Malware Analysis Report

2025-01-18 21:40

Sample ID: 240415-l2cehaea7x
Target: f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118
SHA256: 442ed9cc339b9fdc08e5a94c63a0448f1fcc66a94d91102a29cbef03ffcf6b87
Tags: adware, discovery, spyware, stealer, upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: 442ed9cc339b9fdc08e5a94c63a0448f1fcc66a94d91102a29cbef03ffcf6b87
Threat level: shows suspicious behavior

The file f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118 was classified as showing suspicious behavior (not as confirmed malicious).

Malicious Activity Summary

Tags: adware, discovery, spyware, stealer, upx

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Installs/modifies Browser Helper Object

Drops Chrome extension

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry class

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15): no technique mappings are present in this export.

Analysis: static1

Detonation Overview

Reported: 2024-04-15 10:01

Signatures

Unsigned PE
(no indicator rows recorded; Description, Indicator, Process and Target all N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-15 10:01
Reported: 2024-04-15 10:03
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software
(no indicator rows recorded)

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe

Reads user/profile data of web browsers
Tags: spyware, stealer

UPX packed file
Tags: upx
(two rows, all fields N/A)

Checks installed software on the system
Tags: discovery

Drops Chrome extension
File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eifdahbihjkckaogeoggalbobklkhjlm\1\manifest.json
Process: C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe

Installs/modifies Browser Helper Object
Tags: stealer, adware
Process (all rows): C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe
Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ = "wxDownload"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\NoExplorer = "1"

Enumerates physical storage devices

NSIS installer
Tags: installer
(four rows, all fields N/A)

Modifies registry class
Process (all rows): C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe
Target: N/A for all rows. Rows are grouped by the COM object they register; the sandbox listed them in arbitrary order.

COM class for the BHO, CLSID {FE663836-8AD6-7873-5B47-AEEE81B6F10C} (32-bit view):
Key created      \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ = "wxDownload"
Key created      \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32\ = "C:\\ProgramData\\wxDownload\\50fa5ff325d13.dll"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32\ThreadingModel = "Apartment"
Key created      \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ProgID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ProgID\ = "wxDownload.1"

Type library IEPluginLib, {E2343056-CC08-46AC-B898-BFC7ACF4E755}:
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\wxDownload\\50fa5ff325d13.tlb"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDownload"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"

Interface ILocalStorage, {31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} (32-bit view):
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"

Interface ILocalStorage, {31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} (native view):
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"

Interface IIEPluginMain, {C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} (32-bit view):
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"

Interface IIEPluginMain, {C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} (native view):
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"

System policy modification
Tags: evasion
Process (all rows): C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C} = "1"
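The Browser Helper Object, "Modifies registry class" and "System policy modification" signatures above describe a single persistence chain: the dropped 50fa5ff325cda.exe registers C:\ProgramData\wxDownload\50fa5ff325d13.dll as an in-process COM server under CLSID {FE663836-8AD6-7873-5B47-AEEE81B6F10C}, lists that CLSID as a Browser Helper Object (NoExplorer = 1 restricts loading to Internet Explorer rather than Windows Explorer), and writes the same CLSID under Policies\Ext\CLSID with value 1, which marks the add-on as pre-approved so Internet Explorer does not prompt the user before enabling it. The PowerShell below is an added triage script for checking a Windows host for this chain and for the dropped Chrome extension; it is not tooling from the sandbox report or from the sample. The CLSID, Chrome extension ID and DLL SHA256 are copied from this report; the function names, the Wow6432Node policy path and the output layout are this example's own assumptions.

```powershell
# Added triage script: not from the sandbox report or the sample. Indicators below are
# copied from the report; function names and output layout are this example's choices.
$BhoClsid       = '{FE663836-8AD6-7873-5B47-AEEE81B6F10C}'
$ChromeExtId    = 'eifdahbihjkckaogeoggalbobklkhjlm'
$KnownDllSha256 = '0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e'

function Get-BhoRegistrations {
    # Internet Explorer loads every CLSID listed under these keys at start-up. The report
    # shows the 32-bit view (Wow6432Node); both views are checked. HKCU is not covered here.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    # Policies\Ext\CLSID\{clsid} = 1 marks an add-on as pre-approved, so IE never shows the
    # "enable this add-on?" prompt. The report writes the key without Wow6432Node; the
    # second path is an assumption of this example, checked in case a host redirects it.
    $policyRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $props = Get-ItemProperty $key.PSPath

            # Resolve CLSID -> InProcServer32 default value: the DLL IE will load in-process.
            $dll = $null
            foreach ($cr in @("HKLM:\SOFTWARE\Classes\CLSID\$clsid",
                              "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid")) {
                $ips = Join-Path $cr 'InProcServer32'
                if (Test-Path $ips) { $dll = (Get-ItemProperty $ips).'(default)'; break }
            }

            $preApproved = $false
            foreach ($pol in $policyRoots) {
                if (Test-Path $pol) {
                    $v = (Get-ItemProperty $pol).$clsid
                    if ("$v" -eq '1') { $preApproved = $true }
                }
            }

            # A BHO whose DLL is missing is still reported: Signature stays $null,
            # which the filter below treats as "not Valid".
            $sig = $null; $hash = $null
            if ($dll -and (Test-Path $dll)) {
                $sig  = (Get-AuthenticodeSignature $dll).Status
                $hash = (Get-FileHash $dll -Algorithm SHA256).Hash.ToLower()
            }

            [pscustomobject]@{
                Clsid       = $clsid
                Name        = $props.'(default)'
                NoExplorer  = $props.NoExplorer      # 1 = load in IE only, not in Explorer
                Dll         = $dll
                Signature   = $sig
                Sha256      = $hash
                PreApproved = $preApproved
                KnownBad    = ($clsid -eq $BhoClsid) -or ($hash -eq $KnownDllSha256)
            }
        }
    }
}

function Get-ChromeExtensionDrops {
    # The installer wrote manifest.json directly into the profile's Extensions folder
    # rather than going through the Web Store; check every local user and profile.
    foreach ($user in Get-ChildItem 'C:\Users' -Directory) {
        $userData = Join-Path $user.FullName 'AppData\Local\Google\Chrome\User Data'
        if (-not (Test-Path $userData)) { continue }
        foreach ($profile in Get-ChildItem $userData -Directory) {
            $extDir = Join-Path $profile.FullName "Extensions\$ChromeExtId"
            if (Test-Path $extDir) {
                [pscustomobject]@{ User = $user.Name; Profile = $profile.Name; Path = $extDir }
            }
        }
    }
}

# Report anything that matches this sample, is pre-approved, or is not validly signed.
Get-BhoRegistrations |
    Where-Object { $_.KnownBad -or $_.PreApproved -or "$($_.Signature)" -ne 'Valid' } |
    Format-Table -AutoSize
Get-ChromeExtensionDrops | Format-Table -AutoSize
```

Run it from an elevated prompt on the suspect host. A hit on KnownBad ties the machine to this sample; a PreApproved or unsigned BHO that is not KnownBad is still worth pulling the DLL from, since the CLSID and file name can change between builds while the registration pattern stays the same.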

Processes

C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe
Command line: .\50fa5ff325cda.exe /s

Network

No network activity recorded in this run.

Files

\Users\Admin\AppData\Local\Temp\7zSE05.tmp\50fa5ff325cda.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\settings.ini

MD5 855c6b5c73a00d8cec64cd5919067ed5
SHA1 7cb1d326222dc9e641bb107306c675b18f0a62db
SHA256 c252e7daab3136b210af78c0b5e6642e20f221b388a3c388ccc1d5d5fadd9726
SHA512 2cd7195f07636de6e9becd90364ddf13c8b3677a2e6cd53feb8c4e5984b47a260835bcfba0e48306b9f9123f8574722776e26a8c90ebf4fa0ff9112e6cef0537

\Users\Admin\AppData\Local\Temp\nstE54.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\bootstrap.js

MD5 987b5bca5f3ec3dbfb7aaed43b935212
SHA1 e10f77dfab4c219a26d764221a44be94c1a352f7
SHA256 3bdd7bc4da8918219ae607c7c4512b2c1c4b41d289a273c1986987d1ff30475e
SHA512 b1822a79af812aec1d126e648b10f0439a077c7d7b170425be6ace39844002596c05f419797e2acb6059901ea23ee8b09ef99144e008aba9477fce7a7ef294ce

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\chrome.manifest

MD5 a8e8c2c03902912d3419b10941879892
SHA1 84c401315c68c54be957ee87d1f22153b60e6283
SHA256 fe04d2d8eef290a82fcbcf3e9d066b752fcd6e16007c74b0207a343e9713643e
SHA512 9bf5194b8a7e2df886a8894b220e4dcf2042c4239e0de7496011fe49fc01bcda5f072ff4c94b4da5cdff44cd1ccf624ef62512d95fa015227ddafd9b3eb184c0

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\install.rdf

MD5 69eb4405d3b08890aba7d67a65ab155e
SHA1 93cb69717520fded52906cff7d8b2b693b33161a
SHA256 49635a68903beeb0ce00d78a1f564d1d32ddd560967b5b376b3df7e31cf780c6
SHA512 19fd9849633dd6dbaf994c03995ebd1738b1367a21c10b1f9e269dfffd5a9b59fd7b820cbbf51770ce1fac85b2ff0ac2d2842044f9332be9d9dd0ee8d32974d6

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\content\bg.js

MD5 5cca3662526f927f9d2b75e7a8e673dd
SHA1 6f3ccce2088999f3245798e657fa7386bdf7b8e5
SHA256 0450acd9edfb9018d6b214241682e33e9666b704f5719ba779aa02229011ad7e
SHA512 6baac0f67a76d211af50e169ffc8e1e4ba88488e0522ee0de30f933b97cd15987385fb134a2401ade1f65d78977d47a8a57c9022b32fb2983b8692cb459540af

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\[email protected]\content\zy.xul

MD5 9099258a309085bc65125ceced2a41ef
SHA1 405453efba0510833b86a76811072b3cebc3b464
SHA256 a785892a61cb6dee39d17b7860f417bb2539c0a474eaf7fd6cfbe1579405962a
SHA512 7341e50f2c5c4094317c7619c51b9289d5867ad66b2be90ee104c3278a86200f47c3fae187a8e2219c566b46ad58019c7fac66934207e860866da8b4de9da5f4

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\50fa5ff325ae94.47095869.js

MD5 1470a6eb8ed3821d395788cca74cf282
SHA1 d35b4dced55a0ac2e325bd97e6dbbffc808c7b02
SHA256 485a055233a8493681ae279437126d5338bb431d49202ee1bde1f270df9693e2
SHA512 3e6f1d8da5be07d2a73d5929061f44fb6976911882f0e93b50b2d759374136c6947d6d4ff401b5ed82c09b7a5fea96ab827b7c9544608e30b35259cf30ebbf02

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\background.html

MD5 11ac65fa679ada1bb63fa9b7192ed446
SHA1 5a8404b83ebab6c002ef0fd5cb6bce19eec2b767
SHA256 7cd0d5a98e06b99c5e68b5d56b8bf8132fe47aec943ab512359e13c37edccc60
SHA512 7dc50ebfbb3576ad9c8e2eeeea5282efce97a5c980bf2fd1945beda2fadf6b8cf00e82c4b06e826000237f0b3865a3ee91e81d6a010b5856cea8e6fb2418fae0

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\manifest.json

MD5 4fc1d698abe902d55e60be1d3e32724a
SHA1 07da8fda75df08b6ba2494246ba1e6d1d4873810
SHA256 4c4b5ed58b428b592b4d5dc264cc0064a55754ef21a8c0173dcbe91d832efef1
SHA512 482e1b5bb4a01394d4c8664aca1240d548234c114be3efbb4cb958f37bf6339bec9bd3babaf3f718fa4fe199cbe644fee0321bad769a175830eb3426d9ddd447

C:\Users\Admin\AppData\Local\Temp\7zSE05.tmp\eifdahbihjkckaogeoggalbobklkhjlm\sqlite.js

MD5 c3c5b302c01b2994206ff5d399b07fc6
SHA1 e84fd9986a6350e0a0e11d7fb117ad65a58ddca3
SHA256 6c1f67bbe1086f70ce08454582086a7dbbe715948f0b04a7696d276f1eae49d0
SHA512 64964659818c8c93ecf91e41305b427258f2ffbe76ebfff53e62003837d2d5f89a608f5755494629f088636e1f5b9ffb5a7e8eef5e4ec5e5a82d746584942f1e

\Users\Admin\AppData\Local\Temp\nstE54.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

C:\ProgramData\wxDownload\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935

C:\ProgramData\wxDownload\50fa5ff325d13.tlb

MD5 1f14de44d0d63a79f91d3fe90badb5fc
SHA1 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e
SHA256 bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c
SHA512 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c

C:\ProgramData\wxDownload\50fa5ff325d13.dll

MD5 da161da8bcb9b8032908cc303602f2ee
SHA1 8a2d5e5b32376a40f33d6c9881001425ec025205
SHA256 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e
SHA512 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c

memory/2664-87-0x0000000074D40000-0x0000000074D4A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-15 10:01
Reported: 2024-04-15 10:03
Platform: win10v2004-20240412-en
Max time kernel: 93s
Max time network: 113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software
(no indicator rows recorded)

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe

Reads user/profile data of web browsers
Tags: spyware, stealer

UPX packed file
Tags: upx
(two rows, all fields N/A)

Checks installed software on the system
Tags: discovery

Drops Chrome extension
File created: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eifdahbihjkckaogeoggalbobklkhjlm\1\manifest.json
Process: C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe

Installs/modifies Browser Helper Object
Tags: stealer, adware
Process (all rows): C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe
Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ = "wxDownload"
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\NoExplorer = "1"

Enumerates physical storage devices

NSIS installer
Tags: installer
(four rows, all fields N/A)

Modifies registry class
Process (all rows): C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe
Target: N/A for all rows. Rows are grouped by the COM object they register; the sandbox listed them in arbitrary order. The set is the same as in behavioral1.

COM class for the BHO, CLSID {FE663836-8AD6-7873-5B47-AEEE81B6F10C} (32-bit view):
Key created      \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ = "wxDownload"
Key created      \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32\ = "C:\\ProgramData\\wxDownload\\50fa5ff325d13.dll"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\InProcServer32\ThreadingModel = "Apartment"
Key created      \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ProgID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C}\ProgID\ = "wxDownload.1"

Type library IEPluginLib, {E2343056-CC08-46AC-B898-BFC7ACF4E755}:
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\wxDownload\\50fa5ff325d13.tlb"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDownload"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"

Interface ILocalStorage, {31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} (32-bit view):
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"

Interface ILocalStorage, {31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} (native view):
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"

Interface IIEPluginMain, {C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} (32-bit view):
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"

Interface IIEPluginMain, {C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} (native view):
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0"
Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"

System policy modification
Tags: evasion
Process (all rows): C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FE663836-8AD6-7873-5B47-AEEE81B6F10C} = "1"

Processes

C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f0caffbe3f2f8feb9c72630e8ac51d6c_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe
Command line: .\50fa5ff325cda.exe /s

Network

Only DNS traffic to 8.8.8.8 (reverse PTR lookups and one g.bing.com query) and a single TLS connection to g.bing.com were recorded; the table does not attribute any of it to a process.

Country  Destination          Domain                          Proto
US       8.8.8.8:53           22.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa        udp
US       8.8.8.8:53           g.bing.com                      udp
US       204.79.197.237:443   g.bing.com                      tcp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa       udp
US       8.8.8.8:53           237.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53           21.114.53.23.in-addr.arpa       udp
US       8.8.8.8:53           103.169.127.40.in-addr.arpa     udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa      udp
US       8.8.8.8:53           81.139.73.23.in-addr.arpa       udp
US       8.8.8.8:53           249.197.17.2.in-addr.arpa       udp
US       8.8.8.8:53           19.229.111.52.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325cda.exe

MD5 b78633fae8aaf5f7e99e9c736f44f9c5
SHA1 26fc60e29c459891ac0909470ac6c61a1eca1544
SHA256 d205693516dbaf34cfbd216e825190de4de1412e861bc9cb30ce863907b30d22
SHA512 3885b609269b26918ccfcd9069181168c12f4271b6bdfcc51afe176b2dd242d4c0953ac1a4ddaf25abcfaf28a0b694a6269d96ae39bb7b2db2f0140d2d60cd43

C:\Users\Admin\AppData\Local\Temp\nsu3809.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\settings.ini

MD5 855c6b5c73a00d8cec64cd5919067ed5
SHA1 7cb1d326222dc9e641bb107306c675b18f0a62db
SHA256 c252e7daab3136b210af78c0b5e6642e20f221b388a3c388ccc1d5d5fadd9726
SHA512 2cd7195f07636de6e9becd90364ddf13c8b3677a2e6cd53feb8c4e5984b47a260835bcfba0e48306b9f9123f8574722776e26a8c90ebf4fa0ff9112e6cef0537

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\bootstrap.js

MD5 987b5bca5f3ec3dbfb7aaed43b935212
SHA1 e10f77dfab4c219a26d764221a44be94c1a352f7
SHA256 3bdd7bc4da8918219ae607c7c4512b2c1c4b41d289a273c1986987d1ff30475e
SHA512 b1822a79af812aec1d126e648b10f0439a077c7d7b170425be6ace39844002596c05f419797e2acb6059901ea23ee8b09ef99144e008aba9477fce7a7ef294ce

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\chrome.manifest

MD5 a8e8c2c03902912d3419b10941879892
SHA1 84c401315c68c54be957ee87d1f22153b60e6283
SHA256 fe04d2d8eef290a82fcbcf3e9d066b752fcd6e16007c74b0207a343e9713643e
SHA512 9bf5194b8a7e2df886a8894b220e4dcf2042c4239e0de7496011fe49fc01bcda5f072ff4c94b4da5cdff44cd1ccf624ef62512d95fa015227ddafd9b3eb184c0

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\install.rdf

MD5 69eb4405d3b08890aba7d67a65ab155e
SHA1 93cb69717520fded52906cff7d8b2b693b33161a
SHA256 49635a68903beeb0ce00d78a1f564d1d32ddd560967b5b376b3df7e31cf780c6
SHA512 19fd9849633dd6dbaf994c03995ebd1738b1367a21c10b1f9e269dfffd5a9b59fd7b820cbbf51770ce1fac85b2ff0ac2d2842044f9332be9d9dd0ee8d32974d6

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\content\bg.js

MD5 5cca3662526f927f9d2b75e7a8e673dd
SHA1 6f3ccce2088999f3245798e657fa7386bdf7b8e5
SHA256 0450acd9edfb9018d6b214241682e33e9666b704f5719ba779aa02229011ad7e
SHA512 6baac0f67a76d211af50e169ffc8e1e4ba88488e0522ee0de30f933b97cd15987385fb134a2401ade1f65d78977d47a8a57c9022b32fb2983b8692cb459540af

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\[email protected]\content\zy.xul

MD5 9099258a309085bc65125ceced2a41ef
SHA1 405453efba0510833b86a76811072b3cebc3b464
SHA256 a785892a61cb6dee39d17b7860f417bb2539c0a474eaf7fd6cfbe1579405962a
SHA512 7341e50f2c5c4094317c7619c51b9289d5867ad66b2be90ee104c3278a86200f47c3fae187a8e2219c566b46ad58019c7fac66934207e860866da8b4de9da5f4

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\50fa5ff325ae94.47095869.js

MD5 1470a6eb8ed3821d395788cca74cf282
SHA1 d35b4dced55a0ac2e325bd97e6dbbffc808c7b02
SHA256 485a055233a8493681ae279437126d5338bb431d49202ee1bde1f270df9693e2
SHA512 3e6f1d8da5be07d2a73d5929061f44fb6976911882f0e93b50b2d759374136c6947d6d4ff401b5ed82c09b7a5fea96ab827b7c9544608e30b35259cf30ebbf02

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\background.html

MD5 11ac65fa679ada1bb63fa9b7192ed446
SHA1 5a8404b83ebab6c002ef0fd5cb6bce19eec2b767
SHA256 7cd0d5a98e06b99c5e68b5d56b8bf8132fe47aec943ab512359e13c37edccc60
SHA512 7dc50ebfbb3576ad9c8e2eeeea5282efce97a5c980bf2fd1945beda2fadf6b8cf00e82c4b06e826000237f0b3865a3ee91e81d6a010b5856cea8e6fb2418fae0

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\lsdb.js

MD5 209b7ae0b6d8c3f9687c979d03b08089
SHA1 6449f8bff917115eef4e7488fae61942a869200f
SHA256 e3cf0049af8b9f6cb4f0223ccb8438f4b0c75863684c944450015868a0c45704
SHA512 1b38d5509283ef25de550b43ef2535dee1a13eff12ad5093f513165a47eec631bcc993242e2ce640f36c61974431ae2555bd6e2a97aba91eb689b7cd4bf25a25

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\content.js

MD5 5f9891607f65f433b0690bae7088b2c1
SHA1 b4edb7579dca34dcd00bca5d2c13cbc5c8fac0de
SHA256 fb01e87250ac9985ed08d97f2f99937a52998ea9faebdc88e4071d6517e1ea6b
SHA512 76018b39e4b62ff9ea92709d12b0255f33e8402dfc649ed403382eebc22fb37c347c403534a7792e6b5de0ed0a5d97a09b69f0ffc39031cb0d4c7d79e9440c7c

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\manifest.json

MD5 4fc1d698abe902d55e60be1d3e32724a
SHA1 07da8fda75df08b6ba2494246ba1e6d1d4873810
SHA256 4c4b5ed58b428b592b4d5dc264cc0064a55754ef21a8c0173dcbe91d832efef1
SHA512 482e1b5bb4a01394d4c8664aca1240d548234c114be3efbb4cb958f37bf6339bec9bd3babaf3f718fa4fe199cbe644fee0321bad769a175830eb3426d9ddd447

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\eifdahbihjkckaogeoggalbobklkhjlm\sqlite.js

MD5 c3c5b302c01b2994206ff5d399b07fc6
SHA1 e84fd9986a6350e0a0e11d7fb117ad65a58ddca3
SHA256 6c1f67bbe1086f70ce08454582086a7dbbe715948f0b04a7696d276f1eae49d0
SHA512 64964659818c8c93ecf91e41305b427258f2ffbe76ebfff53e62003837d2d5f89a608f5755494629f088636e1f5b9ffb5a7e8eef5e4ec5e5a82d746584942f1e

C:\Users\Admin\AppData\Local\Temp\nsu3809.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

memory/2992-79-0x0000000073E80000-0x0000000073E8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325d13.dll

MD5 da161da8bcb9b8032908cc303602f2ee
SHA1 8a2d5e5b32376a40f33d6c9881001425ec025205
SHA256 0648d564b30e13a0819f28e00a9af39a6686a4d29ccd265c7d81548e4fe0f67e
SHA512 39e882a371dbce2484324811bffdd7ae7655b57401d07bf264aced6b5dac0ae326bd1945c536f05d8ab3b92ca03ff056c5a7baf54f7eb477b45fc405ec54052c

C:\Users\Admin\AppData\Local\Temp\7zS371D.tmp\50fa5ff325d13.tlb

MD5 1f14de44d0d63a79f91d3fe90badb5fc
SHA1 7fcc921608d2cf40e81cdd9a98e1a15a6ba1f57e
SHA256 bd3d85c0136a66b2af79d4d91c1c5700c8931937b7e554d5ece946760ef4a99c
SHA512 86eb6ebf9eccf1dcb601db827797ac603c0ebe01b6d73318986275c29bd034c8df5f7c79ddf0b19536faf24bdb11e09ac95ea43e8fe75b0ed3dde76dd139883c

C:\ProgramData\wxDownload\uninstall.exe

MD5 f3c79bda3fdf7c5dd24d60400a57cadb
SHA1 1adb606aaeedb246a371c8877c737f0f8c798625
SHA256 a76272ed3bbf23308782a308d428ee805ec77fbb622a830af26cb0ddbbf7377b
SHA512 c43cb957bdea357bd016fe03a8004a48d8117a12106f62876394feba05ad01a321ff6017ffb7b926cc77712f5ab63ea2e4b169a419c444c8f62aa4933f289935