Malware Analysis Report

2025-01-18 22:27

Sample ID: 240503-lcp93abe7v
Target: 102e4609c2b5713678938f7233bc9c59_JaffaCakes118
SHA256: 83367ce33863af52ce81d9b38745ed60e9cd1bdfc364412a04af99528f416ce2
Tags: adware discovery persistence spyware stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 83367ce33863af52ce81d9b38745ed60e9cd1bdfc364412a04af99528f416ce2

Threat Level: Shows suspicious behavior

The file 102e4609c2b5713678938f7233bc9c59_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: adware discovery persistence spyware stealer

Loads dropped DLL

Registers COM server for autorun

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Drops Chrome extension

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-03 09:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-03 09:23
Reported: 2024-05-03 09:26
Platform: win7-20231129-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\102e4609c2b5713678938f7233bc9c59_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\hY6bh.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gndlkccngholfmdlemknbiomneemlmgl\1.0\manifest.json | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ = "YoutubeAdblocker" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ = "YoutubeAdblocker" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\YoutubeAdblocker\hY6bh.dat | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
File opened for modification | C:\Program Files (x86)\YoutubeAdblocker\hY6bh.dat | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
File created | C:\Program Files (x86)\YoutubeAdblocker\hY6bh.x64.dll | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
File opened for modification | C:\Program Files (x86)\YoutubeAdblocker\hY6bh.x64.dll | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
File created | C:\Program Files (x86)\YoutubeAdblocker\hY6bh.dll | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
File opened for modification | C:\Program Files (x86)\YoutubeAdblocker\hY6bh.dll | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
File created | C:\Program Files (x86)\YoutubeAdblocker\hY6bh.tlb | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
File opened for modification | C:\Program Files (x86)\YoutubeAdblocker\hY6bh.tlb | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Windows\system32\regsvr32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\hY6bh.tlb" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\hY6bh.dll" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ = "YoutubeAdblocker" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID\ = "YoutubeAdblocker.1.0" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\hY6bh.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\VersionIndependentProgID\ = "YoutubeAdblocker" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Programmable | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID\ = "YoutubeAdblocker.1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\VersionIndependentProgID\ = "YoutubeAdblocker" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Implemented Categories | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Programmable | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\hY6bh.dll" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Programmable | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 836 wrote to memory of 2400 (7 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\102e4609c2b5713678938f7233bc9c59_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe
PID 2400 wrote to memory of 2492 (7 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2492 wrote to memory of 2532 (7 identical events) | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} = "1" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\102e4609c2b5713678938f7233bc9c59_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\102e4609c2b5713678938f7233bc9c59_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/F2ewBn.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\hY6bh.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\YoutubeAdblocker\hY6bh.x64.dll"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe
C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.dat
C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\background.html
C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\content.js
C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\lsdb.js
C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\manifest.json
C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\MzZVwP.js
C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\sqlite.js
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js
C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\00294823\hY6bh.dll
C:\Users\Admin\AppData\Local\Temp\00294823\hY6bh.tlb
C:\Users\Admin\AppData\Local\Temp\00294823\hY6bh.x64.dll

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-03 09:23
Reported: 2024-05-03 09:26
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\102e4609c2b5713678938f7233bc9c59_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\hY6bh.x64.dll" | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gndlkccngholfmdlemknbiomneemlmgl\1.0\manifest.json | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ = "YoutubeAdblocker" | C:\Windows\system32\regsvr32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ = "YoutubeAdblocker" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe | N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YoutubeAdblocker\hY6bh.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\hY6bh.x64.dll C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\hY6bh.dll C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\hY6bh.dll C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\hY6bh.tlb C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\hY6bh.tlb C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\hY6bh.dat C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\hY6bh.dat C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\hY6bh.tlb" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\VersionIndependentProgID\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\hY6bh.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{36C02C6B-020C-26EF-C2C1-559D1BA9D14F} = "1" C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\102e4609c2b5713678938f7233bc9c59_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\102e4609c2b5713678938f7233bc9c59_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe

"C:\Users\Admin\AppData\Local\Temp/00294823/F2ewBn.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\hY6bh.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\YoutubeAdblocker\hY6bh.x64.dll"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.exe

C:\Users\Admin\AppData\Local\Temp\00294823\F2ewBn.dat

C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\background.html

C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\content.js

C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\lsdb.js

C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\manifest.json

C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\MzZVwP.js

C:\Users\Admin\AppData\Local\Temp\00294823\gndlkccngholfmdlemknbiomneemlmgl\sqlite.js

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\bootstrap.js

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\content\bg.js

C:\Users\Admin\AppData\Local\Temp\00294823\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\00294823\hY6bh.dll

C:\Users\Admin\AppData\Local\Temp\00294823\hY6bh.tlb

C:\Users\Admin\AppData\Local\Temp\00294823\hY6bh.x64.dll
