513f82aa2764aab872eb0d72d2228ac651cc964a26be4726bb3679591d2ed638

Analysis

max time kernel
138s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8728369662c31d6b151e9778cb952d20_JaffaCakes118.exe
Size

315KB
MD5

8728369662c31d6b151e9778cb952d20
SHA1

7c4c847ab947b97fdd7bd038c5f8314280921667
SHA256

513f82aa2764aab872eb0d72d2228ac651cc964a26be4726bb3679591d2ed638
SHA512

0a92aa2db613ebee85d757f3307a7dd6dce4456a3bd7988465498df8c2150d7bf4d45e694c63940f963422ce98e476a525910e03b854e76c2189fc7880117493
SSDEEP

6144:91OgDPdkBAFZWjadD4sMyCwuphHJ3WNQaXA7IBcF9A+82h7q5Wcw1:91OgLdavyxuHHJiQ7g09FlB1

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2240	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
2240	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{548349D1-8C20-8908-83E4-6858A2F7265D}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{548349D1-8C20-8908-83E4-6858A2F7265D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{548349D1-8C20-8908-83E4-6858A2F7265D}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{548349D1-8C20-8908-83E4-6858A2F7265D}\ = "Bcool"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8728369662c31d6b151e9778cb952d20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234a6-31.dat	nsis_installer_1
behavioral2/files/0x00070000000234a6-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234c0-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234c0-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\ = "Bcool Class"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{548349D1-8C20-8908-83E4-6858A2F7265D}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{548349D1-8C20-8908-83E4-6858A2F7265D}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D}\ProgID\ = "bhoclass.bho.1.0"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 2240	4788	8728369662c31d6b151e9778cb952d20_JaffaCakes118.exe	84
PID 4788 wrote to memory of 2240	4788	8728369662c31d6b151e9778cb952d20_JaffaCakes118.exe	84
PID 4788 wrote to memory of 2240	4788	8728369662c31d6b151e9778cb952d20_JaffaCakes118.exe	84

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{548349D1-8C20-8908-83E4-6858A2F7265D} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\8728369662c31d6b151e9778cb952d20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8728369662c31d6b151e9778cb952d20_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bcool\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
876ff00b6313e9f7b99e04f7404be0ab

SHA1
f561fc3374de35c5ac2644d7bc4bee3b9e488075

SHA256
e2c23d87da2672d3e22ef390e239ee2f3c56abd1a1e19667ba0b082fceb9845b

SHA512
5672ec9d39312d59045fe48a5fe0a5c4d033b7d9bbad8ce2ca9b21c7f569861512bc9e3e7b42754163005f29c5bf5ee70a76dd3f2201213aebc9eb17fcc22b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
b5893606d2278607a38ae26a976b3f91

SHA1
5cd29e3e0f10b120dcb6b0166c846460164ed774

SHA256
841bd3cf2c71d8ca3cb6ed17a4813a1bfaf6c77cac3e21d672845ba422dc76a5

SHA512
7744b4896253c7891d1ca8b382001068b8fd93abcbec2a5b7846465da52e6144311afc02888e72bde448f5855cd15831711668d42aae8682e6967828b9b9b514

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
aa7eefac846a2597275aadb70f11e04a

SHA1
9c16d530ccd8e6177ef107913d1026e9bde6b31a

SHA256
7252c79fde9a9c2ea4d0bdea2d7a087b126e67fb21b7988b380f84c913fb2f34

SHA512
f10e07562d5def33c1b3faf713433accfed0340d4004f9a3d17110cb65ab6bfdfb1adf26fa81759e26ef271c6e4fb3cf394cae13552bc73e45fe6f77171102fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
3e1656cbe58fefeefc152b59a3f8ca21

SHA1
8a02fd6ae6025c4e131ef9cecc31293a53c89c83

SHA256
61cb5547e16d94ffee7dc11743bd8140d1285446baba8a1c0ed8a654603d4cab

SHA512
c35d43c5638914e8e2473548fb9d3a05e65135722d701ed5dbc6f7cf6ff0249c1243003b750e05571564abab53a7009bf58e86d9d5192b0a21d2f4da3ef3adac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
232cf6e6dc043ee04f8e73b567d9f213

SHA1
c3db446e4a26d1d4b93998718011af8186192c2b

SHA256
0fdc0e276217be5b20a789e0d6a65222e796f17241f2970d4bc23c9e383f0001

SHA512
342fd4eecc720e412a31219dcdfff3311b9f4e1f719b143a5b6f00ca9f5626a0321f1bf3e8ccf6c491e16c3cb1452e4e1eda9eee1afbdda4679bc371416efa44

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
20257edee77251beb559d4dbf04953ba

SHA1
4199d03980b53db88a598f0248a731af4d5d867f

SHA256
6b05ee31e282d8c8faacec9fe5ec73929f363b82614310b599da8c7f87f3d29d

SHA512
20e9e78a911a2d46a1fdf5afb9709acf386e1e568fa8e0fb8846f1ed906713b2e689d93b73691a67dcb8a8c4adf5ef19d2b04fe5a5e73564bcdf181162f483c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
8fabc89789c1123c70ed08874e237f1f

SHA1
aef9a03ff00a077ac66e6151f2df95e3428a172f

SHA256
ff9c18184aca28018da68893208532f7ac62379e0296573f09daa36293e6ad4c

SHA512
29f982cb211d18e68037f2d068120f4a2bbf84dfd001364f450334aff2f7c062982a2574858f4fc87ca93e0e6b65d2b64a4ef48ba2d5c11ff7e5e27b2c3be231

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\[email protected]\install.rdf

Filesize
668B

MD5
f7dd0e45ab065f240ffb3ea2654da0ad

SHA1
2c9c57b73ad6d45bd9b12c68ad30feab039d0792

SHA256
0e723b9a4250d2a6e7b04ce39bb6a6b8c0a4dfb797c86e3d2053a3328c88e0a2

SHA512
d673a0bf9dfbde234cfdf925e1197f674f8910a538285f4983052bbd0074a3f50f535ea4b8b099066f6326c771d5b614f4664e3715dde469a9d3e9030dafae6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\background.html

Filesize
5KB

MD5
3614e8f871d38a3d7fb696f9234a3b2c

SHA1
8cb58aa4f2e772a2e93d89093372aef88d761dcb

SHA256
98ef2050ed630aa91a43283bfb7a68abb3c3f31d9084b368f4df798176d9f6c8

SHA512
24201055336289d3d3c32f3cde95ebd5f1e42888e869cf89277bc581ed5131f3ad21b46137bfb4de72843eaca414645954f7e367e9c4c77454b66a811e53371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\content.js

Filesize
386B

MD5
38400aa01cb74e4189cbf6c4d111e6f3

SHA1
f63fdc214713534c152151fab131023c76e77ab8

SHA256
12362d3c44e70c1124d23bdd542f87f28fbec892986e3fc7179c166b5ea0b991

SHA512
2f13ecee279425d70481c2e4b8e57f49303fe7f47b4e6d01c68a9e693606718ddb54d43226951d5494bb883a3411ca744b08bea555662bd828e941920f046b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\hgnmepngcgiklcpkdpcebhgdkoepgkon.crx

Filesize
37KB

MD5
77b4811588662642431fc14971f09457

SHA1
83426fded162b5cabbed86cef6934a16c67dcecb

SHA256
f6d3c5f9f92811441f2d3a0165a0b865ab004de4f07d307bf2973155a21dfcf7

SHA512
17454c88f52419cf34a335737ebd39fc9589a8576cbe6a8127cd00bc0923ddbbe9665302b8b88aa64d979071ebc9ffe4e6c361ab6cf127944ef90b23360171dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\settings.ini

Filesize
592B

MD5
8b75bf54da694308cec6890e0f40a86b

SHA1
b3229e48cd8c1fecc6502a9294262aae20da7ca2

SHA256
efd683862b6be81882b616b4d124409fe217bd7f2d766e276c72bf938f6d5352

SHA512
e4308c2a910e3791cab6fe2a71985fd0c2112b860bf8cdb1bd6983585af37162efd8d702df430e64a8c58073ead98f2024f9238d343fac0d9711666c1aac13f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7B79.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads