Malware Analysis Report

2025-01-18 21:32

Sample ID 240414-31jwmahb46
Target efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118
SHA256 36a9766d3a046fce6fe99e1dd44d47c139e122e81c820861bf875e29f8c48283
Tags
adware discovery spyware stealer upx
score
7/10


Analysis Overview

score
7/10

SHA256

36a9766d3a046fce6fe99e1dd44d47c139e122e81c820861bf875e29f8c48283

Threat Level: Shows suspicious behavior

The file efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer upx

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Drops Chrome extension

Installs/modifies Browser Helper Object

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-14 23:58

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 23:58

Reported

2024-04-15 00:01

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pojanldgniankjbdaokompnocadfddoh\1\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288} C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288}\ = "SaveSale" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32\ = "C:\\ProgramData\\SaveSale\\50f9663195781.dll" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ = "SaveSale" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ProgID\ = "SaveSale.1" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\SaveSale" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288} C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\SaveSale\\50f9663195781.tlb" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A672506D-4C63-645C-544E-9AF97E804288} = "1" C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe

.\50f966319574b.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f966319574b.exe

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\settings.ini

\Users\Admin\AppData\Local\Temp\nsy5DF9.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\bootstrap.js

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\content\bg.js

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\[email protected]\content\zy.xul

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\50f96631955797.13618994.js

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\background.html

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\content.js

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\manifest.json

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\lsdb.js

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\pojanldgniankjbdaokompnocadfddoh\sqlite.js

\Users\Admin\AppData\Local\Temp\nsy5DF9.tmp\nsJSON.dll

memory/2876-80-0x0000000075120000-0x000000007512A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f9663195781.dll

C:\Users\Admin\AppData\Local\Temp\7zS5CD0.tmp\50f9663195781.tlb

C:\ProgramData\SaveSale\uninstall.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 23:58

Reported

2024-04-15 00:01

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pojanldgniankjbdaokompnocadfddoh\1\manifest.json C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288} C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288}\ = "SaveSale" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A672506D-4C63-645C-544E-9AF97E804288}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ = "SaveSale" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\ProgID\ = "SaveSale.1" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32\ = "C:\\ProgramData\\SaveSale\\50f9663195781.dll" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288} C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\SaveSale" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A672506D-4C63-645C-544E-9AF97E804288}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\SaveSale\\50f9663195781.tlb" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{A672506D-4C63-645C-544E-9AF97E804288} = "1" C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\efd14c06021c0ff6ebb75aec4cc9a2f7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe

.\50f966319574b.exe /s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f966319574b.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\settings.ini

MD5 83e13cf909711be62910a2f76d635ce1
SHA1 0de9542b2b41720220b5a8c9d024097a5cb5b30f
SHA256 d15d6c301d3f71ebd9b8432849c87c571d48d4fe4244ee17ced53f368876f7f2
SHA512 3fed61f36f72ef3bb8f8b02b49edad3954b2651a5034acc378c988b6abdab68d7f42bb99addf148559e2016f214dacfdf887e2ad8bd8841fb3aab28ae1b7a538

C:\Users\Admin\AppData\Local\Temp\nsnF30C.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\bootstrap.js

MD5 1f888fc620ec8111471c9344ef8c0896
SHA1 d72a0a1d33e66ec1759a0b94c78cebb7578c01de
SHA256 d15cc8ad247aafa73e9cf28e6b2a380906ad72c9fdd80226a0a6922b109250fe
SHA512 e7462f8c0a1fb3f6f90dc33711700876ec29c4f2e0c6aa87fa0487955ef5755aa1aa31c076e8e46b48f51935d78295797b8ca0e6fc81122c48704777cfdaf0e1

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\chrome.manifest

MD5 62d2e7d87e4c96fa899fb5189046ef24
SHA1 77347b5d444b1ea89333450020104ef7653ef4fc
SHA256 562c75fb95007baacfb43f809d00c3c3a44bbe5f6d36ee552bcbb33f2b9b6fb4
SHA512 cafbca9ce42659996ddb9eabc022176e2c5f15a8662fad505c74cb0304305900c092d3a10e7044480a5a7c99b6c99f8e028f6593b4fdf39916041036e90aa5c0

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\install.rdf

MD5 0cda931073cd2995ef23812f5205ec52
SHA1 d36e25347164f3c0e3569486502251fc845a3318
SHA256 5e1233f272872ec1ce234f04353d8fbf7aaf17f893c7deb5fd3366dcbe79b80e
SHA512 b2033a80f0b04e9cdbfc6d3640e2ba7fed0af75bbe286f6ccfc4f45ee40c2024a609507908ad607ceff1d0407cd7e71c389bf030a17ee196c5f99e5d6c47fddd

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\content\bg.js

MD5 9e5854b698a3573be17795abd100c275
SHA1 f5963bb76f7d10411fa35862c360f6ba7520dff1
SHA256 e17678ce8754f88ad079727ac420af9f0dcf990d41d0038939595eb502cfea7a
SHA512 664c647aef02948b1225e9a7ab3fb7103a8dcd5000fb3ade5a36b1a229be45a945125627a639f886555eefd38fefb6cf19ed03e2d889793b8996a883d75cd876

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\[email protected]\content\zy.xul

MD5 990a13b857dcd3608f7843a11e95c5b7
SHA1 cf151703c75f40679a4ea26ea8827305925acaa4
SHA256 f904b005baf4e7ba33d01399ed73adb744b0a0c4ff0314587d3af14a320eccb8
SHA512 d8a38f347b0ed26207f7c2af22ee7cebf16911762a01d757b7fc10e2eb06e213fb2ba9047a171cb05564b8193f1a172f16735ad48c9bab38524a98bc7ea83636

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\50f96631955797.13618994.js

MD5 33adf0a56be978372efb8e0d83146929
SHA1 aa363355ed005361f5bca651f8f057e86a01cb9e
SHA256 1d4224726fbca8654712e0b8eb45bc0e380783aa4c90fa42969cdf9c9f5229b5
SHA512 5d3e8608b1e2d7cfec36952224c7cd4e95f4ddcf98d60a2defd4298ac47b8b3993f60163ce53944c5e069ecae86a2f84e2b090c46d2431f53d6620772c3b5bc7

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\background.html

MD5 5876994e5c97bc42f7ec17fecd2b6dcc
SHA1 409853654c6e8266ede70cf74d033523f373dc99
SHA256 579b9faa35ffeab00d843cceb0b7c3f78b7b6dcaf92ab56a0c63597cc05ffb8c
SHA512 a59d18ba94bd261ed0ccd016feee1fe65302ee59f04c332612ad8f377521a9763d8610c417c041d75a2706ee41530d3e36ab0d936ced2fb7846bafeae7e733f1

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\manifest.json

MD5 f91cd42bdfe41bcc97d2eb37eafd8bd2
SHA1 c0dd02c8f7959b84bf6583d62ecd308651c37b6d
SHA256 6805fc1de5ccc99d653689693aeb3a390116b024eedc26b0ca00a7296ec422a5
SHA512 8a043a54c40787174c0f167c0083899757803b06100189a9a485d86ebadfa791b83af0e8a502fd34c2b8b20ad9b4c82cf1c302234db69006cf089e0b7179ab2f

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\pojanldgniankjbdaokompnocadfddoh\sqlite.js

MD5 95d18c0759e713521b35ad403c644c51
SHA1 e93e5398d4d8dad423053d0a24210e05fe6515cd
SHA256 5adad0541b1225eb081161c56d4d02167cab4da7590e454f9073e34dfde5b249
SHA512 9c8939c4012cda49b6ddaa918314d1776f5e89aff486faf2157d0f351a695a9b0c8d77904cb87f8b48e20f32769bf4982dbd5a119529959c7b19d876cb5fae0c

C:\Users\Admin\AppData\Local\Temp\nsnF30C.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

memory/4648-78-0x0000000074CD0000-0x0000000074CDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f9663195781.dll

MD5 da161da8bcb9b8032908cc303602f2ee
SHA1 8a2d5e5b32376a40f33d6c9881001425ec025205
SHA256 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e
SHA512 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c

C:\Users\Admin\AppData\Local\Temp\7zSE157.tmp\50f9663195781.tlb

MD5 1f14de44d0d63a79f91d3fe90badb5fc
SHA1 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e
SHA256 bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c
SHA512 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c

C:\ProgramData\SaveSale\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935