Malware Analysis Report

2025-01-18 21:46

Sample ID 240415-bnk5dade3w
Target eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118
SHA256 57f32089d197e9a9a17e5fe0af4c0b08b72496800236c059cda6e3a6a0169b0f
Tags
adware discovery spyware stealer upx
score
7/10


Analysis Overview

score
7/10

SHA256

57f32089d197e9a9a17e5fe0af4c0b08b72496800236c059cda6e3a6a0169b0f

Threat Level: Shows suspicious behavior

The file eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118 shows suspicious behavior: an NSIS/7-Zip SFX installer that drops a second-stage executable, registers a Browser Helper Object DLL under C:\ProgramData\Zoomex, pre-approves it via Internet Explorer add-on policy, and writes a Chrome extension into the user's profile.

Malicious Activity Summary

adware discovery spyware stealer upx

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Loads dropped DLL

UPX packed file

Reads user/profile data of web browsers

Checks installed software on the system

Drops Chrome extension

Installs/modifies Browser Helper Object

Enumerates physical storage devices

Unsigned PE

NSIS installer

System policy modification

Suspicious use of WriteProcessMemory

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2024-04-15 01:17

Signatures

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 01:17

Reported

2024-04-15 01:20

Platform

win7-20240221-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

(no indicator details recorded)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe (no further indicator details recorded)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
(two matches; no indicator details recorded)

Checks installed software on the system

discovery

Drops Chrome extension

Process: C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe (all entries; Target N/A)

File created     C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjmbommpjkobmcihmjoflflnooonfagc\1\manifest.json

Installs/modifies Browser Helper Object

stealer adware
Process: C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe (all entries; Target N/A)

Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\NoExplorer = "1"

The Browser Helper Objects key makes Internet Explorer load the DLL registered for this CLSID into every browser process; NoExplorer = 1 keeps Windows Explorer from loading it as well.

Enumerates physical storage devices

NSIS installer

installer
(four matches; no indicator details recorded)

Modifies registry class

Taken together these keys register the COM class {4F79DC17-1FDB-85E7-1491-3A66A936B179} (name Zoomex, ProgID Zoomex.1, Apartment threading) with its in-process server at C:\ProgramData\Zoomex\50f3c3d27aadd.dll, the type library IEPluginLib ({E2343056-CC08-46AC-B898-BFC7ACF4E755}, C:\ProgramData\Zoomex\50f3c3d27aadd.tlb), and the interfaces IIEPluginMain ({C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}) and ILocalStorage ({31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}), both marshaled through the type-library universal marshaler {00020424-0000-0000-C000-000000000046}. The CLSID is the one registered as a Browser Helper Object above.

Process: C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe (all entries; Target N/A)

Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
Key created      \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50f3c3d27aadd.dll"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ThreadingModel = "Apartment"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib
Key created      \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ProgID\ = "Zoomex.1"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS
Key created      \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ProgID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50f3c3d27aadd.tlb"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}

System policy modification

evasion
Process: C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe (all entries; Target N/A)

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179} = "1"
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID

Policies\Ext\CLSID is the registry location behind Internet Explorer's "Add-on List" policy; writing the BHO's CLSID there with data "1" marks the add-on as allowed, so IE loads it without showing the add-on approval prompt. This is why the sandbox tags the write as evasion. When checking a host, compare this key against what Group Policy should have set: an allow entry for a CLSID whose DLL lives under C:\ProgramData is not a legitimate administrative configuration.
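The three tables above (Installs/modifies Browser Helper Object, Modifies registry class, System policy modification) describe one COM registration spread over many keys. The Python below is an editor-added example and not part of the sandbox report: it parses the report's own indicator lines (copied verbatim, process column dropped) into a registry model and walks the chain BHO CLSID → CLSID registration → InProcServer32 DLL and ProgID, then checks the add-on policy pre-approval and the NoExplorer flag. The list of directories treated as normal for a BHO DLL and the finding labels are the editor's, not the sandbox's.

```python
import re
from collections import defaultdict

# Indicator lines copied verbatim from the three behavioral1 tables above.
# The process column is dropped: every write came from 50f3c3d27aaa5.exe.
REPORT_LINES = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\NoExplorer = "1"
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50f3c3d27aadd.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ThreadingModel = "Apartment"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ProgID\ = "Zoomex.1"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179} = "1"
"""

# '<op> <key path>[ = "<value>"]' exactly as the sandbox prints it
LINE_RE = re.compile(r'^(Key created|Set value \((?:str|int)\)) (.*?)(?: = "(.*)")?$')
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

BHO_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS"
CLSID_KEY = r"HKLM\SOFTWARE\CLASSES\CLSID"
ADDON_POLICY_KEY = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXT\CLSID"
# Where a BHO DLL is normally installed (editor's choice, not from the report)
TRUSTED_DLL_DIRS = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES\\", "C:\\PROGRAM FILES (X86)\\")


def normalize_key(path):
    """Fold case and drop the WOW64 view so 32-bit and 64-bit spellings of a key compare equal."""
    key = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    key = re.sub(r"\\WOW6432NODE(?=\\)", "", key, flags=re.I)
    return key.upper()


def parse_report(text):
    """Return {normalized key: {value name (upper): value}}; '' is the key's default value."""
    reg = defaultdict(dict)
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed indicator line: {line!r}")
        op, path, value = m.groups()
        if op == "Key created":
            reg.setdefault(normalize_key(path), {})
            continue
        key, _, name = path.rpartition("\\")           # a trailing "\" means the default value
        reg[normalize_key(key)][name.upper()] = value.replace("\\\\", "\\")
    return reg


def find_bho_clsids(reg):
    """CLSIDs listed under Explorer\\Browser Helper Objects, i.e. DLLs Internet Explorer will load."""
    prefix = BHO_KEY + "\\"
    return sorted({k[len(prefix):] for k in reg
                   if k.startswith(prefix) and GUID_RE.fullmatch(k[len(prefix):])})


def resolve_bho(reg, clsid):
    """Follow BHO CLSID -> CLSID registration -> InProcServer32 DLL, ProgID and add-on policy."""
    bho = reg.get(BHO_KEY + "\\" + clsid, {})
    cls_key = CLSID_KEY + "\\" + clsid
    inproc = reg.get(cls_key + "\\INPROCSERVER32", {})
    policy = reg.get(ADDON_POLICY_KEY, {})
    return {
        "clsid": clsid,
        "name": bho.get("") or reg.get(cls_key, {}).get(""),
        "inproc_server": inproc.get(""),
        "threading_model": inproc.get("THREADINGMODEL"),
        "prog_id": reg.get(cls_key + "\\PROGID", {}).get(""),
        "no_explorer": bho.get("NOEXPLORER") == "1",      # 1: IE loads it, Windows Explorer does not
        "preapproved": policy.get(clsid.upper()) == "1",   # IE "Add-on List" policy: allowed, no prompt
    }


def assess(info):
    """Triage findings for one BHO; the labels are the editor's, not the sandbox's."""
    findings = []
    dll = (info["inproc_server"] or "").upper()
    if dll and not dll.startswith(TRUSTED_DLL_DIRS):
        findings.append(("dll-outside-program-dirs", info["inproc_server"]))
    if info["preapproved"]:
        findings.append(("ie-addon-preapproved",
                         "Policies\\Ext\\CLSID\\" + info["clsid"] + " = 1 suppresses the add-on approval prompt"))
    if info["no_explorer"]:
        findings.append(("ie-only", "NoExplorer = 1: loaded by Internet Explorer but not by Windows Explorer"))
    return findings


if __name__ == "__main__":
    registry = parse_report(REPORT_LINES)
    for guid in find_bho_clsids(registry):
        details = resolve_bho(registry, guid)
        print(f"BHO {guid} {details['name']!r} -> {details['inproc_server']} (ProgID {details['prog_id']})")
        for code, detail in assess(details):
            print(f"  [{code}] {detail}")
```

The same parser accepts the behavioral2 lines unchanged: normalize_key removes the WOW6432Node segment and folds case, which is what makes the Windows 7 and Windows 10 spellings (Wow6432Node vs WOW6432Node, Explorer vs explorer) resolve to the same CLSID chain.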

Processes

C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe

.\50f3c3d27aaa5.exe /s

Network

No network activity recorded.

Files

\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\settings.ini

MD5 2cc873771b2031f702621e2a5ec0b5e6
SHA1 287d23b43a7c278d69ef9f6767df31fb5c8b4d22
SHA256 3d654179f40c674c941262c5ec44db2fe92ea039be9008bbccd76f40db55cef0
SHA512 f31d46a085817be6d1d7b91be9dd9656a50cbb2dd0671c77dd0ceccaa8a9cef97b10e34e101e76bf1b60be97369b80034f38c138683b8adb0b68df9279a162c3

\Users\Admin\AppData\Local\Temp\nsi3D01.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\bootstrap.js

MD5 020733fb611d55db58c65b3e4fd47338
SHA1 58baf0063713510c402078862c1c1926966bda2c
SHA256 9615e44f017aebaab7d805f920c44649b817d1e1fa6e2821f79081de1f1a47cb
SHA512 753be88c33265517da911c8463cef1c5c6b7f88df15a16644a8eb706224ac392779fce2a4306be1db07dd65a87af92415948867b1cc37d22ae6d3bfb1af0ff26

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\chrome.manifest

MD5 7560ddd00feeaa9cd9d56d9bc8522714
SHA1 d79f7d7c919fbe894dd99401815f4684cf5d37aa
SHA256 88b46a01a60ee44c156d6db447284d20310e84481b7b4dfad9fd7342a2f60690
SHA512 126c2a1432b9910ceeb3d62d892e4e35dc0b5441e187aeb636b2b548105f8cff72bdda67cd43660e4391332c1d03f38cf0054517afd81f648a411d4c7a436454

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\install.rdf

MD5 08a0a0c10839f9f4b245f8a28aabca85
SHA1 d7137540f0423b84ddf951b3e69d4d1920a56cf2
SHA256 5fe7d116a6763422a3c3e6e3e3e5c29f01562beed0de240e42614d8210469925
SHA512 d12e355b405126744d9a83ea50607eae1bc11ce340349f5947fe15dde654958a9fff65cde3874d790c9428e5cd1772cebfc40f5471f9d64bf3d8c750966072aa

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\content\bg.js

MD5 6eff3e9c73aa768f3d6be10cf6c04f44
SHA1 6028f8050c2556cb8aa2f8bb100c8f5e10d0ae68
SHA256 d3f77ef7dc3a45a61d17accfd83ebf24bff05b843050e94d481d8f450b848d0d
SHA512 1acfd011d7fc9618f954c96d7cf97b1a676a7fb9094d9a8d12a3f3b66f78ba5411335f65b9ce633b950190fe93b4cb7a0cb62bb9b33ef0602af4945d8b08f08a

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\[email protected]\content\zy.xul

MD5 00fe9a65e2e763adf78684f8872d6924
SHA1 e2c96df68552de3cb19b6fa85d4f2892dea44ee0
SHA256 f32aa9cc1f450c86e7554d9ecceba8cd417331cd92e3d5b4a74f47ac5f62b1cd
SHA512 dc24a1784d12a135b7011d87aba618e294e3ced2796e6274689e033c7c1f2f60bb75f80a65e081d0af861e35a288e53bbd22a1a0544feb2916ddb2256ba3a76a

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\50f3c3d27a8c92.53134782.js

MD5 6915984817d8d2feef5280871b58b175
SHA1 2e2100db6f6ef08c5135470ffcb90502a64a2611
SHA256 f359a9f23636b1c30e3acce63a7052e32b8a48df677e1e0e47458f2a64799242
SHA512 b6ec3ef72d79cfe6a7464d764baa100af5beb8ae51f4a46ec43c144a55b393eb77306c6358fefe683f3d45d1937b5f8983f7028513d4a8d2e3b4b664a80d58e6

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\background.html

MD5 60ac4b1f01fd9b324afbed5c62ccd5a7
SHA1 143d36b4db2a51f05be093c61eead82675c2e412
SHA256 b23dcab6f4f05367639069ecb4f91b160794128650ed90e91780110381295cc4
SHA512 2efdc0313f1e35ccca294b55a6d95b1509b0d7c825a3e9fe6051e6e0fb5119f82ab16494ff6c21227706743f890cef2425dab437539d0ac588857e3fcdf1a3df

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\manifest.json

MD5 95b6b9aa3a3730d6d373a68eb5b411c9
SHA1 05cc71bfa2d2a2a18e169def790cca29f757dd3e
SHA256 5ac43caaa60d48d2c5bc8059dc845eb344b31c088207c8da714f7a36d500c69e
SHA512 5a178056071d0c94d2cfdf72a60403fbf9703cc28abe560f1f04fc2e073188f595c6bb3b687c7e2654899e103a229fe123c41af8aebbe189c9854ed71d8c672e

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\sqlite.js

MD5 806222cd51fd3810b6de89ca82dfcb45
SHA1 461e562dae14a9caccb884d5d4129f2d60abd9de
SHA256 28c9ad1dde6a10d27fc7ef4393a510903dcec62621576599bcefd044b5ddfda5
SHA512 833bcde7c1ce7f8b7e15f46591f3e826ca01fb70109adc21d181a2cb6c8cfe74ecc93eee91288460b67253582e9b57358f151ae7d1fd321ee54b2d6ec7ddf965

\Users\Admin\AppData\Local\Temp\nsi3D01.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aadd.dll

MD5 da161da8bcb9b8032908cc303602f2ee
SHA1 8a2d5e5b32376a40f33d6c9881001425ec025205
SHA256 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e
SHA512 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c

memory/2640-79-0x0000000074670000-0x000000007467A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aadd.tlb

MD5 1f14de44d0d63a79f91d3fe90badb5fc
SHA1 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e
SHA256 bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c
SHA512 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c

C:\ProgramData\Zoomex\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935
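The Files tables of the two runs list the same dropped files under different random directory names (7zS3B5B.tmp vs 7zS7511.tmp, nsi3D01.tmp vs nso76C7.tmp), the naming used by a 7-Zip SFX extraction directory and by an NSIS plugin directory. The Python below is an editor-added example, not part of the report: it normalizes those paths into host-independent patterns, groups the entries by SHA256 across both runs so that each unique file becomes one indicator with all of its observed locations, and picks the Chrome extension ID out of the staging path. The embedded file list is copied from the two Files tables (the Firefox extension files, whose directory name is not shown legibly on the page, are left out); the environment-variable spellings are the editor's choice.

```python
import re
from collections import defaultdict

# (path as printed in the report, SHA256), copied from the Files tables of both runs above.
RUNS = {
    "behavioral1": [
        (r"\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aaa5.exe", "d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22"),
        (r"C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\settings.ini", "3d654179f40c674c941262c5ec44db2fe92ea039be9008bbccd76f40db55cef0"),
        (r"\Users\Admin\AppData\Local\Temp\nsi3D01.tmp\UserInfo.dll", "564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5"),
        (r"\Users\Admin\AppData\Local\Temp\nsi3D01.tmp\nsJSON.dll", "49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384"),
        (r"C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\pjmbommpjkobmcihmjoflflnooonfagc\manifest.json", "5ac43caaa60d48d2c5bc8059dc845eb344b31c088207c8da714f7a36d500c69e"),
        (r"C:\Users\Admin\AppData\Local\Temp\7zS3B5B.tmp\50f3c3d27aadd.dll", "0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e"),
        (r"C:\ProgramData\Zoomex\uninstall.exe", "a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b"),
    ],
    "behavioral2": [
        (r"C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe", "d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22"),
        (r"C:\Users\Admin\AppData\Local\Temp\nso76C7.tmp\UserInfo.dll", "564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5"),
        (r"C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\settings.ini", "3d654179f40c674c941262c5ec44db2fe92ea039be9008bbccd76f40db55cef0"),
    ],
}

# Profile roots rewritten to environment variables (editor's spelling, not the report's)
ROOTS = [
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I), "%TEMP%\\"),
    (re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\", re.I), "%LOCALAPPDATA%\\"),
    (re.compile(r"^C:\\ProgramData\\", re.I), "%PROGRAMDATA%\\"),
]
# Per-run random directory names: 7-Zip SFX extraction dir and NSIS $PLUGINSDIR
RANDOM_DIRS = [
    (re.compile(r"\\7zS[0-9A-F]{4}\.tmp\\", re.I), "\\7zS*.tmp\\"),
    (re.compile(r"\\ns[a-z][0-9A-F]{4}\.tmp\\", re.I), "\\ns*.tmp\\"),
]
CHROME_EXT_ID = re.compile(r"^[a-p]{32}$")   # Chrome extension IDs are 32 letters a-p


def normalize_path(path):
    """Rewrite a report path into a host-independent pattern usable as an indicator."""
    if path.startswith("\\"):                 # the report sometimes omits the drive letter
        path = "C:" + path
    for pat, root in ROOTS:
        m = pat.match(path)
        if m:
            path = root + path[m.end():]
            break
    for pat, repl in RANDOM_DIRS:
        path = pat.sub(lambda _m, r=repl: r, path)   # callable repl: backslashes stay literal
    return path


def build_iocs(runs):
    """Group dropped files by SHA256 so each unique file content is one IOC with all its paths."""
    grouped = defaultdict(lambda: {"paths": set(), "runs": set()})
    for run, files in runs.items():
        for path, sha256 in files:
            grouped[sha256.lower()]["paths"].add(normalize_path(path))
            grouped[sha256.lower()]["runs"].add(run)
    return {h: {"paths": sorted(v["paths"]), "runs": sorted(v["runs"])} for h, v in grouped.items()}


def seen_in_every_run(iocs, runs):
    """Hashes dropped in all runs: stable across OS versions, so the best detection candidates."""
    return sorted(h for h, v in iocs.items() if len(v["runs"]) == len(runs))


def chrome_extension_ids(runs):
    """Path components that have the shape of a Chrome extension ID."""
    ids = set()
    for files in runs.values():
        for path, _sha in files:
            ids.update(seg for seg in path.split("\\") if CHROME_EXT_ID.match(seg))
    return sorted(ids)


if __name__ == "__main__":
    iocs = build_iocs(RUNS)
    for sha256, v in iocs.items():
        print(sha256, ", ".join(v["paths"]), "runs=" + "+".join(v["runs"]))
    print("in every run:", seen_in_every_run(iocs, RUNS))
    print("chrome extension ids:", chrome_extension_ids(RUNS))
```

Files that appear in only one run here are not necessarily run-specific: the behavioral2 Files table on this page is cut off, so treat single-run entries as unconfirmed rather than absent.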

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 01:17

Reported

2024-04-15 01:20

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

(no indicator details recorded)

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe (no further indicator details recorded)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
(two matches; no indicator details recorded)

Checks installed software on the system

discovery

Drops Chrome extension

Process: C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe (all entries; Target N/A)

File created     C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjmbommpjkobmcihmjoflflnooonfagc\1\manifest.json

Installs/modifies Browser Helper Object

stealer adware
Process: C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe (all entries; Target N/A)

Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\NoExplorer = "1"

Enumerates physical storage devices

NSIS installer

installer
(four matches; no indicator details recorded)

Modifies registry class

Same COM registration as in the behavioral1 run (CLSID {4F79DC17-1FDB-85E7-1491-3A66A936B179} served by C:\ProgramData\Zoomex\50f3c3d27aadd.dll), written this time from the Windows 10 temp directory.

Process: C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe (all entries; Target N/A)

Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ProgID\ = "Zoomex.1"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Zoomex"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ThreadingModel = "Apartment"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ = "Zoomex"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32\ = "C:\\ProgramData\\Zoomex\\50f3c3d27aadd.dll"
Key created      \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\ProgID
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Zoomex\\50f3c3d27aadd.tlb"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib
Key created      \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179}\InProcServer32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"

System policy modification

evasion
Process: C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe (all entries; Target N/A)

Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4F79DC17-1FDB-85E7-1491-3A66A936B179} = "1"

Processes

C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eff5ddb3bb017518f0a6b9db3ca85a0b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe

.\50f3c3d27aaa5.exe /s

Network

All recorded traffic consists of reverse-DNS (PTR) lookups sent to 8.8.8.8. The report attributes none of them to a sample process, and the Windows 7 run recorded no network activity at all, so these queries are consistent with Windows 10 guest background traffic rather than sample callbacks; none of the addresses below should be treated as an indicator for this sample.

Country  Destination  Domain                          Proto
US       8.8.8.8:53   75.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53   8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53   249.197.17.2.in-addr.arpa       udp
US       8.8.8.8:53   241.154.82.20.in-addr.arpa      udp
US       8.8.8.8:53   21.114.53.23.in-addr.arpa       udp
US       8.8.8.8:53   50.23.12.20.in-addr.arpa        udp
US       8.8.8.8:53   18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53   240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53   25.140.123.92.in-addr.arpa      udp
US       8.8.8.8:53   23.236.111.52.in-addr.arpa      udp
US       8.8.8.8:53   240.197.17.2.in-addr.arpa       udp
US       8.8.8.8:53   211.143.182.52.in-addr.arpa     udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aaa5.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\nso76C7.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\settings.ini

MD5 2cc873771b2031f702621e2a5ec0b5e6
SHA1 287d23b43a7c278d69ef9f6767df31fb5c8b4d22
SHA256 3d654179f40c674c941262c5ec44db2fe92ea039be9008bbccd76f40db55cef0
SHA512 f31d46a085817be6d1d7b91be9dd9656a50cbb2dd0671c77dd0ceccaa8a9cef97b10e34e101e76bf1b60be97369b80034f38c138683b8adb0b68df9279a162c3

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\bootstrap.js

MD5 020733fb611d55db58c65b3e4fd47338
SHA1 58baf0063713510c402078862c1c1926966bda2c
SHA256 9615e44f017aebaab7d805f920c44649b817d1e1fa6e2821f79081de1f1a47cb
SHA512 753be88c33265517da911c8463cef1c5c6b7f88df15a16644a8eb706224ac392779fce2a4306be1db07dd65a87af92415948867b1cc37d22ae6d3bfb1af0ff26

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\chrome.manifest

MD5 7560ddd00feeaa9cd9d56d9bc8522714
SHA1 d79f7d7c919fbe894dd99401815f4684cf5d37aa
SHA256 88b46a01a60ee44c156d6db447284d20310e84481b7b4dfad9fd7342a2f60690
SHA512 126c2a1432b9910ceeb3d62d892e4e35dc0b5441e187aeb636b2b548105f8cff72bdda67cd43660e4391332c1d03f38cf0054517afd81f648a411d4c7a436454

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\install.rdf

MD5 08a0a0c10839f9f4b245f8a28aabca85
SHA1 d7137540f0423b84ddf951b3e69d4d1920a56cf2
SHA256 5fe7d116a6763422a3c3e6e3e3e5c29f01562beed0de240e42614d8210469925
SHA512 d12e355b405126744d9a83ea50607eae1bc11ce340349f5947fe15dde654958a9fff65cde3874d790c9428e5cd1772cebfc40f5471f9d64bf3d8c750966072aa

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\content\bg.js

MD5 6eff3e9c73aa768f3d6be10cf6c04f44
SHA1 6028f8050c2556cb8aa2f8bb100c8f5e10d0ae68
SHA256 d3f77ef7dc3a45a61d17accfd83ebf24bff05b843050e94d481d8f450b848d0d
SHA512 1acfd011d7fc9618f954c96d7cf97b1a676a7fb9094d9a8d12a3f3b66f78ba5411335f65b9ce633b950190fe93b4cb7a0cb62bb9b33ef0602af4945d8b08f08a

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\[email protected]\content\zy.xul

MD5 00fe9a65e2e763adf78684f8872d6924
SHA1 e2c96df68552de3cb19b6fa85d4f2892dea44ee0
SHA256 f32aa9cc1f450c86e7554d9ecceba8cd417331cd92e3d5b4a74f47ac5f62b1cd
SHA512 dc24a1784d12a135b7011d87aba618e294e3ced2796e6274689e033c7c1f2f60bb75f80a65e081d0af861e35a288e53bbd22a1a0544feb2916ddb2256ba3a76a

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\manifest.json

MD5 95b6b9aa3a3730d6d373a68eb5b411c9
SHA1 05cc71bfa2d2a2a18e169def790cca29f757dd3e
SHA256 5ac43caaa60d48d2c5bc8059dc845eb344b31c088207c8da714f7a36d500c69e
SHA512 5a178056071d0c94d2cfdf72a60403fbf9703cc28abe560f1f04fc2e073188f595c6bb3b687c7e2654899e103a229fe123c41af8aebbe189c9854ed71d8c672e

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\background.html

MD5 60ac4b1f01fd9b324afbed5c62ccd5a7
SHA1 143d36b4db2a51f05be093c61eead82675c2e412
SHA256 b23dcab6f4f05367639069ecb4f91b160794128650ed90e91780110381295cc4
SHA512 2efdc0313f1e35ccca294b55a6d95b1509b0d7c825a3e9fe6051e6e0fb5119f82ab16494ff6c21227706743f890cef2425dab437539d0ac588857e3fcdf1a3df

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\50f3c3d27a8c92.53134782.js

MD5 6915984817d8d2feef5280871b58b175
SHA1 2e2100db6f6ef08c5135470ffcb90502a64a2611
SHA256 f359a9f23636b1c30e3acce63a7052e32b8a48df677e1e0e47458f2a64799242
SHA512 b6ec3ef72d79cfe6a7464d764baa100af5beb8ae51f4a46ec43c144a55b393eb77306c6358fefe683f3d45d1937b5f8983f7028513d4a8d2e3b4b664a80d58e6

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\pjmbommpjkobmcihmjoflflnooonfagc\sqlite.js

MD5 806222cd51fd3810b6de89ca82dfcb45
SHA1 461e562dae14a9caccb884d5d4129f2d60abd9de
SHA256 28c9ad1dde6a10d27fc7ef4393a510903dcec62621576599bcefd044b5ddfda5
SHA512 833bcde7c1ce7f8b7e15f46591f3e826ca01fb70109adc21d181a2cb6c8cfe74ecc93eee91288460b67253582e9b57358f151ae7d1fd321ee54b2d6ec7ddf965

memory/3364-79-0x00000000743A0000-0x00000000743AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso76C7.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aadd.dll

MD5 da161da8bcb9b8032908cc303602f2ee
SHA1 8a2d5e5b32376a40f33d6c9881001425ec025205
SHA256 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e
SHA512 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c

C:\Users\Admin\AppData\Local\Temp\7zS7511.tmp\50f3c3d27aadd.tlb

MD5 1f14de44d0d63a79f91d3fe90badb5fc
SHA1 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e
SHA256 bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c
SHA512 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c

C:\ProgramData\Zoomex\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935
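
The directory pjmbommpjkobmcihmjoflflnooonfagc in the file list is named the way Chrome names installed extensions: 32 characters drawn from a to p, which is the first 16 bytes of the SHA-256 of the extension's DER-encoded public key with each hex digit shifted to a letter (0 becomes a, f becomes p). When a dropped manifest.json carries a "key" field, the ID can therefore be recomputed and compared with the directory name and with whatever the browser's extension list shows, instead of trusting the name. The Python below is an added editor's example, not code from the sample or the sandbox; the manifest it parses is constructed for the demonstration, and its key is a placeholder rather than the sample's key, which this report does not reproduce.

```python
import base64
import hashlib
import json
import re

# Chrome extension IDs are exactly 32 letters from the a..p alphabet.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Directory name from this report's file list (the page's own data).
DROPPED_DIR = "pjmbommpjkobmcihmjoflflnooonfagc"


def is_chrome_extension_id(s):
    """True if s has the shape of a Chrome extension ID."""
    return bool(EXT_ID_RE.match(s))


def extension_id_from_der(public_key_der):
    """Derive the extension ID: SHA-256 of the DER public key, first 16 bytes, hex digits
    remapped 0..f -> a..p."""
    digest = hashlib.sha256(public_key_der).digest()[:16]
    return "".join(
        chr(ord("a") + (byte >> 4)) + chr(ord("a") + (byte & 0x0F)) for byte in digest
    )


def extension_id_from_manifest(manifest_text):
    """Return the ID implied by the manifest's "key" field, or None if it has no key
    (unpacked extensions without a key get a path-derived ID instead, not covered here)."""
    manifest = json.loads(manifest_text)
    key = manifest.get("key")
    if not key:
        return None
    return extension_id_from_der(base64.b64decode(key))


def check_dropped_extension(dir_name, manifest_text):
    """Compare a dropped extension directory against the ID implied by its manifest.
    Returns (dir_is_id_shaped, derived_id_or_None, match_or_None)."""
    shaped = is_chrome_extension_id(dir_name)
    derived = extension_id_from_manifest(manifest_text)
    match = None if derived is None else (derived == dir_name)
    return shaped, derived, match


# Constructed for this example: a placeholder "key" so the derivation can be exercised.
# It is NOT the sample's key and will not reproduce the directory name above.
CONSTRUCTED_KEY_DER = b"constructed demo key, not the sample's public key"
CONSTRUCTED_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "demo",
    "version": "1.0",
    "key": base64.b64encode(CONSTRUCTED_KEY_DER).decode(),
})


if __name__ == "__main__":
    shaped, derived, match = check_dropped_extension(DROPPED_DIR, CONSTRUCTED_MANIFEST)
    print(f"{DROPPED_DIR}: id-shaped={shaped}, derived={derived}, match={match}")
```

A mismatch between the directory name and the derived ID is not by itself malicious (the installer may simply create the directory under a name of its choosing), but a match tells you the dropped manifest is the one Chrome will bind to that ID, which is the ID to search for in browser profiles, Web Store listings and other sandbox runs.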