Malware Analysis Report

2025-01-18 22:14

Sample ID 240429-3dphlade66
Target 087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118
SHA256 203fe7d0d3e6b6c4d986da6a02e55a9f8cb6f874d47008edc8fa187b23545c66
Tags adware discovery persistence spyware stealer
Score 7/10


Analysis Overview

Score 7/10

SHA256 203fe7d0d3e6b6c4d986da6a02e55a9f8cb6f874d47008edc8fa187b23545c66

Threat Level: Shows suspicious behavior

The file 087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118 was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

adware discovery persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Registers COM server for autorun

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops Chrome extension

Drops file in Program Files directory

Unsigned PE

Modifies registry class

System policy modification

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-29 23:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-29 23:24

Reported

2024-04-29 23:26

Platform

win7-20240419-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dat C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dat C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dll C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dll C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.tlb C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.tlb C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ProgID\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.tlb" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{FF8E81E4-1D22-42E2-0976-743412A75EFF}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.dll" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Programmable C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.dll" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
PID 2052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
PID 2052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
PID 2052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
PID 2052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
PID 2052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
PID 2052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
PID 2780 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2780 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2780 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2780 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2780 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2780 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2780 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 1976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2192 wrote to memory of 1976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2192 wrote to memory of 1976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2192 wrote to memory of 1976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2192 wrote to memory of 1976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2192 wrote to memory of 1976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2192 wrote to memory of 1976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/ATDuUO.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll"
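The event tables above are long and repetitive, and the story they tell is easier to see once the rows are correlated by CLSID and by PID. The script below is an added example for this page, not part of the sandbox's own tooling; the function names are mine, and it assumes the report's row layout ("Description Indicator Process Target" with a literal N/A target column). The rows in EVENTS are copied from the behavioral1 tables. Run against them it shows: the same CLSID registered in both registry views, the native view pointing at V2UKJ.x64.dll (written by the 64-bit regsvr32) and the Wow6432Node view at V2UKJ.dll (written by the 32-bit ATDuUO.exe), so both 32-bit and 64-bit Internet Explorer would load the BHO; the Policies\Ext\CLSID value of 1, which is the IE add-on management policy setting that marks the add-on as enabled and suppresses the user approval prompt; the extension manifest written into every profile directory, including Guest; and a linear process chain in which the SysWOW64 regsvr32 hands off to the system32 regsvr32, consistent with the recorded command lines (a 32-bit regsvr32 given a 64-bit DLL relaunches the 64-bit copy). The repeated "wrote to memory" rows are each a parent writing into a child it has just created, which is what process creation looks like to this signature, so the useful indicator is the chain itself rather than the write count.

```python
"""Correlate this report's event tables into a COM/BHO persistence picture.

Added example for this page, not part of the sandbox's own tooling. It assumes
the report's row layout ("Description Indicator Process Target" with a literal
N/A target column); the rows in EVENTS are copied from the behavioral1 tables.
"""
import re
from collections import defaultdict
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
REG_RE = re.compile(r"^(Key created|Key deleted|Set value \((?:str|int)\)) (.+?) (C:\\\S+) N/A$")
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\\S+) (C:\\\S+)$")
EXT_RE = re.compile(r"^File created C:\\Users\\([^\\]+)\\AppData\\Local\\Google\\Chrome\\"
                    r"User Data\\[^\\]+\\Extensions\\([a-p]{32})\\")

# Rows copied from the behavioral1 tables above; one duplicated WPM row is kept on purpose.
EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.dll" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
PID 2052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
PID 2052 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe
PID 2780 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2192 wrote to memory of 1976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
""".strip().splitlines()

def parse_registry_event(line):
    """One registry row -> op / key / value / writing process, or None for other rows."""
    m = REG_RE.match(line)
    if not m:
        return None
    op, indicator, proc = m.groups()
    key, _, value = indicator.partition(" = ")
    # The report doubles backslashes inside quoted values; undo that and drop the quotes.
    value = value.strip('"').replace("\\\\", "\\")
    return {"op": op, "key": key.rstrip("\\"), "value": value, "process": proc}

def summarize_com_persistence(lines):
    """Per CLSID: friendly name, InprocServer32 DLL per registry view, BHO views, IE policy."""
    out = defaultdict(lambda: {"name": None, "inproc": {}, "bho_views": set(),
                               "policy_enabled": False, "writers": set()})
    for line in lines:
        ev = parse_registry_event(line)
        hit = CLSID_RE.search(ev["key"]) if ev else None
        if not hit:
            continue
        clsid = hit.group(0).upper()
        e, k = out[clsid], ev["key"].lower()
        e["writers"].add(ev["process"])
        # 32-bit writers land under Wow6432Node; the 64-bit regsvr32 writes the native view.
        view = "wow64" if "wow6432node" in k else "native"
        if ev["op"].startswith("Set value") and k.endswith("\\inprocserver32"):
            e["inproc"][view] = ev["value"]
        elif "browser helper objects" in k and ev["op"] != "Key deleted":
            # Delete-then-recreate of the same key is normal for a COM register script.
            e["bho_views"].add(view)
            if k.endswith(clsid.lower()) and ev["value"]:
                e["name"] = ev["value"]
        elif "\\policies\\ext\\clsid\\" in k and ev["value"] == "1":
            # IE add-on management policy: 1 = add-on enabled, no user approval prompt.
            e["policy_enabled"] = True
    return dict(out)

def process_chain(lines):
    """Collapse repeated 'PID a wrote to memory of b' rows into an ordered (pid, image) lineage."""
    parent, image = {}, {}
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            parent[dst] = src
            image[src], image[dst] = src_img, dst_img
    chain = []
    def walk(pid):
        chain.append((int(pid), image[pid]))
        for child in sorted(c for c, p in parent.items() if p == pid):
            walk(child)
    for root in sorted(p for p in image if p not in parent):
        walk(root)
    return chain

def extension_drop_targets(lines):
    """Chrome extension id -> sorted user profiles it was written into."""
    targets = defaultdict(set)
    for line in lines:
        m = EXT_RE.match(line)
        if m:
            targets[m.group(2)].add(m.group(1))
    return {ext: sorted(users) for ext, users in targets.items()}

if __name__ == "__main__":
    print(summarize_com_persistence(EVENTS))
    print(process_chain(EVENTS))
    print(extension_drop_targets(EVENTS))
```

The same parsing applies unchanged to the behavioral2 tables, which record the identical CLSID, DLL paths and policy value on Windows 10. On a live host the equivalent check is to read HKLM\...\Explorer\Browser Helper Objects (both views), follow each CLSID to its InprocServer32 path, and treat an unsigned DLL under Program Files (x86) plus a Policies\Ext\CLSID entry of 1 for the same CLSID as the combination seen here.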

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe

MD5 926838555c7e13f295fda017b3fa3ea9
SHA1 f8947d5c9be8b66e0aa99696bfcee097f1a55403
SHA256 67b6ba841d56bef371d7e8c7382df39d2c76f828d6ea7669a6b1099835aaa08d
SHA512 409e818552f78ca17720bef89d20c50a402bcedaf8084a8a10c6fb8933a07b7c25acdb21e0b22bb544c9287eb792de1fdbd3ad38e3e29a303049bb472b224be7

C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.dat

MD5 32853cf2595f2504042f1473853b4b89
SHA1 174580acda0c9b20791ca8be29f132f976dd52df
SHA256 5300ca9a380237b9b07da25510a48633043ede0e0caf98aee30a3b4f3b565ebb
SHA512 714e0e3f22d54b1f7083ca9bd4d91a00589f7ddfa7957c2c383652b8ec440c90bcb9b68a29967fee0f7a3b850d2faa244a7d829829e0cfb1b64709280ac8743f

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\content.js

MD5 0654917402505bc71a231599d02e09a2
SHA1 e24d4fcf6f136c3be86b4dc01bd3bf446ce462ff
SHA256 9577828de9e701114e75cca9918972c9028689518882edcb6aa193f9353c19ae
SHA512 3e7077342d4c06d1192898a4ec5c9b19f3ca8883c5fd7c6e2a581d855959b748b5a8c4b07e3468cfc8b79e6abc1595fefccb41011c179da665567d5dc4b2da5d

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\background.html

MD5 ce3522e275541cf294e32b91b24c1c77
SHA1 7bc9b2a0bace141154fc02d2a6b7ae1ad7bdddee
SHA256 7794dd05153e8b081a2bf6b61e9a37549270feb93f1a630640f665a7c9f8d8d7
SHA512 4764defc4597ab05c76de4ecd323d6dc6a1739767f4ba7d1c68bd12db67f07387cd5f52052b61ed14f039cda4c7ee6a32a3bb76b2ae2b278e2b7d40e79af7ef3

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\Y7wtR4u.js

MD5 9bc8559daa104a1ab99f635c8dee4e68
SHA1 82cc485a6bc8d67de1706e7c7b22e214d23d9564
SHA256 44a39ea63e06b290eac47b86c8de8c402dff5ad2a06bb013e44f1344e4356b8b
SHA512 6b6ad295e8ebe3a6635bff4bc243d04ec18232dc7ee8083bdf96dcc92c02403f7e0230815c19c5209010ef9d6d2f3bab9828d91cc93aed39e942b0c09dfba062

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\manifest.json

MD5 e2832fbedae560495781610b5c511afa
SHA1 95f9c6fe1ea5a6ee009bce1e9c215ef53fb5c108
SHA256 6e03e688a9f7cc23a788e004cea4c87ee73e36c1053d2fb34a214bcc597f3ea2
SHA512 2e206b58d02a88d21cb0cd74d5523b9f07f4558b4af9a19936befb256c2dc868107ab1716849e09b665721d1ac7b01ba6762bb54822596e39a4cdad763c68cb9

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\lsdb.js

MD5 36d98318ab2b3b2585a30984db328afb
SHA1 f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256 ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

MD5 4ad224c752c56e0b82d452325c80dfd3
SHA1 e685fa7cb3a46d805416fd1f72f3b4522df9c56c
SHA256 07bf01362953947b2dc34a780c89b75b9f7452a121b3a0e91715a95eee23815e
SHA512 944289f554eeed2779236c4406b899ead223c4e5e09b4439aefb061e8fc55fc226489980b126300343f1b59771d169ac4045436cbe98310f4f68775d4858b9a0

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

MD5 43d766520c63334f014e473600fb01c8
SHA1 b32b379e5254b4014fa7b80bdf3e8bc14699926e
SHA256 99d226daccc91d0c7c6d86fb6a3f09664f03be983ef31c7ee0e0790e93f370b2
SHA512 d0e376a5564c4d435ce0648b5e6eb232e49256cccdee2fbc0e16fd180a466ca79f06b23fc813f9127e3bfab29a89484ccae165965fa45e860a107e96063931b4

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

MD5 ba0b3179a6f36758ab2e1aa82afc6361
SHA1 87b9408fc373da37d73cf9b3f8a52c3233b54c92
SHA256 8b4dd533d9571d566df8b4f1ae82a272d59881d9fe086002dbc626f4850eca49
SHA512 ccfb3d66730bceb86ffd19c59b3fd9ba1dc850e0e1fb98b8d06ce2de71e9f2b51c15131c69eb01eb4cee45b2b71415c145fb9bf31b4297dde1edd88d439bff0a

C:\Users\Admin\AppData\Local\Temp\00294823\V2UKJ.tlb

MD5 0467b2a94e53b5faedf0848d0c2f5d26
SHA1 6cf5b04d6bf174f6dc8c370e4daad1bc2a477d81
SHA256 6df3477717486828c6bc5928d65be112e55d3259a76a9b2e6302e61e771b1d94
SHA512 2ab17e6066f8f942f1329ff8fa3945d423a70d83495ed85a447586f18f96a0ee3cf927c51d937221ac28dc82e1005d128588b227d0dbfe9b0c60e967f97ef687

C:\Users\Admin\AppData\Local\Temp\00294823\V2UKJ.dll

MD5 34bc1e9d673cfdf64391674c763cdd77
SHA1 77e23698847852036381b4e638b5030f6ed6dfea
SHA256 349518efa626aa4094c0f00cd06fdd4ca7ce4a4c1e098a9543dd6dd6dfcbefb7
SHA512 bd1f39dfd305118ca111e75c9315e1565273ec201ebe8483e3e041a0d614cc223e7fbeae036275559170850f7a3b2bbf5c9c3feb327472f21ad31ae8bd24e737

C:\Users\Admin\AppData\Local\Temp\00294823\V2UKJ.x64.dll

MD5 86caa44adb45c7bb76f01b62d76fed67
SHA1 382d2f766a932c0a19b18d305f336f670530d167
SHA256 710648d005d01670952b1fabcc9ded81f2bf1d8cd828ad67e6658ab9ab5beb05
SHA512 9b305f023d7d7d82758593581d141abe3040b5d3464e40dd5ff2984cb845c973b61d99aae24279c2cac9256d624204e7a5c174932df3946903d712f0176a1497

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-29 23:24

Reported

2024-04-29 23:26

Platform

win10v2004-20240419-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dll C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dll C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.tlb C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.tlb C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dat C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.dat C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{FF8E81E4-1D22-42E2-0976-743412A75EFF}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ProgID\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Programmable C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{FF8E81E4-1D22-42E2-0976-743412A75EFF}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.tlb" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\Programmable C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{FF8E81E4-1D22-42E2-0976-743412A75EFF}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\V2UKJ.dll" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{FF8E81E4-1D22-42E2-0976-743412A75EFF}" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FF8E81E4-1D22-42E2-0976-743412A75EFF} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\087ad2e6ca33b8c587dbc2884a034c6e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/ATDuUO.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\YoutubeAdblocker\V2UKJ.x64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.exe

C:\Users\Admin\AppData\Local\Temp\00294823\ATDuUO.dat

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\background.html

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\content.js

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\lsdb.js

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\manifest.json

C:\Users\Admin\AppData\Local\Temp\00294823\boldfmnniepmbkbhbjkomnmnkomlhaod\Y7wtR4u.js

C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\boldfmnniepmbkbhbjkomnmnkomlhaod\1.0\lsdb.js

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\00294823\V2UKJ.dll

C:\Users\Admin\AppData\Local\Temp\00294823\V2UKJ.tlb

C:\Users\Admin\AppData\Local\Temp\00294823\V2UKJ.x64.dll
