fc02f799dea1b670c662c2d2b5b26359dd7e618293ca6fe86a4c6437b4d890b7

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe
Size

5.3MB
MD5

012620b1a51fa4a646568ce74296061d
SHA1

d03959143bc05aeaed634749a38ba7f628a8f05b
SHA256

fc02f799dea1b670c662c2d2b5b26359dd7e618293ca6fe86a4c6437b4d890b7
SHA512

0448d974459b50c7a995d2ab1749baea1faf4e2c770a91ab149cd6d88945503e5a83a47dcc581ca84adee9b0dd679a90e065a3078cf2dc129d5e84621dfe79e1
SSDEEP

98304:jFLVwayNPX8shuZTkvW7gtcZ4fEY21Br+ADeGA4B9B3dl5SR6JnhhtoY:hBwpNPXtmTSLcdDjDeGAOpb0whtX

Score

7^/10

adware discovery persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000019279-233.dat	acprotect

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 7 IoCs

pid	Process
1536	Glqjujnundzis.exe
1196	Plus-HD-2.2-chromeinstaller.exe
2940	Plus-HD-2.2-firefoxinstaller.exe
2840	Plus-HD-2.2-codedownloader.exe
2352	Plus-HD-2.2-helper.exe
2280	Plus-HD-2.2-bg.exe
1708	Plus-HD-2.2-enabler.exe

Loads dropped DLL 64 IoCs

pid	Process
2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe
2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe
2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe
2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfakeonomonapccoamcmdgpoaicnpnoo\1.24.62_0\manifest.json	Plus-HD-2.2-chromeinstaller.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311301136}\NoExplorer = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311301136}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311301136}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	Plus-HD-2.2-enabler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311301136}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311301136}\ = "CrossriderApp0033036"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311301136}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311301136}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311301136}\ = "CrossriderApp0033036"	regsvr32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019279-233.dat	upx

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Plus-HD-2.2\Uninstall.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-buttonutil.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-bho.dll	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-bho64.dll	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\background.html	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-enabler.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\utils.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-firefoxinstaller.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-helper.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-buttonutil64.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2.ico	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-updater.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\33036.crx	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-chromeinstaller.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-buttonutil64.dll	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Installer.log	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\33036.xpi	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-codedownloader.exe	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-buttonutil.dll	Glqjujnundzis.exe
File created	C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-bg.exe	Glqjujnundzis.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\Plus-HD-2.2-codedownloader.job	Glqjujnundzis.exe
File opened for modification	C:\Windows\Tasks\temp_Plus-HD-2.2-enabler.job	Glqjujnundzis.exe
File created	C:\Windows\Tasks\Plus-HD-2.2-updater.job	Glqjujnundzis.exe
File created	C:\Windows\Tasks\Plus-HD-2.2-chromeinstaller.job	Glqjujnundzis.exe
File created	C:\Windows\Tasks\Plus-HD-2.2-firefoxinstaller.job	Glqjujnundzis.exe
File opened for modification	C:\Windows\Tasks\Plus-HD-2.2-firefoxinstaller.job	Glqjujnundzis.exe
File opened for modification	C:\Windows\Tasks\Plus-HD-2.2-enabler.job	Glqjujnundzis.exe
File created	C:\Windows\Tasks\temp_Plus-HD-2.2-enabler.job	Glqjujnundzis.exe
File opened for modification	C:\Windows\Tasks\Plus-HD-2.2-updater.job	Glqjujnundzis.exe
File opened for modification	C:\Windows\Tasks\Plus-HD-2.2-chromeinstaller.job	Glqjujnundzis.exe
File created	C:\Windows\Tasks\Plus-HD-2.2-codedownloader.job	Glqjujnundzis.exe
File created	C:\Windows\Tasks\Plus-HD-2.2-enabler.job	Glqjujnundzis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plus-HD-2.2-chromeinstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plus-HD-2.2-codedownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glqjujnundzis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plus-HD-2.2-firefoxinstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plus-HD-2.2-bg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plus-HD-2.2-enabler.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016de0-18.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bdc459d1-6eb9-4f6f-9642-ded0543b84a1}\Policy = "3"	Glqjujnundzis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f8bb49dc-bc97-449a-ae10-7512490d3649}\Policy = "3"	Glqjujnundzis.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	Glqjujnundzis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b3266dd-2b7b-44e9-93f5-8c6355d3ec65}\AppPath = "C:\\Program Files (x86)\\Plus-HD-2.2"	Glqjujnundzis.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Approved Extensions	Plus-HD-2.2-enabler.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{34c5463e-f4a2-4895-b930-5e124eb8372d}	Glqjujnundzis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{34c5463e-f4a2-4895-b930-5e124eb8372d}\Policy = "3"	Glqjujnundzis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35b82ec9-2b2f-4e95-a957-6dd54a6d8d76}\Policy = "3"	Glqjujnundzis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bdc459d1-6eb9-4f6f-9642-ded0543b84a1}\AppName = "Plus-HD-2.2-buttonutil.exe"	Glqjujnundzis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f8bb49dc-bc97-449a-ae10-7512490d3649}\AppName = "Plus-HD-2.2-buttonutil64.exe"	Glqjujnundzis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Plus-HD-2.2-bg.exe = "8000"	Glqjujnundzis.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b3266dd-2b7b-44e9-93f5-8c6355d3ec65}	Glqjujnundzis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b3266dd-2b7b-44e9-93f5-8c6355d3ec65}\Policy = "1"	Glqjujnundzis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{34c5463e-f4a2-4895-b930-5e124eb8372d}\AppPath = "C:\\Program Files (x86)\\Plus-HD-2.2"	Glqjujnundzis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35b82ec9-2b2f-4e95-a957-6dd54a6d8d76}\AppName = "Plus-HD-2.2-helper.exe"	Glqjujnundzis.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f8bb49dc-bc97-449a-ae10-7512490d3649}	Glqjujnundzis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8b3266dd-2b7b-44e9-93f5-8c6355d3ec65}\AppName = "Plus-HD-2.2-bg.exe"	Glqjujnundzis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{11111111-1111-1111-1111-110311301136}	Plus-HD-2.2-enabler.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bdc459d1-6eb9-4f6f-9642-ded0543b84a1}	Glqjujnundzis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{bdc459d1-6eb9-4f6f-9642-ded0543b84a1}\AppPath = "C:\\Program Files (x86)\\Plus-HD-2.2"	Glqjujnundzis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35b82ec9-2b2f-4e95-a957-6dd54a6d8d76}\AppPath = "C:\\Program Files (x86)\\Plus-HD-2.2"	Glqjujnundzis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f8bb49dc-bc97-449a-ae10-7512490d3649}\AppPath = "C:\\Program Files (x86)\\Plus-HD-2.2"	Glqjujnundzis.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	Plus-HD-2.2-enabler.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{34c5463e-f4a2-4895-b930-5e124eb8372d}\AppName = "Plus-HD-2.2-codedownloader.exe"	Glqjujnundzis.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35b82ec9-2b2f-4e95-a957-6dd54a6d8d76}	Glqjujnundzis.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355305536}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344304436}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355305536}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344304436}\1.0\0\win32\ = "C:\\Program Files (x86)\\Plus-HD-2.2\\Plus-HD-2.2-bho64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344304436}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344304436}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366306636}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311301136}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}\ProgID\ = "CrossriderApp0033036.BHO.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322302236}\ProgID\ = "CrossriderApp0033036.Sandbox.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355305536}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311301136}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311301136}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311301136}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.Sandbox.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311301136}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322302236}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322302236}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322302236}\TypeLib\ = "{44444444-4444-4444-4444-440344304436}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.Sandbox.1\CLSID\ = "{22222222-2222-2222-2222-220322302236}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.Sandbox\ = "CrossriderApp0033036.Sandbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322302236}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322302236}\TypeLib\ = "{44444444-4444-4444-4444-440344304436}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311301136}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344304436}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.BHO\CurVer\ = "CrossriderApp0033036"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322302236}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.Sandbox.1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322302236}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322302236}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355305536}\TypeLib\ = "{44444444-4444-4444-4444-440344304436}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.Sandbox\ = "CrossriderApp0033036.Sandbox"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322302236}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.BHO\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}\VersionIndependentProgID\ = "CrossriderApp0033036"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344304436}\1.0\ = "CrossriderApp0033036 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366306636}\ = "ISandBox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311301136}\ = "Plus-HD-2.2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.BHO\ = "CrossriderApp0033036"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.Sandbox\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.Sandbox\CurVer\ = "CrossriderApp0033036.Sandbox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366306636}\TypeLib\ = "{44444444-4444-4444-4444-440344304436}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311301136}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.Sandbox\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344304436}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366306636}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322302236}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.Sandbox.1\ = "CrossriderApp0033036.Sandbox"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0033036.BHO.1\ = "CrossriderApp0033036"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322302236}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322302236}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322302236}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311301136}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311301136}\TypeLib\ = "{44444444-4444-4444-4444-440344304436}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322302236}\ProgID\ = "CrossriderApp0033036.Sandbox.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311301136}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1536	Glqjujnundzis.exe
1196	Plus-HD-2.2-chromeinstaller.exe
1536	Glqjujnundzis.exe
2940	Plus-HD-2.2-firefoxinstaller.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1536	2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1536	2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1536	2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1536	2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1536	2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1536	2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe	30
PID 2220 wrote to memory of 1536	2220	012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe	30
PID 1536 wrote to memory of 1196	1536	Glqjujnundzis.exe	32
PID 1536 wrote to memory of 1196	1536	Glqjujnundzis.exe	32
PID 1536 wrote to memory of 1196	1536	Glqjujnundzis.exe	32
PID 1536 wrote to memory of 1196	1536	Glqjujnundzis.exe	32
PID 1536 wrote to memory of 1196	1536	Glqjujnundzis.exe	32
PID 1536 wrote to memory of 1196	1536	Glqjujnundzis.exe	32
PID 1536 wrote to memory of 1196	1536	Glqjujnundzis.exe	32
PID 1536 wrote to memory of 2940	1536	Glqjujnundzis.exe	33
PID 1536 wrote to memory of 2940	1536	Glqjujnundzis.exe	33
PID 1536 wrote to memory of 2940	1536	Glqjujnundzis.exe	33
PID 1536 wrote to memory of 2940	1536	Glqjujnundzis.exe	33
PID 1536 wrote to memory of 2940	1536	Glqjujnundzis.exe	33
PID 1536 wrote to memory of 2940	1536	Glqjujnundzis.exe	33
PID 1536 wrote to memory of 2940	1536	Glqjujnundzis.exe	33
PID 1536 wrote to memory of 2840	1536	Glqjujnundzis.exe	34
PID 1536 wrote to memory of 2840	1536	Glqjujnundzis.exe	34
PID 1536 wrote to memory of 2840	1536	Glqjujnundzis.exe	34
PID 1536 wrote to memory of 2840	1536	Glqjujnundzis.exe	34
PID 1536 wrote to memory of 2352	1536	Glqjujnundzis.exe	35
PID 1536 wrote to memory of 2352	1536	Glqjujnundzis.exe	35
PID 1536 wrote to memory of 2352	1536	Glqjujnundzis.exe	35
PID 1536 wrote to memory of 2352	1536	Glqjujnundzis.exe	35
PID 1536 wrote to memory of 1864	1536	Glqjujnundzis.exe	36
PID 1536 wrote to memory of 1864	1536	Glqjujnundzis.exe	36
PID 1536 wrote to memory of 1864	1536	Glqjujnundzis.exe	36
PID 1536 wrote to memory of 1864	1536	Glqjujnundzis.exe	36
PID 1536 wrote to memory of 1864	1536	Glqjujnundzis.exe	36
PID 1536 wrote to memory of 1864	1536	Glqjujnundzis.exe	36
PID 1536 wrote to memory of 1864	1536	Glqjujnundzis.exe	36
PID 1536 wrote to memory of 1072	1536	Glqjujnundzis.exe	37
PID 1536 wrote to memory of 1072	1536	Glqjujnundzis.exe	37
PID 1536 wrote to memory of 1072	1536	Glqjujnundzis.exe	37
PID 1536 wrote to memory of 1072	1536	Glqjujnundzis.exe	37
PID 1536 wrote to memory of 1072	1536	Glqjujnundzis.exe	37
PID 1536 wrote to memory of 1072	1536	Glqjujnundzis.exe	37
PID 1536 wrote to memory of 1072	1536	Glqjujnundzis.exe	37
PID 1072 wrote to memory of 2908	1072	regsvr32.exe	38
PID 1072 wrote to memory of 2908	1072	regsvr32.exe	38
PID 1072 wrote to memory of 2908	1072	regsvr32.exe	38
PID 1072 wrote to memory of 2908	1072	regsvr32.exe	38
PID 1072 wrote to memory of 2908	1072	regsvr32.exe	38
PID 1072 wrote to memory of 2908	1072	regsvr32.exe	38
PID 1072 wrote to memory of 2908	1072	regsvr32.exe	38
PID 1536 wrote to memory of 2280	1536	Glqjujnundzis.exe	39
PID 1536 wrote to memory of 2280	1536	Glqjujnundzis.exe	39
PID 1536 wrote to memory of 2280	1536	Glqjujnundzis.exe	39
PID 1536 wrote to memory of 2280	1536	Glqjujnundzis.exe	39
PID 1608 wrote to memory of 1708	1608	taskeng.exe	41
PID 1608 wrote to memory of 1708	1608	taskeng.exe	41
PID 1608 wrote to memory of 1708	1608	taskeng.exe	41
PID 1608 wrote to memory of 1708	1608	taskeng.exe	41

C:\Users\Admin\AppData\Local\Temp\012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\012620b1a51fa4a646568ce74296061d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\Glqjujnundzis.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\Glqjujnundzis.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-chromeinstaller.exe
    "C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-chromeinstaller.exe" /installcrx /agentregpath='Plus-HD-2.2' /extensionfilepath='C:\Program Files (x86)\Plus-HD-2.2\33036.crx' /appid=33036 /srcid='000342' /subid='0' /zdata='0' /bic=0C226C5D7B8C4939AC4901A718F446C0IE /verifier=d0b4c419ac6600e6e43f78f1dcf33530 /installerversion=1_28_153 /installerfullversion=1.28.153.1 /installationtime=1727696790 /statsdomain=http://stats.ourstatssrv.com /errorsdomain=http://errors.ourstatssrv.com /waitforbrowser=300 /extensionid=kfakeonomonapccoamcmdgpoaicnpnoo /extensionversion=1.24.62 /extensionpublickey=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS9drj+ED7r3Qa2m4C4xLVmOH4LSwSso/VpVefBKvScjDwGQVgwoz2MZ5ffDEmH1ujsoGLwof5lvp3SLBa9j0Su8P+0bxlu/NcSCcCmNhLYrWh//WPGPxJveP4kfQdSH+X0U8hb2ZbiNaemVrNv+VjM1edjaCvnM2DAPO+omgYEwIDAQAB /allusers /allprofiles /showthankyoupage /externallog='C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log'
    3⤵
    - Executes dropped EXE
    - Drops Chrome extension
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1196
- - C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-firefoxinstaller.exe
    "C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-firefoxinstaller.exe" /installxpi /agentregpath='Plus-HD-2.2' /extensionfilepath='C:\Program Files (x86)\Plus-HD-2.2\33036.xpi' /appid=33036 /srcid='000342' /subid='0' /zdata='0' /bic=0C226C5D7B8C4939AC4901A718F446C0IE /verifier=d0b4c419ac6600e6e43f78f1dcf33530 /installerversion=1_28_153 /installerfullversion=1.28.153.1 /installationtime=1727696790 /statsdomain=http://stats.ourstatssrv.com /errorsdomain=http://errors.ourstatssrv.com /waitforbrowser=300 /extensionid=4fdacf00-e9c4-4ad5-b4cf-bf9800f184f6@36857116-74e0-4973-936f-860cd2a102a9.com /extensionversion=0.92 /prefsbranch=a4fdacf00e9c44ad5b4cfbf9800f184f63685711674e04973936f860cd2a102a9com33036 /updateurl=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/33036.rdf /allusers /allprofiles /showthankyoupage /externallog='C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log'
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2940
- - C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-codedownloader.exe
    "C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-codedownloader.exe" /installapp /agentregpath='Plus-HD-2.2' /appid=33036 /srcid='000342' /subid='0' /zdata='0' /bic=0C226C5D7B8C4939AC4901A718F446C0IE /verifier=d0b4c419ac6600e6e43f78f1dcf33530 /installerversion=1_28_153 /installerfullversion=1.28.153.1 /installationtime=1727696790 /statsdomain=http://stats.ourstatssrv.com /errorsdomain=http://errors.ourstatssrv.com /codedownloaddomain=http://app-static.crossrider.com /allusers /externallog='C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log'
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-helper.exe
    "C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-helper.exe" /externallog='C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log'
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-bho.dll"
    3⤵
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1864
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s "C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-bho64.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-bho64.dll"
      4⤵
      Installs/modifies Browser Helper Object
      Modifies registry class
      PID:2908
- - C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-bg.exe
    "C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log'
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2280

C:\Windows\system32\taskeng.exe
taskeng.exe {C56A3DB3-6244-42E9-B509-7C928F66DE5D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-enabler.exe
  "C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-enabler.exe" /enablebho /agentregpath='Plus-HD-2.2' /appid=33036 /srcid='000342' /subid='0' /zdata='0' /bic=0C226C5D7B8C4939AC4901A718F446C0IE /verifier=d0b4c419ac6600e6e43f78f1dcf33530 /installerversion=1_28_153 /installationtime=1727696790 /statsdomain=http://stats.ourstatssrv.com /errorsdomain=http://errors.ourstatssrv.com /bhoguid=11111111-1111-1111-1111-110311301136 /allusers /externallog='C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log'
  2⤵
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Plus-HD-2.2\33036.crx

Filesize
310KB

MD5
8e82bcb090068737fcff5df5737f17a9

SHA1
d08c2ca9bed34634a1aeb7c310beaf989485dbe0

SHA256
da3b7f9b74685d9cc089b27d71b0af851990277f40a8c6bfa5aaca3690bfff56

SHA512
98df08227b32827c8cd96e41ca5524f8ede960e91c8bf8f28bad38b5984b24baa07d4681ffeb9d1ab0cd9ab2d9446cc31cfbfd8f4f41b9f1538888728d5cf7bb

Download Submit
C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-chromeinstaller.exe

Filesize
477KB

MD5
4225cb13c6b29578c742f96f3c86e892

SHA1
af0cc156bf9d1f122d773bc05e4af68b7064932c

SHA256
aac942cf4e56f722e0b676e7ceff7e3ae9c8ff08520af80d045fb203dd6ec7bd

SHA512
21f17c07a36be3b3149086c500ce4b49940e100b778ba012f78f9712e695a4fc150b53741862535fd704ccf0b9e3d805c85a8d392a4af59b15ecea5862872d2b

Download Submit
C:\Program Files (x86)\Plus-HD-2.2\Plus-HD-2.2-firefoxinstaller.exe

Filesize
710KB

MD5
6df596b5ca9744d5d6c274badf67f486

SHA1
e6727ac9af96cb31951c413dc3cde07b64cffc14

SHA256
692f6d669241e1e5c0aa40add596f47c055379f1bf26d1fcb6943c83609bcb6f

SHA512
87348be673e60e1f40f1215c3bb03067c28a896973472bc72bcc441e91e0cea2d29ca9990794b9f207eab8b3a38f070a420b667ef80ff9063d5d8aecf794dc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log

Filesize
1KB

MD5
9f3b2ca68997c110b5aaa64e7fc4a686

SHA1
e6ffeced2452c2d30722c1290425ccb0e0389546

SHA256
17a02ed6919ed2e0c9886c45e8251d9d57d8e55b2f02fa94c2d5c4970ec9c420

SHA512
12983003de19ab08b6d3e97468671d44bafe79fddf5f7008769959389f78ab17ffe5586b1bb47a7d92bef9158e57211dc17a6ff7a1f408790cd0eda972c305c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log

Filesize
1KB

MD5
270a977871f70d65b4c07fc4ec726cfa

SHA1
5b3728080565096d07f5812f6e64a603bbc447ce

SHA256
f30ec0dfdacd2b1f1531e387669b1a4ccbe5fc5636229ba42e868e043cb50bc4

SHA512
1b3446ddf00835e9d0d3c037c130335694027d075860401cf6275d7a870e18359e429929b6e2960de0e04b3e216ef96b00f269a7a66e86e61496af4d8964ecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log

Filesize
1KB

MD5
af9e7b792477a1df586a02ba000bd0ac

SHA1
c647321ecb96e491dfa465def4b4db53be1b5460

SHA256
4cc88189c4e45c6cc6c030f2b9e550343d9ff7ca36130235c93d2c55178efc33

SHA512
f78c4f3d48d1920be02e4b022a695a400e74dcf7a00a19e8b4ce469378621c88fc05a1cbd3dfc56cc2fe4a19d725dabe8718dca4625537970a42f874f92f05ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log

Filesize
3KB

MD5
ab632d75b2463314cf7112cf91a466bc

SHA1
6c82d34f359a0fe8a5f044ce4f56ff75d672e0ae

SHA256
c5c2b5816136721b0b8b00ff36c2a2cf602ef131b4e40761542aa6cc9a7e49f8

SHA512
124582361961d79a2bf86f75a128b568d96a311975704889ae614aa70255e672605ca8f628ae53c8052ca6b8122aa750562c0f97328e08b8e13499316f95d655

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log

Filesize
5KB

MD5
8afb611ed562450bd0f0ad644589fecd

SHA1
6e5601325e8be9af3e54fc3b3c1043193f7324c6

SHA256
41befcc56b208cff16b4be6a4ecd0dd9c2d7fcdf06d13896577ab3818a92b360

SHA512
a0aa93e5f415c96678fcc937e0fab0f86cfd45d12d8e13de9f6afd34a1e230b7604c43ce990d31ebb9dec7bfdc59aa0dccc0c598d9be98ec1a6fb00278cf3c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Plus-HD-2.2Installer_1727696790.log

Filesize
637B

MD5
6d4fd191d001203bf7ab4392024f625c

SHA1
af999770a15f65da7dde83de1453e82ca95fbc76

SHA256
b715fac80175b77b6b669e2f519a778e1c8b66f2c20ba0ca7f482e9e376d0ae4

SHA512
d81dde98999886078a3065e4e1f91576295ce86bb2c744be69f83ebc205ba41264866cbf653179357c49f0c5112d5585080abfd4f76afd3e116e4a5366a22368

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\ExecDos.dll

Filesize
5KB

MD5
ebcf9f71d804abab3c2e5ce4c17dc22e

SHA1
17d13084e75cbfa5fbfdd0025e9a0ee5772ae765

SHA256
d387b725afbd2a6f9b44999278d21025fae55b391e45f7751b88dfb13511a993

SHA512
5576396c2d885c039668d7f401eeee583eb4de39e8497c3aaec32d47f4417a522fe6786c111d50a5fba7570f50e84144ef3a8aea42677d170e79114343c3a4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
480KB

MD5
075c08da8984f20c9f1595e77e215877

SHA1
f09311d3c90a2e9016d65a9f8be607e26aa2c9f7

SHA256
78cbf11845ad6b11511e71de50ca423a10ee24a373ecb39acf6be5e1111e5ba5

SHA512
e86e70cc61728fba108ef5f927f8c9bdd57b7728f8359634849bac9dcbe8a2ea85714a0005089acb796f6002841db20175a5be43f8b7167f989e62bd8da3d0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
308KB

MD5
01b6d8fc916c3ed2a5470b65bba527d2

SHA1
c2ca8f7af1a75686f78f87d230a1c12db84ed16c

SHA256
e67da62b56635927536bb1a93c8fb72ba83430ecda079fb4e868c5bd29ace79b

SHA512
5c9a451596041bdc86900a1fcc662a69c5549138b69e4c9a8d2260f79036b49e957836c4a9730edbe7f30f55529e8725f048b43b2fdbbcce043c2d3762b22614

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
335KB

MD5
66745020d0ac38812c0273a694d5cb4e

SHA1
ed2ab58095516a9bdd1f13990115abe488613c14

SHA256
5a6bd6dfa66c6f7a0160a7a0c4e68e72f30ac1e46cf084321265fcf8835819d6

SHA512
3ff23527f0e6203d7defcf6091bfaee781ab5d4c2f435ab5ad598eecf150a751d61edac7486bb9dde2879cb5b701df359ba1d554c7b180511d00b8a1c28a0206

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
395KB

MD5
bffac22b4e278790716fbaa9b3cd091a

SHA1
8eb677ebee23da14bd038450615d3c29691fa098

SHA256
a1bcc65ea89b1fb1d10b4d19d35915190670fc7eabd23479d293f81f5c7019ed

SHA512
1ed1c5254f8822843f6bdb64108bc576feb8d8fd3211efa2fefa3844c040ba0a873bdb768edfb0bbbd2a541a127dd42e3d9edd55cfc76d4f0cb9e42f55ea3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
64KB

MD5
e6283c7dc374d29a5fb9f3f1cae24457

SHA1
c447dae6deb9c2f5804448c9e72d85b748b191e6

SHA256
ec8fe7820e8239e99cbfbc5a3277ae6474a4de3623fb4dd09c08cde76d7f8fdd

SHA512
bf5d1d29d0553cb6e6ea1a6eea26743ab16f54c1b8df25638340b396a73af118331c974473a1fcb7e327eb570b56b54345a66db84b70f0ff9dd2b245bbc110f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
588KB

MD5
f886f2dbe62a2137cfd4aec3bbc338b6

SHA1
18eb4dc5e4f54aff7dbf6f335f8b2fec67cfae7a

SHA256
be5320eda3434f7496d17740e7854ace643247bcda9d6ac2142f5006acf22fa2

SHA512
c590c652df8efd48540d87209f3cf66748e46d32d21c5d582c1e55b4118c56e4064d4182466c5e3efe4983e4e0ca8c02e6ca7f7d2bf593b7785f82cfd526c2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
922KB

MD5
34b6481ae40471df7f44d8de035cc389

SHA1
f24ed89d1ecf8c36274fd69a7b7cbd7c749032a5

SHA256
9099cd0e70824e989e3ec90e245198ff6dc21a0a1af3377794d3a470dda07642

SHA512
6d0c03655ac831cb959efdab726d350a67981f0c3170760a123fa697b11d33f8c6d47a59192e3763d3e189f8da3f7a03ed7a7459c3a5e9261557b65c9ca244b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
725KB

MD5
ecdbe128e7bfb5212f9918f92ca155cd

SHA1
2914706b156212682d478634805d0ea30996b5f2

SHA256
0b383ccf8d95ec6b32f614dbdeceec25973f165e992537f95d2b02b8d56e7028

SHA512
cb05e8fbff388cabe06da1535dbe30df0ab1c2f2b03ee88d3b4cc3ebbea132030d0578ce647a33e25686cc59f4da1e86e6bd3658086dbfbe317cd4b9730f5e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
339KB

MD5
59ae58c1cffcdfaf1213c8dbfa95a4e9

SHA1
4c8ead275c7912e73fde8829c801f8f0287081ee

SHA256
e2dec53a454dcabb056e1627e1b9d23c65ad70f26f4b19fd58b464275e888502

SHA512
4f3186b446052b9bc1d394240358584e58d25ae0b211cd0f43aa38acc11c0d35baef8448d2f030e7b86f1c6c2dc311ea5b9b5b60f378bb0bbd2cc247cd75d803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\temp_file_after.tmp

Filesize
359KB

MD5
d676f2bac96693020edf230bb87a561b

SHA1
d8245ee848ec124f885f1f61908b9b6a2e2c9bd2

SHA256
d7c83cbe9e3f7dca901b24027a4888d5b7ca1b4af024c9ff0f0cbdafbc031bdc

SHA512
97eb07e76fd70e01e50d38e376a1ff0fecc98116dfad14b04d4bc87f5ebc52735af9d07394768ddc0741d14ef1259f4412b043cf13fcf444fbd2ac138daff8cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ytcgl2sn.Admin\extensions\4fdacf00-e9c4-4ad5-b4cf-bf9800f184f6@36857116-74e0-4973-936f-860cd2a102a9.com\skin\crossrider_statusbar.png

Filesize
1KB

MD5
8b1eb9cb80417ec0022d278a44ab1dc7

SHA1
c49eb73f79e70b8ed96d91ef62f0bc344e41219a

SHA256
e358d97ba4c51b987fe73ea0ac0f14f9b2375e299f3e859fc37c21ab8b051ee6

SHA512
0324f2785d09f04c5be9ee77f1cb80a7afe06d66672baa862f63ec8ac59a2ae58199db91bb28e18409e918b222dcf09269013a270284213473ffa974d842c7d7

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\Glqjujnundzis.exe

Filesize
5.1MB

MD5
031dec704e62c722a25b734bf5ff6e80

SHA1
c1c70008c67a4f2966fd473b8862722bdc8ac2f7

SHA256
bdff38a1474a7c64e1405196a680d124493df393b1ad87356020a7482482f40a

SHA512
ab88c2f5c7f830c074977eba51562826051a74f39cbc7cca0593b8410b06bfd4b70a3dcdd4ff456e87f1d87b72ff6416ef88eca11b6734e8db6bf9b10f9cc634

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\StdUtils.dll

Filesize
14KB

MD5
21010df9bc37daffcc0b5ae190381d85

SHA1
a8ba022aafc1233894db29e40e569dfc8b280eb9

SHA256
0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16

SHA512
95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6EFB.tmp\WrapperUtils.dll

Filesize
69KB

MD5
2cb7f556341e254d282e7ec24a2c6164

SHA1
87053c1dae3d1c8f2a6b5909b30ffeb8ef085b8f

SHA256
def2632242ea5a7b30fd2808545ed81b1545aca18a0a517553db4f2dd1442d0c

SHA512
79cb47e48c09f39958ff944c64aad2a3ef5cdb02975b68b9dcb85712e1a24baf48f856a8859efe77b66c10e487535496c4618482e864819104fda86249b29ce3

Download Submit
\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\InstallerUtils.dll

Filesize
117KB

MD5
f82531707dbff737f2052698ab65953e

SHA1
ef011769695010f018c2f9a2b9071bc2bc9a89d4

SHA256
616fc6483570eb2f061b7bc77b9f323d3fc87040bedf4bf5b1c38da73769dda8

SHA512
d951213d5a75042d908e7106a47334f350fef4c9bef67ce6561a50a6ed0e937a16c72e375f6a1b0d7d91914375d7c239870d6b2be3810599ca6c044d71d86186

Download Submit
\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\nsislog.dll

Filesize
42KB

MD5
e47100b70748fc790ffe6299cdf7ef2d

SHA1
ad2a9cd5f7c39121926b7c131816e7ba85aeead2

SHA256
271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144

SHA512
88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

Download Submit
\Users\Admin\AppData\Local\Temp\nsj72A3.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
memory/1536-304-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/1536-37-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/1536-265-0x0000000002790000-0x0000000002799000-memory.dmp

Filesize
36KB

Download
memory/1536-389-0x0000000002A70000-0x0000000002A80000-memory.dmp

Filesize
64KB

Download
memory/1536-138-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/1536-972-0x0000000002790000-0x0000000002799000-memory.dmp

Filesize
36KB

Download