a9d26c860fa8184cc3913e13455ae02849e231d446a74fec2c742b6355a31413

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5b64d6c222f5be06ee58e70abc41ca4_JaffaCakes118.exe
Size

313KB
MD5

a5b64d6c222f5be06ee58e70abc41ca4
SHA1

e16a17b33bb195586b06f9eecf222db6c5e61994
SHA256

a9d26c860fa8184cc3913e13455ae02849e231d446a74fec2c742b6355a31413
SHA512

b20bfeccec45402493bbdc4563af641bb7d691954ae2ca8891afc214fe694e0a545383ef2cf0d046111ad2c7583d7c6d5914c0d11228dc7e6950d0cb2eeb28a3
SSDEEP

6144:91OgDPdkBAFZWjadD4sRKB0//X37aDNan0+2UJW3Yxomsin46:91OgLdakXraAn92UJbw646

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
540	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
540	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\ = "Bcool"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5b64d6c222f5be06ee58e70abc41ca4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234d7-31.dat	nsis_installer_1
behavioral2/files/0x00070000000234d7-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234f0-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234f0-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{A315F7BF-5D15-F366-92C8-D2DE84F98D69}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{A315F7BF-5D15-F366-92C8-D2DE84F98D69}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\ = "Bcool Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\InprocServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 540	5104	a5b64d6c222f5be06ee58e70abc41ca4_JaffaCakes118.exe	84
PID 5104 wrote to memory of 540	5104	a5b64d6c222f5be06ee58e70abc41ca4_JaffaCakes118.exe	84
PID 5104 wrote to memory of 540	5104	a5b64d6c222f5be06ee58e70abc41ca4_JaffaCakes118.exe	84

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A315F7BF-5D15-F366-92C8-D2DE84F98D69} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe

C:\Users\Admin\AppData\Local\Temp\a5b64d6c222f5be06ee58e70abc41ca4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a5b64d6c222f5be06ee58e70abc41ca4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bcool\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
89a32f9c324c9d49f1026b852e4a728b

SHA1
880da43f47ccc651db24523d1d5af129165106ce

SHA256
50726dba11c5690f01caeeccb853fc1d44d09bdc012e4eac9c64abe3158a6625

SHA512
f932a02d33db9d8593b48307b7c5f7ffa7448742921d2ec5e8979ae79ccce0a888d00f0720f98dc47d71e0f33d21ed0b51606bc6fc3d9d221000b5ab0011e1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
13ddbf0018e0b77c455437ba0f9ef1b0

SHA1
cb639c2c7ae8534ab05a4adf7fda67b6a360ebfe

SHA256
54e1d7e8d25fe54d860ccd1a621ae3504be94c4ed7103cd66956d4469d17c853

SHA512
be7362b611c809b22db8b83d8fb244dd47133687c2cb137f7d5130aa5d8b3bf424e88801a8fdbabc05e4d77a160df3222b7d99bfd64470bf2ca4e2f5aa75ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
e95857e767b48467b95f569e3591e46c

SHA1
7aeff0e14b9dc036b3df834fb5832fa246be1e74

SHA256
1fb2f01c95e458fdff64aa67bc9997dd6505281b2d7c765fc27931049bf988c2

SHA512
4d47d97d9b5dcc278a13d8de641e3df734f6c80edd80d09122a9653435b9bd530971cd7d461a3bae3b4b7f8412474a8681e5ee77622a7dae38c972fc11fa0109

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
3ca183c45fcb3b943656b10e005160ec

SHA1
37f9ab79dfc97e7a66fc995d0984d00b45d6a144

SHA256
4c86f23483b2ec31e58e650ac7057e058726b9dcd8bd51fdd1552f7e2645545d

SHA512
c795a59c65138f6803c00940966dbdb1c756a6bc68f681f663dd90e32166a0efee2981c389d2937c7db8c2cfaf9ca6ac9f13dc507eec644ce914a11bbbffac4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
133cc92cf46e53cd0b2c445d2c24ca75

SHA1
b92dde6a96499ecbe7b81268c146e5a1f35b401a

SHA256
aa31f9b3ca1b66246140d1ab65c0bb4ba5449a6de0ef87ba256ba9f4d0a56f9c

SHA512
e4ef704e0c9afd4ff9fd115c9ffbd73a0abd0822aaa1bea9074a944cb1fdf6b3a44270bbdba6e368cf794193d102596db724078b19d654a76022c527bd04312c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
c4edde7db26d0d839773693d0029c77e

SHA1
cdca42b353466c2460d3bc101b45261988633faf

SHA256
1bd474e24eb808f6e6466207fd67ce01a998a45e84e9bf45449759b5710c8285

SHA512
b2e42e5ca331cdcbc5ab0858f858f47f03da1593497f0a2a68999b9269ab88c0a5b6cf5377cfe2ea94f30787fbad7875597136e758ffab07a4117368c303f076

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
5be9ccf391d40c38fd44f063a2c34b73

SHA1
1de840b95ce73357ac53c29e3201819129ca6957

SHA256
c9ac9e33ac6ff8e43688dafcc2f571c006626b9c1c6f28885d6e909df07abaa4

SHA512
526a8693dba9b191023c45ac3cd0c231d92115fd569a8dcee9f9590247e209a63a2b87f49b7ab47183e1ab7fa1c9e130b007e5e3b6aaa07107dfce1edf37e914

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\[email protected]\install.rdf

Filesize
668B

MD5
57f8507d35dd99fe863989fff4a3eb24

SHA1
22eb3ed50500e6fc48b3bb2dde7c384b8421e75a

SHA256
bda2944c342e424d085cf94343d0db6f1c3fdeca2c6de92e51399e468ce5116b

SHA512
580175400c9eeb8a4e93744dc19d180ab2113487eb66386ed933a99e45cf8714f9ef4ce49dfca980eab0a0389bb5cc0071d4a34cdf204a667130b4e6391a539e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\aegicghkffmpdijamlfgokebikmamicd.crx

Filesize
37KB

MD5
68f7bcde4b617fb8f683d40a6cdafc17

SHA1
c34e45f40fe0a8d907be14e4316a5e6fc98fbf87

SHA256
0ce2d1c68fcdb23b6e7069e86ae0ccc56925d5405d7a984434b81a885466cfdb

SHA512
98fd2820184fba7bde49855779d389f97748d6023138a76a4edb167a157e66829247db8e6df3c313d88fa585d129a1f348ba3c8ac5b5b259c20ba704debbbf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\background.html

Filesize
4KB

MD5
39c1e6215917b5502f4f42ffc0725b44

SHA1
47b6da403448dba03cdf79325a65da682cc73b81

SHA256
2b8ff1b6150da5a63e821f61d5b8499ffecc1295a94daf81729d4a8e9bab4108

SHA512
3fa1327a505f5570ce0ffa2bdd01033601e93053e3d7ec9ce462b73bc624d3ab763f005d44863008b41fefb0e3ddf402bc2a1a42c5d61cf1f0d15345e2b8ff3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\content.js

Filesize
387B

MD5
0c94e4376c9d32e0f6141799c1c5da46

SHA1
852645d33d90b2db807aa98f7aa86f438da1cdb3

SHA256
f051a2d0678e2dd651b4b110f9118027d1d52ca6ec2a814584d4e20944c32319

SHA512
2dd46ad735362dfed99e9ddcf0d99fb9b4ad2dd4c2112c8074caecc22b2d90ae8d908f56b5a23784948557e96c9000f17955caca98a37bc2f9cbbece08802ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\settings.ini

Filesize
593B

MD5
d58068873af32c5fdd92ddb2b9fd302c

SHA1
43324254dd41015e393128636b6edc8ed4b6c694

SHA256
cc555fe08dd9bccb63f787ee3b933fc9beda8eba9eb4ed4407c0f96843cb8741

SHA512
13def158c36783a61a2965cecb5b1ba20f0eaca952c95cba99027e913d5fb57e0e1503382b09a09e20c7354e3525b00870529093adaf7f2cd84cb736ebad10fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAC5D.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads