a80173abd7fffd1b48169d0c4168abbfd24ebabe35aa9876cb2fc235c52231e3

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a887b3d46a8a8b2c0d78818928273dac_JaffaCakes118.exe
Size

313KB
MD5

a887b3d46a8a8b2c0d78818928273dac
SHA1

036eb79a388e668fb870bea97373707e0b7c0dfc
SHA256

a80173abd7fffd1b48169d0c4168abbfd24ebabe35aa9876cb2fc235c52231e3
SHA512

2609ddadfffae9cc5c5e39d593ff067881092cde21394c366f03c371891d80e17f35099deb10ab837df014ac279565e4d330a2aea21804b45041bce0fde06a30
SSDEEP

6144:91OgDPdkBAFZWjadD4sgk68Pxwtu8XjnErZRQCrzlZT7vgjR9:91OgLdawH8zENRQCrzjT7ez

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4848	setup.exe

Loads dropped DLL 1 IoCs

pid	Process
4848	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5B92D00-69B5-4A34-3389-3E67489F020E}\ = "wxDfast"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5B92D00-69B5-4A34-3389-3E67489F020E}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5B92D00-69B5-4A34-3389-3E67489F020E}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5B92D00-69B5-4A34-3389-3E67489F020E}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a887b3d46a8a8b2c0d78818928273dac_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234c4-31.dat	nsis_installer_1
behavioral2/files/0x00070000000234c4-31.dat	nsis_installer_2
behavioral2/files/0x00070000000234dd-100.dat	nsis_installer_1
behavioral2/files/0x00070000000234dd-100.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\ProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\ = "wxDfast Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{A5B92D00-69B5-4A34-3389-3E67489F020E}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\Programmable	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{A5B92D00-69B5-4A34-3389-3E67489F020E}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 4848	1224	a887b3d46a8a8b2c0d78818928273dac_JaffaCakes118.exe	86
PID 1224 wrote to memory of 4848	1224	a887b3d46a8a8b2c0d78818928273dac_JaffaCakes118.exe	86
PID 1224 wrote to memory of 4848	1224	a887b3d46a8a8b2c0d78818928273dac_JaffaCakes118.exe	86

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A5B92D00-69B5-4A34-3389-3E67489F020E} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\a887b3d46a8a8b2c0d78818928273dac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a887b3d46a8a8b2c0d78818928273dac_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
f686c08da9056c9b6899820ab5d3921b

SHA1
078e8f56300e6b24e315c288d9df86b208f00e4d

SHA256
abac591d67a5065c37451413e37ddc7bb65fde4db14c9dd051737ffb33f2055a

SHA512
5796bf1e987b200695b7b61e4208bd907852a35c7a788644b5a2b2ffc8c54fcd8d46d4829395cb782a4d5eb34b36050bca34e07407a160ce074afac20da67ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
9d166a4b78de1776b6c4d9d523fe007b

SHA1
49e3f72df3228894bb8343737a3b65a80d0ce7bb

SHA256
5cc9dc4ab8467d7a5631ebbf57feb85f4513f0c35a4cfce7b3750e3d3a0eaac5

SHA512
7f82b4d1f960ae4299a1cc8b85babd840e5165217190af6c6f2c74112ef65d08f8b883ec9ba57d3f02efad6187870f7ba2bd90b7c7acd16c55c291703fa57800

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
dfa7985b0c5516df0733cf10c47352dc

SHA1
6efed3abdd4bf76ce721c945299ca3544f5780b2

SHA256
c3f1f00b6eb814ca669705f809f4d3b1a028f7306eafec3091ad418feadbdff1

SHA512
dd89a52a485419590640f672df2021ec2d6b33e19c5a644e06fa325ce9579865c27a5ca646b0da2cf67ce9dbbd6ef7422cccee2b800188c0a46af1a88ac5ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
a0dea731e7ae56e0d553c525ff6c683a

SHA1
884c653849a781248db9ae5619751881700cff2f

SHA256
5dc500722ce8e2b03f0ac11d1ff71e36d661072476f1c07637f1472c3f465782

SHA512
23a5eb1584feb722ffa00103b74953199437351efcf6d6375182a60a49214868882685b6e76087ad4d1c1ac848101018b72675eceeee9137c44161dbaf682cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
5ef77f0c61be0b30af876db456c2003c

SHA1
40fcabdfb55d1cc1fe269173e78668d2d6220daa

SHA256
297af51200939b558b13ef3e27a7615b14dd4a30429acfe2e442defb94aebea2

SHA512
463ccb356edb5526ecc257d6ad3892cf4af617524d644325f6c35d4fa3473e1a1eaf44598f9d73b4b229cf0becc9f24cdcfa47497c06ed9908029af058cbd19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
9819faa4bb08011dffd5df1ee3f945ac

SHA1
0f545405b8d0b671e1f5a3cfd8bbd56cc506f9c0

SHA256
d56447953bc9455da62b9107401cbc3293bc0120786cfba926f66272a7407189

SHA512
a786a8162f59d833fdba7ef3f1c3e80e3974d6001ad9591c50f57ad488a93b49631d82186df243e7c700071461ce30078d15244f9d84646147b0e762e03c81fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
683544f5fff573ea2bad58e087a9e3d5

SHA1
e784278301b667d364ecc9186223dfa83035dce0

SHA256
25a975061668c8e530341f7484b1c5af3a9b30e05537755b1f775975cf629cb7

SHA512
d07742df9663e21ad73541412dcc137d4b0734543a797de31cd1d59f30d9ae63324efb642092cd2a396ba6db04f44ca456f0a9e4b4ef2781a44c40699b88041d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\[email protected]\install.rdf

Filesize
677B

MD5
6db190dcb8448b6882843da0a1d9e04e

SHA1
93a5d6ef878e7fee992681141626b8f6d692292f

SHA256
e715cc250310eb3c105944245db49cee2a2f667440f5ed5e9b091e41a18247a7

SHA512
6a68bf0ab6d260bc07ae7d09ad33ba9b4df95ebaa359a0edc2c5a1ed2cfd592f3e4cc0101dc6b20f53fdf0f9e1ca1e6c89b1c6ecdc7f74c3e3235cc30ca18223

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\background.html

Filesize
4KB

MD5
106be662069e1034e73ecbda8ec9c8a6

SHA1
774cf09baf4ad88a80275266ae002c03a91b498d

SHA256
4e62dbf921d3e094f3720b8b1dcca058e6cb0492bde3482164c0fdf869ac71d6

SHA512
3f17478a5bbb9bd7102ac453f12113f229b01c91bde01a60a65c96a02cc0ade66572744451513b046427c3a4e34ae931205fbaecc52c8573bf312ef6dd58f8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\bhoclass.dll

Filesize
137KB

MD5
ac13c733379328f86568f6e514c2f7f8

SHA1
338901240fedcef4e3892fd4c723c89154f4de05

SHA256
7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562

SHA512
35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\content.js

Filesize
386B

MD5
94ef341cf914eb72f434933a1a00da94

SHA1
3c89ea77c252c8f591fafbcd958b745904449475

SHA256
81fbcf64084ded46ace66166ae7239468983767b6d1f95f0e84779f26def2bc4

SHA512
2f2c111e116b2976ce83d0261aaea21ed16ee71da016eda6ab3792dec06dfef15a644428f6760999beb8f1740f29c7fe89602656e28ec93087dc0944c2955fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\ikoeigalafdjkamfhfhdokocbmpbpjam.crx

Filesize
37KB

MD5
8615cb9e4546ee9a803c592a9b79171c

SHA1
59115fda6a79c38c881c8d3d93971173a8c633df

SHA256
6121c18d539c28fba49948c311330488789adff9443ddb059580f226f11ff8a0

SHA512
93b9e4468a31b1454a081858f44402d9b4cf6922ee5bf9af8d0d5b9837be0d9a071aa096cdac4058857f4f47f7c9c1271931919b70a79e45dba7f6235fec0004

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\settings.ini

Filesize
599B

MD5
287bb1a46c992de564469debb8a6ff2a

SHA1
4fab0c0acdca459b34a781a00d40ad0895e4349f

SHA256
0891c3539e2e7ee9b496bd8784d4ee6e015a7f7cf851d47f196dad1d160cae4e

SHA512
77eb4cb9df368249529ec37fee89a0ac6ef46a7ea0d09b279d02e7ddd48d6835bdfbb46c9b94494df4cf805201ea1162e69418f1b304237d6691b3aba0b2db61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS83D6.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads