cf9ed7e1103d893382780404ba6d41b9fbf230052940abb4bfd3ac7d733824e4

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87dac88409ceedd67359ab7a541a3d29_JaffaCakes118.exe
Size

313KB
MD5

87dac88409ceedd67359ab7a541a3d29
SHA1

f30fbb5e4f576619366971f00ac9688bda021e61
SHA256

cf9ed7e1103d893382780404ba6d41b9fbf230052940abb4bfd3ac7d733824e4
SHA512

603bf5da964586fcaa9c22b7a78b14a9393bcba249798eddc2ac17cc4c119a92c3c19ce5bfafd78ed06d735900e4b4399a28d2ef69989b586413478c7ee8daed
SSDEEP

6144:91OgDPdkBAFZWjadD4sOOyp0w4fGpQNx7JBMNbG/H/4:91OgLdanPlpQNxFBMNSX4

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1352	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1352	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\ = "TheBflix"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87dac88409ceedd67359ab7a541a3d29_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023491-31.dat	nsis_installer_1
behavioral2/files/0x0007000000023491-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234ab-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234ab-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\TheBflix"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\ProgID\ = "bhoclass.bho.5.2"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.5.2"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "TheBflix"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\ = "TheBflix Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\ = "TheBflix"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2\CLSID\ = "{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\InprocServer32\ = "C:\\ProgramData\\TheBflix\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.5.2	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 1352	4604	87dac88409ceedd67359ab7a541a3d29_JaffaCakes118.exe	85
PID 4604 wrote to memory of 1352	4604	87dac88409ceedd67359ab7a541a3d29_JaffaCakes118.exe	85
PID 4604 wrote to memory of 1352	4604	87dac88409ceedd67359ab7a541a3d29_JaffaCakes118.exe	85

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{56A7C9CA-1470-F9BC-E1FC-95104FE6F8EC} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\87dac88409ceedd67359ab7a541a3d29_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87dac88409ceedd67359ab7a541a3d29_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TheBflix\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
b8009fc9a869dd1be7b0f57959bb237d

SHA1
82e64751a4bbb0d4992144411adfeaac05101476

SHA256
b3c61f66bbaafbe6641f7c66f37e71d6c680fefebe04e4abdd14c81c3c9493e9

SHA512
a9937d48b2eeaeb550b4eb7da625db588c6398bb6632c3fcfad14b3702739ec02d8b24a9ee24d0650b9d9cd846f2dd349498707242516f81ccb76ca7417b1ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
4385e32cea52afc6683c90dadb760a10

SHA1
1234ea7dcfa5262404ae7262c233ffa5bf4d2c49

SHA256
9eb455374aa90d68fb34f4d91cd7be2b9ac52d1f34a8afaa3d5944479643b73f

SHA512
dcd1724868d330d22f7e15508e07e6bc1111745baa77a72b9986caeb7fc18a48023c54f9184c4e3ebcbad3c82f2816be23d2102bd9d94be7eb73345ebd4a7ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
2f2c5d7c525501d68845a66add2c158e

SHA1
3e9d4435665ab78af9a71d2586bcc526c1219a0a

SHA256
243db57756278159b8139a3b3bf168d2c5250e71e3e0e67d441b6c693b71b7bd

SHA512
3497425f66a0830ffdd11230317e50e6a5a650f86c6d12620960413d868d07e00c7cbc67ea889689097d83c4d4a9004b7ceac210b8463d5c16051ac666f2ceef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
d63b5d45820b61cfb52df63adafc0097

SHA1
f86e9095052cdaf0f73e3b0051542b5a175ed000

SHA256
63be097b433f7c254748fc4efbd4ca1c38af4c503c32eaa8bcd1c00d03a55fe3

SHA512
caa4c98dbb0c24188a73c5fcbadab23a588a5a652c8193a456cb6c814d7f6fa72d84682c20d93391c371d1b007796940273ace795f4b1746929f4c65eda89643

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
972a0974a1957ec101c68aa32e05e502

SHA1
dd1162f29ab660e094166e8f219a29108b961476

SHA256
b290276cb08375a794833f5589aa90c8448e943f467a8c0ee545fe8d91c03ce5

SHA512
7d94cce148f087f7bd46acd9153ed3f7a647d49b8dcbfa143f71d2ac60f770e8682fdfbf1a57d7bdaa66fe40d0ae165d2123e54d70432e109684549e01b6ad7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
26ad74a7fbb8121afb52a33516a7eb9c

SHA1
395ae572d324b7698ca065e7f98c0a178d961b34

SHA256
7bfc6d2573ad720093a083a114db855975ad2cda91c3f6bf62d31b5178f8c538

SHA512
b76554fa99b61a2628a66f0d692325e19b6423f15d411956d71ed9cf2d453517285ca0415902799698cbb8f9be9492da5d781bd29d7a5c6eff955d5630a89b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
5f6f0689dffa811620baaa27d962d4a9

SHA1
3525876586608056be10392195176526abdf3988

SHA256
2570fb70e81bb9706bdc03a5e067142151fd203c2357dfa5d310e4179cda4463

SHA512
1a6d8bfe0d71f07b697cc6805a60db1ff34c734ea41053e3bb7230dfce048be3ce7c8964bb4598bf9ac4ca2b77f3e4bc074ef7e57fe504fae67d0ba53348570c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\[email protected]\install.rdf

Filesize
694B

MD5
ab345be76e33b949a699df4916cb2416

SHA1
59234a8e92c6a42caef7796f6e8d436a121564b3

SHA256
86d659a144c0baca1a6f2a148423247635f86aac6beed325b942bc7e038236b7

SHA512
05cf8f37e4e8c948bb8f99c04ce8aad7f48e648b5c6a59543ef4e155b5f66dfbd7d6f8a4c9eedfd50d0c5fa291ae5ba3210fd7fb23dcc97b9f73072ffd08b733

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\background.html

Filesize
5KB

MD5
fd719857d8ed233216ab67c63ae61f4e

SHA1
2a6e7b3eb8f166eb104c78c4f021ab4df8d93a00

SHA256
d4b83e15737993ce1134f96381854ad5d1cf8c0f3ee62d3004a6e2494d5ccafd

SHA512
df557e62d7633141344fe85653300c70c0ed563c37d0f31bb05276fa34b703de291558add79dffad70016dd0a14cc0637efec8640a0bcdec2bfd5107567e300c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\content.js

Filesize
395B

MD5
247d1846fea12a2cb3cd1b47481704b7

SHA1
aca91dc1e6335cc363fe9ecda5601733e2cf935a

SHA256
f95085c83151f46fd628ee59b1d0e202dfcd2436577b3a6c727aaace81f10b11

SHA512
889151c359a20a4b1506267a02ef4590215d149bb2c409ba2465cd54339f2810e3007081a713d808a29d69f9432c1f9cedaabc5abc900b73165e2e6caca88bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\fjhbpdlnpbnjkclkalnfllanhmchcebo.crx

Filesize
37KB

MD5
173dcb5caafdf680e618bf4be7495a9c

SHA1
a5860216d6b2c1ba4622b9f4de2084152fdcae6f

SHA256
abbae2e73aa7b893c31d2a3ab7ca62b160e09ea652289685288d0972fc965b97

SHA512
2a565979665cc99cc803a654092a8c73de2602e7bf93235da4de8e3b110a29cf8fd12e65b7e0e849e10e7b1686b86b88e1aa8dd3c076d5a57c5d27b3eee129ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\settings.ini

Filesize
599B

MD5
048037f6fa50bf2d2cedf8b86905bb0e

SHA1
45ddcfe852553be101bc11b6d9f6fbb036c30969

SHA256
4f5802434929c94154d097a001b37f6e8d9d0ea1552f2cec6064a150974d1efe

SHA512
c31dc8207ac73b3f50e7392fe328c5d180879923ff486bba934a93d84407b12ffb1b2a559810bb9c4e80682dcc55414dbc0ea14157ffb1ab40a9f66c5c5ce523

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC4B7.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads