6d25fe56c46b5b6be61ae6b77b7b3bc950f465ff4a8aa624f40e9444ddd5ee02

Analysis

max time kernel
95s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfda45bbe3162bc692425e630e9b2d51_JaffaCakes118.exe
Size

313KB
MD5

cfda45bbe3162bc692425e630e9b2d51
SHA1

e2d39bc8cc568cb905dff230c2644cfe3d83e4b5
SHA256

6d25fe56c46b5b6be61ae6b77b7b3bc950f465ff4a8aa624f40e9444ddd5ee02
SHA512

236df69c04b4d88bce13500f6f73cc4844183e8a851b6fb2ef0c03dc1ad0f7f1de764ceac6d912ce1bec89c5d85d7c965a31b77294197f3fad0b2160f2ba6374
SSDEEP

6144:91OgDPdkBAFZWjadD4siGAgN+brq2bq7zUypXO9MxLYkbza:91OgLdaqAgNkpm3FXOmYkPa

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4844	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
4844	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\ = "Bcool"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfda45bbe3162bc692425e630e9b2d51_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023460-31.dat	nsis_installer_1
behavioral2/files/0x0007000000023460-31.dat	nsis_installer_2
behavioral2/files/0x0007000000023479-100.dat	nsis_installer_1
behavioral2/files/0x0007000000023479-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{691FE46E-26E7-D005-42BE-D0820F5A4D1B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\ = "Bcool Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{691FE46E-26E7-D005-42BE-D0820F5A4D1B}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4844	3688	cfda45bbe3162bc692425e630e9b2d51_JaffaCakes118.exe	83
PID 3688 wrote to memory of 4844	3688	cfda45bbe3162bc692425e630e9b2d51_JaffaCakes118.exe	83
PID 3688 wrote to memory of 4844	3688	cfda45bbe3162bc692425e630e9b2d51_JaffaCakes118.exe	83

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{691FE46E-26E7-D005-42BE-D0820F5A4D1B} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\cfda45bbe3162bc692425e630e9b2d51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfda45bbe3162bc692425e630e9b2d51_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bcool\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
deda7af33b39d0946d4573f16d73aebe

SHA1
16e79f5830a73bd0aaca4b3a6166aaa3fa8cf042

SHA256
f11aa37e9c7576290050357521e69163abfa40b544b48a5141c5401f33498df0

SHA512
f7154bdfc8abafef3907f57ed8f69553b8763bfc1ff234b5f898264ba9c87a87f5bf233f4ee99d743c474410348d38eaf74bc7dc37675e0bcf45049be1595050

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
383f141878bb16490d4af2bbf6ec58fd

SHA1
9a07234952aa1df64d74010eeca8b568bcd071f2

SHA256
370fb1b06ed521db06cea604329531783a95ec8f7189916626f2855aec433a62

SHA512
65205be543cb3d11481474f161f06eb32bffe226d963608c65c27b92de608c455f391f792f692b0a013b2fcc76dd844fbe2454c560b64fdb7b3ee3459eca3c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
38b3f8e2931e11e78dfef09470507c1b

SHA1
eccb5b7869699ab4d3f2802303e10db0302de98d

SHA256
df4b5719e27941684653e7e94ac5db2438619294ffd07eff57412ee01c727844

SHA512
4372ed2aed75624f329ca714f5decfe0a6102a20c7ae9c73f5ea4336d7679d418efa174b044b13502cee8d746885703a81ee9002de34db1f689513c192b2b985

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
2f3d0116889cc3d4d37b36a872c55ceb

SHA1
7b99a4325ab02d1c8ab9858089c1ac2fc6f8fdbe

SHA256
ac599e8eecc0b8f64bd422270ae2cac44ac9552e266a40498bb63076f9ba6cd6

SHA512
febe17e4ff508d35cc138de031d27d16f676028b6f12b3e61942562c8dbae67e40b1a8258ce1e7dd692415a5144c08cc01d6efb74f1dff94aaec8bd9faf4c2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
18ce753041be46cc09b43c2ac94a3e22

SHA1
1c52a4171646a739b534a537f8859bf598140cb0

SHA256
6d308402cac99d929c275ce8f0e28cd89e8ada49fe40b9db2e08202f1dd0f11b

SHA512
fc98a543cf0fd2bb60dcb77452040b4555488538dd4a61eb7df7157eb91b33c9d7db92769681bab0e71f790f50eeaf00fb1590e7a7c4ba831a6c16ffde0a5200

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
293db38369bf081f81502ba2e7f1fd0e

SHA1
80c42e9a6bd319f1877c8773c895125f61ac0716

SHA256
b35a9fd364ed8aaaaf23b09a535f811fee4a19b4f73113813a58d5a76f274346

SHA512
773e1d858065458f977f0d82cc6b6a50c4363b74b418ac17558f4f6d49306c3425baed76eae12dab494b017292d58b2e4450d2053bc280a1a1acb82a0cab77c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
f02a6419c670b80f9f365b7829f50609

SHA1
2a6690e05c9ec69c106808be6e771d7c9cf36f8c

SHA256
4a8790d4d0689fe4e80834e02700ae7de50cd050f1b4df8544d9a3faaaf6dcc1

SHA512
41eece5de47fd2306aa243153784b36900a3ddbd8a5054168fc539fc76ca6cbf82d6af643a586b14ac6ec714b5e6219587398911e602acdfa83e980c738ebaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\[email protected]\install.rdf

Filesize
668B

MD5
75e44582a46ede1ed1833e83435464ae

SHA1
cf74921a40c7be391d4bc24fb646fd1065f896c0

SHA256
fc4020cf4b1d9d5849afe04537a565135210c6a788f1ee690d78b3d0a6f1dd8c

SHA512
fdebf48181728ee905cbc225dec599d220ea90f31684899165361260326319e93a147f0a93eaa604a5e2fd0c0d6eb710e350b3deb8309c25ceaa6d93fc6cc769

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\background.html

Filesize
4KB

MD5
c378e0312fce782c35a9fa6e0fadd037

SHA1
efabb1487faf0dd0ed8dbd55c120182d966336ac

SHA256
20874a512bc254ac989e7195776983e1c70bbe5647d510cdd694482c64805f26

SHA512
a6282105e2fcbac325255990444944d7839111472152d3bb3dbbb70b325f0354ee677bce755f6eb9460ecf5874ecaa672dfab8378ae086cfc571c13d6dc42ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\content.js

Filesize
386B

MD5
38400aa01cb74e4189cbf6c4d111e6f3

SHA1
f63fdc214713534c152151fab131023c76e77ab8

SHA256
12362d3c44e70c1124d23bdd542f87f28fbec892986e3fc7179c166b5ea0b991

SHA512
2f13ecee279425d70481c2e4b8e57f49303fe7f47b4e6d01c68a9e693606718ddb54d43226951d5494bb883a3411ca744b08bea555662bd828e941920f046b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\knhkbacfppcfgbkecfklnglfpbbnppcg.crx

Filesize
37KB

MD5
263353a932b27a20a752175e0f882d60

SHA1
023097657f4ae298c02168766aa4ad10186ea53e

SHA256
49db2cce10991dff1f4977e00c4b89dfdf9e0b788b02a827e4e0edc0161925d2

SHA512
f4377f514759a6502e6062ffe59feb688c39254e4f2f45a85253cde6103c3293d6fed63090e81a8e11da39bd7a44e41da7fc0681f634e16dd00e6705a241d46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\settings.ini

Filesize
592B

MD5
3caab8c61fddc19bf5449de8d142089d

SHA1
5277f01e791c4297f3398bb660c07edb70b4b0e5

SHA256
92a7f26063b2624c33473cfe2f67e98516ab03997e95094baf8fbd6d6b5848ff

SHA512
38fa4f4175b2cb6d5d09800d731bfcdf68ce5622101feb9f67b723424c5c06d4371fcdcac21df005a08e31974e224c6b8a8fd567a5b102b8862fcb7ae5775b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9BC3.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads