Malware Analysis Report

2025-01-18 22:18

Sample ID 240501-nnn79adg9v
Target 0bb040d40e7d63cd6ed1364022bc82ab_JaffaCakes118
SHA256 15134c2669b08005bcadfcbcafb9140d23f81954e942a445a452c8aaae217644
Tags adware, discovery, persistence, spyware, stealer
Score 7/10


Analysis Overview

score
7/10

SHA256

15134c2669b08005bcadfcbcafb9140d23f81954e942a445a452c8aaae217644

Threat Level: Shows suspicious behavior

The file 0bb040d40e7d63cd6ed1364022bc82ab_JaffaCakes118 was classified as showing suspicious behavior (score 7/10): it drops and executes a second-stage installer (zws.exe), registers a Browser Helper Object for Internet Explorer through regsvr32 and writes a Chrome extension into every user profile.

Malicious Activity Summary

adware discovery persistence spyware stealer

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

Reads user/profile data of web browsers

Installs/modifies Browser Helper Object

Drops Chrome extension

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are listed in this report.

Analysis: static1

Detonation Overview

Reported

2024-05-01 11:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 11:32

Reported

2024-05-01 11:35

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bb040d40e7d63cd6ed1364022bc82ab_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ = "C:\\Program Files (x86)\\save on\\ap.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljelibkfmlccbllgfpmemnkmghnfnhm\2.14\manifest.json C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljelibkfmlccbllgfpmemnkmghnfnhm\2.14\manifest.json C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljelibkfmlccbllgfpmemnkmghnfnhm\2.14\manifest.json C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ = "save on" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ = "save on" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\save on\ap.dll C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
File opened for modification C:\Program Files (x86)\save on\ap.dll C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
File created C:\Program Files (x86)\save on\ap.tlb C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
File opened for modification C:\Program Files (x86)\save on\ap.tlb C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
File created C:\Program Files (x86)\save on\ap.dat C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
File opened for modification C:\Program Files (x86)\save on\ap.dat C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
File created C:\Program Files (x86)\save on\ap.x64.dll C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
File opened for modification C:\Program Files (x86)\save on\ap.x64.dll C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Programmable C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.2.14\CLSID C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.2.14\CLSID\ = "{8AB03A31-D06A-1FA3-95BF-573795FF62A5}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\CurVer\ = "save Oan.2.14" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\CLSID\ = "{8AB03A31-D06A-1FA3-95BF-573795FF62A5}" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\save on" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\ = "save on" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ = "save on" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\CLSID C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\CLSID\ = "{8AB03A31-D06A-1FA3-95BF-573795FF62A5}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ProgID\ = "save Oan.2.14" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\VersionIndependentProgID\ = "save Oan" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ = "C:\\Program Files (x86)\\save on\\ap.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.save C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\save on\\ap.dll" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\save C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ProgID C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.2.14\ = "save on" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Programmable C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\ = "save on" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 2560 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\0bb040d40e7d63cd6ed1364022bc82ab_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe
PID 2560 wrote to memory of 2824 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2824 wrote to memory of 2400 (7 events) N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

Every write goes from a parent to the child it spawned (the dropper into zws.exe, zws.exe into the 32-bit regsvr32, that regsvr32 into the 64-bit one), matching process creation rather than injection into an already-running process; the report records no writes into pre-existing or unrelated processes.

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} = "1" C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe N/A
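The artifacts in the "Registers COM server for autorun", "Installs/modifies Browser Helper Object", "Drops Chrome extension" and "System policy modification" tables above form one chain: a BHO key naming the CLSID, the CLSID's InprocServer32 pointing at ap.x64.dll (and ap.dll for the 32-bit view), an add-on list policy value pre-approving that CLSID, and a manifest.json under each user's Chrome profile. The hunt script below walks that chain on a live host. It is an added example written for this page, not part of the sandbox output or of the sample; the CLSID, extension ID and version folder "2.14" are taken from the tables above, and it assumes a 64-bit Windows host with PowerShell 5.1 or later run from an elevated prompt. It is read-only.

```powershell
# Added hunt script (not part of the sandbox report or the sample).
# Resolves every registered BHO to its COM server DLL, checks the DLL's
# Authenticode status, reports whether the add-on list policy pre-approves
# the CLSID, and looks for the dropped Chrome extension in every profile.
# Read-only; run elevated so both HKLM views and all profiles are readable.

# Values taken from this report; adjust for other samples.
$SuspectClsid = '{8AB03A31-D06A-1FA3-95BF-573795FF62A5}'
$ChromeExtId  = 'lljelibkfmlccbllgfpmemnkmghnfnhm'
$ChromeExtVer = '2.14'

# On a 64-bit host the BHO list exists in both the native and the WOW6432Node view.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$AddOnPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'

function Resolve-BhoServer {
    param([string]$Clsid)
    # HKCR merges HKLM and HKCU Classes, so a per-user COM hijack is caught too.
    foreach ($view in 'CLSID', 'WOW6432Node\CLSID') {
        $key = "Registry::HKEY_CLASSES_ROOT\$view\$Clsid\InprocServer32"
        if (Test-Path $key) {
            [PSCustomObject]@{
                View = $view
                Dll  = (Get-ItemProperty -Path $key).'(default)'
            }
        }
    }
}

$findings = foreach ($root in $BhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($entry in Get-ChildItem $root) {
        $clsid   = $entry.PSChildName
        $servers = @(Resolve-BhoServer $clsid)
        # An orphaned BHO entry (no InprocServer32 in either view) is still worth seeing.
        if ($servers.Count -eq 0) { $servers = @([PSCustomObject]@{ View = 'none'; Dll = $null }) }
        foreach ($server in $servers) {
            $dll = $server.Dll
            $sig = if ($dll -and (Test-Path $dll)) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'MissingFile' }
            # The sample wrote Policies\Ext\CLSID\{CLSID} = 1 itself; that is the
            # add-on list policy, which marks the add-on as allowed.
            $policy = Get-ItemProperty -Path $AddOnPolicyKey -Name $clsid -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Clsid         = $clsid
                BhoHive       = $root
                ComView       = $server.View
                Dll           = $dll
                Signature     = $sig
                PreApproved   = [bool]$policy
                NoExplorer    = (Get-ItemProperty -Path $entry.PSPath).NoExplorer
                MatchesReport = ($clsid -ieq $SuspectClsid)
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Chrome side: the dropper wrote manifest.json into the Default profile of every
# user directory it could find, including accounts that never used Chrome.
Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
    $manifest = Join-Path $_.FullName "AppData\Local\Google\Chrome\User Data\Default\Extensions\$ChromeExtId\$ChromeExtVer\manifest.json"
    if (Test-Path $manifest) { "Chrome extension $ChromeExtId present for user $($_.Name)" }
}
```

Any row with MatchesReport true confirms this sample; any other row where Signature is not Valid, PreApproved is true and Dll sits outside a vendor directory deserves the same treatment (pull the DLL, hash it against the Files section below). A manifest.json present for Guest, DefaultAccount or WDAGUtilityAccount is a strong indicator on its own, since no legitimate installer writes extensions into those profiles.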

Processes

C:\Users\Admin\AppData\Local\Temp\0bb040d40e7d63cd6ed1364022bc82ab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0bb040d40e7d63cd6ed1364022bc82ab_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe

"C:\Users\Admin\AppData\Local\Temp/7d27378a/zws.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\save on\ap.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\save on\ap.x64.dll"

zws.exe launched the 32-bit regsvr32 from SysWOW64 against the 64-bit DLL. That regsvr32 cannot load a 64-bit image itself and re-launches the native regsvr32 from System32 with the same arguments, which is why the native-view registrations above (the HKLM\SOFTWARE\Classes\CLSID InprocServer32, the non-WOW6432Node BHO key and the ApprovedExtensionsMigration entries) are attributed to C:\Windows\system32\regsvr32.exe, while zws.exe writes the WOW6432Node entries and the files directly.

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7d27378a\zws.exe

MD5 ef38514253e4dafb6823f236bc47bb5f
SHA1 458a7dcb3c85cbe3c93eb7876fa0e6cd7e07f0f6
SHA256 4c1f4446576780b1d9ebd6f3cb653375aacfe3fd37e542ab4d4f3616db82475e
SHA512 853b8a5467d9c3800334807c0c0d558d4b42d201bb19927d10ab391d1ddad93abbbed8612f8d243362cfa2e0cb53f81610f68040db7ba554886b06fc6befe43f

C:\Users\Admin\AppData\Local\Temp\7d27378a\zws.dat

MD5 d623a28cf4053c890a5c5a325f63bd42
SHA1 c50290b06c840a9ad28c7d6136fea06e6d3fa3b9
SHA256 149b838c22db3a0209c2c4ddf054f0e9a8282963980b14040c22b3d494f48893
SHA512 d2f66012fa3dc605a2f8a88d2c80525dd88e927fe33b03cfc99cea8a7faf09257e659fe9e5e8aaa8a18c62de6d66f4bc0d203fdbf53b6b09e721b1aedeadcfce

C:\Users\Admin\AppData\Local\Temp\7d27378a\lljelibkfmlccbllgfpmemnkmghnfnhm\background.html

MD5 75b801c12bab5de26df78f530b791cb3
SHA1 9875ea1c3777e0195d2e8631b95781521f6d3cc0
SHA256 40b4c8d4df345f4634c7501cbb73e6df059a5193637b7b15a75458c984b52f01
SHA512 485304c6cf8d1927953cf03dfb74ad8171e7dbe59f94147a5eec7aaac316e7b9cb2fc02f615f0c05e7349292343a0ce2345a1bca12cc83c7bea9f1e925800280

C:\Users\Admin\AppData\Local\Temp\7d27378a\lljelibkfmlccbllgfpmemnkmghnfnhm\content.js

MD5 81b46a923bd82599df4daf7ef3fdfcb4
SHA1 edec7e1c2fdeb22bc248467a0d6e06cd45ea6c70
SHA256 f952ad5e8eb4cf0393be1ba87b24268ba9256bb21495a95eeb63f9582b794274
SHA512 f12eda7c9a61290ac31685614574aeb90f589dbbe3e4c2244e94973a3fe2c79d34c1ae63599b82e2d42cfd11d7e3b31156bd02a8a1d9724adc50a2da5a18fa7e

C:\Users\Admin\AppData\Local\Temp\7d27378a\lljelibkfmlccbllgfpmemnkmghnfnhm\lsdb.js

MD5 fbed55d69b8c0d147f612f214274e3cd
SHA1 31a55265ff369c05cd14ba6cef8509a6cd7fc57d
SHA256 b432fb8024353421e9c51b99cb4ef6e982a77647869c61edd6633ced5e713ae4
SHA512 fdfc44a300af06a3d574ad4d235abaf43f90d91ff268044f91e262558fa4a974b56933eb349f27d8ca7788f40f994b31d8659a46ee37ec0147b3e52517eff37a

C:\Users\Admin\AppData\Local\Temp\7d27378a\lljelibkfmlccbllgfpmemnkmghnfnhm\manifest.json

MD5 178bc5fe6436bd0e4d850027845bb646
SHA1 47cf98d85caaf3cb9d8540f5af0ade8898e88fea
SHA256 69c5c18be0c15310e72f219dd57acccdb4d08621b16b636e42b2bf390ba90306
SHA512 309b0c547d89ad603c47250ce1f3bc331f90ba7e70693496c05488914d89178b67a3a198d1f0c2a7e99cc749cb8455cd2bf083d0d7b8a5a082016b5dd81040d0

C:\Users\Admin\AppData\Local\Temp\7d27378a\lljelibkfmlccbllgfpmemnkmghnfnhm\uQxv.js

MD5 159e206df7a2cf984b8a458cdb801e90
SHA1 b906c7057207463f24e98976b65488464ce78680
SHA256 0d9c1cb7396accdab0abbdc7f66aa698bbf421ea5516ae35968745da7e9c0385
SHA512 13a12121ab250b7d8ffbaadf55349e55e532f22ee86d121d7d2941ce04da5fa185913c8806cc2358ea9740ac461ae350e4198accefd79b2130ece3ae726e0661

C:\Users\Admin\AppData\Local\Temp\7d27378a\[email protected]\bootstrap.js

MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\7d27378a\[email protected]\chrome.manifest

MD5 ca3279b1e481c58abc12295c1c971db2
SHA1 de3cf0a538189c57fc91db44b2ccc3f7beb5566a
SHA256 d78d6a3c25429ade8474e43f6fcdf7608f97f6363a7bdb1a999a1c65c3da219d
SHA512 96ab774d18f9f98244d80363dbabe2c418562b219369c1164ec754ba18550813e6e274f1fdc0c84b83eb59951503cc2377f2dba89e2e4f8aaae5919939399523

C:\Users\Admin\AppData\Local\Temp\7d27378a\[email protected]\install.rdf

MD5 2980ffe3ab060d6e7ee8dc50acc3a09e
SHA1 08184459327645a0968896586990cc55f9a82213
SHA256 6b4dfd4393593dbbcaa6a227c86e01d269e90e5da361dc42095223219e72a2cf
SHA512 0325af87fe2705942e59ef304e3ed25677e9253b241a4da3643de647b023400718039a06972e6c8cb5989c5fa5b5f3b2864e590c5a7baa4d1a0eef2c1a8bd93b

C:\Users\Admin\AppData\Local\Temp\7d27378a\[email protected]\content\bg.js

MD5 cb39bd796d730cea2ac9bed15224a0a6
SHA1 28c6d4c771bb409671bb80c973d8adc91d6d43cd
SHA256 0e88c041443be0aaf9a87666c0cd3eb064f585bd63412e29747dbc19cda06c31
SHA512 82581a77b726f0e64f05595f99e058a4fcc62adefa202f9ee2028fd80bcfdb5c4a89423cf935f8122bc0fee21d7ef987290a6245394e31bd8cffd2569ba60c5c

C:\Users\Admin\AppData\Local\Temp\7d27378a\ap.dll

MD5 ffe3f0c62f2fede9890b18d73724fd97
SHA1 0dafa42039405f8d49a6790180194076bd57c833
SHA256 2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8
SHA512 84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc

C:\Users\Admin\AppData\Local\Temp\7d27378a\ap.tlb

MD5 8d10c52cfa044ccdcfff4e0b5775babd
SHA1 3b2c872ab3237d7b74377032ed7a5239c82df766
SHA256 af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156
SHA512 123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700

C:\Users\Admin\AppData\Local\Temp\7d27378a\ap.x64.dll

MD5 0231aebb8155fd069d17eab6a679cc1e
SHA1 61cb4b5228e6253863391ef3346c2f9920dbc554
SHA256 fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672
SHA512 42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 11:32

Reported

2024-05-01 11:35

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bb040d40e7d63cd6ed1364022bc82ab_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ = "C:\\Program Files (x86)\\save on\\ap.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljelibkfmlccbllgfpmemnkmghnfnhm\2.14\manifest.json C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljelibkfmlccbllgfpmemnkmghnfnhm\2.14\manifest.json C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljelibkfmlccbllgfpmemnkmghnfnhm\2.14\manifest.json C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljelibkfmlccbllgfpmemnkmghnfnhm\2.14\manifest.json C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lljelibkfmlccbllgfpmemnkmghnfnhm\2.14\manifest.json C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ = "save on" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ = "save on" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\save on\ap.x64.dll C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File created C:\Program Files (x86)\save on\ap.dll C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File opened for modification C:\Program Files (x86)\save on\ap.dll C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File created C:\Program Files (x86)\save on\ap.tlb C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File opened for modification C:\Program Files (x86)\save on\ap.tlb C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File created C:\Program Files (x86)\save on\ap.dat C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File opened for modification C:\Program Files (x86)\save on\ap.dat C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
File created C:\Program Files (x86)\save on\ap.x64.dll C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\save C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ProgID C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.2.14\CLSID C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\ = "save on" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\CurVer\ = "save Oan.2.14" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\CLSID\ = "{8AB03A31-D06A-1FA3-95BF-573795FF62A5}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.2.14 C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\CurVer C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ = "save on" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\VersionIndependentProgID\ = "save Oan" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ = "C:\\Program Files (x86)\\save on\\ap.dll" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.2.14\ = "save on" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\save on" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32\ = "C:\\Program Files (x86)\\save on\\ap.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Programmable C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.2.14\CLSID\ = "{8AB03A31-D06A-1FA3-95BF-573795FF62A5}" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan\CurVer\ = "save Oan.2.14" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.2.14\CLSID\ = "{8AB03A31-D06A-1FA3-95BF-573795FF62A5}" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\ProgID\ = "save Oan.2.14" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\save on\\ap.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Oan.save C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8AB03A31-D06A-1FA3-95BF-573795FF62A5} = "1" C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bb040d40e7d63cd6ed1364022bc82ab_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0bb040d40e7d63cd6ed1364022bc82ab_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe

"C:\Users\Admin\AppData\Local\Temp/201f6a5a/zws.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\save on\ap.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\save on\ap.x64.dll"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 142.250.178.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.exe

MD5 ef38514253e4dafb6823f236bc47bb5f
SHA1 458a7dcb3c85cbe3c93eb7876fa0e6cd7e07f0f6
SHA256 4c1f4446576780b1d9ebd6f3cb653375aacfe3fd37e542ab4d4f3616db82475e
SHA512 853b8a5467d9c3800334807c0c0d558d4b42d201bb19927d10ab391d1ddad93abbbed8612f8d243362cfa2e0cb53f81610f68040db7ba554886b06fc6befe43f

C:\Users\Admin\AppData\Local\Temp\201f6a5a\zws.dat

MD5 d623a28cf4053c890a5c5a325f63bd42
SHA1 c50290b06c840a9ad28c7d6136fea06e6d3fa3b9
SHA256 149b838c22db3a0209c2c4ddf054f0e9a8282963980b14040c22b3d494f48893
SHA512 d2f66012fa3dc605a2f8a88d2c80525dd88e927fe33b03cfc99cea8a7faf09257e659fe9e5e8aaa8a18c62de6d66f4bc0d203fdbf53b6b09e721b1aedeadcfce

C:\Users\Admin\AppData\Local\Temp\201f6a5a\lljelibkfmlccbllgfpmemnkmghnfnhm\background.html

MD5 75b801c12bab5de26df78f530b791cb3
SHA1 9875ea1c3777e0195d2e8631b95781521f6d3cc0
SHA256 40b4c8d4df345f4634c7501cbb73e6df059a5193637b7b15a75458c984b52f01
SHA512 485304c6cf8d1927953cf03dfb74ad8171e7dbe59f94147a5eec7aaac316e7b9cb2fc02f615f0c05e7349292343a0ce2345a1bca12cc83c7bea9f1e925800280

C:\Users\Admin\AppData\Local\Temp\201f6a5a\lljelibkfmlccbllgfpmemnkmghnfnhm\content.js

MD5 81b46a923bd82599df4daf7ef3fdfcb4
SHA1 edec7e1c2fdeb22bc248467a0d6e06cd45ea6c70
SHA256 f952ad5e8eb4cf0393be1ba87b24268ba9256bb21495a95eeb63f9582b794274
SHA512 f12eda7c9a61290ac31685614574aeb90f589dbbe3e4c2244e94973a3fe2c79d34c1ae63599b82e2d42cfd11d7e3b31156bd02a8a1d9724adc50a2da5a18fa7e

C:\Users\Admin\AppData\Local\Temp\201f6a5a\lljelibkfmlccbllgfpmemnkmghnfnhm\lsdb.js

MD5 fbed55d69b8c0d147f612f214274e3cd
SHA1 31a55265ff369c05cd14ba6cef8509a6cd7fc57d
SHA256 b432fb8024353421e9c51b99cb4ef6e982a77647869c61edd6633ced5e713ae4
SHA512 fdfc44a300af06a3d574ad4d235abaf43f90d91ff268044f91e262558fa4a974b56933eb349f27d8ca7788f40f994b31d8659a46ee37ec0147b3e52517eff37a

C:\Users\Admin\AppData\Local\Temp\201f6a5a\lljelibkfmlccbllgfpmemnkmghnfnhm\manifest.json

MD5 178bc5fe6436bd0e4d850027845bb646
SHA1 47cf98d85caaf3cb9d8540f5af0ade8898e88fea
SHA256 69c5c18be0c15310e72f219dd57acccdb4d08621b16b636e42b2bf390ba90306
SHA512 309b0c547d89ad603c47250ce1f3bc331f90ba7e70693496c05488914d89178b67a3a198d1f0c2a7e99cc749cb8455cd2bf083d0d7b8a5a082016b5dd81040d0

C:\Users\Admin\AppData\Local\Temp\201f6a5a\lljelibkfmlccbllgfpmemnkmghnfnhm\uQxv.js

MD5 159e206df7a2cf984b8a458cdb801e90
SHA1 b906c7057207463f24e98976b65488464ce78680
SHA256 0d9c1cb7396accdab0abbdc7f66aa698bbf421ea5516ae35968745da7e9c0385
SHA512 13a12121ab250b7d8ffbaadf55349e55e532f22ee86d121d7d2941ce04da5fa185913c8806cc2358ea9740ac461ae350e4198accefd79b2130ece3ae726e0661

C:\Users\WDAGUtilityAccount\AppData\Local\Chromatic Browser\User Data\Default\Extensions\lljelibkfmlccbllgfpmemnkmghnfnhm\2.14\uQxv.js

MD5 5cd8d09da210b444c6af1876d565c11d
SHA1 0ea5279d933c7b65162a7bce18a28826bb767905
SHA256 9c3fb421086604330f27f4cd6942b6684768b28024a7a405fbe660c52d817476
SHA512 efcfa433d67eace1ea4101aae60ba70c5c447bc4a4a1e25752525a96b245957c246413865cdb36eacdc5cbfb5bd657267ab78f0fe2bfa54da20e24a8774bffc7

C:\Users\Admin\AppData\Local\Temp\201f6a5a\[email protected]\bootstrap.js

MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\201f6a5a\[email protected]\content\bg.js

MD5 cb39bd796d730cea2ac9bed15224a0a6
SHA1 28c6d4c771bb409671bb80c973d8adc91d6d43cd
SHA256 0e88c041443be0aaf9a87666c0cd3eb064f585bd63412e29747dbc19cda06c31
SHA512 82581a77b726f0e64f05595f99e058a4fcc62adefa202f9ee2028fd80bcfdb5c4a89423cf935f8122bc0fee21d7ef987290a6245394e31bd8cffd2569ba60c5c

C:\Users\Admin\AppData\Local\Temp\201f6a5a\[email protected]\chrome.manifest

MD5 ca3279b1e481c58abc12295c1c971db2
SHA1 de3cf0a538189c57fc91db44b2ccc3f7beb5566a
SHA256 d78d6a3c25429ade8474e43f6fcdf7608f97f6363a7bdb1a999a1c65c3da219d
SHA512 96ab774d18f9f98244d80363dbabe2c418562b219369c1164ec754ba18550813e6e274f1fdc0c84b83eb59951503cc2377f2dba89e2e4f8aaae5919939399523

C:\Users\Admin\AppData\Local\Temp\201f6a5a\[email protected]\install.rdf

MD5 2980ffe3ab060d6e7ee8dc50acc3a09e
SHA1 08184459327645a0968896586990cc55f9a82213
SHA256 6b4dfd4393593dbbcaa6a227c86e01d269e90e5da361dc42095223219e72a2cf
SHA512 0325af87fe2705942e59ef304e3ed25677e9253b241a4da3643de647b023400718039a06972e6c8cb5989c5fa5b5f3b2864e590c5a7baa4d1a0eef2c1a8bd93b

C:\Users\Admin\AppData\Local\Temp\201f6a5a\ap.tlb

MD5 8d10c52cfa044ccdcfff4e0b5775babd
SHA1 3b2c872ab3237d7b74377032ed7a5239c82df766
SHA256 af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156
SHA512 123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700

C:\Users\Admin\AppData\Local\Temp\201f6a5a\ap.dll

MD5 ffe3f0c62f2fede9890b18d73724fd97
SHA1 0dafa42039405f8d49a6790180194076bd57c833
SHA256 2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8
SHA512 84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc

C:\Users\Admin\AppData\Local\Temp\201f6a5a\ap.x64.dll

MD5 0231aebb8155fd069d17eab6a679cc1e
SHA1 61cb4b5228e6253863391ef3346c2f9920dbc554
SHA256 fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672
SHA512 42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434