fd20152ec8950758abf9cf942ee0bae815345cc48de6cfc0aeda61ab7b8877b8

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 22:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe
Size

496KB
MD5

0af97e62f73037d01db23a41f3089065
SHA1

d9184d81a06eda23fd66dd04955e7e527be7ed12
SHA256

fd20152ec8950758abf9cf942ee0bae815345cc48de6cfc0aeda61ab7b8877b8
SHA512

beaa89f71af359aa9ba19e6f1ebf37cdf709a2191a020628f6a890449f89e763b699ccef0cca82e8e6bd354819f92ad6db903440d762d8d0e140ed9bc916bd5b
SSDEEP

12288:91OgLdaMcEw3EgqbD8b1BBwqwLoDk2K+YixnynuIh5N:91OYdaMcZ3Yv8b1Nwc4KxnCRh7

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2872	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2232	0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe
2872	setup.exe
2872	setup.exe
2872	setup.exe
2872	setup.exe
2872	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000015b63-30.dat	nsis_installer_1
behavioral1/files/0x0006000000015b63-30.dat	nsis_installer_2
behavioral1/files/0x0006000000016572-99.dat	nsis_installer_1
behavioral1/files/0x0006000000016572-99.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\ = "wxDfast Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828}"	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2872	2232	0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2872	2232	0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2872	2232	0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2872	2232	0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2872	2232	0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2872	2232	0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2872	2232	0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe	28

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{CF54A87D-DBEE-EB73-3B58-CBBDFB3D6828} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0af97e62f73037d01db23a41f3089065_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
3b409806771420853e36dec32baedb8e

SHA1
d470339c5cffdfe1adfb3483005163e2d1abf590

SHA256
a300a85952e3995b7ef08200571e572a1904c545467851f526ae1ad85d107b44

SHA512
d33c0643d957b32bda3712ea7ff3d86fbc26c885b1f685de9087da24dcc5ec9c12f142a21d1cc0a3070c25f5086d737ec7ddf2ebd89661f62be02aa2fcd22aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
1ef57112fec3ad90b6aa9766cf4c6f56

SHA1
5ba99c888665157c5a24ab19197b0740fa107901

SHA256
f3edf1c87986efee4da9ae895f7626ecc954e29e8b76bedb1070de2e26359034

SHA512
080e9a1812e04a00547e1954dc6c8b0c7d1323f8816fb295585084cf9cf5945f17c2d015774f4cb029cf2deffafdc5f190d965380166517cf97e7875cf273bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
b593b82972b5b99c46bb238f2bd257ac

SHA1
f55738f67bf67e54cdcac9c2f14f812c99921adc

SHA256
289eccce0de385b34d9366a9c5d262b0a93a9ef1b470f0bc80e7f87422eaa77c

SHA512
aafdb4182700d2c4a48885aaf33c5d4078221dabf76c46475f6ad1a347411f9c7a964e1aec023867b50ececf23e0073bb048c90c45377ce3029faac3094fd559

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
c5a1aa0e4c82e1dd2134018e9fdd236d

SHA1
e58d2a64fa270b3bf34b9eb104aec5673f6b6f87

SHA256
4fa791de75a63f6c231d70cd44d1edd83d944466c20a18e0a935516552ed1015

SHA512
457c299ad52df991ad733874cb208e27d30b78c1b2de68c922b28d49fb32fe4e347670ba0a89cbbcb38b89a9254f9977bad550362169a712a86102edc9947743

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
5834cd66f5b691f39f21316957104c33

SHA1
8b72167914571ae9c615fcd8eda0f233bae87755

SHA256
97d198087c32d9443b7e1c3633279fd9e69ca5fd7ea4450ea4ac52172f790d6b

SHA512
96fe654c3fae4d9515bc54a24ee7274e9bd106773656ee829e6ebb5a9d5d22afc149dd0940e2410ce21ab2ab6bc985d39e90a6d4f9c8b8512b5b0c9fcd029c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
8496073c9ee4455fce483076d75d442a

SHA1
5812af391790a20f003c128a5e2c7b49859ac71b

SHA256
b2b4f6b4025d36103b75ac543773786c2e397d3b4f1af5ecb4dbeb8c9dd19a2e

SHA512
3df7f9b55757b49d51fcb28548404bbcdb8387dd8c094a1de98d3ea9b4726dc2bdaeb0e370030353e056c1fe7f3f43e593f8d4e6823376a11bc49774b34d3e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
73e7f8be1e69ae804af8d60fb8f17c40

SHA1
b0a50b032dbd594e6dcd209d700113f71bdef944

SHA256
b58dd9aaee97283a86441e1da6935f9f5effff245b2d0025f552f4e7c68f82e2

SHA512
05d75bd1e6e5223dd01fe03c611dc1902b97c4ee76b19d394250e5839e127f3aa02b7ec6d4fff98b9f5e6c1ff48680e382a0b281ac21abdb71b29e062688d100

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\[email protected]\install.rdf

Filesize
677B

MD5
7ea4b7eb66396380293619df3246d74a

SHA1
a7770bebede5a82e1343379420329913acfa9b17

SHA256
2cdd8ef343e8454ae51d04a0b76dade5cf18a147e6bdc163257253d51c9daeb6

SHA512
6282f440d6ec4d1f68ce30cf8ed4d012abe6a9cb49d6c403d6bbab4fa41808439c888b6788dec0852b9d715df752603fb004c9b70c660f501d3a550fbf418979

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\background.html

Filesize
5KB

MD5
ba5d6cd2cc461188fb9fed685f196db1

SHA1
f741670d2abda56f61e3fa6cee06400a943a0929

SHA256
04ec6c0953cd6bf896c27ec120b3ea18e31041281b473fbaf3706de55bda49b3

SHA512
955b67867159874fb60a15450f6f92a1b095fd0a8f8322c9dfb203486b1e9631d65143ac812f9e447aa455cabeac5bb8104769d17068e6c7521babe3a3a798f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\bhoclass.dll

Filesize
521KB

MD5
489fc1a1f5dce2adc842b4a68e67f0cb

SHA1
e73fb5755f4bc109e08f4c3c286438a0dbd02084

SHA256
24833c00ddea6a060d5b398c5667c200cb957e37269d1fc90b6b1eb5e3130f7a

SHA512
ba3d7773466d0ed856afa09c76b9266f4454e268bc2f67ccf903a85fe4986b9886d5a1210aa1c561da3bf69956ffe5a1357154f637ed952b73060f794b215104

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\content.js

Filesize
385B

MD5
024402c9b5ac2c9813e7d8293baf8c7e

SHA1
1f0b838048be3a8636139cdf1fb426f3922e5df9

SHA256
7ff5672cd7782997d4fbd4cecefe866b36ecfdbd0b07e5fb317a7d4353fd026d

SHA512
f15ab5215bb953a4585646e56b09275657491755b7c51ba370b1ec099b0b907cfb5149fc8dcae7d83f7bc6d30af9a0df97ca0f071ffd77a23d0ce930f4aa31a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\kmghfkdgcekeapjcpkndndbajekpbiga.crx

Filesize
37KB

MD5
acfb4a984a3d1eb2edaaafee3628ea3e

SHA1
fe0e999c56961ae9acf0acbd0efb2eb5a90a0dc1

SHA256
a93c5f6450e19a92b1cbc60d607ba3b61f9573f975535cbcac730931135baa6d

SHA512
4ba8917d45fc4a48f6e589fb96cdd8bbfc3bc9fc71e0ca3ec48eeb060441cb77f4718910eb2201bfa42fca84cf8585bc89434ab2eda13248d139d98f10aa1e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS1036.tmp\settings.ini

Filesize
599B

MD5
838789aa573771b6e1dc6e25ea6d4b4b

SHA1
c83d0b601e5712c6498770ee507322815a5ad262

SHA256
f516a90251223caa0f48aa92e38fe05e87b0614d8c36f6feb5859a6ea6932769

SHA512
c2decd742696cdef80f2280605911ca4082b0bf9518e1c48c13089e7522f6e7805e559d70e9a7b4f62270d18ddc76867391df838c8f12d2346fe52ab652192ca

Download Submit
\Users\Admin\AppData\Local\Temp\7zS1036.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads