5bcecf25f19b35ee9d84e32f9ada58120ea341631d7d93b95d4a77ace705324b

Analysis

max time kernel
140s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

438df52e9f0c62e640f6e43573aeb8be_JaffaCakes118.exe
Size

313KB
MD5

438df52e9f0c62e640f6e43573aeb8be
SHA1

401462c094f402102e35766914e4b5888509443c
SHA256

5bcecf25f19b35ee9d84e32f9ada58120ea341631d7d93b95d4a77ace705324b
SHA512

6d69af7fa2514582e1ae0c72d0e26ef33665ee025de74675c3d0e55914ae552cc4d708a996c3b7c4bcf0478fc54777ca1fa99a4874b2e503fe5c388164298c4c
SSDEEP

6144:91OgDPdkBAFZWjadD4s39PaqxoY6Hw2ZP:91OgLda0wg2ZP

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1032	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1032	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7117D3CA-7CC0-1D53-F048-182977477CBB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7117D3CA-7CC0-1D53-F048-182977477CBB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7117D3CA-7CC0-1D53-F048-182977477CBB}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7117D3CA-7CC0-1D53-F048-182977477CBB}\NoExplorer = "1"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023427-31.dat	nsis_installer_1
behavioral2/files/0x0007000000023427-31.dat	nsis_installer_2
behavioral2/files/0x0007000000023441-100.dat	nsis_installer_1
behavioral2/files/0x0007000000023441-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\ = "wxDfast Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{7117D3CA-7CC0-1D53-F048-182977477CBB}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{7117D3CA-7CC0-1D53-F048-182977477CBB}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 1032	3636	438df52e9f0c62e640f6e43573aeb8be_JaffaCakes118.exe	83
PID 3636 wrote to memory of 1032	3636	438df52e9f0c62e640f6e43573aeb8be_JaffaCakes118.exe	83
PID 3636 wrote to memory of 1032	3636	438df52e9f0c62e640f6e43573aeb8be_JaffaCakes118.exe	83

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{7117D3CA-7CC0-1D53-F048-182977477CBB} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\438df52e9f0c62e640f6e43573aeb8be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\438df52e9f0c62e640f6e43573aeb8be_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
e179def3adc1698e10db4f5c070bb620

SHA1
73d740731745c747d125329794b9635ae4070e50

SHA256
59f1cc65dcb5036626b9a3e037cbbc8b509874b0600a55a7d9615ccd40ded633

SHA512
43d029b70033916f6dbb507840070cee396d5bf576b18e82e37563b3878690c031a9cc46ac98f227179616210e9efe78abcfeba6a3cbc409b975a0f4d33fb98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
a8cd6309d1a279629a6b8cc853d5dc04

SHA1
ddd4b2cca840f7c8ae54c0e6d33e366896e73cae

SHA256
32f2ef5869952877d256964c460f2f704c021bdb1b835ce678b917dd59a0a09a

SHA512
2e3042411582f3d0b8e511896b2aea270bea15cdc3dd31f0108704c6b349d85ec9ce2967dcdf2c4460d000c5294709c23b66b2b0bcf38e3578082319e9c5b29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
e1294b1ddce471b3c3b0f91483aa03ed

SHA1
739026f6693194a550b5e82d993409d86a391b6d

SHA256
9b044ee624f9afdc4a623f1e6601b38d0785733958de149f256778009b15d54c

SHA512
7a4b4910fc58c4da8b10ebe2283d92705b86737d672f67491633b45769921c68e91bef7455047d2f0406249d0021111a6efd7fc746b8426754a14ecdf3a70838

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
aa7325587309de633ab463b2d14126ed

SHA1
de437221bfa64ad9453b4e1e8d4e240e2dc420b1

SHA256
ea755f592dffa30ae7149ff03734a1a3984f6de89966e76a5f7772883f4787af

SHA512
4ea77e87ae397d7105907971a09e218de1526c9745f299e1d4ec7d4c34452b1330ca6cf2089e3ebe1e9cc0e8b8e5b74862eef0fea092fb8a357caa9f80800c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
f128e8b370200b754b8dcd6e5a6cd984

SHA1
7c1eb03f28dbe14d55d5815bd9680a935de4ab55

SHA256
78e3952f670f3ebad9391453cc04043e5a01182d4dbc6b21ea662f620e165d34

SHA512
e4c8d4915ecb28fc899b18cf74211eb5d517b80aa283cf6e38b175d244b901c1f7393d714dace0a4fb5bef086120a1adcbdbe2b64bdbff86db09b26d2b9e9a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
1eeaaadfb0a73f2512f829b543b5f384

SHA1
165e42e063b7795dd53e39bf6cdbfc2fdce00bb7

SHA256
72827aa76f76175043f35219c03e6851aa4e5ea4e87ec0c270c802a151b22cd8

SHA512
ec7dd473b34999750155a687e25001c0c48b356dd7fd0743416b6b84ed7047365547e08ab3c99c428ba8d57e85a17892143671697aed02e94449412ce13ac618

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
3c759be9ac10f70b973b4883f31cf77e

SHA1
53456fe339632c191a7183313cb284e20eede863

SHA256
aead8038d90fe92ded3549fce315277c8d98519070430ce99de7104a892488e3

SHA512
d99f4d273b7864150cb83ee1643fb221d4907a6a798797db2f3e5ae45bae42387f224b7809eff18cbf19a9dc817a5487090f894ea25fe9c07c4c841ce433dc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\[email protected]\install.rdf

Filesize
677B

MD5
e8e31bd9bf4cb1175c2b29489ec13b0a

SHA1
97166f262e2b2f51d11b502e0639a89a7d8fe644

SHA256
02d6025b6470325d66daa24053a4b6e70af6a649daf63c34b524b8de37760bfb

SHA512
261925484cae1482b48753a51d3b61287a69a508a001a9e4b328d406a94800c0a423125e7a6c8769aa680c92f468608e6de9b03c5653a0d60f94366aa3e614f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\background.html

Filesize
4KB

MD5
0cd5d8562f2592c1c91121370ad05d83

SHA1
076a6198565085711c239a3aea5402829959ebae

SHA256
6ad8757f67f2332080d01d3013ea5659d1e063762bd21edc511ee454d149f62a

SHA512
da629c71f5bc517f4716071e2dd76578d4fc30337174cbe4524c8fa0babe8a7abca3ef051a7403e198de8394adb841a212d90065bfd2c957fd9539c47a57aa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\content.js

Filesize
385B

MD5
e5f6e3036a1823858c56688645578c3d

SHA1
41350e7bfb9beeed6446a9641536f9bccb35d581

SHA256
3a60704218d0596690017a34e7dc068cdbdcb62ef48937d26188185fad53360b

SHA512
9256c29395e51fbbfa7d7c821c903beff5b3f59da6a779dc22be67ce2d8fa53b023d1e51315cb82bdc0811e9c034f18f9090e308980a2bb9a5b2dd3aa2bb8349

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\kdgbkdkpkfcaddncebfaffnfbildkgdf.crx

Filesize
37KB

MD5
1a7d8f319cbcef55d3b0d4161fba40da

SHA1
ee60d20cb0184e9c66d102db26e58a2567f1a688

SHA256
f8cfc9c0ae14cf2b0f0ba95a0d3a12b1795e690e45824e26c31d532dca88f604

SHA512
730ab3e80fecb37f241fd66fa8a492451c950f2d523990a14adcaa56a82e070fb02f24042b709d048c81d0867ed0cde9ff7f2b23185b901b7b5e3bec6cdcd04f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\settings.ini

Filesize
599B

MD5
06d4255afa7d017e20f5637268f0030d

SHA1
5d454b476825c0d9d671342e26a4cbc718b35039

SHA256
eb22070a308614032505c274fd77f2ffe6455e42317635ccd0372739821f6dcb

SHA512
dc6ec155aafd089c074855c6b5666b81cc876b0df4509d3a12767ba660454da42237b00cf14675a25334be8ec5f517822b47c136665fa1fbb1000950481a2e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7CF0.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads