Malware Analysis Report

2024-10-19 11:02

Sample ID 240524-hrev4ahb5s
Target 6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118
SHA256 20802dbd7a6399c0788d2a99ea9cfb299b3d5b4fc27268ee4d3cdad3b78f3959
Tags
adware discovery persistence spyware stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

20802dbd7a6399c0788d2a99ea9cfb299b3d5b4fc27268ee4d3cdad3b78f3959

Threat Level: Shows suspicious behavior

The file 6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery persistence spyware stealer

Loads dropped DLL

Registers COM server for autorun

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Drops Chrome extension

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

System policy modification

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-24 06:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 06:57

Reported

2024-05-24 07:00

Platform

win10v2004-20240426-en

Max time kernel

135s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\91q.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File created C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File created C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ = "Adblocker" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ = "Adblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adblocker\91q.tlb C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File opened for modification C:\Program Files (x86)\Adblocker\91q.tlb C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File created C:\Program Files (x86)\Adblocker\91q.dat C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File opened for modification C:\Program Files (x86)\Adblocker\91q.dat C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File created C:\Program Files (x86)\Adblocker\91q.x64.dll C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File opened for modification C:\Program Files (x86)\Adblocker\91q.x64.dll C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File created C:\Program Files (x86)\Adblocker\91q.dll C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
File opened for modification C:\Program Files (x86)\Adblocker\91q.dll C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Programmable C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\VersionIndependentProgID\ = "Adblocker" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Programmable C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\Adblocker\\91q.tlb" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID\ = "Adblocker.1.0" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\ = "Adblocker" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0 C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adblocker" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\91q.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} = "1" C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe

"C:\Users\Admin\AppData\Local\Temp/28397003/30e0.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Adblocker\91q.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Adblocker\91q.x64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.226:443 www.bing.com tcp
US 8.8.8.8:53 226.83.221.88.in-addr.arpa udp
BE 88.221.83.208:443 www.bing.com tcp
US 8.8.8.8:53 208.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\28397003\30e0.exe

MD5 b2618483d2b505447782784d83fc3c6b
SHA1 5805f72466a86ab72fd328bdafbe20784a02cfbc
SHA256 94553457b3d86e4527651df80e3aa28a0815f9a985e4909a7d0b344fb057ea69
SHA512 b4b60df94f5a4ef16778ba76d504ead9d8f3fb5e9dd3f5e3d5f4108936572ff42e4a54cef61244761df0c9461511f33c0204adfa45ff97b89f4edc38757fc734

C:\Users\Admin\AppData\Local\Temp\28397003\30e0.dat

MD5 923e60e9d2f9bca9269444ff59b867bc
SHA1 2ad85895c594d4efb4cc06b3ba91189ccb43f6a2
SHA256 f3a011d262eb975489d3426c2661b8de858a59cc9bec052f3d467788c73a067d
SHA512 f6534cbc7919a92d0b566e2ac62a195f75426487da9f0cbc6c834e812379779704a117d09d2b7dfec47bb6b1dd4e1a4f4b31a6e7b5721fd8bdf0521dc076ee6c

C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\Iu3eN.js

MD5 48df0e24dc7d630e4341cbe47c7d29fa
SHA1 7a20bf2b7b5552e8f6a326c0e557b1494b8294a9
SHA256 1159746016bb4c518e56d1810765c08ec2f3d429a6e7edc512d43d55279edde0
SHA512 192ba84a60ac7e84ccc3e1ddcf37b83280b2be14df20d8f0e5b1a69382a314ff08bbc7a2d153c4f0c78704a217e484d35cbc017c7ac83ee821ad9666e4ee3706

C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\content.js

MD5 07139eaa9d1fd2d7c3b47ef37578bbbd
SHA1 782122104e812fc11b30f38f47d142c6de7a2cec
SHA256 4307187a58cde5dca07316df4b950fda6381391af8b63ee8be31cbcff65ad1e0
SHA512 3cab09b0a43f9587c4f70d9bac6f8b9da3de34cf5e739ffd6336ce297500f84486487dd0bf4194e5d523bbb9e4cda209d16050ca8e53d07c5af3496fd78d88ed

C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\background.html

MD5 c0c4948dab582878ec0564c46166bda1
SHA1 92c6df67d7f3865d25b1c139ae20e3710a19d4e8
SHA256 c08e9a1b0eaf74c54e1c012590f706b1bedae8fdeb1e1964357aec5d1d9fd14d
SHA512 3c4c74c05f2286e5db20e2fd4fe7c400df3d657d595a1b49afec48b22187300d8b6c9827f1463db362679ed6cdfd72f1415d8e735f3710f3bda516057438def2

C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\manifest.json

MD5 12da9defacf7555da51406c40f6a7319
SHA1 6bec535c8f7ba012046c43ffdce58c5602a9ed61
SHA256 2250ebd3138423759f8ba2fcf4eb09180cdb206b5c755128b892626512bd3162
SHA512 3adeb9112d447760f687556f3795633182918bb9c84ce100fcaf4fc5bcf17caa08f4d461db4ad6fc718233b0df0bcb5f89e2629b3764737de1f9f474e4b3780f

C:\Users\Admin\AppData\Local\Temp\28397003\nfminohdmmapkakbegbgpiajbjdneaoe\lsdb.js

MD5 0a4c526d7ab529d15a4bee9e218bca79
SHA1 62180ed7a558bb3c3347a81e030c8414d0c4807e
SHA256 dfe75314a9d6e0a3e74b4932c58e81ce8ffeb0fd83af0663a4818698f9f056d1
SHA512 2a78ffa0755f9c44c82ccfd2bf36a08c6d80afd46fae152317b0a285220ff8666cbef0e5bb15582bf0e6955432b3c276a44b15f9c1ead76f0b0969e95c9dfda0

C:\Users\Admin\AppData\Local\Temp\28397003\[email protected]\chrome.manifest

MD5 9eb9821da9d821d6d6137c90aeb1121a
SHA1 6c360d8e80031e13bd695f02c47463c3d28c190e
SHA256 c8df63e332b04b7ca8aac5ad567a6b22e059751e670aeef534233c18163dc434
SHA512 5918e2edb22ecc121a049c1a4fab81b34a6737d4c4f0ab1555c0593ac691199d069b0ea186288dee60b45eafa0a41d804efe8538ce53f46a788c3b5e66414972

C:\Users\Admin\AppData\Local\Temp\28397003\[email protected]\bootstrap.js

MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\28397003\[email protected]\content\bg.js

MD5 0b4b8d7bb080c85d0ee70988d3cd2c8f
SHA1 f07b4eddce3ba358a8bc3378a35c83f048bf7b34
SHA256 c5178fb809724b5e34dc2e9ee9e331af4c453bd5094b3e1160124b52bb5cdea8
SHA512 13bf071e40e58bb9498aeac5b2de29d8c8ba8b41c78b668fa1ddfc9d9752e4d4dbe123b04634b989a8b33980592a62dfc2fcd1b903aa751c7982bc700ea27e99

C:\Users\Admin\AppData\Local\Temp\28397003\[email protected]\install.rdf

MD5 bfe3aeb0c60d0286cef66e8e2f10e640
SHA1 a6ff855cd7e492a33dcd52779fdbe8b4ce6ac67d
SHA256 01972e468827776d2ca4975eb0a81fcf3719ef072863bb3b2f0fae75727a71c7
SHA512 ef83ea92d9cabf68c1f6bb0a165009c191106063bad4a78fb68360270013f5e048d64ad3ebe5f53e147c3e179626c1e9fdbca92b4cce58158f7cb9d4f9e12162

C:\Users\Admin\AppData\Local\Temp\28397003\91q.dll

MD5 ffe3f0c62f2fede9890b18d73724fd97
SHA1 0dafa42039405f8d49a6790180194076bd57c833
SHA256 2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8
SHA512 84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc

C:\Users\Admin\AppData\Local\Temp\28397003\91q.tlb

MD5 8d10c52cfa044ccdcfff4e0b5775babd
SHA1 3b2c872ab3237d7b74377032ed7a5239c82df766
SHA256 af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156
SHA512 123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700

C:\Users\Admin\AppData\Local\Temp\28397003\91q.x64.dll

MD5 0231aebb8155fd069d17eab6a679cc1e
SHA1 61cb4b5228e6253863391ef3346c2f9920dbc554
SHA256 fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672
SHA512 42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 06:57

Reported

2024-05-24 07:00

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\91q.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
File created C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ = "Adblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ = "Adblocker" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adblocker\91q.tlb C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
File created C:\Program Files (x86)\Adblocker\91q.dat C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
File opened for modification C:\Program Files (x86)\Adblocker\91q.dat C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
File created C:\Program Files (x86)\Adblocker\91q.x64.dll C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
File opened for modification C:\Program Files (x86)\Adblocker\91q.x64.dll C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
File created C:\Program Files (x86)\Adblocker\91q.dll C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
File opened for modification C:\Program Files (x86)\Adblocker\91q.dll C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
File created C:\Program Files (x86)\Adblocker\91q.tlb C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\ = "Adblocker" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\VersionIndependentProgID\ = "Adblocker" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Programmable C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ = "Adblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\CLSID\ = "{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\ = "Adblocker" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0 C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker.1.0\ = "Adblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer\ = "Adblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\ProgID\ = "Adblocker.1.0" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\InprocServer32\ = "C:\\Program Files (x86)\\Adblocker\\91q.dll" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CurVer C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Adblocker" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Adblocker.Adblocker\CLSID\ = "{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\Adblocker\\91q.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\Adblocker\\91q.dll" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe
PID 620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe
PID 620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe
PID 620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe
PID 3056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3056 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2748 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2748 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2748 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2748 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2748 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2748 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2748 wrote to memory of 1828 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{9B482BA6-0CBF-D98B-F6DA-A51E955AD016} = "1" C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6dab619d97eafee6e9fc1e9748c2fab9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe

"C:\Users\Admin\AppData\Local\Temp/1f304a16/30e0.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\Adblocker\91q.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Adblocker\91q.x64.dll"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\1f304a16\30e0.exe

MD5 b2618483d2b505447782784d83fc3c6b
SHA1 5805f72466a86ab72fd328bdafbe20784a02cfbc
SHA256 94553457b3d86e4527651df80e3aa28a0815f9a985e4909a7d0b344fb057ea69
SHA512 b4b60df94f5a4ef16778ba76d504ead9d8f3fb5e9dd3f5e3d5f4108936572ff42e4a54cef61244761df0c9461511f33c0204adfa45ff97b89f4edc38757fc734

C:\Users\Admin\AppData\Local\Temp\1f304a16\30e0.dat

MD5 923e60e9d2f9bca9269444ff59b867bc
SHA1 2ad85895c594d4efb4cc06b3ba91189ccb43f6a2
SHA256 f3a011d262eb975489d3426c2661b8de858a59cc9bec052f3d467788c73a067d
SHA512 f6534cbc7919a92d0b566e2ac62a195f75426487da9f0cbc6c834e812379779704a117d09d2b7dfec47bb6b1dd4e1a4f4b31a6e7b5721fd8bdf0521dc076ee6c

C:\Users\Admin\AppData\Local\Temp\1f304a16\nfminohdmmapkakbegbgpiajbjdneaoe\background.html

MD5 c0c4948dab582878ec0564c46166bda1
SHA1 92c6df67d7f3865d25b1c139ae20e3710a19d4e8
SHA256 c08e9a1b0eaf74c54e1c012590f706b1bedae8fdeb1e1964357aec5d1d9fd14d
SHA512 3c4c74c05f2286e5db20e2fd4fe7c400df3d657d595a1b49afec48b22187300d8b6c9827f1463db362679ed6cdfd72f1415d8e735f3710f3bda516057438def2

C:\Users\Admin\AppData\Local\Temp\1f304a16\nfminohdmmapkakbegbgpiajbjdneaoe\content.js

MD5 07139eaa9d1fd2d7c3b47ef37578bbbd
SHA1 782122104e812fc11b30f38f47d142c6de7a2cec
SHA256 4307187a58cde5dca07316df4b950fda6381391af8b63ee8be31cbcff65ad1e0
SHA512 3cab09b0a43f9587c4f70d9bac6f8b9da3de34cf5e739ffd6336ce297500f84486487dd0bf4194e5d523bbb9e4cda209d16050ca8e53d07c5af3496fd78d88ed

C:\Users\Admin\AppData\Local\Temp\1f304a16\nfminohdmmapkakbegbgpiajbjdneaoe\Iu3eN.js

MD5 48df0e24dc7d630e4341cbe47c7d29fa
SHA1 7a20bf2b7b5552e8f6a326c0e557b1494b8294a9
SHA256 1159746016bb4c518e56d1810765c08ec2f3d429a6e7edc512d43d55279edde0
SHA512 192ba84a60ac7e84ccc3e1ddcf37b83280b2be14df20d8f0e5b1a69382a314ff08bbc7a2d153c4f0c78704a217e484d35cbc017c7ac83ee821ad9666e4ee3706

C:\Users\Admin\AppData\Local\Temp\1f304a16\nfminohdmmapkakbegbgpiajbjdneaoe\lsdb.js

MD5 0a4c526d7ab529d15a4bee9e218bca79
SHA1 62180ed7a558bb3c3347a81e030c8414d0c4807e
SHA256 dfe75314a9d6e0a3e74b4932c58e81ce8ffeb0fd83af0663a4818698f9f056d1
SHA512 2a78ffa0755f9c44c82ccfd2bf36a08c6d80afd46fae152317b0a285220ff8666cbef0e5bb15582bf0e6955432b3c276a44b15f9c1ead76f0b0969e95c9dfda0

C:\Users\Admin\AppData\Local\Temp\1f304a16\nfminohdmmapkakbegbgpiajbjdneaoe\manifest.json

MD5 12da9defacf7555da51406c40f6a7319
SHA1 6bec535c8f7ba012046c43ffdce58c5602a9ed61
SHA256 2250ebd3138423759f8ba2fcf4eb09180cdb206b5c755128b892626512bd3162
SHA512 3adeb9112d447760f687556f3795633182918bb9c84ce100fcaf4fc5bcf17caa08f4d461db4ad6fc718233b0df0bcb5f89e2629b3764737de1f9f474e4b3780f

C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\content.js

MD5 57352f594c705ef7c32bce068184e2d4
SHA1 8add6a8b6b50762a48d20c3e9cacadb08e48e6da
SHA256 bec8eab839d932f41de91a426082e7e401d748354bd86108f48cffda86db016c
SHA512 2ad590ee04360b8c7d59d1bc4222bcbbcdef00af3e82331ff07a4dcc6a006262b2ae3e1a6fa0f0fc3db758d11f1cb1f9f03ca7e8e6b891f464f4a82836deb254

C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\Iu3eN.js

MD5 cb6a90852222a9c154a0169d9cbff50f
SHA1 5f9c673dd06ef3a06f90573713afb7026f609d73
SHA256 411225f4d38e129ffd2f6f60182ae73978f7e3e22a77c3e4a47d717a6bd2f4de
SHA512 947204a8fa0e548f896aef7af4907d62595076aa4659300684c514f6092b40d3c68440e2eceb025859b90837feeaa44fb2d9ab42c05278df87da4ffd7f08f164

C:\Users\Guest\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\nfminohdmmapkakbegbgpiajbjdneaoe\1.0\lsdb.js

MD5 69cb310684520930070f1e3071bad401
SHA1 7e19a987f18dc71d10e2d276719a311844b568e1
SHA256 20c2ea20f45d91d21443d09f7b23ae41c7f103281799d49c041b1e00df9a2aba
SHA512 7824667d0cabd9d2f89fd3a35a1f949c38c08f80fc81d061166c3a7f6b2099404921bee71760ac86ec1768b9b082926b9369f9ad1991a401be6516f4d3b6f225

C:\Users\Admin\AppData\Local\Temp\1f304a16\[email protected]\bootstrap.js

MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\1f304a16\[email protected]\chrome.manifest

MD5 9eb9821da9d821d6d6137c90aeb1121a
SHA1 6c360d8e80031e13bd695f02c47463c3d28c190e
SHA256 c8df63e332b04b7ca8aac5ad567a6b22e059751e670aeef534233c18163dc434
SHA512 5918e2edb22ecc121a049c1a4fab81b34a6737d4c4f0ab1555c0593ac691199d069b0ea186288dee60b45eafa0a41d804efe8538ce53f46a788c3b5e66414972

C:\Users\Admin\AppData\Local\Temp\1f304a16\[email protected]\content\bg.js

MD5 0b4b8d7bb080c85d0ee70988d3cd2c8f
SHA1 f07b4eddce3ba358a8bc3378a35c83f048bf7b34
SHA256 c5178fb809724b5e34dc2e9ee9e331af4c453bd5094b3e1160124b52bb5cdea8
SHA512 13bf071e40e58bb9498aeac5b2de29d8c8ba8b41c78b668fa1ddfc9d9752e4d4dbe123b04634b989a8b33980592a62dfc2fcd1b903aa751c7982bc700ea27e99

C:\Users\Admin\AppData\Local\Temp\1f304a16\[email protected]\install.rdf

MD5 bfe3aeb0c60d0286cef66e8e2f10e640
SHA1 a6ff855cd7e492a33dcd52779fdbe8b4ce6ac67d
SHA256 01972e468827776d2ca4975eb0a81fcf3719ef072863bb3b2f0fae75727a71c7
SHA512 ef83ea92d9cabf68c1f6bb0a165009c191106063bad4a78fb68360270013f5e048d64ad3ebe5f53e147c3e179626c1e9fdbca92b4cce58158f7cb9d4f9e12162

C:\Users\Admin\AppData\Local\Temp\1f304a16\91q.dll

MD5 ffe3f0c62f2fede9890b18d73724fd97
SHA1 0dafa42039405f8d49a6790180194076bd57c833
SHA256 2ec40c7a7808d8aeee27eb8db1ed36424dd7d692e6d2043b20b3c75e8dd2b4d8
SHA512 84fb90d2214beae1e0c90b2d4a8678c8a55792daf60e70c441d6b5e279ae7ab5e03f49c401e14b7610189f4e885095f7f569add030254656c0e7e41f75eb8bfc

C:\Users\Admin\AppData\Local\Temp\1f304a16\91q.tlb

MD5 8d10c52cfa044ccdcfff4e0b5775babd
SHA1 3b2c872ab3237d7b74377032ed7a5239c82df766
SHA256 af8efa41494e63e07553fed5bd5df73cf55c160de292ea2a2ee0568cf12e0156
SHA512 123d5af4dec8a370a1176fe50998be5a97d3bc46ed7dd9fa365f8f4fc669785b4ed3cb0b65b266095edd3dc3512a4a1d916c035d6184e8e134617502b90f9700

C:\Users\Admin\AppData\Local\Temp\1f304a16\91q.x64.dll

MD5 0231aebb8155fd069d17eab6a679cc1e
SHA1 61cb4b5228e6253863391ef3346c2f9920dbc554
SHA256 fde9e3251cc1237aa3b2ad89acfb5691e8fee5a434989d9a9308ab41b774b672
SHA512 42c61873d4287d4a7fb17760fc9e9902723d8c74b21be92ddf6a949b1d6170894abbab9e03680a1518c997decf58ccafc351a5ed619e6515532379663e4f5434