1c27e0c57f1cc8ab0c157b6226cd58a6529569fbb37d64cca7a6839d8999a0f0

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b364bbcec480ce18d9dce05ee40fcab6_JaffaCakes118.exe
Size

315KB
MD5

b364bbcec480ce18d9dce05ee40fcab6
SHA1

8b0cb78c486b8f2289de3d4dac9ed52d8615cb0b
SHA256

1c27e0c57f1cc8ab0c157b6226cd58a6529569fbb37d64cca7a6839d8999a0f0
SHA512

0ec9ddd45b5b7c38f03ff38dc498969864e0268fcd3c4a1121c66c43017db8580348f9c78583b354122897a59564d78c06c7c2577241626b5d06c807e46f00de
SSDEEP

6144:91OgDPdkBAFZWjadD4sBzPiPQOkXcMKtKrjvbe3nJq3AI8+DqX4Bzb:91OgLdaEzP8QlsbtKfTe5qc+DqXWzb

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1856	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
1856	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBF48481-F6CE-6150-62C5-90A064224CDB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBF48481-F6CE-6150-62C5-90A064224CDB}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBF48481-F6CE-6150-62C5-90A064224CDB}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBF48481-F6CE-6150-62C5-90A064224CDB}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b364bbcec480ce18d9dce05ee40fcab6_JaffaCakes118.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234ac-31.dat	nsis_installer_1
behavioral2/files/0x00070000000234ac-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234c5-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234c5-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{BBF48481-F6CE-6150-62C5-90A064224CDB}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\ = "wxDfast Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{BBF48481-F6CE-6150-62C5-90A064224CDB}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 1856	556	b364bbcec480ce18d9dce05ee40fcab6_JaffaCakes118.exe	86
PID 556 wrote to memory of 1856	556	b364bbcec480ce18d9dce05ee40fcab6_JaffaCakes118.exe	86
PID 556 wrote to memory of 1856	556	b364bbcec480ce18d9dce05ee40fcab6_JaffaCakes118.exe	86

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{BBF48481-F6CE-6150-62C5-90A064224CDB} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\b364bbcec480ce18d9dce05ee40fcab6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b364bbcec480ce18d9dce05ee40fcab6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
052a9051947b3ea68a0891fd5f0a051d

SHA1
6b00e22d4c738bbf5a60780e4daa79a03a4d94b7

SHA256
13c266246d0d722f2a6a26e9b0a764f8f38bc534b434158134a24f660b65aaa0

SHA512
c9906ae0227996fb01f6ab19a85f433117fe480885ac39d3a57c811f62875b1bc511bfc06b6bf857cc1257193dc0e6f4f4e5fdb56d99829514c50dae945fb139

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
4436ddfeb7188e86dd02495ba50ee5b0

SHA1
6f76b788d000b403be4da5f76d21e24eebf06987

SHA256
e33956fce3eb10d16e83718f99a5da19b78fe82b5591878e1d1c2bc02ca48458

SHA512
858d67e4ac9b573a5d1beba0d87a2345e52a227b843baa0e1d30677b0f0e5e9bd4b9c9bfc49dc5320154a20bd9a07c593a4a5901120c78e16e54dcead741d949

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
62814282af83da5938946ec7eff199c8

SHA1
975e77e8ed4ec04ce4227290c75d9926abeed0a9

SHA256
8939a53358761920640d0cf9c033d72c0e9360cc0841b85ca4c0fb99c5dd858a

SHA512
89acfd7ccdcdbc9ebc6118a3506b19fbff16a06f80ef3ffde636511e7e7cbaacce8e4c93d9181709430d15d3e78d13365864f407711539def6547c3372e67ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
0d09e390f170de0d0cdba8d5dd0d8f7c

SHA1
300594b9723885f199ca353d1794de1c05f2424e

SHA256
9465849c6db579fa035d89874bc9063656b4880c143fe8ba837c7bffa3a9403b

SHA512
ecacbc6704e99399c2aaeec7c1a4f4bb6fb662b52401711a5fe54468705e87e904f85433a53f04cd997f5e4471df6c51a33e8fe4b0110a288441b5f8f1c7aa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
0fbcc007fbea48d2eab513c52933a8a8

SHA1
f79571934d6cc69b24662c12e31ab2f6b64edd6e

SHA256
f5d5eea1989de7377e200de4189bc017ded0ddecf4c6be59dbdc47e521d58be8

SHA512
6a6032251d3a3ba9a5b10b5e229b269ef676df21ce288404a4c0564729b6e251721bbe675ccc58b117647dc4a03f8e62f2518b8d8dd4717c96864aedd340781f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
62bf56ec6ad776f427aa09328c7af98b

SHA1
ecff31aff9a70a52c44d85b9c3546bd7dbc67b84

SHA256
0a739204419d56a6cf743389c294731f68b6c8e0a6792d33b91b1821e2bd3a1b

SHA512
f028041d2eee73ef9fe7b69b995bcaedf1985b049131c292c036e5babae266162b7ff61281aed68962263fc03b9f9b0148ba42c01ef4b0ea7385a158b1f2414b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
1081c4294a6348e93ea2f0b7b1c8661c

SHA1
a777f596339b123158272d7df5a6623038ca5446

SHA256
7fef9228f108685f1519c57b7f0534f8f88ccb4f57d24e6d2286587604756feb

SHA512
7791ae03382f6600b9f95f949cc416655dc778b42b6e921ae337362c329620ef414364d415fade9fd80ee3f803034689f7ac1940586700550be3e0e99e8a3913

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\[email protected]\install.rdf

Filesize
677B

MD5
96e60a646916fd8f543e21717008f387

SHA1
77a8676eb12d582f7738da362c1cda40193c3c0c

SHA256
6f987258edafb514aea990a469540432c13e0ebe93d743138c3616dd1f8ee9a6

SHA512
5251af760696cd7b3e0a263da8098080e8f2f0437347b5c50033bdb1205048e86849f2165e29751920cc324a758ca0de3d6298d7418f66c94851c904d21a5d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\background.html

Filesize
5KB

MD5
6f86b9e378206b8bbcacf75b5ef0478e

SHA1
5e6c4b44699cae82228953aacc88c529fb4a6778

SHA256
e627f7e0d8986901b872cbc619c7528e64b88eac8fd1568a0d86df69aa6a5dc0

SHA512
b81302afe2f29a73c18fecc6d436e1db46de5d1e4c26f4212599bcf1fe6e38cf339c321dfb05de5fc4738f3a7c0d36c1e67d27f21b18efef5b36f4e63455121d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\content.js

Filesize
389B

MD5
c3fff6033272857735bc1cc9b848bd76

SHA1
e74b57fff0b986ea9753f411bcd9534d59235715

SHA256
cb274fd8801c35481d9f670652902c86e598a2dd63d21ffcb18b0a877e8ac4b6

SHA512
3d713682f970fac3a3367f00f88ee93ebb8290ac24ef0654981da3756fa014bb7f43b6d70be4612f8210d74ecb9296519d608cba9c4efdcac71691dc42e99dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\faakfabchochndafekchcbbieajnfimk.crx

Filesize
37KB

MD5
db02f015fdab05b68b205ff589648a3c

SHA1
de3a12a5a7c29120f087fc320fb37534b8f31b64

SHA256
79f5026fbc1f789709af94c3375761890f123e71aa6d46177997ec062b83b1d2

SHA512
4e6732eb5c5536f78282f1b0c5d4b6b45c0bcc22c19db4e43b4d778af2d34e150d97f547ff169af54ded69478e62abeaf96523069ac4e0925301a6759bed9744

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\settings.ini

Filesize
603B

MD5
63bb6690c7afab4dd0953d7fad1e5c70

SHA1
2e96b7a6d54c998547043b2ea7f657c330fb0192

SHA256
409461559abf35b23845c4b0ac517d6163a9555f37ae6b6bdb553da3cc659cd5

SHA512
0cabb2790b5f07660ad6ccf88351e769b424eea88411ceec088bc4500778530b31ee517183102f66701988bf3e8d25d13bba3606351e1fb3387ad80e86048c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC5F0.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads