4a3f6894593ea454d9feeafd835e0cb270090c28a3c0d2eba7d0263a854f3d31

Analysis

max time kernel
98s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 10:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dff63106e3e7d5018e1b24885a310f6d_JaffaCakes118.exe
Size

313KB
MD5

dff63106e3e7d5018e1b24885a310f6d
SHA1

edb2cb2757817b578f9dec50402ee20c18199d5b
SHA256

4a3f6894593ea454d9feeafd835e0cb270090c28a3c0d2eba7d0263a854f3d31
SHA512

132159bf634adaa590bbac6330376b7e7f8a68a2075ab4fa40c49b85d4a604287a174fb30bcb3117edb09a77fdf5c759fdeab249a83e43d0f5b1a2151aa3472d
SSDEEP

6144:91OgDPdkBAFZWjadD4scm7fdxlARhXJkQNjgkGwIq16vP3:91OgLda2dcRhX7NjGU16vf

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1624	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1624	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\ = "Codecv"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dff63106e3e7d5018e1b24885a310f6d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023442-31.dat	nsis_installer_1
behavioral2/files/0x0007000000023442-31.dat	nsis_installer_2
behavioral2/files/0x000700000002345c-100.dat	nsis_installer_1
behavioral2/files/0x000700000002345c-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Codecv"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Codecv"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Codecv"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\ = "Codecv Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\InprocServer32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Codecv\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1624	468	dff63106e3e7d5018e1b24885a310f6d_JaffaCakes118.exe	83
PID 468 wrote to memory of 1624	468	dff63106e3e7d5018e1b24885a310f6d_JaffaCakes118.exe	83
PID 468 wrote to memory of 1624	468	dff63106e3e7d5018e1b24885a310f6d_JaffaCakes118.exe	83

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{77AF6348-CFB1-780D-CCA0-7C5D2DECCA30} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\dff63106e3e7d5018e1b24885a310f6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dff63106e3e7d5018e1b24885a310f6d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Codecv\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
82f0101af0bc56ab3158b8874a683b56

SHA1
66979ccb94c503a2e01dd3e2c5f55d6cb2d010bf

SHA256
af65e8aa998f3ac90f4a7de5f7175e9f2a30fc40249e4c77b033f43d9f631238

SHA512
025dc3a9979d3f8086777c1f5eaa06d08df45f3efe8c9f4bf1d536594fc06b787ceaf79ea2822df1674101af222d806c746ee9287ab70deb1c444a22ee7e1d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
f13e89bc4d10f18f8baab2d526c2cba8

SHA1
ecc2fd49809d87d2144c254ca42e984c99a0ff53

SHA256
ff68a49e68f7ec837c2850d24630487b3e3723fd97ec5e6ab1bc308462328e08

SHA512
70b2eb89a98001a796728c3489d8df850c38c32912cc5cb8e00a2bc68becee2c2ebcedb8ca976c3e3f7e50d45e954eec2dbefdbe518f0a72a6c6a74c6b6c21a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
e5c9cb617a26064bf8e82bf510238d9b

SHA1
562a7d6f570e373d88624bc60d4f2b39bea8a0fd

SHA256
674bdb4f0bb050b51c6a2a53b05781bc1ab369350706a0e53ab35b16a6fc714c

SHA512
8a83b4d27a66b228462561eb8f064b5bec04c19e8e338cc9dbe640dd8661da19a74d1e5994f7ac38bd5b422fc10dcbf13d9c30bc9be4a0842511b13b1ee378d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
9629f3c8d75ee7ad72d22d73c2bfc998

SHA1
96c10d9a8c74ee7408562c2709ddba60146a9f90

SHA256
9bcc6df19f9fd00d8dacf9642dfa7ebe7abc1e69921f012923a0ea4974dddf70

SHA512
ff54847a355891d8bdfbc0f43d9db5e43ab66978bc8bf71e9595808bc5b7d0dcee09e0dd99bf439f916af22106ea0193bb7a3577e3de59d8b88a6eaeeb14ecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
947397bd802b3db2a641c7dde8889b66

SHA1
11d3dfcca07426940d046468594a07423ea9fbe6

SHA256
d9f682cf72a0a9d082309c11a533c63afc4a914a7827d5f79a75f273140128a9

SHA512
3124632daf245853ace1308d4c4095fc342bbdcbed077558de53b6e9be909c15192987495612a0094cc9ac18166e0a43d5fd0865aa05026eca65e09c6d33f97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
3946aba5bf4083011ff249bf2ee354ee

SHA1
61d706149e8570e1ad499361f7f3ab7cd9e05f9c

SHA256
82fa4178a831a788a735807c2704e55656adfd184c0dfbf5847cb9254f1452cb

SHA512
e3d0ccba719f70d0eeebbbcd1d7be079c1e81de90f37a270754b1c77dc165bfdc2eb62d848dcc89a701d02715bc2179a2f0c51dff0a811f1cab52610f250c3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
412eb9d658e74c0f1bc4e6da16663166

SHA1
b60d1cae1be36a5b6087e4beea620aba312abe3c

SHA256
41ce8f6d56b80d80014afdf12d204b83b2cfa731f5a37fbdf48fb2c125c81934

SHA512
587b3e9897fa7cd685ce1116a25a87deec989b74f1f5afe411005f72d19def452f67ae8b2e2fc864a7976149c92c26d7dc8e1b1b5661eb94b26611047dd18584

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\[email protected]\install.rdf

Filesize
676B

MD5
ffdc74d85004e1661fb681b0b42acdb4

SHA1
63d94b72e078f5489fb778c35037a4a4852ca900

SHA256
4af1a884448db54cc7ae6f1dc77c9591d3f4d313ed66936005da6985ba570e99

SHA512
c23c8c7d553b0819258dc0caf0f8b01cc43b49cbef5208a556ba6e7b4d39128bf260f9115c3fd35e42e24ac10eef71a525a9207092836f1acf3a105bf67329a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\background.html

Filesize
5KB

MD5
d176290628ff043ff60c61d08e24cd27

SHA1
f552ad58b4da2ca15fcf4a760a3a7a1b1e4234f4

SHA256
9740ddf06883e5cc9a20f304d95961f17ccc27a3e54fd97c7d9902303c4b2c77

SHA512
6ce7b207aed799012b9541d9dbaf2bf9852d11abd5d673f65b3b2456d549140f0c7dc03bcb89aaf9169e7fefa5188c81ea48e0ae15956fe4e04ea8f770da2683

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\content.js

Filesize
734B

MD5
f41e0f15a8caa6656557aa15c7c28503

SHA1
4f521d59ec029011df5c0f67033da4a032d40395

SHA256
2798c159af014e062d623505a3109f0a2c999cfdaef9891adb09bfc9ae11f5a3

SHA512
fb325abb16143c4c24a6c45e915ff13d7b5dff887d2a7bac87692e9adac5c97a701490b9326549acbe4fd5523868b762187ed0725386067b0e62eab61228ed46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\dgihjimcpcpejcaceddmdecebdlhinid.crx

Filesize
37KB

MD5
b08ab81869a1a9d13ca2e8504bf7fee6

SHA1
40f042a89fde26d5e8d272e12370718b5e474f29

SHA256
2e1084995aea8b8e955414260a52415ad1ba04d371f4e60827920f4668b8a7cd

SHA512
fa46bb964eff2f31da50584b5698d69d7216370df9b21fdcb131bd768e0eb822a2f732ce0174a99513cc8d8265a78e83d25502e51271604dd37f5dbf700b47ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\settings.ini

Filesize
603B

MD5
ba18db71e53244ca8d27fd1549b76ce4

SHA1
500ac95ebae0f4b47c4e9ff8f06333b4a108d72b

SHA256
65f69a31f2a58a88a41bf4ea07e4b3d326a9df07fd353711342082ad6d7b9729

SHA512
ba88b470bbe580f33f9c72582e34cdf0bea714aa3854568539f5cc2642b4f4529efb7fd026979f2496b531f47931081288f6c5a385eab6832a23306c28faff28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS825F.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads