ccb0b03ff1e3fbf08af1e65a2ffa7ee2705143bd4180abf0fa61e45972fb993d

Analysis

max time kernel
91s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df95d06dbf91f247107d7f4906534832_JaffaCakes118.exe
Size

313KB
MD5

df95d06dbf91f247107d7f4906534832
SHA1

8ef1279cbb06a94d2ee5f7455018124f1322d633
SHA256

ccb0b03ff1e3fbf08af1e65a2ffa7ee2705143bd4180abf0fa61e45972fb993d
SHA512

97c500d0755dd94785b760232644168e0e3911c5ee4ff9f2a6307bb14f2544b86526b3bec7c0ab4be4bfb75bd1947a08117a06673adaadb9a2a8912c1514f96c
SSDEEP

6144:91OgDPdkBAFZWjadD4sqkKxWX34SpEUOO4JlbqC5Il:91OgLdaP6X5paJ1el

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4168	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
4168	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\ = "Bcool"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df95d06dbf91f247107d7f4906534832_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002347a-30.dat	nsis_installer_1
behavioral2/files/0x000700000002347a-30.dat	nsis_installer_2
behavioral2/files/0x0007000000023494-100.dat	nsis_installer_1
behavioral2/files/0x0007000000023494-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\ = "Bcool Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4168	1800	df95d06dbf91f247107d7f4906534832_JaffaCakes118.exe	86
PID 1800 wrote to memory of 4168	1800	df95d06dbf91f247107d7f4906534832_JaffaCakes118.exe	86
PID 1800 wrote to memory of 4168	1800	df95d06dbf91f247107d7f4906534832_JaffaCakes118.exe	86

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2C55CF96-80E4-7F38-F6D8-42EBBF1367D2} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\df95d06dbf91f247107d7f4906534832_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df95d06dbf91f247107d7f4906534832_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Bcool\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
4709291b375fe4693b23b15618f4e354

SHA1
9d9a6849ece27450f5198f9e863172241c4470cc

SHA256
d170344a7eb268991454f0237932631e63ada7830cf477536cdb32589d836503

SHA512
342b4e2710a6b688c5d873de05316b8e19f19e60833dcafeb52e943e01e0f1ac952cf9a77e75f43803bc23f11819d0bb897438348201ea2bafd970af16892282

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
d22cee74aeefe3852f1f56803572ec5f

SHA1
6f76d1809e52ae32bcb8287bb1f93b09231d7c4d

SHA256
319f85b5d2285a1655d00743d07501d508806ee74381b423621bbbbb5c108d5a

SHA512
aa356b932b4d69a85be6e44983eaa1563c871e5c6edf56568c15892c990cf0a729d54e48ddc908558fe72274b053cf9c5dba81e931a1408bb70b1bb095bf8622

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
f2439ce6f7ee48455dd1c86229824506

SHA1
d7332c027e487d8ba18474486f3789978f5b89a8

SHA256
b6c99872fdf06395b2b460afd3229e5de2f168da18810cb6da2efa3bb2d356f4

SHA512
ae1edd98e50dd9cff899f0dc490b2a5f5efff9a77482047b1be88bce745156853f890af46d745cf31adedd11fa678a31797460ff976067ea670f498f043b76ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
054a302ce79f11479ee3b1bd0ac78e8c

SHA1
255d6dd43a540be8293c5877439fdc1622876748

SHA256
bba0c35cd96da9c76af52d8dc1a1ace0aaa2cceaa226f19a4527347be7585d40

SHA512
59c29c4342f753d5b1c642fb2bad3f79ab088e21379690f487392f544fc8528fe31e2449f8f481a3bbe4ccd62a57f5127ecd961dea2522e094cd94dac35d7f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
74564bd5b8da8b256db04bc55b3972e1

SHA1
6868071156ae22fd72124f0e5f19c6e0efb2ea0f

SHA256
6a4dcd5b6146f1fca6a6c80369c8aff9556345532186aa051897a5e061f30789

SHA512
6342d94ce3bf483460ac5157f3a38fcdb923968423c20a1b4830230d996ee133069a99590feef829e3813e3845da03e4aaafa5974d317048f10344e72f9b07cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
b3549570540814b7c70ca3001a93c6eb

SHA1
badc23b395517e69fc834dbc7095f65cd5856be3

SHA256
5a75e537f10c0da589f7a52d354df420ec14b06cbad26f1dcc7bf1c6288a0ed3

SHA512
d91fd30b7f76d73fd6d4f90767e5674f63d51d5eae1362726643f9550b78ee69e39d14ec4d2339787fe473251ab6e2c13534b554224d41deb47bf7d0109f17b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
d0b3f29dd70ef6a429ce0e4eb034a144

SHA1
54b1e6563c7d53c4bcb0a904cdf1254df63e99fe

SHA256
ec67aa5c09eb70de3aaeb3967f6e0389bea0fee02d7a1e1eee3519992a145498

SHA512
4d20864aa9ff03ff6684db14c85ce2befba83cbd67aa777cde2c465f500fe7c5d513a45bbf0f8fc89da9b364a8fbf256d172809ba5b0cda0b9063dcc7aa932d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\[email protected]\install.rdf

Filesize
668B

MD5
cd7a147b0e6412713c546994c6760fa7

SHA1
335f45d3689e2fef5f4bc51e0e62fb3edf99bb75

SHA256
cd31230c976d51941677913a1ecdb308e103a13b11461872b28bdb34d3ee5f15

SHA512
f33c4714319f3653bf45e2cb9f5df93e492476497a72e9c06bb13507403170cdda93cbe2293b3aa3c83c8dfddb0dcc197659b8563816e27421900b6e4dbf6c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\background.html

Filesize
4KB

MD5
6ef5618d9e725b14cbe5d6de471df5a9

SHA1
4c2098fcf596161e22ef70b941ad41d279dd7443

SHA256
bf115b0a3461882cb0084784507dcc8056a8700a5657f6fc2053a665818d85b9

SHA512
6439cb3bdf21d7841062879ce302429ea49cf5867c302f50ea2aabcdb1a7b92c730319b1c29e347172867d8ae48e18f5bf3852edeeb8d82abf00a9b7096b8f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\content.js

Filesize
386B

MD5
514523bcafe2381176c811a98083301c

SHA1
e2b8b8bf07cc5331f89495fcf12ce49887d0e14e

SHA256
c82eee1ed3e31122903f43fdc24bdeb10b66cbc88d29508491a09724174a351a

SHA512
84da9ea0158ff11ee9933ad3cdee2d77864affdd2fe4513d2e59e873b587aa4e3c0131793b6ab399e3a76421946d744f7a89d1f70e08b8b3e0e9add3fa481db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\pnmdhhalbjmbicajkbnfbnbjjhbfiafc.crx

Filesize
37KB

MD5
caabcf6db3de60c75a48b17eb89e533b

SHA1
f82d414fcd62526dbaa8792da5cfb664d817dcd7

SHA256
3cc68a0a9800acd84aba1e38617acd4fbb9e3281688c7ea6f2193bffd2f14a0d

SHA512
857e259c8991606978761e2a42b50fa185723691296410859c9cfc4cd90395a329cab6c27973f57ef1ab2d9219a6675fc2d30caf14df8450d8c9a84a5f5201b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\settings.ini

Filesize
592B

MD5
8b507dd46140c307de2372fa5c2c8348

SHA1
2bbf686f6386a835e92ad90b7fe08134c0f6593e

SHA256
9c4b85c73a19725e2e8b0f8e627ff6b939432d194dbd3f243a57da30f141dda6

SHA512
61222d63974289185b25fe3f621c10feae958f10a13c2deb8b3fd625d7c9473b4bdbd62dd02cfa9e7e6e1acb767245db9b96e3840499aa6a5b646bf8ecc856a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSC890.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads