f038c84a688c7223f3a4855737be5e82064e6f3cdcf74fe676eac58be3e878cc

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfece8f4a2e4243e228f5a64012e60a2_JaffaCakes118.exe
Size

281KB
MD5

cfece8f4a2e4243e228f5a64012e60a2
SHA1

20d327f9bad756f6dbde1fe3e289466300b1003d
SHA256

f038c84a688c7223f3a4855737be5e82064e6f3cdcf74fe676eac58be3e878cc
SHA512

85d435e9ffe1e9f9ef551421e9506b9bf3de5bb1f92fbe35ac7b4bb0c6037ab9d70894967b4a47794e26d7dc1d91e0e759161644656d51743eb58dd0b8dc774b
SSDEEP

6144:91OgDPdkBAFZWjadD4s2VN9gx+2BMBsf2be5BT7tvPseaR:91OgLda9k+wGo2bgThvg

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5076	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
5076	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfece8f4a2e4243e228f5a64012e60a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234d1-31.dat	nsis_installer_1
behavioral2/files/0x00070000000234d1-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234ea-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234ea-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\ = "wxDfast Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 5076	3192	cfece8f4a2e4243e228f5a64012e60a2_JaffaCakes118.exe	85
PID 3192 wrote to memory of 5076	3192	cfece8f4a2e4243e228f5a64012e60a2_JaffaCakes118.exe	85
PID 3192 wrote to memory of 5076	3192	cfece8f4a2e4243e228f5a64012e60a2_JaffaCakes118.exe	85

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9A9F0276-5559-F3F0-A9B5-5FD5BCB63AD6} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\cfece8f4a2e4243e228f5a64012e60a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfece8f4a2e4243e228f5a64012e60a2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
814059aff4b2ad1d6fd9e90007069772

SHA1
fb664647bc0a5ab29b5a9966212027f1d6cbb7cd

SHA256
b563b2e7c3e67ab7026ee953b7d7398fb0bd5e341c419b09a7f803800ada3827

SHA512
6dc6cf0ae6d6f1b77f99752098adca868d214bd87215dad1e3d4aaa621c84ac973f871c94cbbe30b10496a2403f8cfa47ffb7a4db522003323b6eabd8efcf766

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
704d93952914dd49aee234e6dee83ec8

SHA1
5f58d76422bb98a1c4ca78b249ff619aa59dd14c

SHA256
0eb5524abcd1c5547be07c9262848c9278c583eee4a6b80a6ff3daf85c134955

SHA512
ca006c5d1131339d45946274c081714f97ab18ae4a05b865bc573519736c9201a4c7087267baf51ef29a4183575023e3dde4f7acb248f3d88bc59dd12be94117

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
9bbf55598335ff78719ffe798b22966a

SHA1
d4b943e4d4c5cc1b5c9425866a8ba72d5377bc5b

SHA256
2330734c78380bbf4287e851dfa167e03afcc2dcdc0449ab06c22a0297466701

SHA512
79d3d200e121eae571dc33d32c43d7a94d0e0970dd754a65f1bd7870da24e7e2d24543a64e48692c24fb3a0dec9e5b75976d0dfebb9dfd68173313d2c16a3752

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
15815cd0dc1b26e26bbdcb3ff34595cb

SHA1
484b4f80e208e50925d09dafc0c9a325b1db85d1

SHA256
f71074159c73829fc339f5f9d7db38ce3718b17e9fb28e831ec3fa86dec94a0c

SHA512
5fc6ae909f5a0e5baaf258507c969ff090777ab07df45756bb6baf7e04a82c0ad0496391d5488fd78f7c82a9761511456fcde26da7314b4f5e8740e0be5be2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
dbdc5db171caaa05b1a2a0901b95f021

SHA1
bdc908169244eaba64dcc7f401a7da3f2e8aa608

SHA256
fbb337e0502b7938975814a7337d1dda9c987057d112386a3063d49554bc6194

SHA512
0568c42ea6abebaa0a8e1e4b2e63953fc6fc2861c2d8988f737bbe65533bcd108de28030161916a4eb069c72a05fb742efdcc6f8ed638da6b4a7196c77587fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
554e01c7cf33d6ce104de1660f7311a6

SHA1
1798190ee24cb2dc63fb8381e6bb319c0b94c6ac

SHA256
39d0132f9c7a853da79484fe07ee9eb17e5efb3f79ec3c1e0f3d8b14f8b5128d

SHA512
63ec3deaca8dba421af4bbe8406707e3aacee1edff057c0e48dec0dcec6dd2c898e4855f0fbfac9db17f2a81f0d4386b764c6e439f2e7dd2994a08c42c3da55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
7ae268aec13cdf89d6ee157721940754

SHA1
ab3d9286d0441f2e7f65257bb55b5d8920b7e243

SHA256
7978eea8a8625cd934357247cf88ce289108e0e65af34b15b21176aeec7da307

SHA512
1276b771d710f0f3de6eea30e3fcdf33ee2a0c5731ec64bc08a3efb1f03209de2afc5a50a459f996551034691464ef87d294642f8ce69fa0836f941e54c66046

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\[email protected]\install.rdf

Filesize
677B

MD5
d2a9c4d42045d082985312c11ec234d0

SHA1
dc7b64ef9c4171b0bec43d241767c4d032f39be7

SHA256
8c909df1feba0085225459366bb0dca63887eebb5a61fe64b55185e4942611da

SHA512
5522fa2dd2ebeef97d466a5594b0c3b1c1944394b047bbbec7c9f53af5f80445c25509947249ddec0a8df140453167ef78d31e53d83922de900b70029c6a4ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\background.html

Filesize
5KB

MD5
6b9de963d78f86541a8d7fa5b641b340

SHA1
8551a0e5c31f9e10cdca19035e8ad755f638f76a

SHA256
77c90e3a497ce482817092ec6c46d976d468d944ce86a41d016ace6ba2f2ab46

SHA512
9a3281f9ba37795d70fcf89d9087b24bbc135361d049e90e7516c3c34e52bdddf674d626ad502819c6535f10219f4671f13c05c6b26b2d1722dc93671cfbe5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\content.js

Filesize
385B

MD5
38360e682c0db7869f98fbe4efc834cd

SHA1
659b275f4ac330b3ec7f5ea2f0e1cb130bad8729

SHA256
f9e7492030a54e6cdb5ea1a1fc0039974709ac540ca56009f943a0f1be2b5e47

SHA512
9c8fe44d2d564096231c68aa7acfdd430287024321a2973c8f5dd1f8745f93641aa6394853681685dac93c6f0f6d6fb5c26f86d0a6a069d67662ab2221b7c751

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\ikipfnfmpcdfkilkeakhacpaikpecphj.crx

Filesize
3KB

MD5
eea5cae9deae59cfb6b776a150b0c7fd

SHA1
a1374f806277fdeb7cb138e552f5738a80356075

SHA256
350680e4264fdf92b50f5e4b000fc599a9e7341748ca7c3e5570551c13fa17f8

SHA512
5f04305e9eb5f44520389b72b6bff95a801970e064ca57fb341e372be524161705c28c5fd0b14a471adea36c1f08a6624d5f3d947533d39d25d2b8d84fa375be

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\settings.ini

Filesize
656B

MD5
53ced72930f178b133824a91a5ab654e

SHA1
621fe839f3ef9e6b711d1f257ab86f7ef876582d

SHA256
c65d8a998b4af9d2c65bdc9c44d137befdda08e15751d1a03ccaf8e753eea26f

SHA512
3a1461f00d3021952418cf7003496e7fcb458ce3aee32f19b149bb20d439efd7e24174c780e0b28557f1ff9387596318da3575c7b3783f699167374bb4fe4aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSB42D.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads