b24834a3a56c7d3e0e63504159f3dbcb26d91abe61225913f1400c4f5b7eedf2

Analysis

max time kernel
133s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 09:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c89441ecd70c5e22d22301ca3dd6da6b_JaffaCakes118.exe
Size

313KB
MD5

c89441ecd70c5e22d22301ca3dd6da6b
SHA1

bf438a02930799de22019153705360f89f37bde1
SHA256

b24834a3a56c7d3e0e63504159f3dbcb26d91abe61225913f1400c4f5b7eedf2
SHA512

eb646d1f65a97f310932e968fdee640faea242b51c125ce58ddd6eeb9c1e001290a8d9ba638156f628f88147f499a4e16a5488819dc25e7155540a4bc96e2768
SSDEEP

6144:91OgDPdkBAFZWjadD4szMPaBLiNrQ5J0ZVULnSsE2X8/FlHWp:91OgLdaWMiBCQ5Jj7SsECUm

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3020	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
3020	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9584C513-D3A5-1967-49B4-2A79882E721F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9584C513-D3A5-1967-49B4-2A79882E721F}\ = "ADDICT-THING"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9584C513-D3A5-1967-49B4-2A79882E721F}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9584C513-D3A5-1967-49B4-2A79882E721F}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c89441ecd70c5e22d22301ca3dd6da6b_JaffaCakes118.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234f5-31.dat	nsis_installer_1
behavioral2/files/0x00070000000234f5-31.dat	nsis_installer_2
behavioral2/files/0x000700000002350e-100.dat	nsis_installer_1
behavioral2/files/0x000700000002350e-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\ = "ADDICT-THING Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{9584C513-D3A5-1967-49B4-2A79882E721F}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{9584C513-D3A5-1967-49B4-2A79882E721F}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 3020	2828	c89441ecd70c5e22d22301ca3dd6da6b_JaffaCakes118.exe	84
PID 2828 wrote to memory of 3020	2828	c89441ecd70c5e22d22301ca3dd6da6b_JaffaCakes118.exe	84
PID 2828 wrote to memory of 3020	2828	c89441ecd70c5e22d22301ca3dd6da6b_JaffaCakes118.exe	84

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9584C513-D3A5-1967-49B4-2A79882E721F} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\c89441ecd70c5e22d22301ca3dd6da6b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c89441ecd70c5e22d22301ca3dd6da6b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ADDICT-THING\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
cd0f23e0b04106b11926082563270d48

SHA1
c2c876be2f2f9de8315f42bf6ba0a5e0810127e4

SHA256
96d730d8e9d7f6f74e9fb85c8513ee8339bea95e6d06b8f2abab5de0288b7da9

SHA512
2d02e58336ab53590787f1a48e6a3d59fc8ede66dfd9b6c46d000af3737284d58c61f9fc30a8581631369f664ecdc8d7546a0ad6167a5d9bd743edae0536f490

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
2972346c0d60a780a5ef82df8aee0034

SHA1
4813a0d3b6df2b12ca7e9472b2ebb27236c06a85

SHA256
b4417361251efea06cf279c61f08636c5732bad9ca492f5e7e0de8755c9d8b12

SHA512
d0983aa275a3b01a6f7f46c7cf80389512b5a58f945831290a487bf918c0364e5a976ff2653a2c9df09d0a025aa6d989ab9086e35df9d42e24f665b15b11d924

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
5cecc4182a6b2bce07f094e68c686fee

SHA1
9df1065ff686736d822077febcce935092691a12

SHA256
4c098af63061dc3e767ed2473ede3a44d8cc4306e6a0600341ae7fb7ecb58580

SHA512
0328f366eca8eb21fd3a5adcfffc4825668bd233228eec6a25dbee835e81d56077438caf030ac247c9de735dac6258942235bef5577a66c900481dd029e8d456

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
cb71a8b9fcc36763360fd7b8418c51a5

SHA1
00e0dab4a54ee1fd857efdc1368f5e54a6c28bb8

SHA256
4fe643e7f77e700d67989b2d1228ea9a78f63cf19ab3ddf6cc45ab0ca21cbc32

SHA512
8810248ecee693ab756ef4439e910a7f645b0ab02591677851a038617555b916a4f57ffd9ca7ef2a0ec21059566acde420c9bbe4ba3bf89875d8e9f1b1a6282f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
7fbdc3a46130b335a59a87fd2a842186

SHA1
81ed1815238eb37d3be132a86044064302bb98a8

SHA256
c447c405d3ff3c35fdf7d9932dd62980ddb9221c45d9940f2a68bf97b3da706e

SHA512
5cf175c20a25152003b6762267a2cd8f1d256804857e403380005a9f297172d485f5431c4bab104e13da0963b9b0d8622fdfbb675a166e3532dc4f1ae6c3a53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
2883b69542ddb95630f21c478cd89942

SHA1
08e30e2d84e4879d90686086c1363bc654710eb7

SHA256
b28d173ce9581850d79a1cee57b30cd1a7854447359f8db4a6663f81c651204b

SHA512
55a90611896b8551cbe02d4fc3ce3d5de9faac52c66b108ba6abc3ab04cbcc5f2e2a9617d9a0fa895dc4cda5ed7add7f728dd4234a457976a0295c15e6d855d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
1d55fee98fb20c451711b483b1c18411

SHA1
de0474acffa760f7b51213de8b09d215f31ace49

SHA256
9a7aeb45dc12c5d123b5d1af5775fad12e31e66ac74a9ed0dc82bf82a33a8c9d

SHA512
4de49ce015d595ed46c41137abb00a3fb8dbcc8d7316729edf78c991a1211ee598166520ca09e017ffbfb4ae9d8accf16caca8c062d5150dc1382de624fb1f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\[email protected]\install.rdf

Filesize
677B

MD5
cc74a65753f241a5a933d405470f2e84

SHA1
19a07d85abf11b198aadbca89e12c772550c4815

SHA256
57626188e02923d24768208a107a7337ec9a04ef01dfba9ecc8eabead99ed483

SHA512
99109c50210ba9a3c1082b4f38b8279aca2812db5243e13402be9927cd219d4c2997c048f191abdd4f95cd18eea56fb0fd0b9d0fcde84610634f2194ca5b045d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\background.html

Filesize
4KB

MD5
b184ccdd73c64f5e4e4c9ff0560dc4b5

SHA1
fb34da84a8d24f1174023b44755a3039de456743

SHA256
89c00f66915bf00e854310dcbaf966951a0b365919de6f7438d459db5afc740d

SHA512
25013449e9cc81ee5fd262d4b4d6c1c02f85747f96b679f7ea52752759f78fb68f184957a16e4046d366fecbbfcefc26ed0728f24639aeebb341103fdb1b0ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\content.js

Filesize
387B

MD5
689e93343cbc9ce86d70bebe4b1c5511

SHA1
feb1f356fb4b34f68bc225ecdac2e763ce714437

SHA256
892a5599aa41669101e41ac2510812c55af10180b9e6af7185a41a49349c65d5

SHA512
24478c321e3a2ae5d0d18c99e7657e44c9259a3d678b1b2d07aae7e54bbdb2bd674bb0e7172ff94af99bb594dde140aec64bd765832bfba9cd3b9836bb0152b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\nofkckbeehlnebncgkodpgpmemocpbgd.crx

Filesize
37KB

MD5
989db4a6b7a19327b29f1fc48fce1a69

SHA1
16b329807dde0ad686c4f23015b11d052ccb219d

SHA256
9b689f2885bb2c6f205415d0ed23e535c0f33fbdc58289dbf84f34fb7704c5df

SHA512
a9fb0afdc7e88c04c3b305bb267bcb624a4632bff720b16bb1cd1361fa185c7799ed3f8ec681d46f51dc3d5bd77c18e61d879e5493c3f2bac7e27e30f2aef924

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\settings.ini

Filesize
610B

MD5
b96909af6e19ed1cc66c2393d21132d3

SHA1
a9b1a744d89d60787025b002b3c0dbe057087606

SHA256
34aae19de0b878444446c488ffe393f2a779c661c3e70a35ac681121f4ea1c09

SHA512
6d1ef3a71f1ee0cf825118dc193e646e315425c0159d4d6b4cec88743aff8a6f0b8f88b3466ee57e7fa629310f5e1d0eeef8a2372c814ffaef631904f46f2940

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS950C.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads