23b2ba03839a8ed465439882ace8cf44f51852829033f247b25dc008ac24cbbb

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa2d46ee4ca1d8708fe85706a5a1716a_JaffaCakes118.exe
Size

251KB
MD5

fa2d46ee4ca1d8708fe85706a5a1716a
SHA1

d7f718b821e50340cecc02072af4caa362c4610e
SHA256

23b2ba03839a8ed465439882ace8cf44f51852829033f247b25dc008ac24cbbb
SHA512

061c8b9d46454a075a0a6fb884ec788bd73756f7b9f0cc91e4a14b83be389e154e63e5ccacc7b8c61a7e4be21431df8e9fa05c52ebe01e78ac428c8c8400411b
SSDEEP

6144:91OgDPdkBAFZWjadD4so+B0Pz8w3PtDxJ9UN9Inez4q:91OgLdamB0PzX3Pdj9U1

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
228	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
228	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\ = "DownloadnSave"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa2d46ee4ca1d8708fe85706a5a1716a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023434-23.dat	nsis_installer_1
behavioral2/files/0x0007000000023434-23.dat	nsis_installer_2
behavioral2/files/0x000700000002344a-80.dat	nsis_installer_1
behavioral2/files/0x000700000002344a-80.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\InprocServer32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\DownloadnSave"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{78351911-B3DA-5ACB-56AA-EF1D51F4428B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\DownloadnSave\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{78351911-B3DA-5ACB-56AA-EF1D51F4428B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "DownloadnSave"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\ = "DownloadnSave Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 228	4844	fa2d46ee4ca1d8708fe85706a5a1716a_JaffaCakes118.exe	82
PID 4844 wrote to memory of 228	4844	fa2d46ee4ca1d8708fe85706a5a1716a_JaffaCakes118.exe	82
PID 4844 wrote to memory of 228	4844	fa2d46ee4ca1d8708fe85706a5a1716a_JaffaCakes118.exe	82

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{78351911-B3DA-5ACB-56AA-EF1D51F4428B} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\fa2d46ee4ca1d8708fe85706a5a1716a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa2d46ee4ca1d8708fe85706a5a1716a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DownloadnSave\uninstall.exe

Filesize
46KB

MD5
8be20144dbd200c6de0c9430ed9280cf

SHA1
b81e3aacaaedd66ef0896acabc6983c94758e2b4

SHA256
634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6

SHA512
fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\[email protected]\bootstrap.js

Filesize
2KB

MD5
e16c50c73ad0c26bbd7593f325288ea8

SHA1
283626b095dbfd2fa285cc8ddcc104ce994a5a62

SHA256
bba9d13c3738ea9a3541dc9cd59950f0ebac4e73380a7ef0e9a42228346c3d62

SHA512
ac53acc63bdd53ee79648029fde8f00ce982d591de6d98a92303da495af797e9ea8818e2d5e9aed695bc72cd7741366ae992550b1b12db809252acd1729a6b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\[email protected]\chrome.manifest

Filesize
116B

MD5
f80cb7db0217af20c329d2f98f5b57be

SHA1
7610f6912a21a0a9a0ad1673805b8f876f96f263

SHA256
9bc501397b018799a8149f6c1f2ccef1b8ff22a9a313f83b10949b31b6515c35

SHA512
34f0c82ba2c6e9700e8e28b8f6aed04c1665554d35c99df60c3e720f5da6c98238669930a88229db683d814014a01e41028e0d67426d7d45ac96d7628c348f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\[email protected]\content\bg.js

Filesize
8KB

MD5
98f690120465353ff58c0d9e15e455ea

SHA1
b898bba114b3d9548d6b75110ea59c90c329d48b

SHA256
83e74c19466897d1d88953a6b64c32d497b9633d4504ad365de412c05f84cb3f

SHA512
ea33a79aa8d006ae23b4477727a5a689ef3c6f78c610acceed490c6538e40a3a4a44f72f290d615bb073e730382a9ae1dce4b72f674932ea7a1ad8209f6dab72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\[email protected]\content\zy.xul

Filesize
225B

MD5
de8713948c37a53854ca009835fc4167

SHA1
a021f2aa7686d7485a2ce0bc5244f294c9a47d10

SHA256
42aaef05560955beb292fd6c2b15ecd2593e1de94308eefa75fe7031fce6105c

SHA512
bed521b7d727e74a5e4b20c47ef4e788eab9f33dbaabae82126cd2b04f4e148d3c30b01d363fc8a68a23b6756f77623085cca234da1c8de226c76d715bc3a156

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\[email protected]\install.rdf

Filesize
720B

MD5
f455b11e81b851d0956720859ad9c7b0

SHA1
197421580777b4c629ea0d21b0036b1cb0c7f541

SHA256
70422b4346a2847acb20c6d8c24ac1f791d0e26e26a0a6d0ff62158c3a81a223

SHA512
b23325764e359e5323737c25faec4050d673bc394091b21254d072ef6768c09812c2a5e4ce884c420ca69c3f717120b1b3b190fb3f9567333f6cf518f9bc6673

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\background.html

Filesize
4KB

MD5
ff38b07f4c808a510c446512915128c3

SHA1
fec278abde089bf45ef5a6c4857789a397dc2aba

SHA256
f5d35b1f4829c1f0423cd33e3f925886e314293c760e5d4a663945fa7c55357b

SHA512
e94a0f2637afe66e1d4836a622d115dc7cf711915c2a4274903f75e3cd847047289bc1803e6d7df6c8042b3ef8dd93e985c5631f4ed419e272f69dd5299bbaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\content.js

Filesize
388B

MD5
845a451109b51ea8a851c89884a41401

SHA1
94268e5f0f405bcd1856073664cb015c6148680a

SHA256
5ad199429b0530bc4f3ab8bbb326eaf2b6a2652a521e8690df919199ceddede7

SHA512
524c17441609cec8e3439468f9c4a857e14efe955af2f8a726420083dbe25609251235a5485a4517522fb8f58c17203a7d6e7cee9cd67e70b8badbb2498a7c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\mekccgfkipamjgkbaaifogoneodljhhj.crx

Filesize
3KB

MD5
f282d1cec736fac700e62dd4c2521781

SHA1
912a93dcac9e1fba464b8ab2730c4863791ce274

SHA256
923c2aff8d39d6cf81075db909f96de774b3ce6e680287c58e95f3ed53170a40

SHA512
f5b931fd92532aeef8702ce47920395cbdabf70d753bd8076bf65c5eae35f63dc2e51ec86fe73660617a765b439297d0c8c8af46b47aa7cf7ab70ef0519129f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\settings.ini

Filesize
675B

MD5
f2a35d1e2c9cb591a2ca12d0f9da8ae8

SHA1
882a5e3c1f0420040f7bb31a4b18fccd466149ab

SHA256
8c0079c179536faf39201a73db8078c14b26e3b0c8479aafcadae3e7712c6778

SHA512
4311bad41374b2a82a7ee56226fa42c5a69b257e11b31d9412e6b7c3b1a1233e8c9c5427c71a114902c9baffa2b81c29e8aae58e922210d0ea316f8d133f1294

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS71E4.tmp\setup.exe

Filesize
61KB

MD5
16ef6e914973925977cdc5ef6b8b2565

SHA1
4815da2815975b33f5dc94d482e6dbc02588afa6

SHA256
6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f

SHA512
c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads