6896be18e3a6380500b6ab383e2821d83760ea5ff037dd3cf19e89dbbbfd3c7f

Analysis

max time kernel
135s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b4ec576225ae37c8a74afb08e9d6107.exe
Size

313KB
MD5

5b4ec576225ae37c8a74afb08e9d6107
SHA1

214b2b8f09653ecdb0ac02adf532f33b3205d65f
SHA256

6896be18e3a6380500b6ab383e2821d83760ea5ff037dd3cf19e89dbbbfd3c7f
SHA512

a73cc1cf9cfb665df890b3090f43d40d51e689b2ffe91d7b98eac4445cfcd5d77c12836fd66997686f8b83554854c7c5c7ba8c280d9b3dfe627d0873622132db
SSDEEP

6144:91OgDPdkBAFZWjadD4sxuyWWvACrzO3cM1l7:91OgLdagfrzO3c+l

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2972	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A691C41-A282-3C03-E8AC-BD72BC489148}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A691C41-A282-3C03-E8AC-BD72BC489148}\ = "TheBflix"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A691C41-A282-3C03-E8AC-BD72BC489148}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A691C41-A282-3C03-E8AC-BD72BC489148}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00060000000231f3-31.dat	nsis_installer_1
behavioral2/files/0x00060000000231f3-31.dat	nsis_installer_2
behavioral2/files/0x000600000002320e-100.dat	nsis_installer_1
behavioral2/files/0x000600000002320e-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\ProgID\ = "bhoclass.bho.5.1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\TheBflix"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{5A691C41-A282-3C03-E8AC-BD72BC489148}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.5.1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.1	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\InprocServer32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.1\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.1\ = "TheBflix"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\ = "TheBflix Class"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.1\CLSID\ = "{5A691C41-A282-3C03-E8AC-BD72BC489148}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "TheBflix"	setup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4976	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 2972	4644	5b4ec576225ae37c8a74afb08e9d6107.exe	88
PID 4644 wrote to memory of 2972	4644	5b4ec576225ae37c8a74afb08e9d6107.exe	88
PID 4644 wrote to memory of 2972	4644	5b4ec576225ae37c8a74afb08e9d6107.exe	88

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{5A691C41-A282-3C03-E8AC-BD72BC489148} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\5b4ec576225ae37c8a74afb08e9d6107.exe
"C:\Users\Admin\AppData\Local\Temp\5b4ec576225ae37c8a74afb08e9d6107.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:2972

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TheBflix\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\ProgramData\TheBflix\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
32bb0bcd52544f414dffa891320373cb

SHA1
631b672f18c228786ae0ed7094dda2f7c65f4782

SHA256
4f6c7468a6ca5def2fb2a419ed978b10e2daab2dd2b37765ad5b06d8b3c6d1c3

SHA512
53e62a3e0c439d952429752bbdfad46e86231e14a3daf4ad3abb8f77289a2fcdf28e44b6a30d644c5a8f7052a42c232fd8e97a0d4ebcbe9eaa8377e07ce42aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
c98eda35b60ef026434b5c79b19b5859

SHA1
661b6bcb3985b749d638aadd2285b3e1cd0ceacf

SHA256
4ab2603bba83c72fdfaaf61d90fc14d57c9c44f3cd34d5622429c552a159d232

SHA512
4a00351ab97dbe93cc6f35856863b9d41c6b0e441feb1ef9f1b3af65066c183192fe574f72c0781ef854e4a6616d010505ba25e9d093e2886af1599575759a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
2c8bad9b8eb35bb88bd4fa0cd3eed4bb

SHA1
e251c7916c51884adbc1cae16fe153c37ba01203

SHA256
93085c3f8c8d6f8babdabbf920773a9e89ef25ca7a19b412a104047373dd9909

SHA512
d0db3a7848daa9273c6f9cd92ad9e74b1f94a7d8ae402af9c8b0c152a236659a9dbd6d02b035bd6aed881fa016085d5fb53b727907d05550643bd75afedd26b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
2fbbc29a79d6e943eba95bde348a8efc

SHA1
59dca362d67bd7554ecd43c50b9bc8124f2a3639

SHA256
b5b19a92d81b5cae7b46b72b31592596d7c2dbaee1d48b190fa7b70ad462c0c5

SHA512
f78208dff600fc892c74c0326794676e7dfe86de3076a739ad7cd8254dccdc58632c2f02e5476818ddc36b0277b0f232fcfc1e0556afedc24ca5871348f6b0ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
a9f13a4de3f7d0df53ee8242281457b1

