Malware Analysis Report

2024-07-28 05:19

Sample ID 240603-kycqeshf41
Target 91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118
SHA256 14c84058c3b9d2ef03bfcaf971cf6ea5488248ddb5398b4e51dbb4079d275997
Tags
adware discovery persistence spyware stealer
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

adware discovery persistence spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Registers COM server for autorun

Installs/modifies Browser Helper Object

Drops Chrome extension

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

System policy modification

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:00

Reported

2024-06-03 09:02

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.x64.dll" C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eceocgppmpndinofealdcccbnlcbockd\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\YoutubeAdblocker\fR.dll C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\fR.dll C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\fR.tlb C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\fR.tlb C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\fR.dat C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\fR.dat C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Programmable C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Programmable C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID\ = "YoutubeAdblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.dll" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe
PID 1656 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe
PID 1656 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe
PID 1656 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe
PID 1656 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe
PID 1656 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe
PID 1656 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe
PID 2560 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2560 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2396 wrote to memory of 592 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2396 wrote to memory of 592 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2396 wrote to memory of 592 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2396 wrote to memory of 592 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2396 wrote to memory of 592 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2396 wrote to memory of 592 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2396 wrote to memory of 592 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} = "1" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe

"C:\Users\Admin\AppData\Local\Temp/2fff6c69/kmP.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll"

Network

N/A

Files

C:\ProgramData\YoutubeAdblocker\kmP.exe

C:\Program Files (x86)\YoutubeAdblocker\fR.tlb

C:\Program Files (x86)\YoutubeAdblocker\fR.dat

\Program Files (x86)\YoutubeAdblocker\fR.x64.dll

C:\Program Files (x86)\YoutubeAdblocker\fR.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.Admin\extensions\staged\[email protected]\install.rdf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.Admin\extensions\staged\[email protected]\content\bg.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.Admin\extensions\staged\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gdoevwuq.Admin\extensions\staged\[email protected]\bootstrap.js

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\rzIq.js

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\manifest.json

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\lsdb.js

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\content.js

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\background.html

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:00

Reported

2024-06-03 09:02

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eceocgppmpndinofealdcccbnlcbockd\1.0\manifest.json C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\fR.dat C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\fR.dll C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\fR.dll C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\fR.tlb C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File opened for modification C:\Program Files (x86)\YoutubeAdblocker\fR.tlb C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
File created C:\Program Files (x86)\YoutubeAdblocker\fR.dat C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.tlb" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Programmable C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID\ = "YoutubeAdblocker.1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win64\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.x64.dll" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Programmable C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\VersionIndependentProgID\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CLSID\ = "{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ = "YoutubeAdblocker" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\CLSID\ = "{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ = "C:\\Program Files (x86)\\YoutubeAdblocker\\fR.dll" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker.1.0\ = "YoutubeAdblocker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B}\ProgID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\YoutubeAdblocker.YoutubeAdblocker\CurVer\ = "YoutubeAdblocker.1.0" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{66C5DD56-DEB6-A83D-5C8B-FDD3594F261B} = "1" C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91354a2b989c2a90e71af9dc57545a1e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe

"C:\Users\Admin\AppData\Local\Temp/2fff6c69/kmP.exe"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\YoutubeAdblocker\fR.x64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.exe

MD5 67c0e85aff48138c7e24f222546ec1cb
SHA1 abd1e48ea7d820ec19b8b91556acf8b064eb4ba7
SHA256 6e41774bd669cccac6aa2901ff413a130f819bc8c754e9ef4d1ed2a8e0721f22
SHA512 883f6d3fc1933be85bc2a07023c6143bfba4cd914ee190300fa166b2b018f78e0d79d12ce7ce7d2ff0a38b6f126c5cacaec8074e33fa237b73dd0c0d08bc763e

C:\Users\Admin\AppData\Local\Temp\2fff6c69\kmP.dat

MD5 ee45bc4cde3c3ccd38614ce4ee3f1378
SHA1 d62a6739ea6fdcf4580c5170c74e4a3e8c0a77f0
SHA256 819bd2056c961add6ba09b0e054f65d978ff717fb6dfb3ac1f28f92d537a5695
SHA512 780f85f065292b7ab716ee723ad7bcf4eb85a7ebd20c4e316b892a3406bc8a9cecab465f24c405a6d49819648f1b5e3ae234f41061412cc18a97d399f497119c

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\content.js

MD5 0654917402505bc71a231599d02e09a2
SHA1 e24d4fcf6f136c3be86b4dc01bd3bf446ce462ff
SHA256 9577828de9e701114e75cca9918972c9028689518882edcb6aa193f9353c19ae
SHA512 3e7077342d4c06d1192898a4ec5c9b19f3ca8883c5fd7c6e2a581d855959b748b5a8c4b07e3468cfc8b79e6abc1595fefccb41011c179da665567d5dc4b2da5d

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\lsdb.js

MD5 36d98318ab2b3b2585a30984db328afb
SHA1 f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5
SHA256 ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7
SHA512 6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\manifest.json

MD5 e2832fbedae560495781610b5c511afa
SHA1 95f9c6fe1ea5a6ee009bce1e9c215ef53fb5c108
SHA256 6e03e688a9f7cc23a788e004cea4c87ee73e36c1053d2fb34a214bcc597f3ea2
SHA512 2e206b58d02a88d21cb0cd74d5523b9f07f4558b4af9a19936befb256c2dc868107ab1716849e09b665721d1ac7b01ba6762bb54822596e39a4cdad763c68cb9

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\background.html

MD5 bbc71f16a4d2a527706e0605a8e4d33f
SHA1 bdc52f38e6f5d4c549cac979456e14b08a3b960a
SHA256 a324b4e9eea5afd5d0b31f1d3c1abf058b3637af83836922ad2597775cc10e62
SHA512 7acf3808917f532003ac27876987bdd649f0c955b8145a1aa51f88892841e54788304ab85ce395e85b47e935fad07270e5782f3d83730292baa3bc1343bf9ae8

C:\Users\Admin\AppData\Local\Temp\2fff6c69\eceocgppmpndinofealdcccbnlcbockd\rzIq.js

MD5 3214f4dd041b3e0b360185d0f3323e58
SHA1 0a3e3a0705ebebef467de4a69845fc562c97ff07
SHA256 b5c836d9c4453523290e5cbc991e88906c90d87528ec08955e6e4950cfefdd3d
SHA512 552fe62d06f56679a69074b866a6887420b9d7ccfd46ee62c024d2936e6bf87f013fac77ad4ebb5082ddf6a5b97c1060ba508f1ac580b9f45e8f2617dfa4158d

C:\Users\Admin\AppData\Local\Temp\2fff6c69\[email protected]\bootstrap.js

MD5 df13f711e20e9c80171846d4f2f7ae06
SHA1 56d29cda58427efe0e21d3880d39eb1b0ef60bee
SHA256 6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4
SHA512 6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

C:\Users\Admin\AppData\Local\Temp\2fff6c69\[email protected]\chrome.manifest

MD5 faf31174ddc46d5da93f1c5a2033a945
SHA1 b6e4a5a8611d96919168c99065911177830370dc
SHA256 4b3186f616cf2a0402c89a9d6d6c7ad30d907ff44cada4eb6856e97966c2889f
SHA512 d81bf9adff9c4f82e3f5264612c2e702161cc1e6a843bde88b3414f85ba646bba6fe4f5d479fceb35e8327a4a610027bba3533e38c2fa0986bd25ff1a8485250

C:\Users\Admin\AppData\Local\Temp\2fff6c69\[email protected]\content\bg.js

MD5 597c8b32820f58859df39f9281621e76
SHA1 ec0b0e8b6b81903d71c4c17c3cb5587974f0c786
SHA256 c49e030c820e4f22419770ef44f3f56965a4b5809cd67bb8b6218ddd0e04bd03
SHA512 2ce2763474c595f8a3426b3707898e87ef43d5c70b509fbd16c894d611c998ead0cbf8648526ec099069eb01b0ee2c77081c2d21f975a832bc3e691e97c87faf

C:\Users\Admin\AppData\Local\Temp\2fff6c69\[email protected]\install.rdf

MD5 802d93a96420ae2ad114e0c3902e57df
SHA1 72e2194cc5ee374fe021914e1bd4f5feed388d38
SHA256 aaeee2ec5bbe95d1243c4671ca8cb28d5dc657ea96b0a8c5fe5d05c9ad87e5bf
SHA512 f9fa1a93da19ac7262bd4654fda1f249735d2e7e42129adbc06f0807bf64b352848f5095fdbb13895c6376aab7f82d4e0332ea7a0a94f189cda6105b2d2b4fc9

C:\Users\Admin\AppData\Local\Temp\2fff6c69\fR.tlb

MD5 0470e51ab6155fa6ab7c5ede0fbc9957
SHA1 f660d5661c0fadb56c5608e2aaf019dea75c4878
SHA256 4e830314ce7d9287d6d9344db8baac12080c9174d34155854db62d950775ba7f
SHA512 5e915c92b4f2555bbde1972227f002cc90492020de65329ab83dfb7779fe6c4f378db626ddf490046a0df49f5c218bcb8b4eeec530a56f24c8ec0a16c54c2240

C:\Users\Admin\AppData\Local\Temp\2fff6c69\fR.dll

MD5 aabcede5b824bd00717350b6b7474c46
SHA1 86c7cf982e18ca23f8ef30718417903dc010b00a
SHA256 7cf78eed551c7df977db6b274e3d25a41c80b9cde614f6eeb267f56e89fd78ab
SHA512 5a553ac22d08f6157639328e76016b488de7d92dae5d5d814ffae45ee0ec0e0b77c174ccb6ae851eeaf5e871d58a116d8ff768470d3e1575c58f506cc5563764

C:\Users\Admin\AppData\Local\Temp\2fff6c69\fR.x64.dll

MD5 a4a6482bc28e62a61ad01ceed7bd7d44
SHA1 12d3c0974d22dcba264088d9d68bc1eb20b988e5
SHA256 4a2a6fd3a04d31249310edb0c04b11d9afba4650f14e57a10884e61f430a0019
SHA512 241770653ae1b70cff9f06618d56c1756aec63210ab3df5e4e2e3c5e9b937369edf0e55b04df12d0046d199b4f27f1459efdcd4215a5ddc78d892190dd76ab1d