282e11acf13460c40f7cf480f62d48fe98965edbeabfc424f0d32136941758c2

Analysis

max time kernel
142s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61f1e6c3581a9497d9569fe091dc0900_JaffaCakes118.exe
Size

313KB
MD5

61f1e6c3581a9497d9569fe091dc0900
SHA1

01b4c9ab2cdacbf602236db29a5707c3cad990c5
SHA256

282e11acf13460c40f7cf480f62d48fe98965edbeabfc424f0d32136941758c2
SHA512

66408310979db9bb02dc70afac5817e8f92a56d60f4484f0aefab00d994363afb5eb1bd3fe5e998e464bd78da0bc0c32013a15dc0e1dc577b6bc34ae79e079df
SSDEEP

6144:91OgDPdkBAFZWjadD4sSeyYxNH1ofOWtDxxMhpBqRu3E6+u9t:91OgLda9eyKLo3NxxMlx06bt

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
60	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
60	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023495-31.dat	nsis_installer_1
behavioral2/files/0x0007000000023495-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234ae-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234ae-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\ = "wxDfast Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 60	3424	61f1e6c3581a9497d9569fe091dc0900_JaffaCakes118.exe	84
PID 3424 wrote to memory of 60	3424	61f1e6c3581a9497d9569fe091dc0900_JaffaCakes118.exe	84
PID 3424 wrote to memory of 60	3424	61f1e6c3581a9497d9569fe091dc0900_JaffaCakes118.exe	84

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{6CBE3BF7-DC7F-B16C-3C40-C0D7D8C6FEC8} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\61f1e6c3581a9497d9569fe091dc0900_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61f1e6c3581a9497d9569fe091dc0900_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  - System policy modification
  PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
1be648b4b63dd73efe481070d2b9f290

SHA1
491d1b15c2f2694da38544fc0b1a8aa24af9d67a

SHA256
0d592bb6fefa40a889fb47fc8839b9efaac9f062d8eb86a5db737d156f0c5a0c

SHA512
9c3ddeb9b21309d87869a2bfcd660b6be036617097de476e6f0e15032f87833f930b648d062e345c8955e84df375788068b089fbe43c9d7b8221aa20c2e66705

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
1c2bb79438de86efe19750081bfe4cad

SHA1
8d56ddb3511f6dde5a98b1b2460538d815210830

SHA256
6f2e710c6c72e2bace0c7b5f3124528eaa20f7b1fde4b27a6211cb36c08586db

SHA512
311c9f9f848c08bb69894930370df806daf7c010479d606eeb518acb3ae1f4e9e1cd29a2858a6d808cf6c326892a641d808189dcde460c8ba19a8e790244704d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
af65b3150d798ff1bdb7bea04a197968

SHA1
c32aa846c7a54900270d6cb89de4737cb489d8b8

SHA256
4c24a31dd64bf0aa80e67e3ccfb588cfa66ab7c5046d9ba68aa4ee5563e54a00

SHA512
ae4d5f1870bee9630f0e1f3a578bbcae4445b1510d8c2c0ecff2c0ed40f225a7203cd48c827ae7c39c25b70bb8520de2791506c88caaa226f10e6ad44866a338

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
d3e490a35ec41bb6096c55a06833165b

SHA1
e0110c879829b20584a0d73fdb056e66dfddd412

SHA256
27c27dea84129116c76c8017d46d9f1e1a3d329bb3a947545aef320467cc6b8b

SHA512
87de37f3e65221f4880d5a2602d92e979c1750914b50ddef50b98e4a1d1a7d0dde8b0ed565bee4bc11be76b1ef0aaac90c02d4d0fc2ee5dc9857be9bd50441f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
2153d02a6c961fca1a3060a4955cea1d

SHA1
38cd07ddaf1d79732db24b6ab22e6a75de4aebed

SHA256
20be4f8db876ae62290ca1bd3c23b28c6f7223348475e09c0c0ab1327c0754f4

SHA512
6b1549645bf2b1508e9da19dd961b3155d7838f872131a83a4c047057606dd6a62f5354defea2be7d32217eba89da2aa01cb772ff38c43ced3cc8731dbd1822f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
2e11bc7e0abe6d3c5971bf6447fce474

SHA1
e5b451eb610f87cb6fbd6b3dadc47085c966e4d6

SHA256
81e332ede4c58e86203e293d89b3a2cbf855f84ceb11961624b34bbd9dc584ca

SHA512
faaa1321096abf427d7ecdcd493d143f6263282b6b0b26b77580efcbb75a9c60d4a5c65f07c3e83e5b3cbdc15cb5b6af39c2517b661eaa4bc2fe17108bd462c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
61cfe28f743b424b7b92487436ef555e

SHA1
26a6a62d4f1b0c6f422595e9a18e4c6a3384c154

SHA256
16f856eac3deae247014d2f46de4c4252feb79c3355bbc4f88b57b16643128c9

SHA512
4c00617e7529454cee18d101024db09e094759a8f8e8467d685e5067a4dd98f200410a955fe1a8055c33c534a802b874de3b6a921195fcbb5ce58fd89b1fff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\[email protected]\install.rdf

Filesize
677B

MD5
48ffb93f54fc7971a438c9d2d5974697

SHA1
f429457b2e80538af02a90e5895429c0ce8223fe

SHA256
3daddea1b6c6c8b4c7258dcacac45c9f7197823de818195efdd66c877601fbe6

SHA512
64270d8a111ad9c8ccea0908f92f50978f588edc3b34b735ec8345a044cadc49e2b1beba894e4a1dbf9cfe5af9200da2b2fb1b4fccfd3c18f0434efc43bb02aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\background.html

Filesize
4KB

MD5
4772e972ab21a91441f3602e46245ee9

SHA1
f830545bf2a7c12c56253de5b5abcb8048c9cf7a

SHA256
d9491a07101f843f3c2d9557e199ed9713558fa504fdb0439630d663d47a66c2

SHA512
413d523794687f386ca64a635c2dc6660e1cfd6c6e7c7b958deba27fb8484275df4170ab712d3ce61af9a988db9254c5ac9bcb48de4432c72ebba29eb5d04d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\content.js

Filesize
386B

MD5
2505f62682af7ce55d64622bab009b82

SHA1
166cee38ab415f398f916a245bfc5fdfe932fd0d

SHA256
fe6d73012db7e35a840e5cc4087886f8c9df9b03983c0d7498c1a4d4a9fe6811

SHA512
90ced13b6f7c2596a13e289dc712da373c5355903de2e176555e07f2df353fe8f4a534086b997788945e4757ed8f1e72d4e777a0337c91a95b3925a14226dd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\ondmnlfeaojblpnlcjjgepfpolgegjmf.crx

Filesize
37KB

MD5
54477680e4d75a554464993c83ad80ba

SHA1
06707c1763cbec687679b4fdf247abad7cf77d38

SHA256
ab3354582c1e04300d1697f5f58e82ac8d8bf339e1bf2770309cc24e88d28b81

SHA512
9cb73980f12719e35a88f044a299124cb4bb21829c181189a33771fb1560fc089463878cac3151bd272b21ad845d4d8b7f4c11226867f4f237f83e658841fd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\settings.ini

Filesize
599B

MD5
375745c05a48209d3e0f0848cd8ce7a2

SHA1
a30217517c8baec56cc03482c4314c8dd5439147

SHA256
ad65cf9ae8ce8cb2a5d1a2052eacbd36d22d56de83c661270b038fb417c9268c

SHA512
e1effb4468c884000856922c2d50c45b0fc7c2ec3358e423991e97fd5cf993819cfbf02897b0c7e4a38e3a36a6a58fdc5d803e40434586d00cc163d206c8c114

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9DC6.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads