b5cc11b8d9f850ddfd03b69de0920fca2b64dff47

SHA512
acbec81dd6ba959459175ff40632af1cc5b9e041e116d60cee96dd2cfeabe2fc225f1ca79b1df47f2e626243a84df6300544579584c0abda559b611a8ebaa70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\content.js

Filesize
387B

MD5
4c087f4a404d0c5d434a4024fc36646b

SHA1
2c3ca7f19f0544035115220c209a2a7b6ea88ece

SHA256
a44bcebfd536dea43bf2c23823d38e7b81990ed34817e8823194f45689d8ce3b

SHA512
9f7d75e4c987005b0fba362d41039a227d1615b400639b132dfb451ba1f43eac0d5940211664abca9b41c9bf2f3944f3c51628ede85f68346199df89d9778c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\lcnlncoedjbllhcahedkglimifnkccef.crx

Filesize
37KB

MD5
f1307a8d3fa211966713e27ef22f0fdb

SHA1
50c540b3ee3f9dfb8fde74fdc23dab3d1198f212

SHA256
ebfe94540ad5b6eac67088ed3451c18dcc82314a2923e1a3ef1bac01a6b21ee8

SHA512
32c7dbd9a2a3b0fcaf1d095e7d8293b83c19212f877c7acf890738bdeee63fa969d6b6bd6ed63c4fdc22bd07c708f2663e3cb75f18c66b3e26c507afbf09e0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8343.tmp\settings.ini

Filesize
618B

MD5
dc67b3634786b0ecf21c2d3439a29eb8

SHA1
144f93e64ada2b0eb9999b2c91d10a7c359bcb26

SHA256
b702e47e54abac670a7b4e6d6350c953af6ea9c80636c3fe59fe14e288fb9e22

SHA512
8370cd7a7e9b732663d2412fbff4b0671a4280d0a8110bc493f5a6f622816c256e2790230e85bf20b82c7963848783097343c2f0fadbc05f17ebec62a2f9389c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8343.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads