8c552d197224d407566c44eed62bc42fbc98d0dabe2b8807f942982c9b8f3e69

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe
Size

315KB
MD5

d2ce41875f31fbcaa45a785ebb5e7ac1
SHA1

ae3c38670290a9d785706cb97057074ef88aaa64
SHA256

8c552d197224d407566c44eed62bc42fbc98d0dabe2b8807f942982c9b8f3e69
SHA512

c9283e4bac7144327f6577c26895cb662a6fd10fe254089f7bb237fff662cf170c0956aaa9e22f879ff7d864b143b8ffe5655552ba98d2a7f0df5d071c4ce185
SSDEEP

6144:91OgDPdkBAFZWjadD4sNxj7y6b7ks2hqEhIfSet2zrbJ1KSv1q:91OgLdaypdbgs2hqeoZt8b/q

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
2684	d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe
2736	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\NoExplorer = "1"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{32128423-93CC-22BA-77D5-BE7257BB5D0A}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{32128423-93CC-22BA-77D5-BE7257BB5D0A}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\ = "wxDfast"	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001a42d-30.dat	nsis_installer_1
behavioral1/files/0x000500000001a42d-30.dat	nsis_installer_2
behavioral1/files/0x000500000001a4d3-107.dat	nsis_installer_1
behavioral1/files/0x000500000001a4d3-107.dat	nsis_installer_2

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\VersionIndependentProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\VersionIndependentProgID\ = "bhoclass.bho"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\Programmable	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\ = "wxDfast Class"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{32128423-93CC-22BA-77D5-BE7257BB5D0A}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\ProgID\ = "bhoclass.bho.1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\ProgID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{32128423-93CC-22BA-77D5-BE7257BB5D0A}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2736	2684	d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2736	2684	d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2736	2684	d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2736	2684	d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2736	2684	d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2736	2684	d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe	31
PID 2684 wrote to memory of 2736	2684	d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{32128423-93CC-22BA-77D5-BE7257BB5D0A} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2ce41875f31fbcaa45a785ebb5e7ac1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\setup.exe
  .\setup.exe /s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - System policy modification
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxDfast\bhoclass.dll

Filesize
139KB

MD5
4b35f6c1f932f52fa9901fbc47b432df

SHA1
8e842bf068b04f36475a3bf86c5ea6a9839bbb5e

SHA256
2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196

SHA512
8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99

Download Submit
C:\ProgramData\wxDfast\settings.ini

Filesize
660B

MD5
dc3aca3e95c4f6f3211b2635abdd7ed1

SHA1
90ff492bace751738591ab31002f9a1bbd9d2115

SHA256
e12dd83700862e3bd56b690a1c380e828143e27a20b0cbf361752c914f2d1030

SHA512
4213d4a4352d3b8a4d52b9734776a5ca5c306e8eef798967c6abb61b49ef054e665967ccbc411bb8ff84fff7f1f645e77a191f7e4f7e71914c1196f379dfb019

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\[email protected]\chrome.manifest

Filesize
114B

MD5
65fbee0b1415f247b3b7cdec3d417f92

SHA1
6298a5cd14806a2686b32264bc51568e67dd86b5

SHA256
7ed7dc9b523dd68a87bbacfb60d1d87e3bf4a28db4412b8199ba9198abe7e694

SHA512
c6e717703f8651f05e744d85e56410516d55ef47ca24f37d01e06ef247ffb8fb82bc44bdedef145101969332c4b459ad5587b01e0effaeae9b37efeac94256d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\[email protected]\content\indexeddb.js

Filesize
1KB

MD5
5de87056a1eb52622d90a2820051294b

SHA1
994fe31e7fc65afeabe41d84e1997a92db0bdd95

SHA256
0fad6377437272f3c6d685682ec448fbb8710b1cb907993cfae10a168e4c1d27

SHA512
57005aa5ea2a6a71f29544fe456af1470c334b27e99dcabe8b43d0ee310b938256952dc04babfd729d0dca21e25a8cd13af3d5ad0a1ac8bb3ade7f83b012f799

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\[email protected]\content\jquery.js

Filesize
91KB

MD5
4bab8348a52d17428f684ad1ec3a427e

SHA1
56c912a8c8561070aee7b9808c5f3b2abec40063

SHA256
3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23

SHA512
a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\[email protected]\content\jsext.js

Filesize
6KB

MD5
1f9ec49ddf832cb830fc582d95aa32ba

SHA1
d0f40879614e182db1faa2b9a6783639221f3619

SHA256
03bf3b92ce75d71c5883dd02d288d5e5ac73f2e47afa8cb2a55650cc314363f4

SHA512
89f65a2a3066eaa3b7096b86dd6c6cb67cd921d9e49740151aed33a2b1ce341a52030bccafe56b9afc2186384794e1031afbba432e33123182ada67308dbf439

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\[email protected]\content\lsdb.js

Filesize
1KB

MD5
fcd5bfe3a5d42cee2ddfeca71f33f832

SHA1
9317e978a82b8e960ca83968be070422f502fcf2

SHA256
5bb72ad0ab0832ff9b55afe1dd30ad178cc2d784a1c8dc3f43f9e4791846b913

SHA512
8d95126f619312ac04ab95893e8fb1bdb19935e778f6c5874145c70196a648dd3c4ae66571b0b2e75475a4fde2ad822aed48e5335856d5ff0c8c35d393f18b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\[email protected]\content\prfdb.js

Filesize
1KB

MD5
e0b3a6ebd05ebb3f9ba3efe78e718fb6

SHA1
b6bc476128750e4e850fea4e0ff37013ebf05bd5

SHA256
5e85398c5c73781241ffc8c9a007cc2977277f01c895c07a32fdb62d07feffb8

SHA512
67a91ab40d7a9af87d6d05978824389cb737645defda0b54f3870f615c92d4d905360480e14909600e0e1d3056e6e097d041d9f23f88cbff1b001c1aff66fd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\[email protected]\content\sqlite.js

Filesize
1KB

MD5
d517e10a598573c29e10adbde6c200fc

SHA1
d6514584b6e22620b400196265a14c070fb244cc

SHA256
c8fe8a93a6ba525545eac674ddc2d674e165471903b6227f426c28bb3d379eaa

SHA512
c23f391dca2c7289b6b1b510ecc859746547aaf902010224afe221971ae31ff38d2868cc4c1fd59571802659a85b19ef8baae064b0b6d00e9bcb0fd80fc6e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\[email protected]\content\wx.xul

Filesize
228B

MD5
67aaf65900e6dd0418844e48b14bc5d3

SHA1
3cafc2912e8d40516cc8e29397f1533d59ab6801

SHA256
d514c1e138f2d6fb0abd3055885f9586bd6aa66d1620c568f0f6186b55911f2f

SHA512
49f2425d01238dbfd5dd9d982ca4747d5a9be6978ef274ae08b35429e496d9fc9182f9bb360db6b00c80f10d201a0a07bfa9a5887b4da2f62e8561bf1c0c832b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\[email protected]\install.rdf

Filesize
677B

MD5
4eb68089349b1745f5addb1036fb43be

SHA1
cd31fcfc6f9f6e930fbc3c4a246bb0d0d258b458

SHA256
bf366b065a185f03046b259bcf311b670d6d53b46af9668857282dd25d75d05c

SHA512
f7ca253eefe4cc8b5b0174f007a4e8300f66e76916831e9c6d03efd6d0a67200e836fdc613c00d92788d950d5916df6c5dc7b657d2869e44b5b71227b8647ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\background.html

Filesize
5KB

MD5
d7b39ab04f9296b59e5a267c4c7bdb1b

SHA1
ad9cff1ba8a53c60d5256bae8bfe279db1d191d4

SHA256
e7285f92bfd5fb7f1d9ddf079263915e8fed9a6da77532f67bdc7af9ae03af39

SHA512
e963cec586ca6446ef5940a12e7039bbe8bdaeb3ffc1ecf0a7b1439bfc8f0b5592c0280f74b39d5cf0bdd41fce561b6a196b449223b62d8dbef8b8070299c4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\content.js

Filesize
389B

MD5
08f4cc39f1c774a3a633a0b712333a17

SHA1
506f470eb59396ee3b8b684c220227ecd11c5700

SHA256
406605fc1f4e1167e550a8dfbed6df99bd0b604163bf0bcaac1b603c67d1d9a7

SHA512
df680bdd2af0f0450ef5db978438b7aa2c09f8aaee5a547421d2a704d441098e99a9253650436c1cabc8c00650779f01531ccc0cee19757c4bc0009e8b8bf5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\hopggmdocjllgmnaficblpdfgngggffi.crx

Filesize
37KB

MD5
552ca3205dbf2993ce1c0e2462c1561b

SHA1
1766c7b3386ea651c536e4c1b6b816267ced0b84

SHA256
294d5008aea6a7e61fda7fe3ee3c3b80fc6748bb972b4c17711fbed543436f6e

SHA512
feed48cc168c6449e88752f62660cd1dbe7c271a019448a8668293bb2b96156930480fa78a1b64e14fdff86e04dee18df7b60f39d9e00bf8a0ac93ae43e0e04f

Download Submit
\ProgramData\wxDfast\uninstall.exe

Filesize
46KB

MD5
2628f4240552cc3b2ba04ee51078ae0c

SHA1
5b0cca662149240d1fd4354beac1338e97e334ea

SHA256
03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6

SHA512
6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCE57.tmp\setup.exe

Filesize
61KB

MD5
201d2311011ffdf6c762fd46cdeb52ab

SHA1
65c474ca42a337745e288be0e21f43ceaafd5efe

SHA256
15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa

SHA512
235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads