12f9708fdb9e97934249e7494a539cb9266e53116b0ea4f950212da71e68fde9

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe
Size

315KB
MD5

fb45317f62bbb0ac4e1ef8d8a20a0cd5
SHA1

f95a8f9b349680eb39879ebc0294e9e11be69aa4
SHA256

12f9708fdb9e97934249e7494a539cb9266e53116b0ea4f950212da71e68fde9
SHA512

c4bea9132f86a058eef497200b985d31b79e0cd16a1a1db3cfaa84cbcba89ac767c48caa265b0d0e73fb417905cd064eedd2a4d1e42ad02fd8191734a127136e
SSDEEP

6144:91OgDPdkBAFZWjadD4sR6XXBXiE27QFk5L6pkPr+Smhcrr8:91OgLda3XXBX8QFDpkPr+Smhcrr8

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2364	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
3056	fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe
2364	setup.exe
2364	setup.exe
2364	setup.exe
2364	setup.exe
2364	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001942f-30.dat	nsis_installer_1
behavioral1/files/0x000500000001942f-30.dat	nsis_installer_2
behavioral1/files/0x0005000000019d54-99.dat	nsis_installer_1
behavioral1/files/0x0005000000019d54-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\ = "wxDfast Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4}\VersionIndependentProgID	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2364	3056	fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2364	3056	fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2364	3056	fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2364	3056	fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2364	3056	fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2364	3056	fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2364	3056	fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe	30

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1364D4E8-A9A1-A7DE-BB1B-5881AF881FD4} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb45317f62bbb0ac4e1ef8d8a20a0cd5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
d8e364f3ca809d5440e5bdecd6b502e7

SHA1
328578d5a7e68803130b4d35c65f43920a6db5c4

SHA256
3769bb7e2c30eb5b10bc0ec88b6e92baa8994607cf7c84b0728ae3b50f5f42df

SHA512
d89bf05ce573ff9a6e7bb3984a229c0fc337c05e4534cc5271d3a09b838fd72961bfd0214954db01bf1173078987427657259cee50f7386e6eaa79bcbe62d977

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
ee60632852be3c96a0e58893bb2d3fc4

SHA1
c915c8e4ea7b36f529efda23aa94abc9d6f34766

SHA256
5788975f90d5d3417d5695471d3d1257c4a51369c51c1001a677be10b4574d5c

SHA512
49e7f8dd31eb69fa8a19d9f7a2879b0641b915928be3544a549d8d9d9a0109c9e486b0485832e79cb83e402d9ce342daa6af2da18865d6de8de36c5116e3434a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
80424c08f19986b16af7e7c61d0c0863

SHA1
165909f625408ae9bedf8b4c2f62a1029b2ca95b

SHA256
a71f0d7adc63fed3d552994071bf5be8e3df3a24c05245b722b377cda4701ea0

SHA512
19a2eb5a3f5bce561ea88764dc891dfe3a23e1f5f83342b9ddc17207b86de82bc818e8083b8d91f4d4bc2ccca871ee950dc88a930aaea9a739a09eef36e7cded

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
aa3c9e4f8a935947033a48015ccfb1b0

SHA1
784b7fd28e4cf6d3fdb7b92ad2cf09e64daee4b0

SHA256
5738857902a53365edb746f32a219d573e7b0a8a0a7932f298c0b76113bc8797

SHA512
8b2d64307c00539af8242520e79ca6b9beefa138e06f2b75f46a301ee54fc4eafabac7c497d80d0e6608039fc562f60cf9f89ea5ec24748a17f9c439b7911a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
737bffd2e4dd715cef2eabc9a23e4a6e

SHA1
809f7ad0f376602b160b987bd28ec3a28aaed01a

SHA256
ebf57cd78e2598528bc7533bc958bc81d5501d7c45247824b5c32d4d73951993

SHA512
ca06c4b32e31f82da37ff7fcecc1dede982a3223891102ea9763599de9a9e17c7ef0fb5ba9382e6df6063923dc2b0fce1c6663c968cfb2afadc6cb0bea4c6c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
36fce6c292936107eafa59963a0526a6

SHA1
c02882d5100e91cb0e066276b5f7021ebb3ee87a

SHA256
0d3a312b3c8c9c93fb0d789a4ba9d645b62eceb8a60344b645e6c006f461da0c

SHA512
c7e5c3f31c9c2f987b5fe80d4c61117511debcf58177079b3383a8bafc2f3527ce59a5a462a91c25cbcd3f684e89872ff734ae76f572b29515ade8e0f107fb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
c3989915f186c419fec426917f38dd25

SHA1
3afc4d47f68c316e8a383d77293361088b34f925

SHA256
5150aa548976376e86cf3f87db30eaabbb525301ee8c2fa1ceef37533fbe81c0

SHA512
667569be9c2be3512b3f7c05c151e3a9922d064444068bf6029fedba9e3fd90ec533799941e8f814db12a5b8038e43bcdbf1c09a29b4a66e0f83e1259d320efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\[email protected]\install.rdf

Filesize
677B

MD5
169ccfc33ddd710c8a3ae5b27dffc54a

SHA1
8d1d83f1453ffd2e62452c4db65657c3a293d960

SHA256
e60819bf7dc72429894395b246e8d0c64728ee03d05830ba84fb0892ab0b7ab5

SHA512
fd82a3d742483f362cd52788c492b915bd9acbcbf8ca37af1c628c4d48967de274ad4e436ab867b74d1a1d92be629f12e36d0030847db5f190b85d4bd9e5e002

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\background.html

Filesize
5KB

MD5
b054be17bc2f5f6a0c4b60443c2412ac

SHA1
e169b38482143c43fd8a28f4b1611c87577d7688

SHA256
63eed6e39e1f4d1eaee6f9648b7d62f964a9a7e33f67b316c368c85480eba83a

SHA512
d7427da3c5fec794d6c810cca522281062374816adb93fee288426ebae65edd60143b2aa4747333199530b4902f1e32dd6007da35a9b050b06f36ed97cb7a63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\ccmngfhdoialjpljkedipfcopnjmadbo.crx

Filesize
37KB

MD5
f928da5337dcc203eaf30f9ed0833c85

SHA1
a8a47fb16f21054adb59cf6e0e51b3328ad4e6b8

SHA256
c73bf8ef99ae675b5758a5f575099e312e893d4a5caad2173d7e991416c6ac44

SHA512
78393ed4448667091db76b644dd8ae185fb3a112250a764758f39671ef853b1e6acfed6ca8e52321f6e11ce89504be9178d4dfc768e52236d5e69e25aa026bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\content.js

Filesize
385B

MD5
12e0bd16cfc735e8b3498ae89ded9e22

SHA1
ec5cc0ea292a8c5a18dea5a38ce9c131a1a3c5bb

SHA256
39deb376b2bbf9fedffceeb08834f4ef919a527bd803901aaf6a0d48c87854ca

SHA512
604030a399b8b1c728f0f79c7d7e4ab5e728356af905ca70d822a1673d379ca9d508827189e8bd2705dacc2100b7cf75b7d7e85860c7277b4d622afe73b9d3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9425.tmp\settings.ini

Filesize
599B

MD5
8fd9f9e2d8960487095d08522550507d

SHA1
d7251efac8489b1f4df4db8b53a36f44e4bdadbb

SHA256
2a7825a680e3627322e09d6fa4f6ec27e166b1915b947dfae6b4d9b88eee3d66

SHA512
51b99f56b00afbe7ce32b8afd340e6e915620cd09d0f0be74afaf8d08cb83233e81ea17e858ac0f662915022a68bfcc77c34c6d77b78f2672a8432792d938ae8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9425.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads