Analysis Overview
SHA256
57f32089d197e9a9a17e5fe0af4c0b08b72496800236c059cda6e3a6a0169b0f
Threat Level: Shows suspicious behavior
The file eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Loads dropped DLL
UPX packed file
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
Installs/modifies Browser Helper Object
Enumerates physical storage devices
Unsigned PE
NSIS installer
System policy modification
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 01:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 01:17
Reported
2024-04-15 01:20
Platform
win7-20240221-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjmbommpjkobmcihmjoflflnooonfagc\1\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179} | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50f3c3d27aadd.dll" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179} | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ProgID\ = "Zoomex.1" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50f3c3d27aadd.tlb" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe
.\50f3c3d27aaa5.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\settings.ini
\Users\Admin\AppData\Local\Temp\nsi3D01.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\bootstrap.js
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\content\bg.js
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\content\zy.xul
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\50f3c3d27a8c92.53134782.js
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\background.html
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\lsdb.js
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\content.js
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\manifest.json
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\sqlite.js
\Users\Admin\AppData\Local\Temp\nsi3D01.tmp\nsJSON.dll
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aadd.dll
memory/2640-79-0x0000000074670000-0x000000007467A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aadd.tlb
C:\ProgramData\Zoomex\uninstall.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 01:17
Reported
2024-04-15 01:20
Platform
win10v2004-20240412-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjmbommpjkobmcihmjoflflnooonfagc\1\manifest.json | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179} | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ProgID\ = "Zoomex.1" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50f3c3d27aadd.dll" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179} | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50f3c3d27aadd.tlb" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4540 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe |
| PID 4540 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe |
| PID 4540 wrote to memory of 3364 | N/A | C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe
.\50f3c3d27aaa5.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe
| MD5 | b78633fae8aaf5f7e99e9c736f44f9c5 |
| SHA1 | 26fc60e29c459891ac0909470ac6c61a1eca1544 |
| SHA256 | d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22 |
| SHA512 | 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43 |
C:\Users\Admin\AppData\Local\Temp\nso76C7.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\settings.ini
| MD5 | 2cc873771b2031f702621e2a5ec0b5e6 |
| SHA1 | 287d23b43a7c278d69ef9f6767df31fb5c8b4d22 |
| SHA256 | 3d654179f40c674c941262c5ec44db2fe92ea039be9008bbccd76f40db55cef0 |
| SHA512 | f31d46a085817be6d1d7b91be9dd9656a50cbb2dd0671c77dd0ceccaa8a9cef97b10e34e101e76bf1b60be97369b80034f38c138683b8adb0b68df9279a162c3 |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\bootstrap.js
| MD5 | 020733fb611d55db58c65b3e4fd47338 |
| SHA1 | 58baf0063713510c402078862c1c1926966bda2c |
| SHA256 | 9615e44f017aebaab7d805f920c44649b817d1e1fa6e2821f79081de1f1a47cb |
| SHA512 | 753be88c33265517da911c8463cef1c5c6b7f88df15a16644a8eb706224ac392779fce2a4306be1db07dd65a87af92415948867b1cc37d22ae6d3bfb1af0ff26 |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\chrome.manifest
| MD5 | 7560ddd00feeaa9cd9d56d9bc8522714 |
| SHA1 | d79f7d7c919fbe894dd99401815f4684cf5d37aa |
| SHA256 | 88b46a01a60ee44c156d6db447284d20310e84481b7b4dfad9fd7342a2f60690 |
| SHA512 | 126c2a1432b9910ceeb3d62d892e4e35dc0b5441e187aeb636b2b548105f8cff72bdda67cd43660e4391332c1d03f38cf0054517afd81f648a411d4c7a436454 |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\install.rdf
| MD5 | 08a0a0c10839f9f4b245f8a28aabca85 |
| SHA1 | d7137540f0423b84ddf951b3e69d4d1920a56cf2 |
| SHA256 | 5fe7d116a6763422a3c3e6e3e3e5c29f01562beed0de240e42614d8210469925 |
| SHA512 | d12e355b405126744d9a83ea50607eae1bc11ce340349f5947fe15dde654958a9fff65cde3874d790c9428e5cd1772cebfc40f5471f9d64bf3d8c750966072aa |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\content\bg.js
| MD5 | 6eff3e9c73aa768f3d6be10cf6c04f44 |
| SHA1 | 6028f8050c2556cb8aa2f8bb100c8f5e10d0ae68 |
| SHA256 | d3f77ef7dc3a45a61d17accfd83ebf24bff05b843050e94d481d8f450b848d0d |
| SHA512 | 1acfd011d7fc9618f954c96d7cf97b1a676a7fb9094d9a8d12a3f3b66f78ba5411335f65b9ce633b950190fe93b4cb7a0cb62bb9b33ef0602af4945d8b08f08a |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\content\zy.xul
| MD5 | 00fe9a65e2e763adf78684f8872d6924 |
| SHA1 | e2c96df68552de3cb19b6fa85d4f2892dea44ee0 |
| SHA256 | f32aa9cc1f450c86e7554d9ecceba8cd417331cd92e3d5b4a74f47ac5f62b1cd |
| SHA512 | dc24a1784d12a135b7011d87aba618e294e3ced2796e6274689e033c7c1f2f60bb75f80a65e081d0af861e35a288e53bbd22a1a0544feb2916ddb2256ba3a76a |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\manifest.json
| MD5 | 95b6b9aa3a3730d6d373a68eb5b411c9 |
| SHA1 | 05cc71bfa2d2a2a18e169def790cca29f757dd3e |
| SHA256 | 5ac43caaa60d48d2c5bc8059dc845eb344b31c088207c8da714f7a36d500c69e |
| SHA512 | 5a178056071d0c94d2cfdf72a60403fbf9703cc28abe560f1f04fc2e073188f595c6bb3b687c7e2654899e103a229fe123c41af8aebbe189c9854ed71d8c672e |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\lsdb.js
| MD5 | 209b7ae0b6d8c3f9687c979d03b08089 |
| SHA1 | 6449f8bff917115eef4e7488fae61942a869200f |
| SHA256 | e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704 |
| SHA512 | 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25 |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\content.js
| MD5 | 5f9891607f65f433b0690bae7088b2c1 |
| SHA1 | b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de |
| SHA256 | fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b |
| SHA512 | 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\background.html
| MD5 | 60ac4b1f01fd9b324afbed5c62ccd5a7 |
| SHA1 | 143d36b4db2a51f05be093c61eead82675c2e412 |
| SHA256 | b23dcab6f4f05367639069ecb4f91b160794128650ed90e91780110381295cc4 |
| SHA512 | 2efdc0313f1e35ccca294b55a6d95b1509b0d7c825a3e9fe6051e6e0fb5119f82ab16494ff6c21227706743f890cef2425dab437539d0ac588857e3fcdf1a3df |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\50f3c3d27a8c92.53134782.js
| MD5 | 6915984817d8d2feef5280871b58b175 |
| SHA1 | 2e2100db6f6ef08c5135470ffcb90502a64a2611 |
| SHA256 | f359a9f23636b1c30e3acce63a7052e32b8a48df677e1e0e47458f2a64799242 |
| SHA512 | b6ec3ef72d79cfe6a7464d764baa100af5beb8ae51f4a46ec43c144a55b393eb77306c6358fefe683f3d45d1937b5f8983f7028513d4a8d2e3b4b664a80d58e6 |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\sqlite.js
| MD5 | 806222cd51fd3810b6de89ca82dfcb45 |
| SHA1 | 461e562dae14a9caccb884d5d4129f2d60abd9de |
| SHA256 | 28c9ad1dde6a10d27fc7ef4393a510903dcec62621576599bcefd044b5ddfda5 |
| SHA512 | 833bcde7c1ce7f8b7e15f46591f3e826ca01fb70109adc21d181a2cb6c8cfe74ecc93eee91288460b67253582e9b57358f151ae7d1fd321ee54b2d6ec7ddf965 |
memory/3364-79-0x00000000743A0000-0x00000000743AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso76C7.tmp\nsJSON.dll
| MD5 | b9cd1b0fd3af89892348e5cc3108dce7 |
| SHA1 | f7bc59bf631303facfc970c0da67a73568e1dca6 |
| SHA256 | 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384 |
| SHA512 | fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90 |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aadd.dll
| MD5 | da161da8bcb9b8032908cc303602f2ee |
| SHA1 | 8a2d5e5b32376a40f33d6c9881001425ec025205 |
| SHA256 | 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e |
| SHA512 | 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c |
C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aadd.tlb
| MD5 | 1f14de44d0d63a79f91d3fe90badb5fc |
| SHA1 | 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e |
| SHA256 | bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c |
| SHA512 | 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c |
C:\ProgramData\Zoomex\uninstall.exe
| MD5 | f3c79bda3fdf7c5dd24d60400a57cadb |
| SHA1 | 1adb606aaeedb246a371c8877c737f0f8c798625 |
| SHA256 | a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b |
| SHA512 | c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935 |