Analysis Overview
SHA256
75844352a2491b79eb4abc87a0af2ce3081bd4657bb1e60ba665b7f52a95890c
Threat Level: Shows suspicious behavior
The file 101ac22637a089c983009d18273276f9_JaffaCakes118 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Registers COM server for autorun
Drops Chrome extension
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Unsigned PE
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-03 08:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-03 08:39
Reported
2024-05-03 08:41
Platform
win7-20240221-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\101ac22637a089c983009d18273276f9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32\ = "C:\\Program Files (x86)\\saave oen\\Z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pelhkchllagdafhnmpfafpjckclphdpl\2.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pelhkchllagdafhnmpfafpjckclphdpl\2.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pelhkchllagdafhnmpfafpjckclphdpl\2.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ = "saave oen" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ = "saave oen" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\saave oen\Z4.x64.dll | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| File created | C:\Program Files (x86)\saave oen\Z4.dll | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| File opened for modification | C:\Program Files (x86)\saave oen\Z4.dll | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| File created | C:\Program Files (x86)\saave oen\Z4.tlb | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| File opened for modification | C:\Program Files (x86)\saave oen\Z4.tlb | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| File created | C:\Program Files (x86)\saave oen\Z4.dat | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| File opened for modification | C:\Program Files (x86)\saave oen\Z4.dat | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| File created | C:\Program Files (x86)\saave oen\Z4.x64.dll | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\saave oen\\Z4.dll" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\Programmable | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14\CLSID | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32\ = "C:\\Program Files (x86)\\saave oen\\Z4.dll" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\Programmable | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ = "saave oen" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID\ = "sauve On" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ProgID | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\saave oen\\Z4.tlb" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sauve | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\On | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14\CLSID\ = "{C94963EC-961B-34CC-9B76-E90E5446EE70}" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ProgID | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32\ = "C:\\Program Files (x86)\\saave oen\\Z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\On.sauve | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14\CLSID\ = "{C94963EC-961B-34CC-9B76-E90E5446EE70}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ = "saave oen" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14\ = "saave oen" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14\ = "saave oen" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ProgID\ = "sauve On.2.14" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14 | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70} = "1" | C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\101ac22637a089c983009d18273276f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\101ac22637a089c983009d18273276f9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe
"C:\Users\Admin\AppData\Local\Temp/7bc35711/6f7.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\saave oen\Z4.x64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\saave oen\Z4.x64.dll"
Network
Files
\Users\Admin\AppData\Local\Temp\7bc35711\6f7.exe
| Hash | Value |
|---|---|
| MD5 | 074fdbec16dcf4bc211b27f64c3512ae |
| SHA1 | 56d02cbacbe50e3d87dc642c1aca2aa945ec1557 |
| SHA256 | dd99b8f1485d87664f15cf21df7f3f2a45f5de4c4631ac29cde4fc4bfc8802ef |
| SHA512 | 011247e3ecc1b5ca19a7c3ddfaccc97287068327566a6e00e1939897fb0cdfc3bcd04569692d9489f1dc45b57a6316690954d8ad676c6ab5b0cdef2b14e0f45d |
C:\Users\Admin\AppData\Local\Temp\7bc35711\6f7.dat
| Hash | Value |
|---|---|
| MD5 | a96e6930d089ada581ef153697c72931 |
| SHA1 | 1bc15949489abcddb9bcc487430a8902bf720f64 |
| SHA256 | 25930238280d2c9198a07a39eb871b1a8f7bbe42ec5f2934fb735ea984a2dde8 |
| SHA512 | 5cdaa80b33156aa82b982ab020ef1d3d4508b2f30e290bcd25572cfa69ae01b7f202058da95afefb9a80015b1ca21f14f0a370ca9ee9a595a28d16250e5ab3e7 |
C:\Users\Admin\AppData\Local\Temp\7bc35711\pelhkchllagdafhnmpfafpjckclphdpl\background.html
| Hash | Value |
|---|---|
| MD5 | 2a76dda7377c1a165dc529c5462d12ac |
| SHA1 | 31fb199216fdc576a83cccb27210e67ccc3bea96 |
| SHA256 | a61941930f4d400c5e091dce4a564116adb4db4296c8e51cf69a7bcb84f9f7bd |
| SHA512 | c1b8027a65b85a9cf0259a8ee40596ea9b151a699065bd6c575f4b8a4cfa1be92bab2a8c8ba621aa34bd44e629491e09c7ad7fad5c8ecf290daba57706cf18a1 |
C:\Users\Admin\AppData\Local\Temp\7bc35711\pelhkchllagdafhnmpfafpjckclphdpl\content.js
| Hash | Value |
|---|---|
| MD5 | 03cbb4735e46a3fc8292fa5347151ed5 |
| SHA1 | b55e6ab543ba1326e93aaeeeb3f8912c7fa183c0 |
| SHA256 | 10384f515d1ce43e28cb2902b03bdb3bc76d6f03fe9e06b9038a7b13cbd8b474 |
| SHA512 | a25af770e3a09e2aad90d5f21e8ff3daa278eea9e867d77cee8556d7add92e0057df3f677771c5c15018f330fbd9d03c657d09f6c44a15b52777330fa208ba55 |
C:\Users\Admin\AppData\Local\Temp\7bc35711\pelhkchllagdafhnmpfafpjckclphdpl\lsdb.js
| Hash | Value |
|---|---|
| MD5 | 7fcd6794af01134f529291be0f92d33d |
| SHA1 | 200114ab57d6dd09d85a2fd159fc35c776975f7a |
| SHA256 | 46b6a16406bc9d4cf793766b9131b952d20e0cfb5190aa1d3e96fa82982da26a |
| SHA512 | 205aee4cd6edd464154be21280a16113e6d6b250b736412586c5ce1ab2f8596c19df2a9a2e3034ac9340d6147a8ed84526314f7d8d9cea213d6beab47568f5cb |
C:\Users\Admin\AppData\Local\Temp\7bc35711\pelhkchllagdafhnmpfafpjckclphdpl\Hr8Y.js
| Hash | Value |
|---|---|
| MD5 | be9f49378bf3bfc8287e97e290de31ad |
| SHA1 | 6c26f56cfe5fc9fd4933e1d3afaad9eb7e5e53a8 |
| SHA256 | 222eb36b8af0c0ce23d7ca9ed4dd7a165bb5ac89496e6a08c6b3c9950aae23d2 |
| SHA512 | 64a59bafde26de3f70c8e10227402205e65d9231f28148dd57bd599a8587357d1859606c48b7bc586d06286deaf088cdf11e9b91b4d8b7415c8bf8c57b04668c |
C:\Users\Admin\AppData\Local\Temp\7bc35711\pelhkchllagdafhnmpfafpjckclphdpl\manifest.json
| Hash | Value |
|---|---|
| MD5 | 700b3804997e7fdc22304e5a899742c4 |
| SHA1 | 75c415538e00408b4dbf3441656be06f754725f7 |
| SHA256 | ffd4c63421dd74f3d7f9cf52ea86028b22be6b5e41d2b2b064732b33680b0f77 |
| SHA512 | df3eb7baa7e79091c2257b9a847a95cd3b94a0b959895cb6672e7093a038a7f9e891ad91c0a5f1906d0de6d3bf66b8fa491d37d5cd68636326066fb7c4f7bcb6 |
C:\Users\Admin\AppData\Local\Temp\7bc35711\[email protected]\bootstrap.js
| Hash | Value |
|---|---|
| MD5 | df13f711e20e9c80171846d4f2f7ae06 |
| SHA1 | 56d29cda58427efe0e21d3880d39eb1b0ef60bee |
| SHA256 | 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4 |
| SHA512 | 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e |
C:\Users\Admin\AppData\Local\Temp\7bc35711\[email protected]\chrome.manifest
| Hash | Value |
|---|---|
| MD5 | 9c87dbfbf486a1c393158d62a16ba19a |
| SHA1 | 6283eb3e7c08735f0462b7bbf34933152e375450 |
| SHA256 | 34e76554bba5577f490b6226ae79573ab583fcd131887be622338656cfd4015f |
| SHA512 | b6333751f218f74e3879edf5d490259bd7370bf95c2a00a274c8dbe74e862c4217ad88006e3378b669001a4591781105a6068bb9eae36c538e1e4a9d96c1847f |
C:\Users\Admin\AppData\Local\Temp\7bc35711\[email protected]\content\bg.js
| Hash | Value |
|---|---|
| MD5 | d201c088941f80a81c2c2bbab4cc86a3 |
| SHA1 | ab61271dda44e08070bcaa997816fe20a9e860be |
| SHA256 | 3f1e414c9c819fdc330740e37ad237c1344812c2698a77122322215b03bde6ec |
| SHA512 | 2a15c4716001970b13f4bbf35d4e1f90df5536ddae0d227a4bad3717c495bdae6a87132f40c7bba6b6ffacfab38a23ab7d011cf14688f82ca0a7e3cb2ea7c9f4 |
C:\Users\Admin\AppData\Local\Temp\7bc35711\[email protected]\install.rdf
| Hash | Value |
|---|---|
| MD5 | 49fd898f0e16e1f60b37fd48ef47cb1e |
| SHA1 | dd576fb1bffd96a7af144e8a5097f30422a1925c |
| SHA256 | 25b93f5d5c338ef0838e4475582e727cdecade196679eeae9833b5415557075e |
| SHA512 | af869d85f59c1d1fa07fdf980d1750aa39e7a89253ee72f736db8c329651076acf1de255ebb46052e9a2bb0fbfd7f4b0309f6e39fd1d1af500e1e5a89918d1e7 |
C:\Users\Admin\AppData\Local\Temp\7bc35711\Z4.tlb
| Hash | Value |
|---|---|
| MD5 | 8d10c52cfa044ccdcfff4e0b5775babd |
| SHA1 | 3b2c872ab3237d7b74377032ed7a5239c82df766 |
| SHA256 | af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156 |
| SHA512 | 123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700 |
C:\Users\Admin\AppData\Local\Temp\7bc35711\Z4.dll
| Hash | Value |
|---|---|
| MD5 | ffe3f0c62f2fede9890b18d73724fd97 |
| SHA1 | 0dafa42039405f8d49a6790180194076bd57c833 |
| SHA256 | 2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8 |
| SHA512 | 84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc |
C:\Users\Admin\AppData\Local\Temp\7bc35711\Z4.x64.dll
| Hash | Value |
|---|---|
| MD5 | 0231aebb8155fd069d17eab6a679cc1e |
| SHA1 | 61cb4b5228e6253863391ef3346c2f9920dbc554 |
| SHA256 | fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672 |
| SHA512 | 42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-03 08:39
Reported
2024-05-03 08:41
Platform
win10v2004-20240419-en
Max time kernel
135s
Max time network
104s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32\ = "C:\\Program Files (x86)\\saave oen\\Z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pelhkchllagdafhnmpfafpjckclphdpl\2.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File created | C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pelhkchllagdafhnmpfafpjckclphdpl\2.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File created | C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pelhkchllagdafhnmpfafpjckclphdpl\2.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File created | C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pelhkchllagdafhnmpfafpjckclphdpl\2.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File created | C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pelhkchllagdafhnmpfafpjckclphdpl\2.14\manifest.json | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ = "saave oen" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ = "saave oen" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C94963EC-961B-34CC-9B76-E90E5446EE70}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\saave oen\Z4.dll | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File created | C:\Program Files (x86)\saave oen\Z4.tlb | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File opened for modification | C:\Program Files (x86)\saave oen\Z4.tlb | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File created | C:\Program Files (x86)\saave oen\Z4.dat | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File opened for modification | C:\Program Files (x86)\saave oen\Z4.dat | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File created | C:\Program Files (x86)\saave oen\Z4.x64.dll | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File opened for modification | C:\Program Files (x86)\saave oen\Z4.x64.dll | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| File created | C:\Program Files (x86)\saave oen\Z4.dll | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\On | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID\ = "sauve On" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14 | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On\ = "saave oen" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ = "saave oen" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ProgID | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID\ = "sauve On" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14\ = "saave oen" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14\ = "saave oen" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ = "saave oen" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\On.sauve | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\On\CLSID | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\saave oen\\Z4.tlb" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\saave oen\\Z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\Programmable | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On\ = "saave oen" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14\CLSID | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On\CLSID\ = "{C94963EC-961B-34CC-9B76-E90E5446EE70}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\InprocServer32\ = "C:\\Program Files (x86)\\saave oen\\Z4.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\ProgID | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\On.2.14\CLSID\ = "{C94963EC-961B-34CC-9B76-E90E5446EE70}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{C94963EC-961B-34CC-9B76-E90E5446EE70} = "1" | C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\101ac22637a089c983009d18273276f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\101ac22637a089c983009d18273276f9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe
"C:\Users\Admin\AppData\Local\Temp/2f4629f8/6f7.exe"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\saave oen\Z4.x64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\saave oen\Z4.x64.dll"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.58:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.exe
C:\Users\Admin\AppData\Local\Temp\2f4629f8\6f7.dat
C:\Users\Admin\AppData\Local\Temp\2f4629f8\pelhkchllagdafhnmpfafpjckclphdpl\content.js
C:\Users\Admin\AppData\Local\Temp\2f4629f8\pelhkchllagdafhnmpfafpjckclphdpl\background.html
C:\Users\Admin\AppData\Local\Temp\2f4629f8\pelhkchllagdafhnmpfafpjckclphdpl\Hr8Y.js
C:\Users\Admin\AppData\Local\Temp\2f4629f8\pelhkchllagdafhnmpfafpjckclphdpl\lsdb.js
C:\Users\Admin\AppData\Local\Temp\2f4629f8\pelhkchllagdafhnmpfafpjckclphdpl\manifest.json
C:\Users\Admin\AppData\Local\Temp\2f4629f8\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\2f4629f8\[email protected]\bootstrap.js
C:\Users\Admin\AppData\Local\Temp\2f4629f8\[email protected]\content\bg.js
C:\Users\Admin\AppData\Local\Temp\2f4629f8\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\2f4629f8\Z4.tlb
C:\Users\Admin\AppData\Local\Temp\2f4629f8\Z4.dll
C:\Users\Admin\AppData\Local\Temp\2f4629f8\Z4.x64.dll