Malware Analysis Report

2025-01-18 21:48

Sample ID 240415-d52vkadf35
Target f036d34d02675b14fdac1483e0c4af10_JaffaCakes118
SHA256 aa869c1b87d0d8d65a4e434ed5970774678bdc501f4fe9bc72111b4d0670a8df
Tags
adware discovery spyware stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

aa869c1b87d0d8d65a4e434ed5970774678bdc501f4fe9bc72111b4d0670a8df

Threat Level: Shows suspicious behavior

The file f036d34d02675b14fdac1483e0c4af10_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer upx

Executes dropped EXE

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

UPX packed file

Installs/modifies Browser Helper Object

Drops Chrome extension

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 03:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 03:36

Reported

2024-04-15 03:38

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f036d34d02675b14fdac1483e0c4af10_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljaclggiendncccjnigjlpeiggplckgp\1\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB8D9E7E-17B7-4A58-D772-F58D632DB802} C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\ = "Braowwsee2save" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\InProcServer32\ = "C:\\ProgramData\\Braowwsee2save\\5156d02da04bb.dll" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Braowwsee2save\\5156d02da04bb.tlb" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802} C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\ = "Braowwsee2save" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Braowwsee2save" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\ProgID\ = "Braowwsee2save.1" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802} = "1" C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f036d34d02675b14fdac1483e0c4af10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f036d34d02675b14fdac1483e0c4af10_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe

.\5156d02da0482.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da0482.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\settings.ini

MD5 2f00e9cb0deee76b44124d47b86fd5a1
SHA1 1c753674cb7753cd0cea08b1425a9316788acd9f
SHA256 3721a936e0361f4b639255228b44b76f747d8312cef1b333f9ec0bccdc46a3f5
SHA512 2a1b0af15bc1a4bbadf604a7263aee9adebb46ae97d271de86f39b5f97d4e6a199f6d2ee1c6b7ae4dfe105c00387d9319e36a9ea9d273818c60bddc2094802c4

\Users\Admin\AppData\Local\Temp\nst394A.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\[email protected]\bootstrap.js

MD5 25a67d41066a16e412c814a67f9e03c7
SHA1 a522d4b55e09bdb4598e9328d5c8aebe662a0cce
SHA256 0224a0f4ffd6fc4005f779c4cfd4983441a4d6d370972c7e3740ca2fc9dfe74f
SHA512 31d519b4bddb79ae3b2b2842fa8157e3ec0a9ea61e0ceaa453b174435aa66235f3b7dcce26a8750ec874d47904b9fd34cc9625ace19bacad16086c2f638d45a8

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\[email protected]\install.rdf

MD5 a12eedf2095089752b16d9c590e2042b
SHA1 8e5922e725fe9e831a47a3cdd6e050040e2c4dfe
SHA256 5ef2c2cc5a2246fa1d977fd7bc3906bb3d1e2504b128b1a025a5db18e8b7446b
SHA512 aa767d48fddbe28350f95d4c341c62aee1745697d298f91bd5466caaf146fa4d0b023eb2be7871bb2717cc55ab5523c41c9670686eb4d9c865e5ce566928c9f8

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\[email protected]\chrome.manifest

MD5 fc3405cab8f781a34fa5ecec1b2fd81c
SHA1 187d0608998101ea7e2fc89f440094b280e264f4
SHA256 584917d8f5032b0875e28443eb3ef3469c7c6ca1ce5a382e9cf2a32785c99d16
SHA512 08cc8529917d952366b0781e289a66ef889b856b775b1e5babb14acf17dc6549680f88e053a6562b7b78d0c7127b606d55233571e47a9d5fa3d913810c89d612

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\[email protected]\content\bg.js

MD5 3472fa52f0ac1437666f0147bf5a4dc7
SHA1 9dc0b1f3b1742ca01d6ad309ab43b2923751da0d
SHA256 034d4af7ddb402adfd4cc40f1251211ea982e915d20d99bc0c091e3fd45d8072
SHA512 99fbf03b1fd330ffd18c8cb1d2ff521a3f0da628f028f3977f41ecc2a6a8750b80d286d0f4c3239ec55bbdd01a984bbc1d3e0078bacd6930dd510db878b0db27

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\[email protected]\content\zy.xul

MD5 20cca8b942a17348276e9f5f24224940
SHA1 3e5cdc0d7208564e0d5fb37cc5c392a90d9ceb9f
SHA256 d9a2c715f6f5c0e7f588aacee63205e824435354474fa02d07add0d4d01555fe
SHA512 52006d23ac6a23fe175fb9ce6b54bfdbe6877076ea718b9448bbb7eb8066984b8ff6308e526a1c6aae7c80a907801c3c85928016ab248bbd7716bf66d405f91b

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\ljaclggiendncccjnigjlpeiggplckgp\5156d02da027c6.04216095.js

MD5 a5672c6a4414e0fb736fad981a13d8c8
SHA1 ffa2b33dfd42eeb5ba91f1150787d640f12cb91d
SHA256 fedc42833945e41dd73e6d943466ba8a94414ed61e8e796a177f76baa2da772e
SHA512 8209572c999e3a44d0fa507d5c946ce8f169df807b22e155e0095b71af77fb8504e029ed50d80e0388ba8b9141e52375c5fb16310a3e0acf0636384bb197c9da

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\ljaclggiendncccjnigjlpeiggplckgp\background.html

MD5 7976ed58f92c20bc511631b6e12a52bc
SHA1 d94d1498fd2e72e460345b62aa4713bfdc01cebb
SHA256 5e4c66450d3bf1a11bec0563982e59523d4da3921f262e4953508b43aed76253
SHA512 fe514ab4da9668d91e87659d409e862d656ef0c582bc52e23008afa8f19a02c9c6b2410111c8a8e11325044053bd4c3f6eff85b8ceed2fe74dbd74f1175f7c0a

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\ljaclggiendncccjnigjlpeiggplckgp\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\ljaclggiendncccjnigjlpeiggplckgp\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\ljaclggiendncccjnigjlpeiggplckgp\manifest.json

MD5 8eb5e9c026d1534fe8d62f43b01fc12a
SHA1 5888a07806ee2484c6bee45bbeb8ce25aa2f1632
SHA256 439560cfedbd78378500fed349ffb8cbee20ba841d77256afcefb170e53b780f
SHA512 87683ec5c8825eb5bbb72c12f9c101f2e333c3e0d54a0923b9b27b5e36fb7455928fbfd647792cbd26178698a3498efffe3bddaf2af160b5ae91df95ecd42549

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\ljaclggiendncccjnigjlpeiggplckgp\sqlite.js

MD5 38ac016b7e0fdc9972910679d340fc5d
SHA1 8dd8a9b57ca6ac323fcc523838d2a10941af715c
SHA256 afe024c7feb93207e3484eb1a11598b22dbd7758995ed4b8a6c658d815c3408e
SHA512 fc996972702cb5b4dfe10e1cf4168971bb11486db29e385b946ebd6ccb4092762636b2c810f9dc94d024ae32e5bce196f471b24ed09f99cc020e037dfa78ff83

memory/1716-80-0x0000000074E60000-0x0000000074E6A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst394A.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da04bb.tlb

MD5 d5980ff8eb0ef4276fad96fba8fc5018
SHA1 2cb05f8b43aa3ae2f5492f590997eec6ff808fe2
SHA256 ac3a1daa32b1c489f9c2f4413ab35c4fc90b54a52ede0fb53276666e6eeef16f
SHA512 30404f467dd727a7de132fb08cd3c88abf5fb2e7ef18f24af5371b63fd106d6d5757061ec55c7b54daf9844100280670bf2b22a71c89b160048552b5eec12d0c

C:\Users\Admin\AppData\Local\Temp\7zS3775.tmp\5156d02da04bb.dll

MD5 00ce3831a16a62c6d7ea4b21049e4b22
SHA1 3e48c8d25b196d67722ed20cd36bf3448a4c9136
SHA256 d4bb7937b36973cbf3b12c9500c25ed34103944a69bad9162f3b98f39474529c
SHA512 7633071b26d802aae1250111baa40e5158fb1a1639d76098f2ecd6263adf0e6371d5e9a70d9005b267cb907da84235f4e361f8c8a75b8adbd19a049ab1227619

C:\ProgramData\Braowwsee2save\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 03:36

Reported

2024-04-15 03:38

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f036d34d02675b14fdac1483e0c4af10_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljaclggiendncccjnigjlpeiggplckgp\1\manifest.json C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB8D9E7E-17B7-4A58-D772-F58D632DB802} C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\ = "Braowwsee2save" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802} C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Braowwsee2save" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Braowwsee2save\\5156d02da04bb.tlb" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\ProgID\ = "Braowwsee2save.1" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\InProcServer32\ = "C:\\ProgramData\\Braowwsee2save\\5156d02da04bb.dll" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802}\ = "Braowwsee2save" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{BB8D9E7E-17B7-4A58-D772-F58D632DB802} = "1" C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f036d34d02675b14fdac1483e0c4af10_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\f036d34d02675b14fdac1483e0c4af10_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe

.\5156d02da0482.exe /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
BE 2.17.197.240:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\settings.ini

MD5 2f00e9cb0deee76b44124d47b86fd5a1
SHA1 1c753674cb7753cd0cea08b1425a9316788acd9f
SHA256 3721a936e0361f4b639255228b44b76f747d8312cef1b333f9ec0bccdc46a3f5
SHA512 2a1b0af15bc1a4bbadf604a7263aee9adebb46ae97d271de86f39b5f97d4e6a199f6d2ee1c6b7ae4dfe105c00387d9319e36a9ea9d273818c60bddc2094802c4

C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\[email protected]\bootstrap.js

MD5 25a67d41066a16e412c814a67f9e03c7
SHA1 a522d4b55e09bdb4598e9328d5c8aebe662a0cce
SHA256 0224a0f4ffd6fc4005f779c4cfd4983441a4d6d370972c7e3740ca2fc9dfe74f
SHA512 31d519b4bddb79ae3b2b2842fa8157e3ec0a9ea61e0ceaa453b174435aa66235f3b7dcce26a8750ec874d47904b9fd34cc9625ace19bacad16086c2f638d45a8

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\[email protected]\chrome.manifest

MD5 fc3405cab8f781a34fa5ecec1b2fd81c
SHA1 187d0608998101ea7e2fc89f440094b280e264f4
SHA256 584917d8f5032b0875e28443eb3ef3469c7c6ca1ce5a382e9cf2a32785c99d16
SHA512 08cc8529917d952366b0781e289a66ef889b856b775b1e5babb14acf17dc6549680f88e053a6562b7b78d0c7127b606d55233571e47a9d5fa3d913810c89d612

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\[email protected]\install.rdf

MD5 a12eedf2095089752b16d9c590e2042b
SHA1 8e5922e725fe9e831a47a3cdd6e050040e2c4dfe
SHA256 5ef2c2cc5a2246fa1d977fd7bc3906bb3d1e2504b128b1a025a5db18e8b7446b
SHA512 aa767d48fddbe28350f95d4c341c62aee1745697d298f91bd5466caaf146fa4d0b023eb2be7871bb2717cc55ab5523c41c9670686eb4d9c865e5ce566928c9f8

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\[email protected]\content\bg.js

MD5 3472fa52f0ac1437666f0147bf5a4dc7
SHA1 9dc0b1f3b1742ca01d6ad309ab43b2923751da0d
SHA256 034d4af7ddb402adfd4cc40f1251211ea982e915d20d99bc0c091e3fd45d8072
SHA512 99fbf03b1fd330ffd18c8cb1d2ff521a3f0da628f028f3977f41ecc2a6a8750b80d286d0f4c3239ec55bbdd01a984bbc1d3e0078bacd6930dd510db878b0db27

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\[email protected]\content\zy.xul

MD5 20cca8b942a17348276e9f5f24224940
SHA1 3e5cdc0d7208564e0d5fb37cc5c392a90d9ceb9f
SHA256 d9a2c715f6f5c0e7f588aacee63205e824435354474fa02d07add0d4d01555fe
SHA512 52006d23ac6a23fe175fb9ce6b54bfdbe6877076ea718b9448bbb7eb8066984b8ff6308e526a1c6aae7c80a907801c3c85928016ab248bbd7716bf66d405f91b

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\ljaclggiendncccjnigjlpeiggplckgp\5156d02da027c6.04216095.js

MD5 a5672c6a4414e0fb736fad981a13d8c8
SHA1 ffa2b33dfd42eeb5ba91f1150787d640f12cb91d
SHA256 fedc42833945e41dd73e6d943466ba8a94414ed61e8e796a177f76baa2da772e
SHA512 8209572c999e3a44d0fa507d5c946ce8f169df807b22e155e0095b71af77fb8504e029ed50d80e0388ba8b9141e52375c5fb16310a3e0acf0636384bb197c9da

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\ljaclggiendncccjnigjlpeiggplckgp\background.html

MD5 7976ed58f92c20bc511631b6e12a52bc
SHA1 d94d1498fd2e72e460345b62aa4713bfdc01cebb
SHA256 5e4c66450d3bf1a11bec0563982e59523d4da3921f262e4953508b43aed76253
SHA512 fe514ab4da9668d91e87659d409e862d656ef0c582bc52e23008afa8f19a02c9c6b2410111c8a8e11325044053bd4c3f6eff85b8ceed2fe74dbd74f1175f7c0a

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\ljaclggiendncccjnigjlpeiggplckgp\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\ljaclggiendncccjnigjlpeiggplckgp\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\ljaclggiendncccjnigjlpeiggplckgp\manifest.json

MD5 8eb5e9c026d1534fe8d62f43b01fc12a
SHA1 5888a07806ee2484c6bee45bbeb8ce25aa2f1632
SHA256 439560cfedbd78378500fed349ffb8cbee20ba841d77256afcefb170e53b780f
SHA512 87683ec5c8825eb5bbb72c12f9c101f2e333c3e0d54a0923b9b27b5e36fb7455928fbfd647792cbd26178698a3498efffe3bddaf2af160b5ae91df95ecd42549

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\ljaclggiendncccjnigjlpeiggplckgp\sqlite.js

MD5 38ac016b7e0fdc9972910679d340fc5d
SHA1 8dd8a9b57ca6ac323fcc523838d2a10941af715c
SHA256 afe024c7feb93207e3484eb1a11598b22dbd7758995ed4b8a6c658d815c3408e
SHA512 fc996972702cb5b4dfe10e1cf4168971bb11486db29e385b946ebd6ccb4092762636b2c810f9dc94d024ae32e5bce196f471b24ed09f99cc020e037dfa78ff83

C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

memory/4676-79-0x00000000741F0000-0x00000000741FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da04bb.dll

MD5 00ce3831a16a62c6d7ea4b21049e4b22
SHA1 3e48c8d25b196d67722ed20cd36bf3448a4c9136
SHA256 d4bb7937b36973cbf3b12c9500c25ed34103944a69bad9162f3b98f39474529c
SHA512 7633071b26d802aae1250111baa40e5158fb1a1639d76098f2ecd6263adf0e6371d5e9a70d9005b267cb907da84235f4e361f8c8a75b8adbd19a049ab1227619

C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da04bb.tlb

MD5 d5980ff8eb0ef4276fad96fba8fc5018
SHA1 2cb05f8b43aa3ae2f5492f590997eec6ff808fe2
SHA256 ac3a1daa32b1c489f9c2f4413ab35c4fc90b54a52ede0fb53276666e6eeef16f
SHA512 30404f467dd727a7de132fb08cd3c88abf5fb2e7ef18f24af5371b63fd106d6d5757061ec55c7b54daf9844100280670bf2b22a71c89b160048552b5eec12d0c

C:\ProgramData\Braowwsee2save\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935
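The Files list above mixes several components that a triage note should keep apart: the NSIS installer's own plugins (UserInfo.dll, nsJSON.dll in an ns*.tmp plugin directory), the 7-Zip SFX payload extracted to 7zS6949.tmp (the dropped EXE plus the DLL/TLB pair the BHO is registered from), an unpacked Chrome extension (the 32-character a-p directory name is a Chrome extension ID), a legacy pre-WebExtensions Firefox add-on (install.rdf, chrome.manifest, bootstrap.js, a .xul file), the persistent install under C:\ProgramData\Braowwsee2save, and one memory dump that has no hashes because it is a sandbox artefact rather than a file on disk. The script below is an added example, not part of this report; it parses an abridged copy of the section (paths verbatim, only the SHA256 line of each entry kept, the mangled Firefox directory name reproduced as-is), validates hash lengths, labels each entry with the heuristics just listed, and emits the on-disk SHA-256 set as IOCs. The path heuristics (7zS*.tmp as 7-Zip SFX, ns?*.tmp as the NSIS plugin directory) are assumptions stated in the code.

```python
import re

# Abridged copy of the Files section above: paths verbatim, only the SHA256
# line per entry kept, memory dump entry (no hashes in the report) kept on
# purpose. The Firefox add-on directory name is mangled in the report; as-is.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da0482.exe

SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
C:\Users\Admin\AppData\Local\Temp\nso6A15.tmp\UserInfo.dll

SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\[email protected]\install.rdf

SHA256 5ef2c2cc5a2246fa1d977fd7bc3906bb3d1e2504b128b1a025a5db18e8b7446b
C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\ljaclggiendncccjnigjlpeiggplckgp\manifest.json

SHA256 439560cfedbd78378500fed349ffb8cbee20ba841d77256afcefb170e53b780f
memory/4676-79-0x00000000741F0000-0x00000000741FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS6949.tmp\5156d02da04bb.dll

SHA256 d4bb7937b36973cbf3b12c9500c25ed34103944a69bad9162f3b98f39474529c
C:\ProgramData\Braowwsee2save\uninstall.exe

SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
"""

HASH_LEN = {'MD5': 32, 'SHA1': 40, 'SHA256': 64, 'SHA512': 128}
HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$')
CHROME_ID_RE = re.compile(r'^[a-p]{32}$')             # Chrome extension IDs: 32 chars of a-p
NSIS_PLUGIN_DIR_RE = re.compile(r'^ns[a-z][0-9a-f]+\.tmp$', re.I)  # assumed NSIS $PLUGINSDIR name
FIREFOX_LEGACY = {'install.rdf', 'chrome.manifest', 'bootstrap.js'}


def classify(path):
    """Heuristic component label derived from the drop path alone."""
    if path.startswith('memory/'):
        return 'memory-dump'
    parts = path.split('\\')
    base = parts[-1].lower()
    if any(CHROME_ID_RE.match(p) for p in parts[:-1]):
        return 'chrome-extension'
    if base in FIREFOX_LEGACY or base.endswith('.xul'):
        return 'firefox-extension'
    if any(NSIS_PLUGIN_DIR_RE.match(p) for p in parts[:-1]):
        return 'nsis-plugin'
    if path.lower().startswith('c:\\programdata\\'):
        return 'installed-persistent'
    if base.endswith(('.dll', '.tlb')):
        return 'com-server'          # DLL/TLB pair the BHO CLSID points at
    if base.endswith('.exe'):
        return 'dropped-exe'
    return 'other'


def parse_files(text):
    """Parse path/hash blocks; a path line with no hash lines is still an entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            entries.append({'path': line, 'kind': classify(line), 'hashes': {}})
            continue
        if not entries:
            raise ValueError('hash line before any path: ' + line)
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f'{algo} digest of {entries[-1]["path"]} has {len(digest)} hex chars')
        entries[-1]['hashes'][algo] = digest
    return entries


def sha256_iocs(entries):
    """On-disk artefacts only; memory dumps are sandbox-specific, not IOCs."""
    return sorted({e['hashes']['SHA256'] for e in entries
                   if e['kind'] != 'memory-dump' and 'SHA256' in e['hashes']})


if __name__ == '__main__':
    parsed = parse_files(FILES_SECTION)
    for e in parsed:
        print(f"{e['kind']:22} {e['path']}")
    print('\n'.join(sha256_iocs(parsed)))
```

The stock NSIS plugins and the 7-Zip SFX stub are not useful as detection content on their own; the hashes that matter for blocking are the dropped-exe, com-server and installed-persistent entries, while the extension directories are better matched on the Chrome extension ID and the Firefox add-on files than on their per-build hashes.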