f443c6d1b8b48cae0a7467d4bb13489df9ee08a7746f4a4de79b7918ad6653ec

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 20:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e1007ab20da5caa962cab475c59cee2e_JaffaCakes118.exe
Size

496KB
MD5

e1007ab20da5caa962cab475c59cee2e
SHA1

01e4a61d7e3f814b265dca156ad6df5c4d6d0014
SHA256

f443c6d1b8b48cae0a7467d4bb13489df9ee08a7746f4a4de79b7918ad6653ec
SHA512

d6e155b5edc08a47419e7c9b62c77067bdc355c1ee2058d0dddaed8103d5cb132719b888362d0effa5e709733089bfa4d8f7ba9bb3b849ed38b5f5be82223027
SSDEEP

12288:91OgLdaAUip9V0LSBLt6cNtPUHCT8Y4rM4PXJjSU9JZa:91OYdaHiAS76OtPLTRcXJjVa

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3608	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
3608	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\ = "DownloadnSave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\NoExplorer = "1"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1007ab20da5caa962cab475c59cee2e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023426-31.dat	nsis_installer_1
behavioral2/files/0x0007000000023426-31.dat	nsis_installer_2
behavioral2/files/0x0007000000023440-100.dat	nsis_installer_1
behavioral2/files/0x0007000000023440-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\ = "DownloadnSave Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3608	2268	e1007ab20da5caa962cab475c59cee2e_JaffaCakes118.exe	83
PID 2268 wrote to memory of 3608	2268	e1007ab20da5caa962cab475c59cee2e_JaffaCakes118.exe	83
PID 2268 wrote to memory of 3608	2268	e1007ab20da5caa962cab475c59cee2e_JaffaCakes118.exe	83

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{59AA71EF-9CA4-9509-7CF6-B6E95F1A6F0D} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\e1007ab20da5caa962cab475c59cee2e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1007ab20da5caa962cab475c59cee2e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadnSave\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
48a0d1c3ce32adc521833b10c0292aa2

SHA1
8bb95508681350e7c688a9c08ef96acee2826bbd

SHA256
34547cb647088139ea5db0e3e33949c7dc9ca2ddc23995de558e7e1e4100d144

SHA512
85f0aaedb5a86ad998c89f08d64641de02c6e90d2785e490ffe277f340020dac0ee7cf815bc4ef78df9891ed2778e8c3ebd7fb34f2515b4a88e8cdc50f140dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
86abf6894d192305c4c90bb3e081191f

SHA1
e4a93d756e65d89bac7d6f8c6121cedd0172bf57

SHA256
dbb9cb95e03e275f05233943eacafd5105541818386eef7edf56dbd674ce9e49

SHA512
8c8662250d9423099f3b6ace8b0693be46768873301d4132574862ef6269106a717722b2ad8abc3c584782c65ee0efcb85c71099bb25402dc9aff7d833bfe44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
ae394a47853fea986239abec978f220a

SHA1
1522153a8a8f38c96f504fa9a361bca35e255e00

SHA256
9fb42801becae2ef959508c9aad2e559e5aa0e588ca095a847b4a4c91fa2e7d6

SHA512
3ba5ee1ec20c18274fd9e78f69cada5881d2f4bbf871104f85b852360d01b3af5eacba400571243cb4f8dc3f38da3420a91dab6af565fe95a5248d3fa6fd3984

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
bbc918ba28219b9c9ed79d9246d731d9

SHA1
c7a058faabb45d2a8b1a90bad8ad4ab728e3f03f

SHA256
db7d3525b1b007481521cbab9c39c168bf02c3ee40c1369e75e4a0cf7c06c71a

SHA512
6f9b16cb87a4faa87bf4632f4fec552327c4bd80431f36d652d7477becfd26655ac3a06ee25bcdd33285caf7985ce730ea3bc55ed9fcb8cd62ba62dc43cc5aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
eeec573904544a543464d41424c47719

SHA1
750da1297e58426b3458c0d1fd9160140b0b7612

SHA256
02a5242251a4bffbbd10a597bd2bcee41583b6eb4470c716ebba339fa62715c4

SHA512
aa4b6d7449bc259aefda4f651002ba7eb1dadb6278328f99518af4e5262c473972efa12341d6a333e945cbd0e620ae085e1dbe15b30383ee2c6669dceb98efde

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
61c9e83d340f9a6241952f6053cefe35

SHA1
ae81c92a3303d8d36b065100317c0d9a2a908521

SHA256
18de578f13e1e9c58b91a6394a77508ccedccec21386499c3bc5be0f2344cab1

SHA512
cfe1bbe658372ce1a5c875143de1827c9b0041826e65fdcf3f8236a15a22f90c999d8453dad9e09f1e0d20f4e6627d4dd7d04ce396738871f3e17e8f1c7d71f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
379e1053b7a40b6f0fc232b1d4453e73

SHA1
845ad509e3dd0d3c2da54802f04a6c8cf22a0858

SHA256
66c257cae77ada0bb3595b872539f663ff7858ac9544bf7bc781898b60bf1993

SHA512
0e5bcd84cf4883f3136ffae2a954367d8e4ef2a0eff6e84961cafc99013f89adefdc17b03397a116cc6dccf71284061a6871d992f273369eb5b67a1290566cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\[email protected]\install.rdf

Filesize
683B

MD5
a39c0e1cce5f0fb5d7433bf471919fb0

SHA1
946aed4cec1919473a0cc876b8c6a93ef74b5066

SHA256
9fc7bdfc1c65cb2f987735902fb6a1a197a454d766e54cc5b65a4b5df8ecfdbf

SHA512
d5ac8639804012d1e7147273d55dd2d41f3f68d2ed49aa937f0bddf5fc14a5e4711b3d1e438d67b8bbbef1732666877d031f8f1027950668dbf6e8e32a3f3f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\aknoffgcnoodkldehdlipeeeklmknndp.crx

Filesize
37KB

MD5
0adc130d9c98dc77c4e5e855235a4dc8

SHA1
2ac8edb1cacf59d5f16478b1f4f62b22a2ac9ca8

SHA256
82b3a8095040760780dab20ba52c112e5acdc74351efbd989ab30a500458698c

SHA512
f04a19149c793f82d14a3918e0dba7b919b48e308896ec8a47e7940826336fa58ab1b01cd5fc4afaf6a6da9e553c2c22fe7e0e6cfa67e49298a37b9682145d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\background.html

Filesize
5KB

MD5
99ab953bd1664aa354cc972b52c7aa55

SHA1
099d3030dc46fd5fa0aa345eebfa57aae54651ac

SHA256
b16111003cf5400332cae4220419d34d431b3c66acb973c8efdb130386cb1b9a

SHA512
1502bf17097678d4828627df312629fdf8c31b1569763f2c442a1496720db4cc564845d57617f326dda837e5908447ae23084e16302f86fa10b5180d0d1cdea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\bhoclass.dll

Filesize
521KB

MD5
489fc1a1f5dce2adc842b4a68e67f0cb

SHA1
e73fb5755f4bc109e08f4c3c286438a0dbd02084

SHA256
24833c00ddea6a060d5b398c5667c200cb957e37269d1fc90b6b1eb5e3130f7a

SHA512
ba3d7773466d0ed856afa09c76b9266f4454e268bc2f67ccf903a85fe4986b9886d5a1210aa1c561da3bf69956ffe5a1357154f637ed952b73060f794b215104

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\content.js

Filesize
387B

MD5
fb8aa5fdb4dcf1f0a69bbdb5cdc9a8d7

SHA1
21224af1cadff04655ae5856d75b651306716820

SHA256
d157cdbdc2d49ac6760ec81a5613ed390806f009c8ece85a1cc3b16d78ef215e

SHA512
c407fc5a22acabecd4fedd0a016882c8cbeaaa559a2e8954d41e6e82211d0d51ebfb7694cc1314041d472f556854c29ee796ce4a008457fb4103e626039d921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\settings.ini

Filesize
618B

MD5
3e9cf31df8d4fc5aeb053c8af60e992e

SHA1
8596bfb864b524c12c05bba36465590d73931d4b

SHA256
8a540b67e0a966824b6e92125371d221cecd5c895b52665dd4bb10aa1b5a7e12

SHA512
f12969818f37377323dba82926abb5b34ebf724190f1de8f1312de5d816457663f5f6f0dd60769c8b8abcc07a8a5c3f280b3486c27f4b56842675da23d7bdb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS64F4.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads