cf291f19cbaddd58221cbe3d3e4688fe4aabe5fb4895e99dff3f6827eef9b1a2

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
Size

1.8MB
MD5

deb6ea3b70f837d8254b74b2e3737dc2
SHA1

aefdcbe0f55ba70dbdcae82d97e831bc2a643f9b
SHA256

cf291f19cbaddd58221cbe3d3e4688fe4aabe5fb4895e99dff3f6827eef9b1a2
SHA512

25b72438a3f0b16645acda368a619675ea31f4124b8aba6b2e2a9584a916924ed1cef3cd847358fd56c4c51d614b376932bc24623822b16ebf96bfe15450f735
SSDEEP

49152:CNwseuWvDnRirk6uWKrBQSg/31kNXU7+6:W1elvTgomKSlL+6

Score

7^/10

adware discovery spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000700000001925e-202.dat	acprotect

Executes dropped EXE 8 IoCs

pid	Process
1324	scs.exe
2812	scs.exe
1824	scs.exe
1336	scs.exe
1344	scs.exe
1704	scs.exe
1600	scs.exe
2856	RewardsArcade.exe

Loads dropped DLL 64 IoCs

pid	Process
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
1836	regsvr32.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001925e-202.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041198}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041198}\ = "CrossriderApp0000498"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041198}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041198}	regsvr32.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\RewardsArcade\RewardsArcade.dll	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
File created	C:\Program Files (x86)\RewardsArcade\RewardsArcade.ico	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
File created	C:\Program Files (x86)\RewardsArcade\Uninstall.exe	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
File created	C:\Program Files (x86)\RewardsArcade\RewardsArcade.exe	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
File created	C:\Program Files (x86)\RewardsArcade\RewardsArcadeGui.exe	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RewardsArcade.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scs.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011041198}\AppName = "RewardsArcade.exe"	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011041198}\AppPath = "C:\\Program Files (x86)\\RewardsArcade"	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011041198}\Policy = "3"	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011041198}	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.FBApi\CLSID\ = "{33333333-3333-3333-3333-330033043398}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110011041198}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110011041198}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220022042298}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33333333-3333-3333-3333-330033043398}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660066046698}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.BHO\CLSID\ = "{11111111-1111-1111-1111-110011041198}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33333333-3333-3333-3333-330033043398}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044044498}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33333333-3333-3333-3333-330033043398}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550055045598}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055045598}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660066046698}\ = "ISandBox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.BHO\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.BHO\CurVer\ = "CrossriderApp0000498"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220022042298}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220022042298}\TypeLib\ = "{44444444-4444-4444-4444-440044044498}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077047798}\ = "IFBApi"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110011041198}\ProgID\ = "CrossriderApp0000498.BHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33333333-3333-3333-3333-330033043398}\TypeLib\ = "{44444444-4444-4444-4444-440044044498}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044044498}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660066046698}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77777777-7777-7777-7777-770077047798}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.Sandbox\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220022042298}\InprocServer32\ = "C:\\Program Files (x86)\\RewardsArcade\\RewardsArcade.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055045598}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660066046698}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.FBApi.1\CLSID\ = "{33333333-3333-3333-3333-330033043398}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110011041198}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055045598}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066046698}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044044498}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077047798}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.BHO\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.FBApi.1\ = "CrossriderApp0000498.FBApi"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.FBApi\ = "CrossriderApp0000498.FBApi"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.FBApi\CurVer\ = "CrossriderApp0000498.FBApi.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440044044498}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077047798}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.Sandbox.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.Sandbox.1\CLSID\ = "{22222222-2222-2222-2222-220022042298}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.BHO.1\ = "CrossriderApp0000498"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.Sandbox\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110011041198}\ = "RewardsArcade"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.FBApi	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066046698}\ = "ISandBox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110011041198}\TypeLib\ = "{44444444-4444-4444-4444-440044044498}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220022042298}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.FBApi\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055045598}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77777777-7777-7777-7777-770077047798}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077047798}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077047798}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33333333-3333-3333-3333-330033043398}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055045598}\TypeLib\ = "{44444444-4444-4444-4444-440044044498}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110011041198}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110011041198}\InprocServer32\ = "C:\\Program Files (x86)\\RewardsArcade\\RewardsArcade.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220022042298}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0000498.FBApi.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33333333-3333-3333-3333-330033043398}\InprocServer32\ = "C:\\Program Files (x86)\\RewardsArcade\\RewardsArcade.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33333333-3333-3333-3333-330033043398}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066046698}\TypeLib\ = "{44444444-4444-4444-4444-440044044498}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{77777777-7777-7777-7777-770077047798}\TypeLib\ = "{44444444-4444-4444-4444-440044044498}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77777777-7777-7777-7777-770077047798}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1836	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1836	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1836	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1836	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1836	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1836	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	32
PID 2936 wrote to memory of 1836	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	32
PID 2936 wrote to memory of 2748	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2748	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2748	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2748	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2368	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	35
PID 2936 wrote to memory of 2368	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	35
PID 2936 wrote to memory of 2368	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	35
PID 2936 wrote to memory of 2368	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	35
PID 2936 wrote to memory of 2612	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	37
PID 2936 wrote to memory of 2612	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	37
PID 2936 wrote to memory of 2612	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	37
PID 2936 wrote to memory of 2612	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	37
PID 2612 wrote to memory of 1324	2612	cmd.exe	39
PID 2612 wrote to memory of 1324	2612	cmd.exe	39
PID 2612 wrote to memory of 1324	2612	cmd.exe	39
PID 2612 wrote to memory of 1324	2612	cmd.exe	39
PID 2936 wrote to memory of 2812	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	40
PID 2936 wrote to memory of 2812	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	40
PID 2936 wrote to memory of 2812	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	40
PID 2936 wrote to memory of 2812	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	40
PID 2936 wrote to memory of 1132	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	42
PID 2936 wrote to memory of 1132	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	42
PID 2936 wrote to memory of 1132	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	42
PID 2936 wrote to memory of 1132	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	42
PID 1132 wrote to memory of 1824	1132	cmd.exe	44
PID 1132 wrote to memory of 1824	1132	cmd.exe	44
PID 1132 wrote to memory of 1824	1132	cmd.exe	44
PID 1132 wrote to memory of 1824	1132	cmd.exe	44
PID 2936 wrote to memory of 1336	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	45
PID 2936 wrote to memory of 1336	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	45
PID 2936 wrote to memory of 1336	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	45
PID 2936 wrote to memory of 1336	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	45
PID 2936 wrote to memory of 1344	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	47
PID 2936 wrote to memory of 1344	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	47
PID 2936 wrote to memory of 1344	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	47
PID 2936 wrote to memory of 1344	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	47
PID 2936 wrote to memory of 1704	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	49
PID 2936 wrote to memory of 1704	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	49
PID 2936 wrote to memory of 1704	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	49
PID 2936 wrote to memory of 1704	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	49
PID 2936 wrote to memory of 1600	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	51
PID 2936 wrote to memory of 1600	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	51
PID 2936 wrote to memory of 1600	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	51
PID 2936 wrote to memory of 1600	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	51
PID 2936 wrote to memory of 2856	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	53
PID 2936 wrote to memory of 2856	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	53
PID 2936 wrote to memory of 2856	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	53
PID 2936 wrote to memory of 2856	2936	deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe	53

C:\Users\Admin\AppData\Local\Temp\deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\deb6ea3b70f837d8254b74b2e3737dc2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s "C:\Program Files (x86)\RewardsArcade\RewardsArcade.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1836
- C:\Windows\SysWOW64\CScript.exe
  C:\Windows\system32\CScript.exe C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\RemoveFromList.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Windows\SysWOW64\CScript.exe
  C:\Windows\system32\CScript.exe C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\CleanChromePrefs.vbs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\CookieDbIndex.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe
    C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_498' LIMIT 1"
    3⤵
    - Executes dropped EXE
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe
  C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "INSERT INTO Databases (origin, name, description, estimated_size) VALUES('chrome-extension_dcmagccbogebndpoodhhhafmofelpffh_0','crossrider_cookies_498','Crossrider Cookies Store',50 * 1024 * 1024);"
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\CookieDbIndex.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe
    C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_498' LIMIT 1"
    3⤵
    - Executes dropped EXE
    PID:1824
- C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe
  C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_dcmagccbogebndpoodhhhafmofelpffh_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallerParams','{\"value\" : { \"source_id\" : \"4cross5a93dbRW1AR24VZ6542\", \"sub_id\" : \"default\", \"uzid\" : \"12475&subid=&pid=1021\" } }','2111-09-11 21:16:31');"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe
  C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_dcmagccbogebndpoodhhhafmofelpffh_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationTime','{\"value\" : 1726254274}','2111-09-11 21:16:31');"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1344
- C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe
  C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_dcmagccbogebndpoodhhhafmofelpffh_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationThankYouPage','{\"value\" : true}','2111-09-11 21:16:31');"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe
  C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_dcmagccbogebndpoodhhhafmofelpffh_0\3" "REPLACE INTO internaldb (name,value,expires) values('InstallerIdentifiers','{\"value\" : { \"installer_bic\" : \"64107FD32BC247619DFB28FFD9FA32F5IE\", \"installer_verifier\" : \"934367a1fc19bfb899050af190091a9a\", \"installer_verifier_for_215app\" : \"837237ba84587a227bbbba4610f3ef24\" } }','2111-09-11 21:16:31');"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Program Files (x86)\RewardsArcade\RewardsArcade.exe
  "C:\Program Files (x86)\RewardsArcade\RewardsArcade.exe" /installapp=498
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\RewardsArcade\RewardsArcade.dll

Filesize
481KB

MD5
ecbafbc62f0ed497aff72e4f9f7f8b52

SHA1
34731b5942d391258d4e7b271c291a693506ccb5

SHA256
6530264b57dab3d580e055f52d79a1a472e6b0506b4662ed124f7ad5d49b7f86

SHA512
2710cfedf5ef823d08e095e34699074af9d45117b85840f1c5f505931388c9890ca49195ec8a7d257d19951503525858635ded391ff366882ad8d7bacd1a37e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RewardsArcadeInstaller_1726254274.log

Filesize
1KB

MD5
8dcddb9f9b0e4c22734b84525835945e

SHA1
bc2001203f313798899581f2eb986fccd89aba46

SHA256
132cc15b3c42e001c8de0fd10379d8652b3ceecd15036b42c1a9162877b1145b

SHA512
64137cd551945abe221781be88b866a9c97263f0f79c57ad2dbc0ede46c6aae432d619f7593932887bdabd28c400d3593bf95c5f738ea1042359ec84ec848327

Download Submit
C:\Users\Admin\AppData\Local\Temp\RewardsArcadeInstaller_1726254274.log

Filesize
1KB

MD5
eaddc96bbfbad5ba5c10ba295d9e0e58

SHA1
483e348747ca8d56f7600e93857ade4a99beb1af

SHA256
f13111486df88d2d6138b3e5aeb63b056040ef533f2e99245ff3411b192b9319

SHA512
55d885b4150e234e027819ae1a221149840f02e3c5216380177f334f546c5a4f8159e962e9ad3487eccb8c93cf0d159d354ec8dcf96b81e8b769a1d29a893f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\RewardsArcadeInstaller_1726254274.log

Filesize
3KB

MD5
2f8f1b4aef0a1978626d464c2c6a0519

SHA1
8828a280f695acb9990745216bb82ca3bf4e4e86

SHA256
15e3844a2eaab7a8607f64f38a84f0b8c1fd967dc7786ecc1ce9034c8f34e0d9

SHA512
536200f94cbf2315758e8ff07f338bcd939df8fb2a3d07ee3adb23b9ed95dc152602fbc2bc84253305b29ccfb72dd6e539995f06425efa4e6cccbc9524ad9e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RewardsArcadeInstaller_1726254274.log

Filesize
653B

MD5
193cf0cf5797770ae2e972c12cd3e26d

SHA1
0a14f10bdef772731a2d521bebb184be9c82b007

SHA256
dc7fbbeb9f80269bc31758658080f29e037db731495c36eb64cc228ffd90f87c

SHA512
5df6eedcdbd22538918b5a8913415bc210e7ef48deea4dee2f610a3ae820f372e09922af815e82088d1442e81da7439f67ac13fe35afe7158af9d4aadbae4c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\RewardsArcadeInstaller_1726254274.log

Filesize
5KB

MD5
1d47881af4e812f81e4d998de98d1a16

SHA1
a8ded0ca3cb5d7247080f21865b9315c5ed415a8

SHA256
946434852c316eb529b3edafe186718f08fbf473cebfed2aa8b41fb4804d5eb9

SHA512
1c1b12d78b5f265a377cf3fd9a8068063ade8f12dc412748b27c302c264eb6cdac0c76c2f0cf2d78cc9f1a67c8e21bb3342cd06a5ac5c6d97cba0a93f35c0788

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\CookieDbIndex.bat

Filesize
280B

MD5
82cbaf19d595d8c6645a8f04fce400e5

SHA1
60ce31d3e0e5182cb9405bbb97746a409b14dfd7

SHA256
378eff62cd94db4bf07d4f46b8703132a90a062bdf1e8ff6263ac1d45f89bb75

SHA512
3f5617f93d366b4a3a66d7074c3816bc75c2533211605f84a94038264873763d463a0acc8b8a920fd800141c5d91a57367bd0e8046db679372d88f3a9623ba76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\[email protected]\skin\button3.png

Filesize
1KB

MD5
8b1eb9cb80417ec0022d278a44ab1dc7

SHA1
c49eb73f79e70b8ed96d91ef62f0bc344e41219a

SHA256
e358d97ba4c51b987fe73ea0ac0f14f9b2375e299f3e859fc37c21ab8b051ee6

SHA512
0324f2785d09f04c5be9ee77f1cb80a7afe06d66672baa862f63ec8ac59a2ae58199db91bb28e18409e918b222dcf09269013a270284213473ffa974d842c7d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome.manifest

Filesize
390B

MD5
aafad02e41a00515ab7353db6e2aaba7

SHA1
a874d20f9a78b7b125d72b38dc28c2507746e6ca

SHA256
2880375fc4cdaf0e27298dd2fe187f7690500c1af1822b91c224444e88353d92

SHA512
c8db63a8bc85a78ec232acbcafc321d518a887e7941b7c6764d088e1805385d92239721a46f6091f5f1f9d95bb97166d278f419090135cc817cb8518cd66b5db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\background.html

Filesize
1KB

MD5
6a87faae8ba9a0d10545e2f38ae7064f

SHA1
34b0f203bec68273df5b07f3319d065ee604ee10

SHA256
2b912755b38441ac92e31169bbd10bc98f8d6e3955bf0b8eab8cbb4973a74808

SHA512
28ddefde6b55e21a79e3e3d29a58d9c7523d9cf5cd3d2ed79b0ece06b2ed3ad1c9cea94281ff0d9f7dda5028edad894b7a11b9efb2b265692daaaa8973859a01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\browser.xul

Filesize
1KB

MD5
b18892000efe012044ef1b67fb6ff644

SHA1
14cfe7c34b4cc3176351feff1063d15750786cc3

SHA256
00a3e56fad7beb994a12a31df9e93decea49227ebbf952c10abfbb547405942b

SHA512
ccccf50904a0f77ae582f866bd97094222669f3d1a9e004653fac3f7e707fe318343924ff22d35a9799b5af7ee0e28642fdcc901415328bb999bfa49d9863b23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\crossrider.js

Filesize
61KB

MD5
07926ed297b3a0bcd1a394360cee11bb

SHA1
4625aba965263a0aa9f722c26d77ffe07830c854

SHA256
080fc9810a7da9195dc0577763ffd8397fb72e01dffb7e4da292f4135da6d0b2

SHA512
7245fbf97742a679e0235d369bbadd0264570f01df863636af12e0b89fb0e437fcdc06e9fb7684dec0ff059747a9f0f1df8a52439c853670b893cc3e2d83ecf1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\crossriderapi.js

Filesize
26KB

MD5
4117293d09c0ced58bca91f7a3975c09

SHA1
e5a14fe9683e3209e58755e2f25f432a2fe3b69c

SHA256
36db68953a04b46aedc205b0752058033bd1f312904d74ee5b79e226bfa0a844

SHA512
b4dc202cde84625d4ec8ce7f19d94fc4e999dc70bd5cd267a99a658f9f9672bb49c69b68223200cb9f7b9f9c7275657fe0c57bcd3f2548736f6c9e93d0fb6f31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\dialog.js

Filesize
1KB

MD5
e6a5893c64eb5e5b77aa021892912588

SHA1
61b38dbea6f772e877becc162018a5f3c8d43ff4

SHA256
11a30a3f685a0c56c58824d6b934309619560cc66ef35ccae546b550dcdcf1a4

SHA512
a20e6ef51e9d9317eaf7d69cf8517e465b2f7a24884d6bc44b7d31c1ed947b9860e882250a543a04f3e6bfd4477857180a80e40b629ea4a4c2f577fa653334a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\lib\faye-browser-min.js

Filesize
22KB

MD5
e943bac82bcc26b9f70a56e8d17a621a

SHA1
119829ca0c946afc9b9f08b4cde2bfd7d3db8757

SHA256
032a3516641eb897c7b0429965a0d2fb0774b904b6f780278569f1890ae60da9

SHA512
acc9af1de7419ea74f3afb5033b1c97f455d87b78093fa04382f09588a1c0de18d25199ce8f6b5792b09e0d97e93409f551233330cf8838cde73ddd10f609de5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\manage-apps-style.css

Filesize
1KB

MD5
a3c551e7275dd76fd02d4f10309183a4

SHA1
440893b78433368b254e080dfb9c785ac019bb10

SHA256
0a7e976ebc584c56d0bbcfc389bab8a63f7b79a3ce75af9eec3da690c8579815

SHA512
7b25d2122cc9b67f1045355b4b4cb8818cb58f1e79b95b282baa5b1513bfa88efaefc492a7375e3a3879b3b115c2198a2908fa7d9631106213b5fae5b3923b93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\manage-apps.html

Filesize
3KB

MD5
293ddbfc22ce23433709de9c2e39f0cb

SHA1
b9ad163f868ed30f07ff712a365f8f1e6a3d04d0

SHA256
b42829d1fd40781778ec8baa7c909b9165521d1e96842fc009ad442934d02b71

SHA512
6c312e24cfd5a1d0e1a7dfe9edff86ae4b4b25b9718a01323d7122f447b9ed7b0eed1d9be7ebce8749cfddb6ebc77b2d3364dce19c94a12f274a058825e488d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\messaging.js

Filesize
219B

MD5
c9f4939b77060984f4eba88a959e60f2

SHA1
9e438799da35416385a1715c2057784472798f32

SHA256
7893a28103483c68dc99b333bfdc11d741ba3556cd6ac21dec104fb1af630001

SHA512
bb0790525c82090afb28d65b41c67cf8762ca4452abee4be5e6023aa56334c1bd8af55480bd1f978bebbd50f02354c8604cfddfb40700d19681f26680c9f7b24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\options.js

Filesize
1KB

MD5
50d7f66d4bef9942d18ec2ed049993cc

SHA1
9d335bb230b19e11b5f4c46b78181fbd371596b9

SHA256
2c8048387bf5aee4ca90584017ff1e9146531b6c2417e9f54fa994d83c955e61

SHA512
859e9971cb6f30280ca28dde384a107546f1d31ef474333ea6767600240ae9f8ab08a84b86835e0e991924d26d4737c9c9470fc309dff8bdc4a82a2c729ca870

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\options.xul

Filesize
1KB

MD5
5f23b8d19de895d3593241af16d7bf1a

SHA1
d969538617f805a7206f724b061085ddfe4e57b6

SHA256
f7d1e268c8f1bb7a09342ee9cd04b99f2420ad08f47f895f8203bf2ef155c15e

SHA512
e2c9e19a14b8ad6a2f84ac801d2d162fe31dfd459f41305c3611b638cb7665dd3650fcb1f9bde6dee39939276a8532b28875ae04f00c791b354cf5ee262b5e09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\push.html

Filesize
396B

MD5
0e2c4481ddc0d0b46adc914f88f04149

SHA1
0ed83f212a9ea0ee26f509a2504de4405e3e56fd

SHA256
32c6b3be5ff9c5b3586a9fed2acbe65066514d673d37abac58df8b3ff7ae11c8

SHA512
50b6190a3e2df05a986b77a82fbcde76dc3feffe9bba3deccbcee77a436a728670aa2d133479f75b0329c59c00b3607af8bf6f50ba909207f0af1866dc74d5fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\search_dialog.xul

Filesize
2KB

MD5
53c23974dd4a8e990ab95cbbddb2c7bc

SHA1
ffe19ec1e2bd88fbcc092f3be04e0671dc733367

SHA256
86e4a9e0ca82c9e805db1d722664e1fc802e131358850453e533daeafba5796f

SHA512
0135e5f244ce2ee65f06967534474d2224da8875c9b3c8560122a00d1362565ec2c20b8a4baa4d030c5dc4a6d03db6317d2f8697352914e416d3caae0e013e18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\chrome\content\update.html

Filesize
1KB

MD5
64e222caca925ac4bb7270fc0f9f9a01

SHA1
0f18c9af8597a82bf4436203c41109d316a24100

SHA256
c806df1e5084fd46ebaf715a0f7e4edd27071db016118db4892d1ab094a38416

SHA512
a4dd077791fbe9517aa83c9162b764067112a0d08cbf382cd7268924ad14962205f3ff5251686fa6313315099fcd5d0e8b1f7d233b11aeb057597732a9d9dd97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\defaults\preferences\prefs.js

Filesize
1KB

MD5
245dabbf6455e256f44f2e530cb35d64

SHA1
4f30ef8c28223bf842e1dce5fc6302b94dcad678

SHA256
fdef414c1b42feeafcc56d21b1258ad14ed55152e1deb8256d3efcbee5bbfd97

SHA512
994110e4772c30c074794f5fcc636667d31b607ef8344cbacb540e876d21f9bd3feebbdf39d4a3797843b430b6e5e3f64f04d1cc7059d5ac6fc24ff85f0747e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\install.rdf

Filesize
1KB

MD5
6b07d821ffac1ca72ee702432462d035

SHA1
6abca3945c9599cba06a9d43923ca8c079ff0a86

SHA256
32107fd93e4d7d7b141da6cb35007bb9ed4f2d8ea4ccbe172eec7c57971d7cd5

SHA512
9bc0565f813ed89fbd335a7f4e93dc44d02b62e43a243f18d705eafea41ccdcfbc2d7b531126898120876420a709174248984bd17dd9869b58eb936d2fdbcd8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\locale\en-US\translations.dtd

Filesize
425B

MD5
aae23d78c89bb64103e8d668bff80223

SHA1
c0903224a450ec3b506ede665b2fd8624f94aaf6

SHA256
10762cb296f01536427e6592d4c79b08ac48b1c45d12e7b36aabcdd3c1bd299f

SHA512
79101b2fcaf52733b9f29607f15c4679c6ebb9edbe9caa44b3e138333737b5b1302aad9e78a788601b9d8c8e7355fc85e02b2d5f8b00c32cafe0d54a5c7b6d1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\icon128.png

Filesize
14KB

MD5
8f7dbd12c1c3c7892a875691fd860622

SHA1
3683507c65f39fd98fb7f6c3de595c1f661281b9

SHA256
bde72301531856f2c5224e02e2369a2085f75001d01b23af5bb80b81c02dcfee

SHA512
68f2abedea403fa7db99fc3dfe8d2f91f0a1d89a8af6f272d4f0fe607e70a3b8a34c8c332e3b05cfad87c9f6833a04e6b9876db33295f7c633eb1a99e91cfc52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\icon16.png

Filesize
955B

MD5
d8a17505e285d253716b99f073470086

SHA1
9179fdb2d850c4ccd491e53a4ae5e6850d78c894

SHA256
b0371ab03dab35b7f273952592af05834e11430bdb3930bfa11bb536ebb312dd

SHA512
dd6caeb67762c19a3ffc35fe0ab11d71f4c8d685a0026f559b092559f0ef68df8cb0bb26e33370a531902480a2faf9b78a297141c394c2425a5aef1cb281c7e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\icon24.png

Filesize
2KB

MD5
48183f7889c86f075274d9db783a02af

SHA1
e1e4d0e1a752ef8ee0fd7f3a471832298a5f7860

SHA256
51ac228ae70c2a1d8e68d654597791c2e0bf465bd81ad1068e8d32b6a8b76223

SHA512
218161d784e57674312f254e22a2ba15bec4d3175a3d33f737802aaf5c0be94b8873435f9a2aca326fc9018a4939d19a0069f4eb4344c19c25d820be392f69a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\icon48.png

Filesize
3KB

MD5
3cfe23ae9eb527cf91fd1a2c016e1f14

SHA1
97f7cc97cee72672b46d525c5940650ca14db8f9

SHA256
2a6404b3f0dfaef0d1e753264c975d0f7de94ce5fabeebf3eaea5e15082592a7

SHA512
f8eee9f713ae2ec3b19e8171caf93d353c5d74c57862dba866ef4e2e948fc1993e073747bea5a0e81f22db1fb22505773c81bbf7783d7ebb5c27f116316b6a2c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\panelarrow-up.png

Filesize
917B

MD5
752c26453dc2fc989ed46f5920328edb

SHA1
a064ccc009ee36c20dd5a8aeeab1a335bf82bda2

SHA256
758210b28ee3298facef83c81272ef4121f337392ef5bdd44e47222ec4966beb

SHA512
b0c3c58ca36e7dfa9988bd68a0432b01db020420e3406653ae8521cded576ebedb9169df93f1a9dc461831a52c0297854fdd23554aca551d246de01d17db80d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\popup.css

Filesize
532B

MD5
6bbcc9c0e713316413d8a73ab5851b39

SHA1
ea5bb3c0359cbcdb0e7759c3e1f7b82bd0b6348d

SHA256
d8e46a8d436647511e66d55fef08fc24fa04899bce37b80e0d319e3a9c2c8286

SHA512
1cf92950ab1d9402ee4e60f3fd2c7c89794be90b689b7a972215c2ad1d3b7826a308eb728d8b6837364ff4dd90acc73174104ba9894bc31368754724531f3287

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\popup.html

Filesize
300B

MD5
ba9f930650b379038d2fcbf4caee0f2d

SHA1
91322f23a1eba322e10f83b65eaaed2915227bab

SHA256
011fff54291c370d040cf1d6c9b4e56fa6019b2f932b053d1d58238e58259e09

SHA512
86eaba684a5e882e45916fc897566c8a3a2780b33f73b505867e37c17b256c03dbfcf32f1ee7bd2b212f0dfdd85032420ddfeee024211c7886603fc986e1b223

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\popup_binding.xml

Filesize
381B

MD5
e64cb97e104da3f5a3748c4d84135b7c

SHA1
a033f09598e4cf4497ffa8ce4bcca250f7559865

SHA256
59ce7ae082994ee8f0c74a9caf8250f0a4a8e2fe3a31a8a3c4c44a181c5a41c7

SHA512
7595e72ffbbd0be05021e37db1c72454cf8e74e7fcc53c5e78f50d0d9b1c56843eba7a03a7c6bdff82ae4513b391a4fbb80e4016a301fc0d698ebf985df2d2cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\skin.css

Filesize
502B

MD5
d652a63512660d925a4f30c518d18164

SHA1
7486e687ccab329fa59ec723c75554bc1393e920

SHA256
4da8f0f57eb5002a838b31362f622270e128c52947060ed292cd24cb162caf1e

SHA512
877720a7acb4bad21d30c117ebb452a9a6fefb1c7c137692af4e23adb5bf17aa1c6371c9424570154e44b5eb0d293292e818044537a780f811b40da38d65c296

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\[email protected]\skin\update.css

Filesize
140B

MD5
36ab40a4b899472d25a3c872a7f9ad4d

SHA1
c29870d67d954de9c5c32783ce28cf7f77d13ec1

SHA256
4f0795bbc78e195bd977cf489c05543ac86bd10f95fbb83a5db11b17c7d7f664

SHA512
9626a7a269acebdbcacd31f4d5e4f70e57873cbd8eb4e835b2d4b52c863fecf6a27f474124b508a0fed8614bc6e3165be38b0930c7a96326afbb23343cca514a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\Dialer.dll

Filesize
3KB

MD5
068ba6a2cece65f680895ea627f71e39

SHA1
27070d0fa949a80360426f37b3dfe9eaa0ed66f4

SHA256
ef649d2b3daed72b0778ab6b3f22a02e288fd009cf9e7e76eb1991451e580f82

SHA512
adf99b31790694d8ad02c56b1cb7c9dadeac49d492225a2d297654bfcd617f3afad23990d1d695fba03af1c355456e2e7c3e972eaa9b5ab1770bbb6eef0e733f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\ExecDos.dll

Filesize
5KB

MD5
ebcf9f71d804abab3c2e5ce4c17dc22e

SHA1
17d13084e75cbfa5fbfdd0025e9a0ee5772ae765

SHA256
d387b725afbd2a6f9b44999278d21025fae55b391e45f7751b88dfb13511a993

SHA512
5576396c2d885c039668d7f401eeee583eb4de39e8497c3aaec32d47f4417a522fe6786c111d50a5fba7570f50e84144ef3a8aea42677d170e79114343c3a4a1

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\Processes.dll

Filesize
35KB

MD5
2cfba79d485cf441c646dd40d82490fc

SHA1
83e51ac1115a50986ed456bd18729653018b9619

SHA256
86b302fa9c85dfa0c1c03ba000864a928365dab571f3355347dba02da22949b7

SHA512
cca186a7f9c5cff3f4eca410fbe8cc13dad2514a7e36aec9b1addfbcb239ace9b9b2d8427771858e3fd11783abce7e24d43c286f98da9f8b17562ca095a4c043

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\inetc.dll

Filesize
20KB

MD5
4c01fdfd2b57b32046b3b3635a4f4df8

SHA1
e0af8e418cbe2b2783b5de93279a3b5dcb73490e

SHA256
b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014

SHA512
cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nsdC0D1.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
memory/2936-228-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/2936-14-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2936-305-0x00000000005D0000-0x00000000005DD000-memory.dmp

Filesize
52KB

Download
memory/2936-408-0x0000000002AB0000-0x0000000002ADD000-memory.dmp

Filesize
180KB

Download