SHA1
64c562101dd0000d0541ce0b26f89df0eb5d29a8

SHA256
d4ef5b36929b7572bf6a70a78c7f9963c879e7cd4a39d2597d4369b832c5b540

SHA512
a8e72caac53efdcc48a918722ebf34c926bf9258a6b7c5f6b36c13721cae2afc942ca681342cf30eec20dda06c4d2ec953762f085f5461874989b8e2fd47821d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
1a3dec5d06bedaf41f4a06d51e1d39de

SHA1
cbf71344730a554a89ffbb25227001d720ece177

SHA256
6db900efcd46ac342ed4d809fb241cefbea4406bc65ce3b13357f91d945cdd25

SHA512
257bafc76000689d369b6e2b2e3afd8092bfe857c7feb958b18d5520489ec81d1a8f070e94912dfe7065a6dd48ecdc84767d2e2300aeb5418cb1195908fdd484

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
58206bac3b64d331136d717b726f3264

SHA1
1b4cecb1edf51f85e45976ede3962892d73117fe

SHA256
f540b75a31ffcfea48af1deea16bcfae56e9ed1392d2c4098a96e60cb63e6893

SHA512
30d7b25d33f8549ea937349466711f89ebd3325ed5e77a178be25ca5e8128adb4fb07d917e97aa316e58632d4204efac4535223771d1363b0eed6acfb670ea0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\[email protected]\install.rdf

Filesize
694B

MD5
fce67ecb285a43ec9a0dcbda481d1081

SHA1
cdee403efd42bd22b6ab58b13ed91e8d02c0db1d

SHA256
72a35448bba616969c95df00e00d0bf0bdbe774607336a96b6f25845d0e5aaa6

SHA512
6b4f06afb0cb17c84ad2c6120b6d2593ae2420d59ef854a16269c7d339f4bff870b9d5559fdea81d24cc739fe5fbea3e0d355f3b4c715e3a347c88ab5f3bc996

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\background.html

Filesize
5KB

MD5
cc505d1c8db1c8e5960814ce4310d3cd

SHA1
dd45c35b2721686f6a1a80dbe17d89aa01bd0454

SHA256
dcfee1b97b89f5c3811ef18dff5987c2de3f7df07265cc857dbbc858dc9b81ce

SHA512
da3a586d103172f2157fa79cdfa82221c32c9eab4caeb78a873f476ea80da1cf0670832853095fe76cdc679f9e0104828ae6cc08959547f4c9bec0baa24e8fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\content.js

Filesize
388B

MD5
d25d2354bac9e8df25f08ca1d322230f

SHA1
c1075f5a6cb38be3272faaa7a5c3d57572080491

SHA256
39d0186d32244d2c519052f99353cc6998ef0aa0038077733ba7ada529d248e8

SHA512
e981590867d6b850c5831749793e8082fb4f8afcbb65348a6b3681853af045a97df5030c184d0229710ed00dfefc164cdd78b85a37b1ae0a2d1e6449b4dc0f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\ngpkclfphmlbbofjhfepfjkebmllajcf.crx

Filesize
37KB

MD5
4a125732cd8343e21e4fca98bd2e725e

SHA1
141f40ae7ddb364a10e0f4dcee33b95d67ff58e7

SHA256
8bf6f081252985dc67789a7dd883251ef5c9682b9cf211b68470e2cdc6266543

SHA512
a54b9a0d3486bd5b0149beda4874b1becf9674276c20bd68a593f7b974fa8151e36b7556a63925cb211c52af0def50bbf31a9c27d62abe02d01260f1ca58221e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\settings.ini

Filesize
595B

MD5
1585b4108bb03f4eeb3b3e539dfdd245

SHA1
483a61189c5055e824474af6d8572606bda3aa84

SHA256
34eeb8cc95f8e5bd253ae223b803ab2a15efccd198cd1673b22a5fa4e60b5471

SHA512
cef15c3d543a569af3a635f8c19406b48ff599711160d0c3c10da2f1021f2953d987bb265f95be703b21b9bb2ca34f313442adf14907bea90689cca0df074828

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS44F8.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit
memory/4976-103-0x0000022331C70000-0x0000022331C80000-memory.dmp

Filesize
64KB

Download
memory/4976-119-0x0000022331D70000-0x0000022331D80000-memory.dmp

Filesize
64KB

Download
memory/4976-135-0x000002233A0E0000-0x000002233A0E1000-memory.dmp

Filesize
4KB

Download
memory/4976-137-0x000002233A110000-0x000002233A111000-memory.dmp

Filesize
4KB

Download
memory/4976-138-0x000002233A110000-0x000002233A111000-memory.dmp

Filesize
4KB

Download
memory/4976-139-0x000002233A220000-0x000002233A221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads