4c3cd43e25b1b2d7ab0766f5109b2b7b06f1a8e28a1510fa45b08b9947e3ce5a

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 04:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe
Size

313KB
MD5

cea679bfab2371c8632dbf1a7aa34693
SHA1

55b877459f6b11988880234d8112fc93c4bc6121
SHA256

4c3cd43e25b1b2d7ab0766f5109b2b7b06f1a8e28a1510fa45b08b9947e3ce5a
SHA512

60538c090613cf3e8a797c49609a190f49cbc6ab21c4819ddab265392ce2b1e21aa1d55649624f49678417dea89615efe266a0ba97ae45c2bea57bbb3ed259f3
SSDEEP

6144:91OgDPdkBAFZWjadD4suQshN5iWGWxwUeZxtV5utd6smO0g9W9:91OgLdaV/CkerEtLm1

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2148	cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000017570-30.dat	nsis_installer_1
behavioral1/files/0x0006000000017570-30.dat	nsis_installer_2
behavioral1/files/0x000500000001939f-99.dat	nsis_installer_1
behavioral1/files/0x000500000001939f-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{0FE015F3-FD92-D542-497D-2DAB50E5F15D}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{0FE015F3-FD92-D542-497D-2DAB50E5F15D}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\ = "wxDfast Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2780	2148	cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe	30
PID 2148 wrote to memory of 2780	2148	cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe	30
PID 2148 wrote to memory of 2780	2148	cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe	30
PID 2148 wrote to memory of 2780	2148	cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe	30
PID 2148 wrote to memory of 2780	2148	cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe	30
PID 2148 wrote to memory of 2780	2148	cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe	30
PID 2148 wrote to memory of 2780	2148	cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{0FE015F3-FD92-D542-497D-2DAB50E5F15D} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe

C:\Users\Admin\AppData\Local\Temp\cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cea679bfab2371c8632dbf1a7aa34693_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
a58c93034a322869d3a9121d9b12164f

SHA1
8b3e7f6b0bb7e8b88737c1ccd3c66b5ab424603b

SHA256
194ab71be646b45f8347fa8bcb4aaaa9bd483099ae408288fb1a94025399eb21

SHA512
aaa0a57738c4762159fb618a5a7c71d5e1ffaeaecef4eeddfb35b080c0811f6cdfd94029e4862401882d1a69d59ea485eeccaceff6fd7d8088b924e3e7ef7d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
b5cc2aa0905ad379aeb92f89a52bd20e

SHA1
2789b8477f64f7b2499ad006ea47bcfab5efd336

SHA256
e6d11c7c14b9c908b1f21a9fe31a221e3b7a59c8d626a8fabf60993ec51c40f6

SHA512
f8677d5ee6397b7290f1ebb9e0bd899fb9bf33660122d2dbfa51f96e3d12ae494fdd8914ecc9cb0732f1dcca2e41eeac10c5346c676a921152dd4ff5494deb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
cf9bcbea4bf5ddeedb2f3ffed62902a0

SHA1
b9124b220c94cf877acce40fddc040f820860f16

SHA256
b87ed5367027ea6376c95aee5720c3342063e45522a735a9044d33152bdd85c2

SHA512
2464eb95f04eb377f7e9959a382bf06d8b0d312b02e187589e1aacbbb0ae178a3dd55ee23a544ae9b7d21cc08b16295a1094dad5eb81a7672607079790688023

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
b683e3977132e9ac83215ec04d9deda2

SHA1
1b55bfc836e500d429166c4b6e72c1bf29b418e6

SHA256
6a079bbd6f0f53e136618926b5a9664c114124c502c650cc9cbb51f5e6e9b939

SHA512
424829f830ff665646f50ea4187eceb060283cb6f38abb54149dcd7ff0459d02a2f9153df904e0c2ee00f42e1da4a070e10797f1ef26cc14155ad1c24086317e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
a61e5915cee871f7b84c3ae1c553e652

SHA1
c8ec8971517fc8f9520db325b135448dd050fd66

SHA256
dfff05838fb090a04f3c7d205f280ea5d42f0dcdb7aada24d95a221dd4376a3d

SHA512
f338295cc2b51b9815060de72e6cc5091c84043f57fa81fb85f312a352b4236ad0de86230573faebaeb503045b90a484db3b3771e20ffd495a6fd166585862ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
dd2e97f78a59976d0c456f5209d66215

SHA1
e3dcf62f3aa1d13fc7e005ca32b970e8f0174eb7

SHA256
1ad9e45046d9f5ee92f05b36429e848c3c2040a35f7c2454da5edb004cf96e9c

SHA512
9203fab7aaedd4e9547b225246ed49038e2420a109109c32d5fb21f9fd4307ef67914fd2a2d774575cc0d8337262d880202f9d23a6b1ef427ab8cb41389e4ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
5b9ebb6ef5d1b4db619e5c6d1f98bf07

SHA1
bcd234331f3a643a1ba28254e872860e351a9d54

SHA256
e2550cc8effe13d0fef159d0d76d880b2253f5e5b222ddf1e85ceaba6a97d08f

SHA512
f61a0986490970efae356a5ae6c09b0feedd3fed31d2f1c0f6a06c8954b76911f3c301e767f4c80b083403869353cc7ef4eed6ccecd216168c43737cc0aecb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\[email protected]\install.rdf

Filesize
677B

MD5
ae41bee002e8541283af90b8629a24f2

SHA1
bf4119c4d9d98aa940437ff343a56af8933c01ec

SHA256
9f766194dd930bdeaf9f3a0eeda79dcd1bf587fe195af5210838c9207a741d63

SHA512
21c5de8fd370159588cbcb3e9bc0e5c18e2f44523c34f561666065db9c1c22c05b2fa636b8115e4fdb18841dc7e9423e84552cd964b243e87e368d4661926eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\background.html

Filesize
4KB

MD5
789e84e50b3528ce0730c0fe6254a4bc

SHA1
4948331aabc961119a228039070db65b34357e47

SHA256
11e58ff8b9dda12ca885de04d2716258e5224d88284b2d642d7fb5a3f6a7fc52

SHA512
cf51b30e27ccbcaf5741cffad0e4231fe8aaff03e208cf6f40f462423f0fc06dc5147e0f7c623e34a44aebcb2daf778cf95fff0e4545b85ff128a40f65c41921

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\content.js

Filesize
385B

MD5
d0eb3e077cc2e813426b7c31e9a8887a

SHA1
38a4ed7eb6534ec0bf5416697390c5db996c5211

SHA256
4132c05d88bab1d460b42296f9c28e5096f030442fbebdee761d59e706d7cf82

SHA512
6c4b08d9a3f7bd59838ea2ae3e966eadb37ebc24b40f1533457a49e9989ad1996ef6ec89fd06245889151846b9c7f9f7758929ad439aca0dbf7e8cc090cf62e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\kdehfmopbnhkgbcmdhjcifiddcpjeeaf.crx

Filesize
37KB

MD5
3f35a51d6ee3abdc9f9d87a3f049d67f

SHA1
80d442144df28fac4c8781c0ea83ad97810687f5

SHA256
b6b9f9ba261463065d9f08d5095657240ef01f0e69f485f4a3be54d7b992507f

SHA512
2c04b391d87c87f56c90f1fc00c559228f601f45302e8ac92b404f27666310687ad893df4b78bc1d2399aec6ad718089f20eeb989aa30e192b4cc4e9d252d869

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB193.tmp\settings.ini

Filesize
599B

MD5
d6f89cacb2b33d7e89022add7c616799

SHA1
c03fe23ea34ff9194ae32e8d6599e762a5e731ba

SHA256
d25e7c8c18ceea0695b961cb15df87b78bfb28c045464df93a9d18926e6c6b0c

SHA512
9fedebbcde4efbcdd1f11d881e97d7d120b7e5cbd0a2c4c9212ece5b3f26cabc51f11d6525f8d83bdb7e583482c3090c4033877d96c5ce0d99233c4a4f3269f8

Download Submit
\Users\Admin\AppData\Local\Temp\7zSB193.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads