Analysis Overview
SHA256
26ce2133eade07dd0eb3233616ff027e1aef0e852b469f826fbe3fbee88de93d
Threat Level: Shows suspicious behavior
The file 76093511e47066096d20a881a960b433_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Drops Chrome extension
Installs/modifies Browser Helper Object
Checks installed software on the system
UPX packed file
Drops file in Program Files directory
Browser Information Discovery
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:31
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:34
Platform
win7-20241023-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:34
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2696 wrote to memory of 4948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2696 wrote to memory of 4948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2696 wrote to memory of 4948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4948 -ip 4948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 636
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
141s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-bg.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-helper.exe | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil64.exe | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil.dll | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil64.dll | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil.exe | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts.ico | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-bho.dll | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\background.html | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-bg.exe | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\Installer.log | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-bg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-helper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppName = "hosts-buttonutil64.exe" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppName = "hosts-buttonutil.exe" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\hosts-bg.exe = "8000" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f} | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppName = "hosts-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e} | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppName = "hosts-helper.exe" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634} | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65} | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4} | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppName = "hosts-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ = "hosts" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\hosts" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\ = "CrossriderApp0035382 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311531182}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311531182} = "1" | C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe"
C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe
"C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\CookieDbIndex.bat
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "INSERT INTO Databases (origin, name, description, estimated_size) VALUES('chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0','crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024);"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\CookieDbIndex.bat
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallerParams','{\"value\" : { \"source_id\" : \"0\", \"sub_id\" : \"0\", \"uzid\" : \"0\" } }','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallationTime','{\"value\" : 1730064774}','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallationThankYouPage','{\"value\" : false}','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO internaldb (name,value,expires) values('InstallerIdentifiers','{\"value\" : { \"installer_bic\" : \"307BCCF1C1E443E881E6BA6EC5BF2FECIE\", \"installer_verifier\" : \"16063b7367d16a6ed107c6ee8dda7e3b\" } }','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO internaldb (name,value,expires) values('chrome_enabled','{\"value\" : true}','2111-09-11 21:16:31');"
C:\Program Files (x86)\hosts\hosts-codedownloader.exe
"C:\Program Files (x86)\hosts\hosts-codedownloader.exe" /installapp /agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' /bic=307BCCF1C1E443E881E6BA6EC5BF2FECIE /verifier=16063b7367d16a6ed107c6ee8dda7e3b /installerversion=1_27_153 /installerfullversion=1.27.153.7 /installationtime=1730064774 /statsdomain=http://stats.weservstats.com /errorsdomain=http://errors.weservstats.com /codedownloaddomain=http://app-static.crossrider.com /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log'
C:\Program Files (x86)\hosts\hosts-helper.exe
"C:\Program Files (x86)\hosts\hosts-helper.exe" /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log'
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\hosts\hosts-bho.dll"
C:\Program Files (x86)\hosts\hosts-bg.exe
"C:\Program Files (x86)\hosts\hosts-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log'
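The process list above shows the whole installation procedure: an NSIS-dropped SQLite client (scs.exe) registers a WebSQL database for the Crossrider extension in Chrome's Databases.db, looks up the id it was given, writes configuration rows into the per-origin database, and then hosts-codedownloader.exe is launched with every tracking and callback parameter on its command line. As an added triage example (not code from the sandbox or from the sample), the script below takes that hosts-codedownloader.exe command line and the two Databases.db statements exactly as listed above, extracts the indicators an analyst would pivot on (app id, bic/verifier, callback domains, log path), and replays the Databases.db statements against an in-memory SQLite table so the registered extension origin and its 50 MiB quota can be inspected. The table schema is an assumption that approximates Chrome's WebSQL registry; only the four columns the sample writes are taken from the page.

```python
"""Pull indicators out of the installer command lines above and replay the
WebSQL registration step.  Added example, not code from the sandbox or the
sample; the Databases.db schema is an assumption approximating Chrome's."""
import re
import sqlite3

# Copied from the process list on this page.
CODEDOWNLOADER_CMD = (
    r'"C:\Program Files (x86)\hosts\hosts-codedownloader.exe" /installapp '
    r"/agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' "
    r"/bic=307BCCF1C1E443E881E6BA6EC5BF2FECIE "
    r"/verifier=16063b7367d16a6ed107c6ee8dda7e3b /installerversion=1_27_153 "
    r"/installerfullversion=1.27.153.7 /installationtime=1730064774 "
    r"/statsdomain=http://stats.weservstats.com "
    r"/errorsdomain=http://errors.weservstats.com "
    r"/codedownloaddomain=http://app-static.crossrider.com "
    r"/externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log'"
)
INSERT_SQL = (
    "INSERT INTO Databases (origin, name, description, estimated_size) "
    "VALUES('chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0',"
    "'crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024);"
)
SELECT_SQL = "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"

SWITCH_RE = re.compile(r"/(\w+)(?:=('[^']*'|\S+))?")
# Chrome extension ids are 32 characters drawn from a-p.
EXT_ORIGIN_RE = re.compile(r"^chrome-extension_([a-p]{32})_\d+$")


def parse_switches(cmdline):
    """Map /switch=value arguments to a dict; bare switches map to True and
    single-quoted values are unquoted.  The quoted executable path is skipped
    so nothing inside it is mistaken for a switch."""
    body = cmdline.split('" ', 1)[1] if cmdline.startswith('"') else cmdline
    return {k: (v.strip("'") if v else True) for k, v in SWITCH_RE.findall(body)}


def installer_iocs(cmdline):
    """Indicators worth pivoting on from the codedownloader invocation."""
    sw = parse_switches(cmdline)
    domains = sorted(re.sub(r"^https?://", "", v) for k, v in sw.items() if k.endswith("domain"))
    return {
        "appid": sw["appid"],
        "bic": sw["bic"],
        "verifier": sw["verifier"],
        "installationtime": int(sw["installationtime"]),
        "domains": domains,
        "log": sw["externallog"],
    }


def replay_websql_registration(insert_sql, select_sql, allowed_extensions=frozenset()):
    """Run the sample's two Databases.db statements against an in-memory table and
    return (id the SELECT finds, [(ext_id, name, bytes)] for extension origins not
    on the allowlist).  The DDL is an assumption, not Chrome's exact schema."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Databases (id INTEGER PRIMARY KEY AUTOINCREMENT, origin TEXT NOT NULL, "
        "name TEXT NOT NULL, description TEXT NOT NULL, estimated_size INTEGER NOT NULL)"
    )
    db.execute(insert_sql)  # SQLite evaluates 50 * 1024 * 1024 to a 50 MiB quota
    row_id = db.execute(select_sql).fetchone()[0]
    suspicious = []
    for origin, name, size in db.execute("SELECT origin, name, estimated_size FROM Databases"):
        m = EXT_ORIGIN_RE.match(origin)
        if m and m.group(1) not in allowed_extensions:
            suspicious.append((m.group(1), name, size))
    return row_id, suspicious


if __name__ == "__main__":
    print(installer_iocs(CODEDOWNLOADER_CMD))
    print(replay_websql_registration(INSERT_SQL, SELECT_SQL))
```

The id the SELECT returns is the name of the per-origin directory the later REPLACE INTO statements target (`...\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1`), so on a live profile an analyst can read Databases.db first and then open that directory to recover the InstallerParams, InstallerIdentifiers and chrome_enabled rows. WebSQL has since been removed from current Chrome releases, so on an up-to-date browser these writes land in a store Chrome no longer reads; the regsvr32 registration of hosts-bho.dll and the Firefox extension drop listed under Files are the persistence to check first.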
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stats.weservstats.com | udp |
| US | 8.8.8.8:53 | app-static.crossrider.com | udp |
| US | 8.8.8.8:53 | errors.weservstats.com | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\InstallerUtils.dll
| MD5 | 156e15e3dfcc2f2ff2dbcc373fc11f53 |
| SHA1 | 5ff52623dedd7efefac54dbd31b5d1bdf0f3e799 |
| SHA256 | 4618571c27877641f83bfb312aa5b66ebe4a8954dc898ce4e640aeaea4dc0693 |
| SHA512 | d4930f0b49dae5386a92124b954d1b82921e07da2a9ffd9d854f6ab6f03473e591d3b67f0aa8ea19f83b480be705d829797e62825fda50ffb074bd4734b265b4 |
C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\StdUtils.dll
| MD5 | 21010df9bc37daffcc0b5ae190381d85 |
| SHA1 | a8ba022aafc1233894db29e40e569dfc8b280eb9 |
| SHA256 | 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16 |
| SHA512 | 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e |
C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe
| MD5 | e92df8cf0d3988c26395a390df381024 |
| SHA1 | 2ad26f6562595e6e16cf2bb468213099a7583aa1 |
| SHA256 | c4927a7adb6f99589eced1b4a6e4056f52245ae3015b927d70622121270be5e1 |
| SHA512 | add4d7c17bebed385024360d59f72e86d6af8bfa275f8e76aedc57a318828b2482ea3b1d272a98bca337b4bcf79aa6621cf1e00efea406f92e04c1d7a56f098f |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\nsislog.dll
| MD5 | e47100b70748fc790ffe6299cdf7ef2d |
| SHA1 | ad2a9cd5f7c39121926b7c131816e7ba85aeead2 |
| SHA256 | 271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144 |
| SHA512 | 88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93 |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log
| MD5 | 35085713808395ba1a23ab1013de83ef |
| SHA1 | b388910ad85c7aeb931e3dd184c9429b7e25a725 |
| SHA256 | 6c5c6b6f46b1451ba49b85a68177e918fc2ae8e97968b8c596c47293bda08b7f |
| SHA512 | 7d1d999a75cfd53e6e2d56eb82d6ad1a7ad411c16dc6926f24ba244c424ff5c609ea0d578eda9fb17dccf86514a8293ab07719610e43677e68e7dbf9eda839fd |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log
| MD5 | e9c8525e613974f5722ec4617b04325f |
| SHA1 | 37629ec814541d54b41e158eba974de4cf7e02be |
| SHA256 | 46f3b1917db32cf50a616dc68d77b6c2cb0ae22c21af9cedc7630ed461521107 |
| SHA512 | 852597e184ad0038310b14cb6d7f1a743ea615b77e555af6d81854e1425c9f602b791ef622724d836f83a2ebecf7865ad997d87355ce19033186d57850e750d0 |
memory/1280-243-0x0000000003430000-0x0000000003439000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log
| MD5 | bbc0ad3ab163dd1f0e7418c9b1b34815 |
| SHA1 | e373df3e7132e7b6ee28130a2a21b0f6406b271c |
| SHA256 | a2f2154e4a8fffbe97371b5b4e9e9fecd2cb1b3baf56fc72a11ff9e89e238757 |
| SHA512 | f44efc14f58cf55830584a89154b2bd4a129eead131769ad18fd8cdb77aa61796e086fbf398ff999bd46a460f61d1659e9e22f8fabc1f52f2fa2a387abbe17dd |
memory/1280-36-0x0000000003430000-0x0000000003440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
memory/1280-315-0x0000000003460000-0x0000000003470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp
| MD5 | db6715bdf5b2b5e760fff6f6879f20db |
| SHA1 | aad3fbb9da6c7515c4bbb8602362bc03f6b0a4c9 |
| SHA256 | 65952c10bd4d364832de4e56c2e161501758e88fea26df146e3a28d42b30f44f |
| SHA512 | e3842ebea66e4f696db71b57ff6b4714d68acdaa8b38e5a83b3f4e086c45a08a5a47f917a6688ddaa21de97e7b91e157edeefaf4366833ceb286f390e093be64 |
memory/1280-447-0x0000000004310000-0x000000000433D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\ZipDLL.dll
| MD5 | 2dc35ddcabcb2b24919b9afae4ec3091 |
| SHA1 | 9eeed33c3abc656353a7ebd1c66af38cccadd939 |
| SHA256 | 6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1 |
| SHA512 | 0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901 |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\CRNSISPlugins.dll
| MD5 | e95a1945663079496ac8f6374bf08d44 |
| SHA1 | b4b35eae891b2e06b1f559b12587b6ca54c3e82c |
| SHA256 | d22c4dba24a3fe2fee0e5e22bb1744b8b11e8e3dd4190267a9086c9efb514537 |
| SHA512 | e4140888236bc2759e09941c51f8f97be2a73ab996c60e4dc6e25a61d8e59f613f90fc9bb8c073ed0d463c0f91951fd04f20d272ec5383fd0ad2d5450abbc972 |
memory/1280-544-0x0000000004300000-0x0000000004310000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\icons\icon16.png
| MD5 | 5fabc6d76523647c4b48b51fbd517408 |
| SHA1 | 4d009569658443968cbca3516949c9632cbd25ae |
| SHA256 | e17f7fa24d6ecd81bc2abb172a0c1eeceff830867ea45728eb93918eeb4c607a |
| SHA512 | a6720e4ff1a68074e76d3d744bd45584f76c4b209a6b3badc82361dbb30b19ff1c5aeb30276b9ff991f3069e37716134400ae2fd85b209590db5a2e0ef3f2bde |
memory/3416-572-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\ExecDos.dll
| MD5 | ebcf9f71d804abab3c2e5ce4c17dc22e |
| SHA1 | 17d13084e75cbfa5fbfdd0025e9a0ee5772ae765 |
| SHA256 | d387b725afbd2a6f9b44999278d21025fae55b391e45f7751b88dfb13511a993 |
| SHA512 | 5576396c2d885c039668d7f401eeee583eb4de39e8497c3aaec32d47f4417a522fe6786c111d50a5fba7570f50e84144ef3a8aea42677d170e79114343c3a4a1 |
memory/2808-597-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log
| MD5 | c18ce26b70c7014e88ceb9551b7d053c |
| SHA1 | 8d6e34f63f8fa556838491b0ffe0288d74bdec50 |
| SHA256 | 23839c51cca5c6f6c46581b205e3d56e2ef88b6105602a7331ac7c0208a6f93b |
| SHA512 | 9ff2a72e73bbf63b8b0f7efc3509306ab9437c1911e3809573e311bfb2c39ab606fda64d933b42e2d05b30b622de0014d2ae63151e4d6c54de4d8e877bddb108 |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp
| MD5 | 8ee8dfabbedf837a740ed2d1f19d6768 |
| SHA1 | f9462110b9623b63116387a3be9cf146845538c5 |
| SHA256 | 01fcc24c1d9d68fcb99b7bccc254e660d4f01c6d0f5bf37af3ac0626912ae9d1 |
| SHA512 | 8b6b802ecd54be30bb1ba9907912d81de174c4fc8470533e9cf5380cdfcda1c62a4893ab75108a598508791e540b92d592a36757ca6e3f9e66d479162b929c74 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\extensionCode\pageCode.js
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\button5.png
| MD5 | 8b1eb9cb80417ec0022d278a44ab1dc7 |
| SHA1 | c49eb73f79e70b8ed96d91ef62f0bc344e41219a |
| SHA256 | e358d97ba4c51b987fe73ea0ac0f14f9b2375e299f3e859fc37c21ab8b051ee6 |
| SHA512 | 0324f2785d09f04c5be9ee77f1cb80a7afe06d66672baa862f63ec8ac59a2ae58199db91bb28e18409e918b222dcf09269013a270284213473ffa974d842c7d7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon128.png
| MD5 | 68447a995095517de966faaaa441320d |
| SHA1 | 4229b0c045b7bfd1546cdc1f4e38c68135326fba |
| SHA256 | f4223da0667e669eedaf4878678dae1637dec401ff7bde29dd56b8d1fc4e8d3c |
| SHA512 | f52164a45b182c10bd36dd9fe34e5c047e8d55b6e86eaf4726efa40ef159ef6f586066b1660f45b2c6bd987f8ca90d0039e857e066db209837d9aaa1e8defe65 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5keoqj3l.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon48.png
| MD5 | 12e783f1b55f54b719444e958d0f654e |
| SHA1 | b147828f4af4fb86da89b0219ea7ff2da1d84a1c |
| SHA256 | 8b1bc99525aaa27b37216beda75ae7b457e0d8792b91506a736e7415f67788f1 |
| SHA512 | c44bb389bda5dba024c57cd4601c3dd5fe35a992c973eabd63aba4e8fb1e221e31ae06ad6e459b6c808f469fa14163722a11acc0624f43d797e5377e5e4486f6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\install.rdf
| MD5 | d9714eb9c7ca8d6f12da011cb85a91b9 |
| SHA1 | 083b561967c9354264d1eea9fb5c7e0bbe41e81b |
| SHA256 | 167c43e0790c97ce7d1c76969c37a8e314016b22ec5d10effabb7bc17d5c6499 |
| SHA512 | 70cd919b42e7b7462261f1a46277786f92152ee3d9d07b021b7c44980e72051c2fce60a5488a192be87941a22f6563b9f5e475ec3510e097ebcea28ce1aebd44 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\defaults\preferences\prefs.js
| MD5 | 260967b62a302147d44c771cdc3d2c9b |
| SHA1 | fb83a8ccd8facac7c9edba98f6ce04274de8e903 |
| SHA256 | 86cc451482895a5969813477f72812ae03fe462c7a11fb6f106d67905565f5ae |
| SHA512 | 18ca7c6d42fd4fa8f63f66df11b1f6c543c23420e11aa754d272a96e58a6665f7ebfe02d208cc3f92726998d4cecfa23ebf39a0e6ddd897b4196fd6a6172a84b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\locale\en-US\translations.dtd
| MD5 | aae23d78c89bb64103e8d668bff80223 |
| SHA1 | c0903224a450ec3b506ede665b2fd8624f94aaf6 |
| SHA256 | 10762cb296f01536427e6592d4c79b08ac48b1c45d12e7b36aabcdd3c1bd299f |
| SHA512 | 79101b2fcaf52733b9f29607f15c4679c6ebb9edbe9caa44b3e138333737b5b1302aad9e78a788601b9d8c8e7355fc85e02b2d5f8b00c32cafe0d54a5c7b6d1e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\dialog.js
| MD5 | deab4dc957c13108352c4f014b242353 |
| SHA1 | bc63ae0c5744a1ad67821937873d1829ed64bb06 |
| SHA256 | caf871b1b90ce840acddd2cf04237dff5d3a992dce765a3996f630c669bd728c |
| SHA512 | d1c59e171fc40e531e2a70542688d0c6d300e2cb9b68bef7b88d5ad35c985e6b1773c437a746215dc63eae185307441f804ea265ac98ea842cb0caf58056e784 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\search_dialog.xul
| MD5 | 68e04f0a85d4cb05c54f268e5e59fdc9 |
| SHA1 | 2a465323fb0d697226d481be9c599f94d62fd150 |
| SHA256 | d61aae08a32e9987caf41d35bad06f2a2cee4bc094bafca7afec0648a2edd1d6 |
| SHA512 | 2853de596d4a669fc6e13646524646277a74743c81077f1ae6ed40d1972ee621a1e7522b1a017b55c1cc578831503b864020d26d1d992c1aba33afa4d34d5c9a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\main.js
| MD5 | a5be5ea81e0b1653d3fa31600a0a36e0 |
| SHA1 | dacb7a24b99dfb9dd4541b00e4241db7df7a219d |
| SHA256 | ae4b7f033e53b8887c054e25fa6d3e7d754e2c97011632940685c84011e478f4 |
| SHA512 | 39c69767688b0e483844b3b03a849a5075e2ae520559c15570b4509db1d125c2db43e7465193d57b9b7773c543c1e7c3dcf9247a402da7c8f0d87790226799c3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\registry.js
| MD5 | 769dbc56827458c72b7ad8098c91e7f7 |
| SHA1 | e8dbd8c650c6e35e064bee32e93200f713ea94d8 |
| SHA256 | 2ff6758a857e848cc6d30ddc02d18000cc062048b1df0b9ab59e9b9cd08107c5 |
| SHA512 | 36fb166d5f74cd17a79338192e67fbc1ae18cb68a9c0422513f1560d6c1b3d357e6a940a1cf5128fe4cf64dd199aa5c4bb7689d70e6887dd7fef01cc7f3d58aa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\updateManager.js
| MD5 | 9fc11c16a573da4dba7764fc111a50cc |
| SHA1 | 4035d7a0a8383e1b93d64fc161e3274d5f428ae3 |
| SHA256 | 5250fe36cd0617f8497a8f2da1003fbfebe97b01f26f030728a26d33a438fbd7 |
| SHA512 | 060cc213c87cb7f86809f8d533d677171f798e5a32519f0467e4ee2605319210e87b666c784d49e490326595d482fc37ca840ced537e0b4161ebef4abd99301f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\progressListenerObserver.js
| MD5 | 3e9a68cfaeb26b1bf7b39037a5670d38 |
| SHA1 | b6633a830be19b218af576417d0fec7ab5dff435 |
| SHA256 | 96474c2cef1c5bc83df3d8bfc19d4853968925ea981b0a5c09b160fc15b59f18 |
| SHA512 | d5b85a1df2e678e70d50ab5e7cf1e84707288b8ad80327c9eb9f65b2c803378268adf3f44a43078080092acfa26611b0dced54c754ef0bcded03fdc3fd902e17 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\consts.js
| MD5 | ef2e8bca169a0e83e6e1a1daaee07c4e |
| SHA1 | a78279e9bd75e866a18f36cafdc4e4385d88610d |
| SHA256 | 2f39c546d790606df3c1885603984d2bfc94965222b48f6eed74447552114673 |
| SHA512 | 7e86e8447570714ad1975617c159208d217132857775e465d12f9bd7902b7e65757c621841e7822db142ff045ec6a8ddd07767b92a845e3d3627e0acdf94b672 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\delegate.js
| MD5 | eec92acbcfa9d28b43b64aecc9e6c1ee |
| SHA1 | d4253a3cd8810d575e1100c58f088d70e063889f |
| SHA256 | 1f3b9ab2bad072151166127c9bb92405e031ad8afdfe2f9dd5ebde86ccc0236f |
| SHA512 | 62f3856a5c2c5e408e68f2f4266a86c9f49411e92190d9e865144ebcae0907a401f2ee808bc7a8cb135504997a6afc71b7f7e85ff18c68175dde88b0e1b67b93 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\console.js
| MD5 | 9844f60e1179aea762ef53ec0d542fa3 |
| SHA1 | 25cb21241d80f8ed03dbdb1b3c1d6d487415acf0 |
| SHA256 | dc619581ed2a7ef130c5bc780ce0c18bff78ca27ce98a0689bf3178b2b2967a5 |
| SHA512 | d40b6f2b59bb32dde9309bc9533052559b17786afa899de5682f2f3322492fbc583323e84cc98cbdcf2f46d1b6767e71fdddd68dd9eb695c4d304de33836fed9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\pluginsManager.js
| MD5 | a92e9ce9e1e0ad01baa684c419ebbb8f |
| SHA1 | 850271a386aff13b2d2f16d3e70778cc8a655519 |
| SHA256 | a00e24fe9cfbbba7fb75c930449d86250c96644755fa3c78324fd7aa3eb04f9a |
| SHA512 | 469819873a662072279265323d2c5585137958387599bbd10c11a12c0e924b71232f23714b3e8f1690d6cfd1d27fd772d11a4cd3ef8afd94db9a7eecc228cb17 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reloadObserver.js
| MD5 | 0587e06fa0fb578c220245ddb95f7411 |
| SHA1 | 52df8780d25418d6fb90725c9816080e01bc5024 |
| SHA256 | 9ed7606361daf6580e6ad953e7c60e33ab4dfb0e07087c577aa4c9475276ed4f |
| SHA512 | 0a1ffc4cc91ba10c0998f7f574ae1f5a9f2010b4ab62610d780ff0ad72078f9d610a1bf906e5e8270d6ef68b9cc3d439a333757ab7e9fc32609cf2bec4271b78 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\searchSettings.js
| MD5 | b1d1b15628eeab4bd8ef82bea8b9110f |
| SHA1 | 845cbc7fc818ed1879cd3f53535fb1a0c951e2fd |
| SHA256 | 594d3976d286423db7a94be62ad9bbc5ca9d5144fb94c7f061f4a2e14e5b82f5 |
| SHA512 | 6900766534d55f79c75fc53a7acd156ae4d53a336ef79ad8d8fb2b2be45c92233458fdfe971f0502b27e83848b35892ef58851b3b39e90aee1ae52fbf337f159 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\xhr.js
| MD5 | b4a678cc9885730cd03de0d100bdcc25 |
| SHA1 | b0771a929a9624c256b45124e6f0c999707380e8 |
| SHA256 | 9cf418b2562821adfc68368a469d843e7dee0f0d087a45866c0d8279c52fcb29 |
| SHA512 | 9caa0eaf2eb874d683c41f37265232630168983969e2a64dc666add6a4c3c5e82aa316489f7a3b383da5fc52efa4ea705eeeca39528c1c1c7b9dc01058e3189d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\browser.xul
| MD5 | a82c0de0f37da22a6e07ff2077e8f318 |
| SHA1 | ae361ae3f52c2f7240c6275a6c40166796107c30 |
| SHA256 | d0ef8d510db101253558497c1ebb21410da1f44653d59362cca22e55b5025172 |
| SHA512 | c3e8917e8f3eccbd9e2580edf7c009010aa76446d92f8cbf073b4072e483187b413580ae91d51abaeb7f8eb6eb8c01bf914c4119a1ba1878222ec03bce542bff |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\prefs.js
| MD5 | e7ae2f5a14532b1b645d14bc04e4a12f |
| SHA1 | 592ba96aa9d7e448fe67e92228442f9312c1ae32 |
| SHA256 | 6b97194d415ded6da5abcec8566073bc3714d2915ab48b2f96e4b5ca72043b67 |
| SHA512 | 08cdc93db5de34e288449096f7c960a4a788ca73b436e2769a108fd2a479e59f26d79605d19422e73d67ed623a63952ce8103c166e68bac2ac78bae03192db10 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.js
| MD5 | 80297932a5645e651b2bc05c65cb8cf6 |
| SHA1 | dfb36a890b134fc09bb003c583f93c978e717f7c |
| SHA256 | 12bdfbb75c0b57ed66756b12d52a8538ca83eae7f5c5c3574af3f24a0d38a78d |
| SHA512 | f5e97c10ce845990601e0d1889bc6173888a971297792cf85d10f6fd77428c445f81fff56af0576bd365abb22583d43dbaad3cf958e01596bd904b72f893a275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\IDBWrapper.js
| MD5 | 44bd338a01fc265a1f48feb6109cffd3 |
| SHA1 | 21a16911d1a82b1ad847b7a9c94f95127eefca60 |
| SHA256 | 4c2e7321e1db1e55ac0d22934c916467d45767c85a65843b942891f983102da6 |
| SHA512 | 9039535ed0910662afb0148598e3326bc50641887e4dd8907734cf0d1093655ee3c481c0d2f7a5581e5846cac804e1c10c33b896f78895c858076b2c605569c5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\utils.js
| MD5 | 7f67b1f11066759f19de77335aa9e162 |
| SHA1 | 5c689fbf820dded68beb78a0695569ea6b7a9e5d |
| SHA256 | 89e7e4c46c456bf2464a0997d864baa564da84eaf59306b153c38e08d643a00d |
| SHA512 | 7460af03a7360682481a8673a13cd675d88a52a5d565d8a84e379015b3355ef5e7e94e75c53047a7f3993478014aef457e85b6cba606b6af41ed3f7a434e676d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\uninstallObserver.js
| MD5 | 1f7e4557cc0450b1b59f088534a972a9 |
| SHA1 | 09ddb030e2634dc6cb6dc8bb99b035e35fb20dbd |
| SHA256 | 430d1975bfbdc7f878e442a0c8f9cf9d0a3a1c3a5752b5b13e226e11b2ba6aec |
| SHA512 | 078ec9639458bec7b7de1c399693b9004d9e6eb354dc130c65aa8cd2c3e78325f44388024c931e8135c90e92a3f82641ef8d2bd3f45c1beff75147377bcabafb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\request.js
| MD5 | 7188f8b638a00a897acf7d6db9381c8b |
| SHA1 | 8394559d7791715741cf8f1dadebe7b7ad15132b |
| SHA256 | 306b1301a4f737d7a7995168a969bc730f26857a39949fcd4899d1dd0a6a3f9d |
| SHA512 | dd950176cbe599602b660b767c1a85fac866b00d5b025886efc01d3e488e7b4e5392da3ac4b73956d753c102ac297373e0834022ffa06f0bfad07c78c6c833cf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\requestObject.js
| MD5 | 58bb6d11d1eaf46767cc60de67cd9454 |
| SHA1 | d7c575929c2d14b8cc155879069fab443c44eb3a |
| SHA256 | 4b5d3e7c0a686c55dfdf2348533a6aa8ac2a768bad01673bbee717a92dce44b1 |
| SHA512 | 41d1262f1b515f6990ba0ac41d446230d49873ecd90df6d14d6ecbf767a5aa923d2ee9405ef9cf0c96a9c323a1da125d84fb7c26bb1a19a02a8b05a01e725be3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\httpObserver.js
| MD5 | d84f78673765cd850eb1600fa60bfeb1 |
| SHA1 | bbf3b8f1a8c03b4733b326b9a36d02bb55902620 |
| SHA256 | dcb0ee2e8733c03f33347148eee0c60d910c0bf511c75c959b0e46eb9afcb915 |
| SHA512 | 8714f8df6b813bc4d6ed78a1cb6697f2aea3525c3c48961b7e4feee2b43a601e137899fe88804b451c3d104a9d9d405a1daf82b7a510cf8bf7f1f38c22e94af6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\installer.js
| MD5 | fd3f295f1c17b33d7a80103564a7f221 |
| SHA1 | 0d67ce68dd98f31c3c8c2152a23aab11b6a3fe28 |
| SHA256 | cb89a5f1f1d1bf601c8e257562287e5011cb982dab2a673658eb9c6f9065a9bb |
| SHA512 | d499507d6b98a7247739d8083048317a133e625d57c650c1993395f753c9ed95c832dc792609b9d632cad007f142021c4ff0c1882b2ccbbcee4b70ad985bad1f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reports.js
| MD5 | 60fd9774d8bb9d6eac945da719e68428 |
| SHA1 | 6f04d94ad0c566f23f432d3457e8116c0f97c119 |
| SHA256 | 0c4cc49edbd5ba2c99efb98fcba81d1390f87d1c6a7a749f0bec4bbf2adf0e2a |
| SHA512 | 20b7fc3a33eaa5042370965c2540fc5041ee3d188c912608e7d6c8d0632993c51dfd2b4a53e2b4ce1f02ba7b2874e228e968780aecf4db6b6f7c71eccc5935c1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api.js
| MD5 | 311200eb1ab011b88c0e9545a4d2d049 |
| SHA1 | d22bf13518c77d46e45d556adf6244a251ccd3a1 |
| SHA256 | 6e8e5a4e707c5a0b8146387b44c66cdbd33a6e48c985e3800f9dced605f69545 |
| SHA512 | bca612da6341a485b4fdfd02197f02347b30e2b7cd0a23ebabdae6140de827af205afe59c62ab50749880593358e59a238d627523ba1fc81fe08cbee54553939 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\background.html
| MD5 | fb162e226ced64d0b4d6e53ed9f82eb9 |
| SHA1 | 2b1d6ab496785d96ddcfc712a942a0d1de8ef018 |
| SHA256 | 3f20ea55cdb879a1babf8ac3372e2cba7bd21586017e7e22dd49050cb1d03140 |
| SHA512 | 864650849cdab6609f2219960e04ba33a1878bda8b76c326d08fb5ad5410b2a54e9c84c5c1a22efaba832e16e549fc2a7f59421b65db9f9566fc7c118f44daf0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\baseObject.js
| MD5 | aaba4db5965550fa33599a2888151785 |
| SHA1 | fb472dd90e55164f05774d9778e97a644ed2628d |
| SHA256 | b0e6494d211fdfc5b0eb3f6668ccbdfd8f99d065440e4c60776e32e1b574ff44 |
| SHA512 | 19d805ec4989b4e9eff4c855c4ae871dc81346f801392e06229d0e359f96e16e05108e0ff4c6207f9fb72c40a9e6aa9aef4069c7c730bd02c316b8f4d597914f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.xul
| MD5 | 275186e0a6d4ddabbf8bc8d1b00add5e |
| SHA1 | e4b57588e9be7de99e4b057801977f3614bcbf9f |
| SHA256 | 9a36a603d325f00e102539ec8a5409b1b65318145fdadf70bdb8a429af471fd2 |
| SHA512 | d06d14889c105e5440232ddebc2bddea8061f6e040fd35a46c4a1858d6fd60d4397729160f7de0400c3cb556419fe6b3272b5ec20368a6cb0f68fe1589ea2e39 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome.manifest
| MD5 | ba60b7b3decd2b1e30e55e4301e20de4 |
| SHA1 | 61ee703b552a8826fe1086ecc5abee4d45bd92c8 |
| SHA256 | 05c4744db6cacb64b25a23eff0c748ac24e6fb74e2791341cb26e154861e598b |
| SHA512 | 8893279ca4f4dc3ac4f4c91da402a759663b2aa3a5e2ac779be03fb3a242054d80c951c4d103faaa02abf103bf58d173fc50c417b0505cc918190fd718280fbf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxOmnibox.js
| MD5 | aee13ba60482e203c4bfc871339b624d |
| SHA1 | a8c42a0844cdc5f5cd7ec7ac033c7fcd24ca96ba |
| SHA256 | cb043a814632118b25b305ca6cb0abffa1e10a502df054f2a17554bedc299913 |
| SHA512 | 06b3938eaf16459456704e8edc12171786954f707fe166820ca4fffa35c9e8724c82dcbdb88a5f0b24d842df40c041d6acec7ca10f4e85fe5d83b59132dae544 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\message.js
| MD5 | 8a07017e0756e912aa9fe2fa7f722456 |
| SHA1 | ecd41edeea92e2e00f2b518afb1410bce30792bb |
| SHA256 | 1501c3e6e1b668a191ace44009710e603d9f036e3d4dc405654162f65674a953 |
| SHA512 | 4e3ec3e61114b67a3c42c968c1a88afbb0b5d1119f98140991147e644463e7226cb2d7db17bdd6980ca206f6ee559e2fe775a009ec93f29fdcd1b9955b713123 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxNotifications.js
| MD5 | 2cbb07727f1ad5480752694ba113854a |
| SHA1 | 19c82a1dfcd0e7a8bc442ce22ef268d699b9e674 |
| SHA256 | db1a27b86d4a1848cc0e8c5f1887ece15ebab250bcb025d1e0aa2d3c029d9b40 |
| SHA512 | 9ad1b14c3febc6c74474680c7b6c02d8294f7f996940d4ca0d448cabcf2fe7f15249aae5fc67184c49d4a82bc236690f85403746932ca6df4e93197f209f1291 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dbManager.js
| MD5 | 780b66c8196bd869af8eac63d695d9c9 |
| SHA1 | c02d465ce06fdc40e8adba0e463fa3b609fdf56a |
| SHA256 | aa61b53209da3e4ac51c69326d7d31168cd14e34808d8c71784e804aa970e486 |
| SHA512 | 54b8e3adff18652cdcd84a5759125d061e50a0f074ceac89a31085bb31096308244824e24980330b5c9d0f68c52a95eb85b3bb2ac36e3e5645bf2e3fcce71b70 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\background.js
| MD5 | bad0c2449513ec4ed9ca13eb55591aa8 |
| SHA1 | e260a391e5dc7913ab3b81fe8da607ee43fe45df |
| SHA256 | e5be4a0d2f826fc13592de1befcab2b639ba169b3c74069f604dd16739d20779 |
| SHA512 | a545d32c4ea9313a30bca7c773f8c9bca640d98cf73fe1487c248ccf79d0cd916b122a0d71e5699343692cbcd3c326f10a0708a7263e794d720023d2c4e5c0eb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dom_bg.js
| MD5 | de002d9604f09b376b85159f289b75a3 |
| SHA1 | 5c6c4ad17b914118f387863ee5982aa52ac34c09 |
| SHA256 | 0e095eb0e16c343ac812721b182bea66498fca55ecd899ab5eabf9e0afb792ce |
| SHA512 | a29071d597111b9e7335e5dacbaa19715950fe03072eebdbc15bcdd2021958d30522e4af00fa711059d0337f4af4c4913664ecf266177607228138c4cc2157dd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\update.css
| MD5 | 36ab40a4b899472d25a3c872a7f9ad4d |
| SHA1 | c29870d67d954de9c5c32783ce28cf7f77d13ec1 |
| SHA256 | 4f0795bbc78e195bd977cf489c05543ac86bd10f95fbb83a5db11b17c7d7f664 |
| SHA512 | 9626a7a269acebdbcacd31f4d5e4f70e57873cbd8eb4e835b2d4b52c863fecf6a27f474124b508a0fed8614bc6e3165be38b0930c7a96326afbb23343cca514a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\popup.html
| MD5 | cbdf4e688981915b95a3741d0c9d5fe5 |
| SHA1 | e4f188d057f04638443eab966002e7feb63bf61a |
| SHA256 | af11066b4ff2a7d851cf85d97b655557240303c89b1615ca0ad753926af3602c |
| SHA512 | 9f83da8364e3722ff64c6feda4bd7acea4bebacce479c01e7be7ac59298c0907a3a6041c8724f40e8fdbd1056cb80e1450676eff581b1227b22a4747083ec451 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\skin.css
| MD5 | 4bd957ddde2bb2e537060afcf55f1f72 |
| SHA1 | d0d4cb8fd259bde8e297fb68326c6a4a1bd6ce4c |
| SHA256 | f3fee308a875a4d7cca4cea16ce548dd652df2f10ea8dd2d1aa11c2ecdef4b0f |
| SHA512 | cd103bb1b7f1ccb2a483d8c974150d5b32676616d325564615da1e09b024e821a0df4a1e815f8b7dc7a6fd0eb1e70156bb186bd452040070036f96958e869d92 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\tabs.js
| MD5 | 7d8a2c2c54f33325eb30368eba7564df |
| SHA1 | 72e5449067e0c85242cb28c8069cabd547908d50 |
| SHA256 | 34989f3c20224496c68d06621e67628d3ab4dd5d558175593710c395369121ed |
| SHA512 | 22ff2058cbd8d2eba7ab56f6990ff9184932cd4aea29431a971d5e947758a69438d041b1cf19b5fa1942e83b14c6df54e625d3c69a03149dab40ee407134fc91 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\browserAction.js
| MD5 | 60c4db63eb127e64d24f7e9f37e43efb |
| SHA1 | dc799abfd6c2538d0b37e85936e9b80bac02badd |
| SHA256 | c11736a73ed063efe51c0fe49d236bdf7d3972ede001763749ed060b1b028581 |
| SHA512 | 0dc9a6349d4bdbb533b4018ad768ba26051477f50a7f47d3ddf0b921bb05176d4133a2ddac2f1013df468f130aeb27b950fba9e6a8367ce206d8e8c8f67bc0e1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\asyncDB.js
| MD5 | e377ef2d419e60d15b422da1295201fe |
| SHA1 | 92a1fea50dbb2853c5ebd95a039a5fe9ffae8c02 |
| SHA256 | 3277002ef6bf5cce6c956dc6e0638c6091351b723023bb63416e60a034c1fe17 |
| SHA512 | cdca13250f0658cb17d217d8b898ed41ef256b8829c1e572ea2b966e6d5c23ef122274c192147e3387b4503a4230543eed4dc34a30fd14dbdb6d93b745b88626 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\contextMenu.js
| MD5 | ce25d7dd7d7e34dc5b92d25861cc2947 |
| SHA1 | 6f459ce6d14b57ff1f9b5f9271a29a7dab59f880 |
| SHA256 | d8a5816494dbfc96b41c00913f4d61c30ebafd454b5d7107d3a876a2dd1dffe5 |
| SHA512 | cb0f3b6c24da47fb8458726db4341973e3f6ea5f738988b4c084493605662a0de330304f3369db0454a48ba28e9381de5be2a23e3f70508b19dff61fa9f81d7a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\fileManager.js
| MD5 | 81b4df8409320d739e70e9d4cc4c62f7 |
| SHA1 | 7f5e03ed6d5d66fb9a0d052761731d302df21eca |
| SHA256 | 7817b095e2386aa2aeafd5a7c3b0b974efaab2c71f0b3833ad344ff6c80d1e08 |
| SHA512 | c0839504db12cc2dafcc127cb0d25e29f1393c3d7b7ef6a74d0e5ea9656b9894cb7e7cd8c244eca2fa00b1df414bfd0638c22d37cb1049ed51e905a966417720 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefox.js
| MD5 | a1cd4406d7577807a698aa3995046192 |
| SHA1 | 7dc6d8b6718d8e3042f9b959939eb6d1caaa4b57 |
| SHA256 | 5609ed9fa249166c8dafe7eda048c86486574445244d2dc509fb617b87b5d7f7 |
| SHA512 | 9421c2310562ad6f9026d7f710ebcfc4957022219e972db3424b5f926a7a5d5e85b8cc5d0ba47c0214d2514f90f31b32ed77f887b8279fd5e90b74ffc341768c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\webRequest.js
| MD5 | e8a80e409e40199e3309e5d37dfcfeaf |
| SHA1 | b74ce420ab51a7af5901cc2f17b3ba19ff2b847d |
| SHA256 | 8e82ea7cc89b91e80b5bd904ae3efbc34daac4374f1c6089fa25ea9ec2ece2a9 |
| SHA512 | 4e7ea24f342197675e1d1cebc61c16aa3173bda6e96d616d97f8978b180d601294c1c82f845209b1f5b3ce07dc71c1e75c042fa476415960cbc8b7017e6bb316 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\panelarrow-up.png
| MD5 | 752c26453dc2fc989ed46f5920328edb |
| SHA1 | a064ccc009ee36c20dd5a8aeeab1a335bf82bda2 |
| SHA256 | 758210b28ee3298facef83c81272ef4121f337392ef5bdd44e47222ec4966beb |
| SHA512 | b0c3c58ca36e7dfa9988bd68a0432b01db020420e3406653ae8521cded576ebedb9169df93f1a9dc461831a52c0297854fdd23554aca551d246de01d17db80d1 |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp
| MD5 | e2236f4df18b245c4428767eb7001bd8 |
| SHA1 | d091f299951ca8ade7bf03ae84ca3ca1ab2307b2 |
| SHA256 | 3d98372fbac56338b06f24aeac4f52cbbcc4977d2f7d86adfb92cfc1a9d5607e |
| SHA512 | 8ba872180043d2596328cad3c9eb7681d184a6574ce6fa8c7baef346ad9098a0b8d13b20a6df212fa2590caa750cf71cec99e4dfd62984fc3396d56a29c9aa84 |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp
| MD5 | c1d9bb540a5cf2b8e335311c247bff92 |
| SHA1 | ac2dc11f16ec71ffbeee862afd72a41787e6980d |
| SHA256 | 3a55b9b3d0226e810e33dea581f40cd634580bffc6edc591e67df7153851296a |
| SHA512 | d623827fe626447745be95e16599a6b6d8ed8862ae30c80226f9434c5f3293f3422f0fb260f417519a50514f97334bf25a84ed51ab9e43f76faa12556e8d36af |
C:\Program Files (x86)\hosts\hosts-buttonutil.exe
| MD5 | 6aeaaedda1949deb7c40b09ddfd7ed09 |
| SHA1 | f3d35bd0edb197845b96cfda824c96cf77e79a7f |
| SHA256 | 31804e16546b6b9d914698c6c5cb4bea0c0a8ba27bcd085abd5a83119f23f0bc |
| SHA512 | 24b3ac81b4634c5e81fb6ab28e727d2b99220cc67c5ba84bfd486f4276a10dfc57335a6cd929f513134d04023beac4afe9c152c2f2d2226eab733a54ee558d17 |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp
| MD5 | c0228d656c703062404bb811a2358892 |
| SHA1 | fa32581dfd2ffb9386c8bed36bbca46363d5c996 |
| SHA256 | d39b7e365de13379ca4dd4f2bcb0f83b4d85c383912cdcdc7fda23ae1b083ea2 |
| SHA512 | 3f5b07348e5268e1504b394b9c5aeb6aaea6d3c774b3550d170c341fb05f41ce990e973b1f6955175f021335acf540bc813804cd35735fda332b967aae91118f |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp
| MD5 | 96217006f4ed6618c41c27ddc4410a91 |
| SHA1 | 391cf6d7bd90476855736cb1cc22d857c56e2e0b |
| SHA256 | 9983f6e68b7243a97b90ff21e64c30bf28831e7dbfbd1ee5afde4f806a74448f |
| SHA512 | fecd7ceb050c98db247a238c519d28ba42fc62db98b25b30c80b97db153a9ff638bcdd4a1dec71addb8b78cd8250972639e935662c27edf0e8f84f6af2c10938 |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp
| MD5 | 062e75c38b5a59b16287e1ee8685cd44 |
| SHA1 | 3da718a9ae0058642d6b8e3da6e86dd9a527ddc5 |
| SHA256 | b7ac77b1c6bba01fcca0790ccc77196ed7ab013c95613c40b302055d96693f6e |
| SHA512 | 52dcb232a7658c2ada16d5ead10d28f0c489b8c21284f84b1ed3833f2bd5c6d7be59ec37d7c479bf04d70c86fe369278c3b4ba5bdf7d577cecdf0e4c487f6154 |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp
| MD5 | 8b017e3910261cb0c9d914a6abac5382 |
| SHA1 | 5e4400946760495478a72bd89bba9e88b37af589 |
| SHA256 | 05e97c8a5777931dbd1a14b3e08c7aab07e4c285b87efa1dae8bce0c4092dbf0 |
| SHA512 | 2014033ec17b776583f7c760b58d669763bdb89919657a7fc0240059dcda93f36ef5029379ce1a78dacc15f8a893294f2a06d7341fc4647b4e8736f53f5e096e |
C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp
| MD5 | db6aedf26ae4c857fc7580611882669a |
| SHA1 | fa53a2e301e3bf024159c99e40c8d72e86bc68b9 |
| SHA256 | 043263a827d1399a6a67c283c2dae406a399f7e976a95c897b20a5d70cefcd06 |
| SHA512 | 3872d09b4082cb284875ae318dd2d7fc87d074ea21dceef5fdb7165f47bf4fb67223ff20fcb344a483d624d2198ef189f8916bb42ed64a2643c877a22d7727a6 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:34
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 220
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:34
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 780 wrote to memory of 3992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 780 wrote to memory of 3992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 780 wrote to memory of 3992 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3992 -ip 3992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 224
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 228
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:34
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4208 wrote to memory of 4340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4208 wrote to memory of 4340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4208 wrote to memory of 4340 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4340 -ip 4340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 220
Network
Files
memory/1632-0-0x0000000075240000-0x000000007524A000-memory.dmp
memory/1632-3-0x0000000075230000-0x000000007523A000-memory.dmp
memory/1632-2-0x0000000075240000-0x000000007524A000-memory.dmp
memory/1632-1-0x0000000075220000-0x000000007522A000-memory.dmp
memory/1632-4-0x0000000075230000-0x000000007523A000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win7-20240708-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-bg.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\hosts\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-helper.exe | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil64.exe | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\background.html | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-bg.exe | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\Installer.log | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil.exe | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil.dll | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil64.dll | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts.ico | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-bho.dll | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-bg.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4} | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppName = "hosts-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e} | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppName = "hosts-helper.exe" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppName = "hosts-buttonutil64.exe" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634} | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppName = "hosts-buttonutil.exe" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\hosts-bg.exe = "8000" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65} | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppName = "hosts-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f} | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\ = "CrossriderApp0035382 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID\ = "{11111111-1111-1111-1111-110311531182}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\hosts" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID\ = "{22222222-2222-2222-2222-220322532282}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID\ = "{22222222-2222-2222-2222-220322532282}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID\ = "CrossriderApp0035382.Sandbox.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe"
C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe
"C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\CookieDbIndex.bat
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "INSERT INTO Databases (origin, name, description, estimated_size) VALUES('chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0','crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024);"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\CookieDbIndex.bat
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallerParams','{\"value\" : { \"source_id\" : \"0\", \"sub_id\" : \"0\", \"uzid\" : \"0\" } }','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationTime','{\"value\" : 1730064763}','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationThankYouPage','{\"value\" : false}','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO internaldb (name,value,expires) values('InstallerIdentifiers','{\"value\" : { \"installer_bic\" : \"4AB09E47A9604B77AE250F7A9AB07AB0IE\", \"installer_verifier\" : \"398c13b930b46504151fef474c344b7c\" } }','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO internaldb (name,value,expires) values('chrome_enabled','{\"value\" : true}','2111-09-11 21:16:31');"
C:\Program Files (x86)\hosts\hosts-codedownloader.exe
"C:\Program Files (x86)\hosts\hosts-codedownloader.exe" /installapp /agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' /bic=4AB09E47A9604B77AE250F7A9AB07AB0IE /verifier=398c13b930b46504151fef474c344b7c /installerversion=1_27_153 /installerfullversion=1.27.153.7 /installationtime=1730064763 /statsdomain=http://stats.weservstats.com /errorsdomain=http://errors.weservstats.com /codedownloaddomain=http://app-static.crossrider.com /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log'
C:\Program Files (x86)\hosts\hosts-helper.exe
"C:\Program Files (x86)\hosts\hosts-helper.exe" /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log'
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\hosts\hosts-bho.dll"
C:\Program Files (x86)\hosts\hosts-bg.exe
"C:\Program Files (x86)\hosts\hosts-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stats.weservstats.com | udp |
| US | 8.8.8.8:53 | app-static.crossrider.com | udp |
| US | 8.8.8.8:53 | errors.weservstats.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\InstallerUtils.dll
| MD5 | 156e15e3dfcc2f2ff2dbcc373fc11f53 |
| SHA1 | 5ff52623dedd7efefac54dbd31b5d1bdf0f3e799 |
| SHA256 | 4618571c27877641f83bfb312aa5b66ebe4a8954dc898ce4e640aeaea4dc0693 |
| SHA512 | d4930f0b49dae5386a92124b954d1b82921e07da2a9ffd9d854f6ab6f03473e591d3b67f0aa8ea19f83b480be705d829797e62825fda50ffb074bd4734b265b4 |
\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\StdUtils.dll
| MD5 | 21010df9bc37daffcc0b5ae190381d85 |
| SHA1 | a8ba022aafc1233894db29e40e569dfc8b280eb9 |
| SHA256 | 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16 |
| SHA512 | 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e |
\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe
| MD5 | e92df8cf0d3988c26395a390df381024 |
| SHA1 | 2ad26f6562595e6e16cf2bb468213099a7583aa1 |
| SHA256 | c4927a7adb6f99589eced1b4a6e4056f52245ae3015b927d70622121270be5e1 |
| SHA512 | add4d7c17bebed385024360d59f72e86d6af8bfa275f8e76aedc57a318828b2482ea3b1d272a98bca337b4bcf79aa6621cf1e00efea406f92e04c1d7a56f098f |
memory/2800-37-0x0000000000540000-0x0000000000550000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst92DF.tmp\nsislog.dll
| MD5 | e47100b70748fc790ffe6299cdf7ef2d |
| SHA1 | ad2a9cd5f7c39121926b7c131816e7ba85aeead2 |
| SHA256 | 271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144 |
| SHA512 | 88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93 |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log
| MD5 | 1b5bd3e84b170a029cd82a4d32916de5 |
| SHA1 | 9f633a596353e7168b592281b0ff8ec09afaf687 |
| SHA256 | 27427fcc3cb6a43d01845a6beaddbf6351ba52207351b696a2740c29d2853c39 |
| SHA512 | 53ee5913dcb36b972ba9e4f359872efdbec363f4f5d5459ac3d5b23458b1105b4cd2080a31be97b679c3b130014886a34362767b5a2af273393e7b541b9c72fe |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log
| MD5 | 5c398638abdd0c5eaf70548986d4e325 |
| SHA1 | 77be6ed176ca930e16e5f2c2d34889af1d7f3f48 |
| SHA256 | 139f83f84d2cdb01f8872d6edcd5ba98d7deced5efe0bab133fd965e93c79f54 |
| SHA512 | e1f52ca3c3b6d0cde9024353e983a8644638f5455480405edb267dc30c856f5af07f8fd76fbde017f256b22de85f2c5492af94c93ec25a38ae005fe0e33a3dbe |
\Users\Admin\AppData\Local\Temp\nst92DF.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log
| MD5 | 335b774f630a4e777dea3b77acca7dc9 |
| SHA1 | 0803525a258ad80f9d204b1df480e5c9502dd7b7 |
| SHA256 | b95eb0d9e203755d4a101df25806cff4d6cf6280343e42e6267ff746ea9ffcb6 |
| SHA512 | d49af8a01f79073951130afd90451a652bfcbba5efe8472fbf1cbf14172dea480621ab537bb9f9633e2f5a629ea13e9b1ade790beced1d6660645f532293fa54 |
memory/2800-224-0x0000000000540000-0x0000000000549000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst92DF.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log
| MD5 | 9c4773b588a51fe611e38039c0953c28 |
| SHA1 | ff3b1dc6a9f6afd2eb50864a534cebed4045a902 |
| SHA256 | 0abefbe4c5b74e1327e0df020df095481ac6af8e58da67b73c61e5f4e52afc8b |
| SHA512 | cdabae36824e59c89e13963e53469015276c1aff71b45610a540ca0141c7a9ebd7af7b4f32be3487ba08a8d851baa3e3b87f0c63cbbef84efd54277688e4157f |
\Users\Admin\AppData\Local\Temp\nst92DF.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log
| MD5 | 2ab86d169919fcac862eb4ad08e1dd57 |
| SHA1 | 3baa54024c21045c660967ef987358043bf559fb |
| SHA256 | 547b909d0c59fabc30668292589b28c6ae62fc2188e3f3f92d4da6346c7397f4 |
| SHA512 | a3fb5aa45e2c344010744b1ab5256fa42052f778a681d6b6143a8a7479ab145d47361eaac7e2ad73e611507811b5a1affe84f4b24a82ea8948884640875b512c |
memory/2800-262-0x0000000000570000-0x0000000000580000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst92DF.tmp\CRNSISPlugins.dll
| MD5 | e95a1945663079496ac8f6374bf08d44 |
| SHA1 | b4b35eae891b2e06b1f559b12587b6ca54c3e82c |
| SHA256 | d22c4dba24a3fe2fee0e5e22bb1744b8b11e8e3dd4190267a9086c9efb514537 |
| SHA512 | e4140888236bc2759e09941c51f8f97be2a73ab996c60e4dc6e25a61d8e59f613f90fc9bb8c073ed0d463c0f91951fd04f20d272ec5383fd0ad2d5450abbc972 |
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp
| MD5 | db6715bdf5b2b5e760fff6f6879f20db |
| SHA1 | aad3fbb9da6c7515c4bbb8602362bc03f6b0a4c9 |
| SHA256 | 65952c10bd4d364832de4e56c2e161501758e88fea26df146e3a28d42b30f44f |
| SHA512 | e3842ebea66e4f696db71b57ff6b4714d68acdaa8b38e5a83b3f4e086c45a08a5a47f917a6688ddaa21de97e7b91e157edeefaf4366833ceb286f390e093be64 |
memory/2800-391-0x0000000002F60000-0x0000000002F8D000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\icons\icon16.png
| MD5 | 5fabc6d76523647c4b48b51fbd517408 |
| SHA1 | 4d009569658443968cbca3516949c9632cbd25ae |
| SHA256 | e17f7fa24d6ecd81bc2abb172a0c1eeceff830867ea45728eb93918eeb4c607a |
| SHA512 | a6720e4ff1a68074e76d3d744bd45584f76c4b209a6b3badc82361dbb30b19ff1c5aeb30276b9ff991f3069e37716134400ae2fd85b209590db5a2e0ef3f2bde |
memory/2800-487-0x0000000000590000-0x00000000005A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\CookieDbIndex.bat
| MD5 | 4840b25bf476a60da7cddc8689b7804f |
| SHA1 | d1607e215a977aa7dfb19965e7ab0da7d9dff053 |
| SHA256 | a2974d24b3fb41279fd414a3f87ec3e71b157b1870dddb03c39bd2d577420a5e |
| SHA512 | d795c416a31aa62ec6c109d146c046a1f306c6cf6ca15493f8b4a89efd1ba0e27afb6f408741127f4b9be2801d66349bb8e465140cf288949d03f1ac77328915 |
memory/1864-527-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\ExecDos.dll
| MD5 | ebcf9f71d804abab3c2e5ce4c17dc22e |
| SHA1 | 17d13084e75cbfa5fbfdd0025e9a0ee5772ae765 |
| SHA256 | d387b725afbd2a6f9b44999278d21025fae55b391e45f7751b88dfb13511a993 |
| SHA512 | 5576396c2d885c039668d7f401eeee583eb4de39e8497c3aaec32d47f4417a522fe6786c111d50a5fba7570f50e84144ef3a8aea42677d170e79114343c3a4a1 |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log
| MD5 | 3d0b076eee213fccb356b95058cb2ae6 |
| SHA1 | 0665fc7e2e1a60b13c4db7c82e1d6c1baecc83bf |
| SHA256 | fd6368a79e9fcf9ea31ee88a5a93100380067e516230669d2c0367105232653c |
| SHA512 | 1a6552230692389844b10a0ce9a3bf236cde4e6c7a47bb5b8e010cc4e30b34a375ba18a4e7cfa8bfa9f7ef1c1527dff90c5f0e6b7e31ac4a3e06f2bc35c6da89 |
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp
| MD5 | 8ee8dfabbedf837a740ed2d1f19d6768 |
| SHA1 | f9462110b9623b63116387a3be9cf146845538c5 |
| SHA256 | 01fcc24c1d9d68fcb99b7bccc254e660d4f01c6d0f5bf37af3ac0626912ae9d1 |
| SHA512 | 8b6b802ecd54be30bb1ba9907912d81de174c4fc8470533e9cf5380cdfcda1c62a4893ab75108a598508791e540b92d592a36757ca6e3f9e66d479162b929c74 |
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\ZipDLL.dll
| MD5 | 2dc35ddcabcb2b24919b9afae4ec3091 |
| SHA1 | 9eeed33c3abc656353a7ebd1c66af38cccadd939 |
| SHA256 | 6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1 |
| SHA512 | 0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\extensionCode\pageCode.js
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon48.png
| MD5 | 12e783f1b55f54b719444e958d0f654e |
| SHA1 | b147828f4af4fb86da89b0219ea7ff2da1d84a1c |
| SHA256 | 8b1bc99525aaa27b37216beda75ae7b457e0d8792b91506a736e7415f67788f1 |
| SHA512 | c44bb389bda5dba024c57cd4601c3dd5fe35a992c973eabd63aba4e8fb1e221e31ae06ad6e459b6c808f469fa14163722a11acc0624f43d797e5377e5e4486f6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\button5.png
| MD5 | 8b1eb9cb80417ec0022d278a44ab1dc7 |
| SHA1 | c49eb73f79e70b8ed96d91ef62f0bc344e41219a |
| SHA256 | e358d97ba4c51b987fe73ea0ac0f14f9b2375e299f3e859fc37c21ab8b051ee6 |
| SHA512 | 0324f2785d09f04c5be9ee77f1cb80a7afe06d66672baa862f63ec8ac59a2ae58199db91bb28e18409e918b222dcf09269013a270284213473ffa974d842c7d7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon128.png
| MD5 | 68447a995095517de966faaaa441320d |
| SHA1 | 4229b0c045b7bfd1546cdc1f4e38c68135326fba |
| SHA256 | f4223da0667e669eedaf4878678dae1637dec401ff7bde29dd56b8d1fc4e8d3c |
| SHA512 | f52164a45b182c10bd36dd9fe34e5c047e8d55b6e86eaf4726efa40ef159ef6f586066b1660f45b2c6bd987f8ca90d0039e857e066db209837d9aaa1e8defe65 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\install.rdf
| MD5 | d9714eb9c7ca8d6f12da011cb85a91b9 |
| SHA1 | 083b561967c9354264d1eea9fb5c7e0bbe41e81b |
| SHA256 | 167c43e0790c97ce7d1c76969c37a8e314016b22ec5d10effabb7bc17d5c6499 |
| SHA512 | 70cd919b42e7b7462261f1a46277786f92152ee3d9d07b021b7c44980e72051c2fce60a5488a192be87941a22f6563b9f5e475ec3510e097ebcea28ce1aebd44 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\locale\en-US\translations.dtd
| MD5 | aae23d78c89bb64103e8d668bff80223 |
| SHA1 | c0903224a450ec3b506ede665b2fd8624f94aaf6 |
| SHA256 | 10762cb296f01536427e6592d4c79b08ac48b1c45d12e7b36aabcdd3c1bd299f |
| SHA512 | 79101b2fcaf52733b9f29607f15c4679c6ebb9edbe9caa44b3e138333737b5b1302aad9e78a788601b9d8c8e7355fc85e02b2d5f8b00c32cafe0d54a5c7b6d1e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\defaults\preferences\prefs.js
| MD5 | 260967b62a302147d44c771cdc3d2c9b |
| SHA1 | fb83a8ccd8facac7c9edba98f6ce04274de8e903 |
| SHA256 | 86cc451482895a5969813477f72812ae03fe462c7a11fb6f106d67905565f5ae |
| SHA512 | 18ca7c6d42fd4fa8f63f66df11b1f6c543c23420e11aa754d272a96e58a6665f7ebfe02d208cc3f92726998d4cecfa23ebf39a0e6ddd897b4196fd6a6172a84b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome.manifest
| MD5 | ba60b7b3decd2b1e30e55e4301e20de4 |
| SHA1 | 61ee703b552a8826fe1086ecc5abee4d45bd92c8 |
| SHA256 | 05c4744db6cacb64b25a23eff0c748ac24e6fb74e2791341cb26e154861e598b |
| SHA512 | 8893279ca4f4dc3ac4f4c91da402a759663b2aa3a5e2ac779be03fb3a242054d80c951c4d103faaa02abf103bf58d173fc50c417b0505cc918190fd718280fbf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.xul
| MD5 | 275186e0a6d4ddabbf8bc8d1b00add5e |
| SHA1 | e4b57588e9be7de99e4b057801977f3614bcbf9f |
| SHA256 | 9a36a603d325f00e102539ec8a5409b1b65318145fdadf70bdb8a429af471fd2 |
| SHA512 | d06d14889c105e5440232ddebc2bddea8061f6e040fd35a46c4a1858d6fd60d4397729160f7de0400c3cb556419fe6b3272b5ec20368a6cb0f68fe1589ea2e39 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\background.html
| MD5 | fb162e226ced64d0b4d6e53ed9f82eb9 |
| SHA1 | 2b1d6ab496785d96ddcfc712a942a0d1de8ef018 |
| SHA256 | 3f20ea55cdb879a1babf8ac3372e2cba7bd21586017e7e22dd49050cb1d03140 |
| SHA512 | 864650849cdab6609f2219960e04ba33a1878bda8b76c326d08fb5ad5410b2a54e9c84c5c1a22efaba832e16e549fc2a7f59421b65db9f9566fc7c118f44daf0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\dialog.js
| MD5 | deab4dc957c13108352c4f014b242353 |
| SHA1 | bc63ae0c5744a1ad67821937873d1829ed64bb06 |
| SHA256 | caf871b1b90ce840acddd2cf04237dff5d3a992dce765a3996f630c669bd728c |
| SHA512 | d1c59e171fc40e531e2a70542688d0c6d300e2cb9b68bef7b88d5ad35c985e6b1773c437a746215dc63eae185307441f804ea265ac98ea842cb0caf58056e784 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\search_dialog.xul
| MD5 | 68e04f0a85d4cb05c54f268e5e59fdc9 |
| SHA1 | 2a465323fb0d697226d481be9c599f94d62fd150 |
| SHA256 | d61aae08a32e9987caf41d35bad06f2a2cee4bc094bafca7afec0648a2edd1d6 |
| SHA512 | 2853de596d4a669fc6e13646524646277a74743c81077f1ae6ed40d1972ee621a1e7522b1a017b55c1cc578831503b864020d26d1d992c1aba33afa4d34d5c9a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\baseObject.js
| MD5 | aaba4db5965550fa33599a2888151785 |
| SHA1 | fb472dd90e55164f05774d9778e97a644ed2628d |
| SHA256 | b0e6494d211fdfc5b0eb3f6668ccbdfd8f99d065440e4c60776e32e1b574ff44 |
| SHA512 | 19d805ec4989b4e9eff4c855c4ae871dc81346f801392e06229d0e359f96e16e05108e0ff4c6207f9fb72c40a9e6aa9aef4069c7c730bd02c316b8f4d597914f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\main.js
| MD5 | a5be5ea81e0b1653d3fa31600a0a36e0 |
| SHA1 | dacb7a24b99dfb9dd4541b00e4241db7df7a219d |
| SHA256 | ae4b7f033e53b8887c054e25fa6d3e7d754e2c97011632940685c84011e478f4 |
| SHA512 | 39c69767688b0e483844b3b03a849a5075e2ae520559c15570b4509db1d125c2db43e7465193d57b9b7773c543c1e7c3dcf9247a402da7c8f0d87790226799c3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api.js
| MD5 | 311200eb1ab011b88c0e9545a4d2d049 |
| SHA1 | d22bf13518c77d46e45d556adf6244a251ccd3a1 |
| SHA256 | 6e8e5a4e707c5a0b8146387b44c66cdbd33a6e48c985e3800f9dced605f69545 |
| SHA512 | bca612da6341a485b4fdfd02197f02347b30e2b7cd0a23ebabdae6140de827af205afe59c62ab50749880593358e59a238d627523ba1fc81fe08cbee54553939 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.js
| MD5 | 80297932a5645e651b2bc05c65cb8cf6 |
| SHA1 | dfb36a890b134fc09bb003c583f93c978e717f7c |
| SHA256 | 12bdfbb75c0b57ed66756b12d52a8538ca83eae7f5c5c3574af3f24a0d38a78d |
| SHA512 | f5e97c10ce845990601e0d1889bc6173888a971297792cf85d10f6fd77428c445f81fff56af0576bd365abb22583d43dbaad3cf958e01596bd904b72f893a275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\browser.xul
| MD5 | a82c0de0f37da22a6e07ff2077e8f318 |
| SHA1 | ae361ae3f52c2f7240c6275a6c40166796107c30 |
| SHA256 | d0ef8d510db101253558497c1ebb21410da1f44653d59362cca22e55b5025172 |
| SHA512 | c3e8917e8f3eccbd9e2580edf7c009010aa76446d92f8cbf073b4072e483187b413580ae91d51abaeb7f8eb6eb8c01bf914c4119a1ba1878222ec03bce542bff |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reloadObserver.js
| MD5 | 0587e06fa0fb578c220245ddb95f7411 |
| SHA1 | 52df8780d25418d6fb90725c9816080e01bc5024 |
| SHA256 | 9ed7606361daf6580e6ad953e7c60e33ab4dfb0e07087c577aa4c9475276ed4f |
| SHA512 | 0a1ffc4cc91ba10c0998f7f574ae1f5a9f2010b4ab62610d780ff0ad72078f9d610a1bf906e5e8270d6ef68b9cc3d439a333757ab7e9fc32609cf2bec4271b78 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\searchSettings.js
| MD5 | b1d1b15628eeab4bd8ef82bea8b9110f |
| SHA1 | 845cbc7fc818ed1879cd3f53535fb1a0c951e2fd |
| SHA256 | 594d3976d286423db7a94be62ad9bbc5ca9d5144fb94c7f061f4a2e14e5b82f5 |
| SHA512 | 6900766534d55f79c75fc53a7acd156ae4d53a336ef79ad8d8fb2b2be45c92233458fdfe971f0502b27e83848b35892ef58851b3b39e90aee1ae52fbf337f159 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\xhr.js
| MD5 | b4a678cc9885730cd03de0d100bdcc25 |
| SHA1 | b0771a929a9624c256b45124e6f0c999707380e8 |
| SHA256 | 9cf418b2562821adfc68368a469d843e7dee0f0d087a45866c0d8279c52fcb29 |
| SHA512 | 9caa0eaf2eb874d683c41f37265232630168983969e2a64dc666add6a4c3c5e82aa316489f7a3b383da5fc52efa4ea705eeeca39528c1c1c7b9dc01058e3189d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\prefs.js
| MD5 | e7ae2f5a14532b1b645d14bc04e4a12f |
| SHA1 | 592ba96aa9d7e448fe67e92228442f9312c1ae32 |
| SHA256 | 6b97194d415ded6da5abcec8566073bc3714d2915ab48b2f96e4b5ca72043b67 |
| SHA512 | 08cdc93db5de34e288449096f7c960a4a788ca73b436e2769a108fd2a479e59f26d79605d19422e73d67ed623a63952ce8103c166e68bac2ac78bae03192db10 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\pluginsManager.js
| MD5 | a92e9ce9e1e0ad01baa684c419ebbb8f |
| SHA1 | 850271a386aff13b2d2f16d3e70778cc8a655519 |
| SHA256 | a00e24fe9cfbbba7fb75c930449d86250c96644755fa3c78324fd7aa3eb04f9a |
| SHA512 | 469819873a662072279265323d2c5585137958387599bbd10c11a12c0e924b71232f23714b3e8f1690d6cfd1d27fd772d11a4cd3ef8afd94db9a7eecc228cb17 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\console.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\updateManager.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\registry.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\delegate.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\consts.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\progressListenerObserver.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reports.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\installer.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\IDBWrapper.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\httpObserver.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\requestObject.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\uninstallObserver.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\utils.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\request.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxNotifications.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\message.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxOmnibox.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dbManager.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\background.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\webRequest.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefox.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\asyncDB.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\contextMenu.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\fileManager.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\browserAction.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dom_bg.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\tabs.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\popup.html
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\update.css
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\skin.css
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\panelarrow-up.png
C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4232 wrote to memory of 516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4232 wrote to memory of 516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4232 wrote to memory of 516 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 516 -ip 516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-bg.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-helper.exe | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil.exe | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil64.exe | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil64.dll | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-bg.exe | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\Installer.log | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil.dll | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts.ico | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-bho.dll | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\background.html | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-helper.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-bg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppName = "hosts-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634} | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\hosts-bg.exe = "8000" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppName = "hosts-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65} | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppName = "hosts-helper.exe" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppName = "hosts-buttonutil64.exe" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4} | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e} | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppName = "hosts-buttonutil.exe" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f} | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311531182}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID\ = "CrossriderApp0035382.Sandbox.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID\ = "{22222222-2222-2222-2222-220322532282}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID\ = "{22222222-2222-2222-2222-220322532282}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ = "hosts" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\hosts" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311531182} = "1" | C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe"
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 3056,8D637B667EDB4632AB83DF05009335BB,BF924038E5624C18B9D68AC7C641D364,6D16371606334E9DADD9983D0592C9D9
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 3056,4C33C0BBD41C4A5FA74FEDF0AA8ADAA0,0FA6695B07BA41BE9FA317183A1185F9,6D16371606334E9DADD9983D0592C9D9
C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe
C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe
C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe
"C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\CookieDbIndex.bat
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "INSERT INTO Databases (origin, name, description, estimated_size) VALUES('chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0','crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024);"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\CookieDbIndex.bat
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallerParams','{\"value\" : { \"source_id\" : \"0\", \"sub_id\" : \"0\", \"uzid\" : \"0\" } }','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallationTime','{\"value\" : 1730064782}','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallationThankYouPage','{\"value\" : false}','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO internaldb (name,value,expires) values('InstallerIdentifiers','{\"value\" : { \"installer_bic\" : \"23D8F80C2F0E46D9A8B29801CD56C170IE\", \"installer_verifier\" : \"ef56edb22bd226b3df8ac9917ff5820a\" } }','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO internaldb (name,value,expires) values('chrome_enabled','{\"value\" : true}','2111-09-11 21:16:31');"
C:\Program Files (x86)\hosts\hosts-codedownloader.exe
"C:\Program Files (x86)\hosts\hosts-codedownloader.exe" /installapp /agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' /bic=23D8F80C2F0E46D9A8B29801CD56C170IE /verifier=ef56edb22bd226b3df8ac9917ff5820a /installerversion=1_27_153 /installerfullversion=1.27.153.7 /installationtime=1730064782 /statsdomain=http://stats.weservstats.com /errorsdomain=http://errors.weservstats.com /codedownloaddomain=http://app-static.crossrider.com /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log'
C:\Program Files (x86)\hosts\hosts-helper.exe
"C:\Program Files (x86)\hosts\hosts-helper.exe" /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log'
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\hosts\hosts-bho.dll"
C:\Program Files (x86)\hosts\hosts-bg.exe
"C:\Program Files (x86)\hosts\hosts-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.opencandy.com | udp |
| US | 8.8.8.8:53 | downlite.net | udp |
| US | 172.98.192.37:80 | downlite.net | tcp |
| US | 8.8.8.8:53 | v2.irismediainc.com | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.192.98.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 172.98.192.37:80 | downlite.net | tcp |
| US | 8.8.8.8:53 | v2.irismediainc.com | udp |
| US | 8.8.8.8:53 | stats.weservstats.com | udp |
| US | 8.8.8.8:53 | app-static.crossrider.com | udp |
| US | 8.8.8.8:53 | errors.weservstats.com | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\OCSetupHlp.dll
C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\InstallerStuff.dll
C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\nsJSON.dll
C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\nsDialogs.dll
C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe
C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\InstallerUtils.dll
C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\StdUtils.dll
C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\nsislog.dll
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\nsisos.dll
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\md5dll.dll
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\ZipDLL.dll
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\icons\icon16.png
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\CRNSISPlugins.dll
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\ExecDos.dll
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h4lqlqyj.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\extensionCode\pageCode.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h4lqlqyj.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\button5.png
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h4lqlqyj.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon48.png
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h4lqlqyj.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon128.png
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\install.rdf
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\locale\en-US\translations.dtd
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\defaults\preferences\prefs.js
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome.manifest
| MD5 | ba60b7b3decd2b1e30e55e4301e20de4 |
| SHA1 | 61ee703b552a8826fe1086ecc5abee4d45bd92c8 |
| SHA256 | 05c4744db6cacb64b25a23eff0c748ac24e6fb74e2791341cb26e154861e598b |
| SHA512 | 8893279ca4f4dc3ac4f4c91da402a759663b2aa3a5e2ac779be03fb3a242054d80c951c4d103faaa02abf103bf58d173fc50c417b0505cc918190fd718280fbf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.xul
| MD5 | 275186e0a6d4ddabbf8bc8d1b00add5e |
| SHA1 | e4b57588e9be7de99e4b057801977f3614bcbf9f |
| SHA256 | 9a36a603d325f00e102539ec8a5409b1b65318145fdadf70bdb8a429af471fd2 |
| SHA512 | d06d14889c105e5440232ddebc2bddea8061f6e040fd35a46c4a1858d6fd60d4397729160f7de0400c3cb556419fe6b3272b5ec20368a6cb0f68fe1589ea2e39 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\dialog.js
| MD5 | deab4dc957c13108352c4f014b242353 |
| SHA1 | bc63ae0c5744a1ad67821937873d1829ed64bb06 |
| SHA256 | caf871b1b90ce840acddd2cf04237dff5d3a992dce765a3996f630c669bd728c |
| SHA512 | d1c59e171fc40e531e2a70542688d0c6d300e2cb9b68bef7b88d5ad35c985e6b1773c437a746215dc63eae185307441f804ea265ac98ea842cb0caf58056e784 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\background.html
| MD5 | fb162e226ced64d0b4d6e53ed9f82eb9 |
| SHA1 | 2b1d6ab496785d96ddcfc712a942a0d1de8ef018 |
| SHA256 | 3f20ea55cdb879a1babf8ac3372e2cba7bd21586017e7e22dd49050cb1d03140 |
| SHA512 | 864650849cdab6609f2219960e04ba33a1878bda8b76c326d08fb5ad5410b2a54e9c84c5c1a22efaba832e16e549fc2a7f59421b65db9f9566fc7c118f44daf0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\search_dialog.xul
| MD5 | 68e04f0a85d4cb05c54f268e5e59fdc9 |
| SHA1 | 2a465323fb0d697226d481be9c599f94d62fd150 |
| SHA256 | d61aae08a32e9987caf41d35bad06f2a2cee4bc094bafca7afec0648a2edd1d6 |
| SHA512 | 2853de596d4a669fc6e13646524646277a74743c81077f1ae6ed40d1972ee621a1e7522b1a017b55c1cc578831503b864020d26d1d992c1aba33afa4d34d5c9a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\main.js
| MD5 | a5be5ea81e0b1653d3fa31600a0a36e0 |
| SHA1 | dacb7a24b99dfb9dd4541b00e4241db7df7a219d |
| SHA256 | ae4b7f033e53b8887c054e25fa6d3e7d754e2c97011632940685c84011e478f4 |
| SHA512 | 39c69767688b0e483844b3b03a849a5075e2ae520559c15570b4509db1d125c2db43e7465193d57b9b7773c543c1e7c3dcf9247a402da7c8f0d87790226799c3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\baseObject.js
| MD5 | aaba4db5965550fa33599a2888151785 |
| SHA1 | fb472dd90e55164f05774d9778e97a644ed2628d |
| SHA256 | b0e6494d211fdfc5b0eb3f6668ccbdfd8f99d065440e4c60776e32e1b574ff44 |
| SHA512 | 19d805ec4989b4e9eff4c855c4ae871dc81346f801392e06229d0e359f96e16e05108e0ff4c6207f9fb72c40a9e6aa9aef4069c7c730bd02c316b8f4d597914f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api.js
| MD5 | 311200eb1ab011b88c0e9545a4d2d049 |
| SHA1 | d22bf13518c77d46e45d556adf6244a251ccd3a1 |
| SHA256 | 6e8e5a4e707c5a0b8146387b44c66cdbd33a6e48c985e3800f9dced605f69545 |
| SHA512 | bca612da6341a485b4fdfd02197f02347b30e2b7cd0a23ebabdae6140de827af205afe59c62ab50749880593358e59a238d627523ba1fc81fe08cbee54553939 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.js
| MD5 | 80297932a5645e651b2bc05c65cb8cf6 |
| SHA1 | dfb36a890b134fc09bb003c583f93c978e717f7c |
| SHA256 | 12bdfbb75c0b57ed66756b12d52a8538ca83eae7f5c5c3574af3f24a0d38a78d |
| SHA512 | f5e97c10ce845990601e0d1889bc6173888a971297792cf85d10f6fd77428c445f81fff56af0576bd365abb22583d43dbaad3cf958e01596bd904b72f893a275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\browser.xul
| MD5 | a82c0de0f37da22a6e07ff2077e8f318 |
| SHA1 | ae361ae3f52c2f7240c6275a6c40166796107c30 |
| SHA256 | d0ef8d510db101253558497c1ebb21410da1f44653d59362cca22e55b5025172 |
| SHA512 | c3e8917e8f3eccbd9e2580edf7c009010aa76446d92f8cbf073b4072e483187b413580ae91d51abaeb7f8eb6eb8c01bf914c4119a1ba1878222ec03bce542bff |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\searchSettings.js
| MD5 | b1d1b15628eeab4bd8ef82bea8b9110f |
| SHA1 | 845cbc7fc818ed1879cd3f53535fb1a0c951e2fd |
| SHA256 | 594d3976d286423db7a94be62ad9bbc5ca9d5144fb94c7f061f4a2e14e5b82f5 |
| SHA512 | 6900766534d55f79c75fc53a7acd156ae4d53a336ef79ad8d8fb2b2be45c92233458fdfe971f0502b27e83848b35892ef58851b3b39e90aee1ae52fbf337f159 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\xhr.js
| MD5 | b4a678cc9885730cd03de0d100bdcc25 |
| SHA1 | b0771a929a9624c256b45124e6f0c999707380e8 |
| SHA256 | 9cf418b2562821adfc68368a469d843e7dee0f0d087a45866c0d8279c52fcb29 |
| SHA512 | 9caa0eaf2eb874d683c41f37265232630168983969e2a64dc666add6a4c3c5e82aa316489f7a3b383da5fc52efa4ea705eeeca39528c1c1c7b9dc01058e3189d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reloadObserver.js
| MD5 | 0587e06fa0fb578c220245ddb95f7411 |
| SHA1 | 52df8780d25418d6fb90725c9816080e01bc5024 |
| SHA256 | 9ed7606361daf6580e6ad953e7c60e33ab4dfb0e07087c577aa4c9475276ed4f |
| SHA512 | 0a1ffc4cc91ba10c0998f7f574ae1f5a9f2010b4ab62610d780ff0ad72078f9d610a1bf906e5e8270d6ef68b9cc3d439a333757ab7e9fc32609cf2bec4271b78 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\pluginsManager.js
| MD5 | a92e9ce9e1e0ad01baa684c419ebbb8f |
| SHA1 | 850271a386aff13b2d2f16d3e70778cc8a655519 |
| SHA256 | a00e24fe9cfbbba7fb75c930449d86250c96644755fa3c78324fd7aa3eb04f9a |
| SHA512 | 469819873a662072279265323d2c5585137958387599bbd10c11a12c0e924b71232f23714b3e8f1690d6cfd1d27fd772d11a4cd3ef8afd94db9a7eecc228cb17 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\registry.js
| MD5 | 769dbc56827458c72b7ad8098c91e7f7 |
| SHA1 | e8dbd8c650c6e35e064bee32e93200f713ea94d8 |
| SHA256 | 2ff6758a857e848cc6d30ddc02d18000cc062048b1df0b9ab59e9b9cd08107c5 |
| SHA512 | 36fb166d5f74cd17a79338192e67fbc1ae18cb68a9c0422513f1560d6c1b3d357e6a940a1cf5128fe4cf64dd199aa5c4bb7689d70e6887dd7fef01cc7f3d58aa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\prefs.js
| MD5 | e7ae2f5a14532b1b645d14bc04e4a12f |
| SHA1 | 592ba96aa9d7e448fe67e92228442f9312c1ae32 |
| SHA256 | 6b97194d415ded6da5abcec8566073bc3714d2915ab48b2f96e4b5ca72043b67 |
| SHA512 | 08cdc93db5de34e288449096f7c960a4a788ca73b436e2769a108fd2a479e59f26d79605d19422e73d67ed623a63952ce8103c166e68bac2ac78bae03192db10 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\updateManager.js
| MD5 | 9fc11c16a573da4dba7764fc111a50cc |
| SHA1 | 4035d7a0a8383e1b93d64fc161e3274d5f428ae3 |
| SHA256 | 5250fe36cd0617f8497a8f2da1003fbfebe97b01f26f030728a26d33a438fbd7 |
| SHA512 | 060cc213c87cb7f86809f8d533d677171f798e5a32519f0467e4ee2605319210e87b666c784d49e490326595d482fc37ca840ced537e0b4161ebef4abd99301f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\console.js
| MD5 | 9844f60e1179aea762ef53ec0d542fa3 |
| SHA1 | 25cb21241d80f8ed03dbdb1b3c1d6d487415acf0 |
| SHA256 | dc619581ed2a7ef130c5bc780ce0c18bff78ca27ce98a0689bf3178b2b2967a5 |
| SHA512 | d40b6f2b59bb32dde9309bc9533052559b17786afa899de5682f2f3322492fbc583323e84cc98cbdcf2f46d1b6767e71fdddd68dd9eb695c4d304de33836fed9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\delegate.js
| MD5 | eec92acbcfa9d28b43b64aecc9e6c1ee |
| SHA1 | d4253a3cd8810d575e1100c58f088d70e063889f |
| SHA256 | 1f3b9ab2bad072151166127c9bb92405e031ad8afdfe2f9dd5ebde86ccc0236f |
| SHA512 | 62f3856a5c2c5e408e68f2f4266a86c9f49411e92190d9e865144ebcae0907a401f2ee808bc7a8cb135504997a6afc71b7f7e85ff18c68175dde88b0e1b67b93 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\consts.js
| MD5 | ef2e8bca169a0e83e6e1a1daaee07c4e |
| SHA1 | a78279e9bd75e866a18f36cafdc4e4385d88610d |
| SHA256 | 2f39c546d790606df3c1885603984d2bfc94965222b48f6eed74447552114673 |
| SHA512 | 7e86e8447570714ad1975617c159208d217132857775e465d12f9bd7902b7e65757c621841e7822db142ff045ec6a8ddd07767b92a845e3d3627e0acdf94b672 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reports.js
| MD5 | 60fd9774d8bb9d6eac945da719e68428 |
| SHA1 | 6f04d94ad0c566f23f432d3457e8116c0f97c119 |
| SHA256 | 0c4cc49edbd5ba2c99efb98fcba81d1390f87d1c6a7a749f0bec4bbf2adf0e2a |
| SHA512 | 20b7fc3a33eaa5042370965c2540fc5041ee3d188c912608e7d6c8d0632993c51dfd2b4a53e2b4ce1f02ba7b2874e228e968780aecf4db6b6f7c71eccc5935c1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\progressListenerObserver.js
| MD5 | 3e9a68cfaeb26b1bf7b39037a5670d38 |
| SHA1 | b6633a830be19b218af576417d0fec7ab5dff435 |
| SHA256 | 96474c2cef1c5bc83df3d8bfc19d4853968925ea981b0a5c09b160fc15b59f18 |
| SHA512 | d5b85a1df2e678e70d50ab5e7cf1e84707288b8ad80327c9eb9f65b2c803378268adf3f44a43078080092acfa26611b0dced54c754ef0bcded03fdc3fd902e17 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\installer.js
| MD5 | fd3f295f1c17b33d7a80103564a7f221 |
| SHA1 | 0d67ce68dd98f31c3c8c2152a23aab11b6a3fe28 |
| SHA256 | cb89a5f1f1d1bf601c8e257562287e5011cb982dab2a673658eb9c6f9065a9bb |
| SHA512 | d499507d6b98a7247739d8083048317a133e625d57c650c1993395f753c9ed95c832dc792609b9d632cad007f142021c4ff0c1882b2ccbbcee4b70ad985bad1f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\httpObserver.js
| MD5 | d84f78673765cd850eb1600fa60bfeb1 |
| SHA1 | bbf3b8f1a8c03b4733b326b9a36d02bb55902620 |
| SHA256 | dcb0ee2e8733c03f33347148eee0c60d910c0bf511c75c959b0e46eb9afcb915 |
| SHA512 | 8714f8df6b813bc4d6ed78a1cb6697f2aea3525c3c48961b7e4feee2b43a601e137899fe88804b451c3d104a9d9d405a1daf82b7a510cf8bf7f1f38c22e94af6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\utils.js
| MD5 | 7f67b1f11066759f19de77335aa9e162 |
| SHA1 | 5c689fbf820dded68beb78a0695569ea6b7a9e5d |
| SHA256 | 89e7e4c46c456bf2464a0997d864baa564da84eaf59306b153c38e08d643a00d |
| SHA512 | 7460af03a7360682481a8673a13cd675d88a52a5d565d8a84e379015b3355ef5e7e94e75c53047a7f3993478014aef457e85b6cba606b6af41ed3f7a434e676d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\uninstallObserver.js
| MD5 | 1f7e4557cc0450b1b59f088534a972a9 |
| SHA1 | 09ddb030e2634dc6cb6dc8bb99b035e35fb20dbd |
| SHA256 | 430d1975bfbdc7f878e442a0c8f9cf9d0a3a1c3a5752b5b13e226e11b2ba6aec |
| SHA512 | 078ec9639458bec7b7de1c399693b9004d9e6eb354dc130c65aa8cd2c3e78325f44388024c931e8135c90e92a3f82641ef8d2bd3f45c1beff75147377bcabafb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\requestObject.js
| MD5 | 58bb6d11d1eaf46767cc60de67cd9454 |
| SHA1 | d7c575929c2d14b8cc155879069fab443c44eb3a |
| SHA256 | 4b5d3e7c0a686c55dfdf2348533a6aa8ac2a768bad01673bbee717a92dce44b1 |
| SHA512 | 41d1262f1b515f6990ba0ac41d446230d49873ecd90df6d14d6ecbf767a5aa923d2ee9405ef9cf0c96a9c323a1da125d84fb7c26bb1a19a02a8b05a01e725be3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\IDBWrapper.js
| MD5 | 44bd338a01fc265a1f48feb6109cffd3 |
| SHA1 | 21a16911d1a82b1ad847b7a9c94f95127eefca60 |
| SHA256 | 4c2e7321e1db1e55ac0d22934c916467d45767c85a65843b942891f983102da6 |
| SHA512 | 9039535ed0910662afb0148598e3326bc50641887e4dd8907734cf0d1093655ee3c481c0d2f7a5581e5846cac804e1c10c33b896f78895c858076b2c605569c5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\request.js
| MD5 | 7188f8b638a00a897acf7d6db9381c8b |
| SHA1 | 8394559d7791715741cf8f1dadebe7b7ad15132b |
| SHA256 | 306b1301a4f737d7a7995168a969bc730f26857a39949fcd4899d1dd0a6a3f9d |
| SHA512 | dd950176cbe599602b660b767c1a85fac866b00d5b025886efc01d3e488e7b4e5392da3ac4b73956d753c102ac297373e0834022ffa06f0bfad07c78c6c833cf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxNotifications.js
| MD5 | 2cbb07727f1ad5480752694ba113854a |
| SHA1 | 19c82a1dfcd0e7a8bc442ce22ef268d699b9e674 |
| SHA256 | db1a27b86d4a1848cc0e8c5f1887ece15ebab250bcb025d1e0aa2d3c029d9b40 |
| SHA512 | 9ad1b14c3febc6c74474680c7b6c02d8294f7f996940d4ca0d448cabcf2fe7f15249aae5fc67184c49d4a82bc236690f85403746932ca6df4e93197f209f1291 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\message.js
| MD5 | 8a07017e0756e912aa9fe2fa7f722456 |
| SHA1 | ecd41edeea92e2e00f2b518afb1410bce30792bb |
| SHA256 | 1501c3e6e1b668a191ace44009710e603d9f036e3d4dc405654162f65674a953 |
| SHA512 | 4e3ec3e61114b67a3c42c968c1a88afbb0b5d1119f98140991147e644463e7226cb2d7db17bdd6980ca206f6ee559e2fe775a009ec93f29fdcd1b9955b713123 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxOmnibox.js
| MD5 | aee13ba60482e203c4bfc871339b624d |
| SHA1 | a8c42a0844cdc5f5cd7ec7ac033c7fcd24ca96ba |
| SHA256 | cb043a814632118b25b305ca6cb0abffa1e10a502df054f2a17554bedc299913 |
| SHA512 | 06b3938eaf16459456704e8edc12171786954f707fe166820ca4fffa35c9e8724c82dcbdb88a5f0b24d842df40c041d6acec7ca10f4e85fe5d83b59132dae544 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dbManager.js
| MD5 | 780b66c8196bd869af8eac63d695d9c9 |
| SHA1 | c02d465ce06fdc40e8adba0e463fa3b609fdf56a |
| SHA256 | aa61b53209da3e4ac51c69326d7d31168cd14e34808d8c71784e804aa970e486 |
| SHA512 | 54b8e3adff18652cdcd84a5759125d061e50a0f074ceac89a31085bb31096308244824e24980330b5c9d0f68c52a95eb85b3bb2ac36e3e5645bf2e3fcce71b70 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\background.js
| MD5 | bad0c2449513ec4ed9ca13eb55591aa8 |
| SHA1 | e260a391e5dc7913ab3b81fe8da607ee43fe45df |
| SHA256 | e5be4a0d2f826fc13592de1befcab2b639ba169b3c74069f604dd16739d20779 |
| SHA512 | a545d32c4ea9313a30bca7c773f8c9bca640d98cf73fe1487c248ccf79d0cd916b122a0d71e5699343692cbcd3c326f10a0708a7263e794d720023d2c4e5c0eb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\webRequest.js
| MD5 | e8a80e409e40199e3309e5d37dfcfeaf |
| SHA1 | b74ce420ab51a7af5901cc2f17b3ba19ff2b847d |
| SHA256 | 8e82ea7cc89b91e80b5bd904ae3efbc34daac4374f1c6089fa25ea9ec2ece2a9 |
| SHA512 | 4e7ea24f342197675e1d1cebc61c16aa3173bda6e96d616d97f8978b180d601294c1c82f845209b1f5b3ce07dc71c1e75c042fa476415960cbc8b7017e6bb316 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefox.js
| MD5 | a1cd4406d7577807a698aa3995046192 |
| SHA1 | 7dc6d8b6718d8e3042f9b959939eb6d1caaa4b57 |
| SHA256 | 5609ed9fa249166c8dafe7eda048c86486574445244d2dc509fb617b87b5d7f7 |
| SHA512 | 9421c2310562ad6f9026d7f710ebcfc4957022219e972db3424b5f926a7a5d5e85b8cc5d0ba47c0214d2514f90f31b32ed77f887b8279fd5e90b74ffc341768c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\contextMenu.js
| MD5 | ce25d7dd7d7e34dc5b92d25861cc2947 |
| SHA1 | 6f459ce6d14b57ff1f9b5f9271a29a7dab59f880 |
| SHA256 | d8a5816494dbfc96b41c00913f4d61c30ebafd454b5d7107d3a876a2dd1dffe5 |
| SHA512 | cb0f3b6c24da47fb8458726db4341973e3f6ea5f738988b4c084493605662a0de330304f3369db0454a48ba28e9381de5be2a23e3f70508b19dff61fa9f81d7a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\asyncDB.js
| MD5 | e377ef2d419e60d15b422da1295201fe |
| SHA1 | 92a1fea50dbb2853c5ebd95a039a5fe9ffae8c02 |
| SHA256 | 3277002ef6bf5cce6c956dc6e0638c6091351b723023bb63416e60a034c1fe17 |
| SHA512 | cdca13250f0658cb17d217d8b898ed41ef256b8829c1e572ea2b966e6d5c23ef122274c192147e3387b4503a4230543eed4dc34a30fd14dbdb6d93b745b88626 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\fileManager.js
| MD5 | 81b4df8409320d739e70e9d4cc4c62f7 |
| SHA1 | 7f5e03ed6d5d66fb9a0d052761731d302df21eca |
| SHA256 | 7817b095e2386aa2aeafd5a7c3b0b974efaab2c71f0b3833ad344ff6c80d1e08 |
| SHA512 | c0839504db12cc2dafcc127cb0d25e29f1393c3d7b7ef6a74d0e5ea9656b9894cb7e7cd8c244eca2fa00b1df414bfd0638c22d37cb1049ed51e905a966417720 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\browserAction.js
| MD5 | 60c4db63eb127e64d24f7e9f37e43efb |
| SHA1 | dc799abfd6c2538d0b37e85936e9b80bac02badd |
| SHA256 | c11736a73ed063efe51c0fe49d236bdf7d3972ede001763749ed060b1b028581 |
| SHA512 | 0dc9a6349d4bdbb533b4018ad768ba26051477f50a7f47d3ddf0b921bb05176d4133a2ddac2f1013df468f130aeb27b950fba9e6a8367ce206d8e8c8f67bc0e1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dom_bg.js
| MD5 | de002d9604f09b376b85159f289b75a3 |
| SHA1 | 5c6c4ad17b914118f387863ee5982aa52ac34c09 |
| SHA256 | 0e095eb0e16c343ac812721b182bea66498fca55ecd899ab5eabf9e0afb792ce |
| SHA512 | a29071d597111b9e7335e5dacbaa19715950fe03072eebdbc15bcdd2021958d30522e4af00fa711059d0337f4af4c4913664ecf266177607228138c4cc2157dd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\tabs.js
| MD5 | 7d8a2c2c54f33325eb30368eba7564df |
| SHA1 | 72e5449067e0c85242cb28c8069cabd547908d50 |
| SHA256 | 34989f3c20224496c68d06621e67628d3ab4dd5d558175593710c395369121ed |
| SHA512 | 22ff2058cbd8d2eba7ab56f6990ff9184932cd4aea29431a971d5e947758a69438d041b1cf19b5fa1942e83b14c6df54e625d3c69a03149dab40ee407134fc91 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\update.css
| MD5 | 36ab40a4b899472d25a3c872a7f9ad4d |
| SHA1 | c29870d67d954de9c5c32783ce28cf7f77d13ec1 |
| SHA256 | 4f0795bbc78e195bd977cf489c05543ac86bd10f95fbb83a5db11b17c7d7f664 |
| SHA512 | 9626a7a269acebdbcacd31f4d5e4f70e57873cbd8eb4e835b2d4b52c863fecf6a27f474124b508a0fed8614bc6e3165be38b0930c7a96326afbb23343cca514a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\popup.html
| MD5 | cbdf4e688981915b95a3741d0c9d5fe5 |
| SHA1 | e4f188d057f04638443eab966002e7feb63bf61a |
| SHA256 | af11066b4ff2a7d851cf85d97b655557240303c89b1615ca0ad753926af3602c |
| SHA512 | 9f83da8364e3722ff64c6feda4bd7acea4bebacce479c01e7be7ac59298c0907a3a6041c8724f40e8fdbd1056cb80e1450676eff581b1227b22a4747083ec451 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\skin.css
| MD5 | 4bd957ddde2bb2e537060afcf55f1f72 |
| SHA1 | d0d4cb8fd259bde8e297fb68326c6a4a1bd6ce4c |
| SHA256 | f3fee308a875a4d7cca4cea16ce548dd652df2f10ea8dd2d1aa11c2ecdef4b0f |
| SHA512 | cd103bb1b7f1ccb2a483d8c974150d5b32676616d325564615da1e09b024e821a0df4a1e815f8b7dc7a6fd0eb1e70156bb186bd452040070036f96958e869d92 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\panelarrow-up.png
| MD5 | 752c26453dc2fc989ed46f5920328edb |
| SHA1 | a064ccc009ee36c20dd5a8aeeab1a335bf82bda2 |
| SHA256 | 758210b28ee3298facef83c81272ef4121f337392ef5bdd44e47222ec4966beb |
| SHA512 | b0c3c58ca36e7dfa9988bd68a0432b01db020420e3406653ae8521cded576ebedb9169df93f1a9dc461831a52c0297854fdd23554aca551d246de01d17db80d1 |
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
| MD5 | e2236f4df18b245c4428767eb7001bd8 |
| SHA1 | d091f299951ca8ade7bf03ae84ca3ca1ab2307b2 |
| SHA256 | 3d98372fbac56338b06f24aeac4f52cbbcc4977d2f7d86adfb92cfc1a9d5607e |
| SHA512 | 8ba872180043d2596328cad3c9eb7681d184a6574ce6fa8c7baef346ad9098a0b8d13b20a6df212fa2590caa750cf71cec99e4dfd62984fc3396d56a29c9aa84 |
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
| MD5 | c1d9bb540a5cf2b8e335311c247bff92 |
| SHA1 | ac2dc11f16ec71ffbeee862afd72a41787e6980d |
| SHA256 | 3a55b9b3d0226e810e33dea581f40cd634580bffc6edc591e67df7153851296a |
| SHA512 | d623827fe626447745be95e16599a6b6d8ed8862ae30c80226f9434c5f3293f3422f0fb260f417519a50514f97334bf25a84ed51ab9e43f76faa12556e8d36af |
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
| MD5 | 6aeaaedda1949deb7c40b09ddfd7ed09 |
| SHA1 | f3d35bd0edb197845b96cfda824c96cf77e79a7f |
| SHA256 | 31804e16546b6b9d914698c6c5cb4bea0c0a8ba27bcd085abd5a83119f23f0bc |
| SHA512 | 24b3ac81b4634c5e81fb6ab28e727d2b99220cc67c5ba84bfd486f4276a10dfc57335a6cd929f513134d04023beac4afe9c152c2f2d2226eab733a54ee558d17 |
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
| MD5 | c0228d656c703062404bb811a2358892 |
| SHA1 | fa32581dfd2ffb9386c8bed36bbca46363d5c996 |
| SHA256 | d39b7e365de13379ca4dd4f2bcb0f83b4d85c383912cdcdc7fda23ae1b083ea2 |
| SHA512 | 3f5b07348e5268e1504b394b9c5aeb6aaea6d3c774b3550d170c341fb05f41ce990e973b1f6955175f021335acf540bc813804cd35735fda332b967aae91118f |
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
| MD5 | 96217006f4ed6618c41c27ddc4410a91 |
| SHA1 | 391cf6d7bd90476855736cb1cc22d857c56e2e0b |
| SHA256 | 9983f6e68b7243a97b90ff21e64c30bf28831e7dbfbd1ee5afde4f806a74448f |
| SHA512 | fecd7ceb050c98db247a238c519d28ba42fc62db98b25b30c80b97db153a9ff638bcdd4a1dec71addb8b78cd8250972639e935662c27edf0e8f84f6af2c10938 |
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
| MD5 | 062e75c38b5a59b16287e1ee8685cd44 |
| SHA1 | 3da718a9ae0058642d6b8e3da6e86dd9a527ddc5 |
| SHA256 | b7ac77b1c6bba01fcca0790ccc77196ed7ab013c95613c40b302055d96693f6e |
| SHA512 | 52dcb232a7658c2ada16d5ead10d28f0c489b8c21284f84b1ed3833f2bd5c6d7be59ec37d7c479bf04d70c86fe369278c3b4ba5bdf7d577cecdf0e4c487f6154 |
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
| MD5 | 8b017e3910261cb0c9d914a6abac5382 |
| SHA1 | 5e4400946760495478a72bd89bba9e88b37af589 |
| SHA256 | 05e97c8a5777931dbd1a14b3e08c7aab07e4c285b87efa1dae8bce0c4092dbf0 |
| SHA512 | 2014033ec17b776583f7c760b58d669763bdb89919657a7fc0240059dcda93f36ef5029379ce1a78dacc15f8a893294f2a06d7341fc4647b4e8736f53f5e096e |
C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp
| MD5 | db6aedf26ae4c857fc7580611882669a |
| SHA1 | fa53a2e301e3bf024159c99e40c8d72e86bc68b9 |
| SHA256 | 043263a827d1399a6a67c283c2dae406a399f7e976a95c897b20a5d70cefcd06 |
| SHA512 | 3872d09b4082cb284875ae318dd2d7fc87d074ea21dceef5fdb7165f47bf4fb67223ff20fcb344a483d624d2198ef189f8916bb42ed64a2643c877a22d7727a6 |
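The dropped-file list above shows a complete legacy-style Firefox add-on (install.rdf, chrome.manifest, chrome/content/*.js, skin/*) unpacked into the profile's extensions\ directory under a GUID@GUID.com name. Two points a responder should keep in mind: the install.rdf/chrome.manifest layout is the pre-WebExtension format, which Firefox 57 and later refuse to load, so the drop is a reliable artifact of the installer but not proof that the add-on ever ran in a current browser; and the per-file SHA-256 values above are the cheapest way to confirm the same payload on another host. The following script is an added example for this report, not sandbox-vendor or sample code: it walks a Firefox profile's extensions\ directory, classifies each add-on by layout, hashes every file and matches the hashes against a known-bad set. The profile tree is constructed inline (file contents are stand-ins, only the directory name is taken from the report), and the known-bad set is derived from that constructed content; in a real run you would paste the SHA-256 values from the list above. Function names are the example's own.

```python
"""Triage Firefox profile extensions against known-bad file hashes (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Extension directory name copied from the dropped-file paths in the report.
DROPPED_EXT_ID = "05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com"

# Constructed stand-in contents; the real files' hashes are in the report's table.
SAMPLE_INSTALL_RDF = f"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{DROPPED_EXT_ID}</em:id>
    <em:type>2</em:type>
  </Description>
</RDF>
"""
SAMPLE_CHROME_MANIFEST = (
    "content ext chrome/content/\n"
    "overlay chrome://browser/content/browser.xul chrome://ext/content/browser.xul\n"
)
SAMPLE_MAIN_JS = "// constructed stand-in for the dropped chrome/content/main.js\nvar x = 1;\n"


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large add-on assets do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_extension(ext_dir: Path) -> str:
    """WebExtensions ship manifest.json; XUL-era add-ons ship install.rdf and chrome.manifest."""
    if (ext_dir / "manifest.json").is_file():
        return "webextension"
    if (ext_dir / "install.rdf").is_file() or (ext_dir / "chrome.manifest").is_file():
        return "legacy-xul"
    return "unknown"


def triage_profile(profile_dir: Path, known_bad_sha256: set[str]) -> list[dict]:
    """Return one finding per unpacked extension directory: its layout and any IOC hits."""
    findings = []
    ext_root = profile_dir / "extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted((p for p in ext_root.iterdir() if p.is_dir()), key=lambda p: p.name):
        hits = []
        for f in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
            if sha256_file(f) in known_bad_sha256:
                hits.append(f.relative_to(ext_dir).as_posix())
        findings.append({"id": ext_dir.name, "kind": classify_extension(ext_dir), "ioc_hits": hits})
    return findings


def build_sample_profile(root: Path) -> Path:
    """Constructed profile tree mirroring the dropped layout; contents are stand-ins."""
    profile = root / "lhmx4teg.default-release"
    bad = profile / "extensions" / DROPPED_EXT_ID
    (bad / "chrome" / "content").mkdir(parents=True)
    (bad / "install.rdf").write_bytes(SAMPLE_INSTALL_RDF.encode())
    (bad / "chrome.manifest").write_bytes(SAMPLE_CHROME_MANIFEST.encode())
    (bad / "chrome" / "content" / "main.js").write_bytes(SAMPLE_MAIN_JS.encode())
    good = profile / "extensions" / "benign@example.org"  # hypothetical unpacked WebExtension
    good.mkdir(parents=True)
    (good / "manifest.json").write_bytes(b'{"manifest_version": 2, "name": "constructed"}')
    return profile


def run_demo() -> list[dict]:
    """Build the constructed profile and triage it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(Path(tmp))
        # Real run: replace with the SHA-256 values from the report's dropped-file list.
        known_bad = {hashlib.sha256(SAMPLE_MAIN_JS.encode()).hexdigest()}
        return triage_profile(profile, known_bad)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point the script at `%APPDATA%\Mozilla\Firefox\Profiles\<profile>` on a live host; a `legacy-xul` result is worth reporting on its own, since no current Firefox release installs add-ons in that layout, and an `ioc_hits` entry ties the drop to this specific sample.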
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win7-20240903-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1864 wrote to memory of 1916 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1864 wrote to memory of 1916 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1864 wrote to memory of 1916 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1864 wrote to memory of 1916 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1864 wrote to memory of 1916 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1864 wrote to memory of 1916 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 1864 wrote to memory of 1916 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 924 wrote to memory of 4796 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 244
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 228
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win7-20241010-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DownLite.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b043ded9b728db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000c1934af36f05b9a2fdb0947f12cfd683dbc87cda7b679b3e72c1efb37e9e53e3000000000e800000000200002000000009f975be850fa4acf3e6e260d1e20ba07a01df5c5ea4ee31c0c89d8457f64aa0200000000054ed9067efb7182658b7f78357417b841ccfb606039f94832d771c19d9d0d3400000007ee5f8d1da2da8b120f2fcae2d3480999713e0d225c903a55faa030c92a5711816d801ae0bbed52062196e1a72af2ee41e0f4176c7ef4389aac3d615abe36765 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{02E671B1-94AB-11EF-BA44-CA806D3F5BF8} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436226639" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DownLite.exe
"C:\Users\Admin\AppData\Local\Temp\DownLite.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.java.com/getjava/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.java.com | udp |
| GB | 2.18.27.94:80 | www.java.com | tcp |
| GB | 2.18.27.94:443 | www.java.com | tcp |
| US | 8.8.8.8:53 | static.ocecdn.oraclecloud.com | udp |
| GB | 104.103.246.175:443 | static.ocecdn.oraclecloud.com | tcp |
| US | 8.8.8.8:53 | s.go-mpulse.net | udp |
| GB | 184.26.44.174:443 | s.go-mpulse.net | tcp |
| US | 8.8.8.8:53 | c.oracleinfinity.io | udp |
| US | 8.8.8.8:53 | www.oracle.com | udp |
| GB | 184.26.44.77:443 | www.oracle.com | tcp |
| GB | 2.18.27.81:443 | c.oracleinfinity.io | tcp |
| US | 8.8.8.8:53 | dc.oracleinfinity.io | udp |
| GB | 147.154.230.206:443 | dc.oracleinfinity.io | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2208-0-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2208-28-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2208-26-0x0000000000400000-0x000000000062F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\PFKSITLH\www.java[1].xml
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\favicon[1].ico
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\CabBABA.tmp
C:\Users\Admin\AppData\Local\Temp\TarBABB.tmp
memory/2208-557-0x0000000000400000-0x000000000062F000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:34
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\DownLite.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DownLite.exe
"C:\Users\Admin\AppData\Local\Temp\DownLite.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.java.com/getjava/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98c7e46f8,0x7ff98c7e4708,0x7ff98c7e4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
Network
Files
memory/3940-0-0x0000000002400000-0x0000000002401000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_3984_NLNDLWUZWPXNICES
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
memory/3940-32-0x0000000002400000-0x0000000002401000-memory.dmp
memory/3940-31-0x0000000000400000-0x000000000062F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win7-20240903-en
Max time kernel
148s
Max time network
122s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\hosts\hosts-bg.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-bg.exe | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\Installer.log | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil.exe | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil64.exe | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil.dll | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-buttonutil64.dll | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts.ico | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-bho.dll | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\background.html | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| File created | C:\Program Files (x86)\hosts\hosts-helper.exe | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-bg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\RunDll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\hosts\hosts-codedownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f} | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4} | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65} | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppName = "hosts-helper.exe" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634} | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppName = "hosts-buttonutil64.exe" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppName = "hosts-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e} | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppName = "hosts-buttonutil.exe" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppName = "hosts-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppPath = "C:\\Program Files (x86)\\hosts" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\hosts-bg.exe = "8000" | C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID\ = "CrossriderApp0035382.Sandbox.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\ = "CrossriderApp0035382 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID\ = "{22222222-2222-2222-2222-220322532282}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer\ = "CrossriderApp0035382" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\hosts" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
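The regsvr32 rows above are a COM class registration for the dropped hosts-bho.dll: CLSID {22222222-...-220322532282} receives the ProgID CrossriderApp0035382.Sandbox.1 and an InprocServer32 path under Program Files, while the BHO class {11111111-...-110311531182} is tied to the ICrossriderBHO interface and the {44444444-...-440344534482} type library. The delete-then-create pairs on the same keys are consistent with a registrar that removes a key before re-creating it; they are not cleanup. Reading the final state off a flat event table is tedious, so the following added example (not part of the report, not code from the installer) folds the rows back into a per-CLSID view and flags classes whose in-process server sits outside the Windows directory. The rows are a constructed subset copied from the table above in report order; the column layout it parses (`| Operation | Path[\Name = "Value"] | Process | Target |`) is an assumption about how this report renders registry events. The subset omits the BHO class's own InprocServer32 row, so that class resolves with a `None` DLL, which is how the function signals an incomplete registration rather than guessing.

```python
"""Resolve COM class registrations from a sandbox registry-event table.

Added example; not part of the sandbox report or of the analysed installer.
REGISTRY_EVENTS is a constructed subset of the report's table, in report order.
"""
import re

REGISTRY_EVENTS = [
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ = "CrossriderApp0035382.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID\ = "CrossriderApp0035382.Sandbox.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
    r'| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282} | C:\Windows\SysWOW64\regsvr32.exe | N/A |',
]

# "Set value" rows carry <key path>\<value name> = "<data>"; an empty name is the default value.
VALUE_RE = re.compile(r'^(?P<key>.*)\\(?P<name>[^\\]*) = "(?P<value>.*)"$')
CLSID_RE = re.compile(r'\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})(?P<rest>.*)$')
FIELDS = ("Default", "ProgID", "TypeLib", "InprocServer32", "ThreadingModel")


def parse_event(row):
    """Split one table row into operation, key path, value name and (unescaped) data."""
    op, path, process = [c.strip() for c in row.strip().strip("|").split("|")][:3]
    ev = {"op": op, "process": process, "key": path, "name": None, "value": None}
    if op.startswith("Set value"):
        m = VALUE_RE.match(path)
        ev.update(key=m.group("key"), name=m.group("name"),
                  value=m.group("value").replace("\\\\", "\\"))  # report doubles backslashes
    return ev


def resolve_clsids(rows):
    """Fold the event list into one record per CLSID (ProgID, server DLL, threading, typelib)."""
    classes = {}
    for ev in map(parse_event, rows):
        m = CLSID_RE.search(ev["key"])
        if not m:
            continue  # Interface, TypeLib and ProgID trees are outside this example
        clsid, subkey = m.group("clsid"), m.group("rest").strip("\\")
        cls = classes.setdefault(clsid, {**dict.fromkeys(FIELDS), "root_deletes": 0})
        if ev["op"] == "Key deleted" and subkey == "":
            cls["root_deletes"] += 1  # remove-then-recreate pattern on the class key
        elif ev["op"].startswith("Set value"):
            if subkey == "" and ev["name"] == "":
                cls["Default"] = ev["value"]
            elif subkey in ("ProgID", "TypeLib") and ev["name"] == "":
                cls[subkey] = ev["value"]
            elif subkey == "InprocServer32" and ev["name"] == "":
                cls["InprocServer32"] = ev["value"]
            elif subkey == "InprocServer32" and ev["name"] == "ThreadingModel":
                cls["ThreadingModel"] = ev["value"]
    return classes


def non_system_servers(classes):
    """CLSIDs whose in-process server is a DLL outside C:\\Windows (unknown DLLs are not flagged)."""
    return sorted(c for c, v in classes.items()
                  if v["InprocServer32"] and not v["InprocServer32"].lower().startswith("c:\\windows\\"))


if __name__ == "__main__":
    state = resolve_clsids(REGISTRY_EVENTS)
    for clsid, v in state.items():
        print(clsid, v)
    print("non-system servers:", non_system_servers(state))
```

On a live host the same view comes from `HKCR\CLSID\{...}` (and `Wow6432Node\CLSID` for 32-bit servers), joined against the CLSIDs listed under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`; the registry table here only shows the class side of that join.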
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe"
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 2536,0335B568980546179F1B97EA3D61CA11,619FBD8A30D64455947AE2C7AD7F925A,2D8F34B5D60F427D898E693B9E9D0A5F
C:\Windows\SysWOW64\RunDll32.exe
RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 2536,77E5F59F864048429292FC661D8ECDC4,3C9E69623C2245C384B95456025C4DFA,2D8F34B5D60F427D898E693B9E9D0A5F
C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
"C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\CookieDbIndex.bat
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "INSERT INTO Databases (origin, name, description, estimated_size) VALUES('chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0','crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024);"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\CookieDbIndex.bat
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallerParams','{\"value\" : { \"source_id\" : \"0\", \"sub_id\" : \"0\", \"uzid\" : \"0\" } }','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationTime','{\"value\" : 1730064811}','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationThankYouPage','{\"value\" : false}','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO internaldb (name,value,expires) values('InstallerIdentifiers','{\"value\" : { \"installer_bic\" : \"064A3653DDBA436CAE5998D01F93EF8BIE\", \"installer_verifier\" : \"12b812e04d5086cf282a3a378e89d5f4\" } }','2111-09-11 21:16:31');"
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO internaldb (name,value,expires) values('chrome_enabled','{\"value\" : true}','2111-09-11 21:16:31');"
C:\Program Files (x86)\hosts\hosts-codedownloader.exe
"C:\Program Files (x86)\hosts\hosts-codedownloader.exe" /installapp /agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' /bic=064A3653DDBA436CAE5998D01F93EF8BIE /verifier=12b812e04d5086cf282a3a378e89d5f4 /installerversion=1_27_153 /installerfullversion=1.27.153.7 /installationtime=1730064811 /statsdomain=http://stats.weservstats.com /errorsdomain=http://errors.weservstats.com /codedownloaddomain=http://app-static.crossrider.com /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log'
C:\Program Files (x86)\hosts\hosts-helper.exe
"C:\Program Files (x86)\hosts\hosts-helper.exe" /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log'
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\hosts\hosts-bho.dll"
C:\Program Files (x86)\hosts\hosts-bg.exe
"C:\Program Files (x86)\hosts\hosts-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log'
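The scs.exe and hosts-codedownloader.exe command lines above show how the installer pre-seeds the Chrome extension's state before the extension ever runs: it registers a WebSQL database named crossrider_cookies_35382 for the origin chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0 in the profile's Databases.db, then writes InstallerParams, InstallationTime and InstallerIdentifiers rows into the per-origin database file (`databases\<origin>\<id>`, the `...\_0\3` path in the listing). The same bic, verifier and installationtime values are then handed to the native component on its command line. The added example below (not code from the report or from the installer) replays those statements against in-memory SQLite replicas and shows the checks an analyst would run against a real profile: enumerating WebSQL databases registered to extension origins, decoding the seeded JSON, and correlating it with the command-line switches. The schemas are reconstructed from the statements on the page; the id column's AUTOINCREMENT, the NOT NULL and PRIMARY KEY constraints, and the benign first row are assumptions.

```python
"""Extract the install state a dropper seeds into Chrome's WebSQL store and tie it
to the native installer's command line.

Added example; not code from the sandbox report or from the analysed installer.
Both databases are constructed in memory from the statements listed in the report.
"""
import json
import re
import sqlite3

EXT_ID = "nnlomafmkpiclmaaekkhpoecnclldmaa"
ORIGIN = f"chrome-extension_{EXT_ID}_0"

# Command line of hosts-codedownloader.exe as listed in the report's process tree.
CODEDOWNLOADER_CMDLINE = (
    '"C:\\Program Files (x86)\\hosts\\hosts-codedownloader.exe" /installapp '
    "/agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' "
    "/bic=064A3653DDBA436CAE5998D01F93EF8BIE /verifier=12b812e04d5086cf282a3a378e89d5f4 "
    "/installerversion=1_27_153 /installerfullversion=1.27.153.7 /installationtime=1730064811 "
    "/statsdomain=http://stats.weservstats.com /errorsdomain=http://errors.weservstats.com "
    "/codedownloaddomain=http://app-static.crossrider.com "
    "/externallog='C:\\Users\\Admin\\AppData\\Local\\Temp\\hostsInstaller_1730064811.log'"
)


def build_fixture():
    """Replay the report's scs.exe statements against in-memory replicas (constructed)."""
    index = sqlite3.connect(":memory:")
    # Databases.db: columns taken from the INSERT on the page plus the id the SELECT reads.
    index.execute(
        "CREATE TABLE Databases (id INTEGER PRIMARY KEY AUTOINCREMENT, origin TEXT NOT NULL, "
        "name TEXT NOT NULL, description TEXT NOT NULL, estimated_size INTEGER NOT NULL)"
    )
    # Benign registration (constructed) so the extension's row does not simply get id 1.
    index.execute("INSERT INTO Databases (origin, name, description, estimated_size) "
                  "VALUES ('http_example.test_0', 'notes', 'user notes', 1048576)")
    index.execute(
        "INSERT INTO Databases (origin, name, description, estimated_size) VALUES("
        f"'{ORIGIN}','crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024)"
    )
    origin_db = sqlite3.connect(":memory:")
    # Per-origin file: the REPLACE statements name (name,value,expires); PRIMARY KEY is assumed.
    for table in ("cookies", "internaldb"):
        origin_db.execute(f"CREATE TABLE {table} (name TEXT PRIMARY KEY, value TEXT, expires TEXT)")
    seeded = [  # JSON exactly as the report shows it, minus the command-line escaping
        ("cookies", "InstallerParams", '{"value" : { "source_id" : "0", "sub_id" : "0", "uzid" : "0" } }'),
        ("cookies", "InstallationTime", '{"value" : 1730064811}'),
        ("cookies", "InstallationThankYouPage", '{"value" : false}'),
        ("internaldb", "InstallerIdentifiers",
         '{"value" : { "installer_bic" : "064A3653DDBA436CAE5998D01F93EF8BIE", '
         '"installer_verifier" : "12b812e04d5086cf282a3a378e89d5f4" } }'),
        ("internaldb", "chrome_enabled", '{"value" : true}'),
    ]
    for table, name, value in seeded:
        origin_db.execute(f"REPLACE INTO {table} (name,value,expires) VALUES (?,?,'2111-09-11 21:16:31')",
                          (name, value))
    return index, origin_db


def extension_websql_dbs(index):
    """WebSQL databases registered to extension origins, with their path under 'databases\\'."""
    rows = index.execute("SELECT id, origin, name, description, estimated_size FROM Databases").fetchall()
    return [{"id": r[0], "extension_id": r[1].split("_")[1], "name": r[2], "description": r[3],
             "estimated_size": r[4], "relpath": f"{r[1]}\\{r[0]}"}
            for r in rows if r[1].startswith("chrome-extension_")]


def _json_value(conn, table, name):
    row = conn.execute(f"SELECT value FROM {table} WHERE name = ?", (name,)).fetchone()
    return None if row is None else json.loads(row[0])["value"]


def seeded_install_state(origin_db):
    """Decode the JSON the installer wrote into the extension's cookies/internaldb tables."""
    return {"params": _json_value(origin_db, "cookies", "InstallerParams"),
            "installation_time": _json_value(origin_db, "cookies", "InstallationTime"),
            "identifiers": _json_value(origin_db, "internaldb", "InstallerIdentifiers"),
            "chrome_enabled": _json_value(origin_db, "internaldb", "chrome_enabled")}


KV_RE = re.compile(r"/(\w+)=(?:'([^']*)'|(\S+))")


def parse_switches(cmdline):
    """Parse /key=value switches (values optionally single-quoted); bare flags are ignored."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(cmdline)}


def correlate(index, origin_db, cmdline):
    """Tie the WebSQL seed to the native installer: same bic, verifier and install time."""
    state, sw = seeded_install_state(origin_db), parse_switches(cmdline)
    ids = state["identifiers"]
    return {"extension_dbs": extension_websql_dbs(index),
            "bic_matches": ids["installer_bic"] == sw.get("bic"),
            "verifier_matches": ids["installer_verifier"] == sw.get("verifier"),
            "time_matches": str(state["installation_time"]) == sw.get("installationtime"),
            "chrome_enabled": state["chrome_enabled"],
            "appid": sw.get("appid")}


if __name__ == "__main__":
    idx, odb = build_fixture()
    print(json.dumps(correlate(idx, odb, CODEDOWNLOADER_CMDLINE), indent=2))
```

Against a real profile, copy `User Data\Default\databases\Databases.db` and the `databases\<origin>\<id>` file first (Chrome keeps them locked while running) and open the copies read-only; the installationtime value doubles as the suffix of the hostsInstaller_<time>.log path, which is the quickest way to pair a profile artifact with the right installer log.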
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.opencandy.com | udp |
| US | 8.8.8.8:53 | api.opencandy.com | udp |
| US | 8.8.8.8:53 | downlite.net | udp |
| US | 172.98.192.37:80 | downlite.net | tcp |
| US | 8.8.8.8:53 | v2.irismediainc.com | udp |
| US | 172.98.192.37:80 | downlite.net | tcp |
| US | 8.8.8.8:53 | stats.weservstats.com | udp |
| US | 8.8.8.8:53 | app-static.crossrider.com | udp |
| US | 8.8.8.8:53 | errors.weservstats.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nso87C7.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\OCSetupHlp.dll
| MD5 | 9e4e850e12f2f4f869b2491dbbb17ceb |
| SHA1 | bd89581a89604b601c817ea680c2a224b46737f8 |
| SHA256 | 4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6 |
| SHA512 | 9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5 |
memory/1864-14-0x0000000000190000-0x0000000000191000-memory.dmp
memory/1144-17-0x0000000000200000-0x0000000000201000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso87C7.tmp\InstallerStuff.dll
| MD5 | bcbacda49fb2c44fee595cbc82036242 |
| SHA1 | a33356996c7b3e032693bb373bbde2acf72cc469 |
| SHA256 | 77ecf5896f33bbc002f00dd4742c00a20981bbc618563e49f34ea8f740da890d |
| SHA512 | 18c44cedb9b0fbd301ad9cbe5ebafe66d16380090baa41697f3224a5086313c61420730e8a5050fa7de31e2f47dbd21259d6758cf84557e0c34b901a93c4ddc0 |
\Users\Admin\AppData\Local\Temp\nso87C7.tmp\nsJSON.dll
| MD5 | 292aa9f95a7f081625056c497078159a |
| SHA1 | 72076f3eb146ab7ea2b3dd0ef6a63c06f86d64f1 |
| SHA256 | 18f2b2f20c65a022a1c8aaf776b4c9be6c193b73c2079d9d65d56b802fcadfb5 |
| SHA512 | 87f83c3bbcfedd98364b5d0209f912e66c72d43eb887438ad9735c078e6d1f6ea12566a75f0b652602bbd9f0608ce7148dc1703821f2ab6b366f061b8a58d910 |
memory/2536-28-0x0000000073EA0000-0x0000000073EAA000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso87C7.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
| MD5 | ca023e6709a718a4917df6f3f2c8bbf7 |
| SHA1 | f9b989d482562796c8c95d124e52bd9e4643d32e |
| SHA256 | 6df47c38d9452173201fb301c3a7225221d4cafeaf07a3edc1dae9ea6135b86d |
| SHA512 | 23e813a6ac93394102b9448a3b5b3e41cf7eeb7eb683edaaf56335bd4ff3ac45884c6e0e10c7c0a9d8cd7f472e58b45e57d32fdcac819659c22e3dd547ae4d03 |
\Users\Admin\AppData\Local\Temp\nsoA556.tmp\System.dll
| MD5 | 00a0194c20ee912257df53bfe258ee4a |
| SHA1 | d7b4e319bc5119024690dc8230b9cc919b1b86b2 |
| SHA256 | dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3 |
| SHA512 | 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667 |
\Users\Admin\AppData\Local\Temp\nsoA556.tmp\InstallerUtils.dll
| MD5 | 156e15e3dfcc2f2ff2dbcc373fc11f53 |
| SHA1 | 5ff52623dedd7efefac54dbd31b5d1bdf0f3e799 |
| SHA256 | 4618571c27877641f83bfb312aa5b66ebe4a8954dc898ce4e640aeaea4dc0693 |
| SHA512 | d4930f0b49dae5386a92124b954d1b82921e07da2a9ffd9d854f6ab6f03473e591d3b67f0aa8ea19f83b480be705d829797e62825fda50ffb074bd4734b265b4 |
\Users\Admin\AppData\Local\Temp\nsoA556.tmp\StdUtils.dll
| MD5 | 21010df9bc37daffcc0b5ae190381d85 |
| SHA1 | a8ba022aafc1233894db29e40e569dfc8b280eb9 |
| SHA256 | 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16 |
| SHA512 | 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e |
\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
| MD5 | e92df8cf0d3988c26395a390df381024 |
| SHA1 | 2ad26f6562595e6e16cf2bb468213099a7583aa1 |
| SHA256 | c4927a7adb6f99589eced1b4a6e4056f52245ae3015b927d70622121270be5e1 |
| SHA512 | add4d7c17bebed385024360d59f72e86d6af8bfa275f8e76aedc57a318828b2482ea3b1d272a98bca337b4bcf79aa6621cf1e00efea406f92e04c1d7a56f098f |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\nsislog.dll
| MD5 | e47100b70748fc790ffe6299cdf7ef2d |
| SHA1 | ad2a9cd5f7c39121926b7c131816e7ba85aeead2 |
| SHA256 | 271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144 |
| SHA512 | 88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93 |
memory/2820-79-0x00000000004B0000-0x00000000004C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log
| MD5 | 2aade1db6fa9a619eecc6f15ee93ed1d |
| SHA1 | 1c5085959dff58078b5447ac68481aaab24b5008 |
| SHA256 | 8e3a7f686ed6922320d92f0bd365eb6b91f2f97eb000070cc67013f4b9ca5777 |
| SHA512 | a000dcb0d01d85cac97777f6a01c0af8932ec1b3c60c9ca3f0c63d4570b814ae8d1e915a955fcde2d8c7aa658466219752d8212dfefb0bf15d39090a6a0a5ad2 |
memory/1864-193-0x0000000000190000-0x0000000000191000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\nsisos.dll
| MD5 | 69806691d649ef1c8703fd9e29231d44 |
| SHA1 | e2193fcf5b4863605eec2a5eb17bf84c7ac00166 |
| SHA256 | ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6 |
| SHA512 | 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log
| MD5 | 416a85023798baef3f80344a7401fae5 |
| SHA1 | b3dbba9dccef51de5d36a0a2fe26a1e59179634c |
| SHA256 | 634e44c76e71f5102db18e28371030909107f7ff6b111ec367a602d55de20a5b |
| SHA512 | 0bb5bc8ba3049e77c8f037fb516872d15d65cb2fa87d79c0ff39f90f83347d375fb783bd523d6358bd062e87806653c6c05a83e63d7791c1e45c6d716f04b547 |
memory/2820-268-0x00000000004B0000-0x00000000004B9000-memory.dmp
memory/1144-267-0x0000000000200000-0x0000000000201000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log
| MD5 | 88c338bf944d8e20ec513f9b8ea514a6 |
| SHA1 | b3c42f05549c649bb0eb241f78862e542f26036e |
| SHA256 | 1eb103a68c378906deb81cd058045bbaca0a5c8285e5cf10e5fcdde55a921e56 |
| SHA512 | 48c0bf2c4b87e3004b27a2984860576e8212dd71eac604113fbd69ab97c835d3db4fed8abbd713d76130ffbabed8d9da0a543af7ca3c740c1ee6a075f518dc7f |
\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\md5dll.dll
| MD5 | 0745ff646f5af1f1cdd784c06f40fce9 |
| SHA1 | bf7eba06020d7154ce4e35f696bec6e6c966287f |
| SHA256 | fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70 |
| SHA512 | 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da |
\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log
| MD5 | 1d8ed9b89fe6772d4cfeedd0358edd73 |
| SHA1 | f36d00e85b1dd19e9593b4a2ce64dcf670d35aa8 |
| SHA256 | 9ec16df66924b7d09db16c7d535babf438d2cd4d11dc9c42e5f54b1be2a281ed |
| SHA512 | 9480c40fda41802f376f1540fb95d526f15e8978a5012c4b087bf1944ffb00fb690033820c0b37780640eec8eb49e5b3242023a7e6445b25bb0d35f38228dc29 |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | db6715bdf5b2b5e760fff6f6879f20db |
| SHA1 | aad3fbb9da6c7515c4bbb8602362bc03f6b0a4c9 |
| SHA256 | 65952c10bd4d364832de4e56c2e161501758e88fea26df146e3a28d42b30f44f |
| SHA512 | e3842ebea66e4f696db71b57ff6b4714d68acdaa8b38e5a83b3f4e086c45a08a5a47f917a6688ddaa21de97e7b91e157edeefaf4366833ceb286f390e093be64 |
memory/2820-422-0x0000000003D10000-0x0000000003D3D000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\icons\icon16.png
| MD5 | 5fabc6d76523647c4b48b51fbd517408 |
| SHA1 | 4d009569658443968cbca3516949c9632cbd25ae |
| SHA256 | e17f7fa24d6ecd81bc2abb172a0c1eeceff830867ea45728eb93918eeb4c607a |
| SHA512 | a6720e4ff1a68074e76d3d744bd45584f76c4b209a6b3badc82361dbb30b19ff1c5aeb30276b9ff991f3069e37716134400ae2fd85b209590db5a2e0ef3f2bde |
memory/2820-518-0x00000000005B0000-0x00000000005C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\CRNSISPlugins.dll
| MD5 | e95a1945663079496ac8f6374bf08d44 |
| SHA1 | b4b35eae891b2e06b1f559b12587b6ca54c3e82c |
| SHA256 | d22c4dba24a3fe2fee0e5e22bb1744b8b11e8e3dd4190267a9086c9efb514537 |
| SHA512 | e4140888236bc2759e09941c51f8f97be2a73ab996c60e4dc6e25a61d8e59f613f90fc9bb8c073ed0d463c0f91951fd04f20d272ec5383fd0ad2d5450abbc972 |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\CookieDbIndex.bat
| MD5 | 986cff55f4882532b426067f811d3c7b |
| SHA1 | 1b70a21835aab5c9c5d942d7f549c91dfd347ccd |
| SHA256 | 7a05a2f992edf572e7d6571359620958f9dfd48af674228bf719a319f3ccabd1 |
| SHA512 | ffbc95d67339e5e049d0d45e5744403b254794f66f02cc254685e91b2cd288cc8df79eacba3e58ec656934c9fdd3d62534f402c53a04567a6ff4f16bfec6360d |
memory/2152-558-0x0000000000400000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\ExecDos.dll
| MD5 | ebcf9f71d804abab3c2e5ce4c17dc22e |
| SHA1 | 17d13084e75cbfa5fbfdd0025e9a0ee5772ae765 |
| SHA256 | d387b725afbd2a6f9b44999278d21025fae55b391e45f7751b88dfb13511a993 |
| SHA512 | 5576396c2d885c039668d7f401eeee583eb4de39e8497c3aaec32d47f4417a522fe6786c111d50a5fba7570f50e84144ef3a8aea42677d170e79114343c3a4a1 |
C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log
| MD5 | d38899fa5fde95065ae38410076285e0 |
| SHA1 | 7c183199d495d68f2f6906a702e5e00da9dc1df6 |
| SHA256 | 7061de1c9b359adc13b233348f41dcd06cc62ad64f05e48acee0423e656b8d71 |
| SHA512 | 8b9cba45747ba325130154d774afb5b5a8232acf543d87c9faa2243c406f7b95e7119c05fc973e3f5e911f73679b4c03c53747323fa0fef9f9c3c27ce704d6fd |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | 8ee8dfabbedf837a740ed2d1f19d6768 |
| SHA1 | f9462110b9623b63116387a3be9cf146845538c5 |
| SHA256 | 01fcc24c1d9d68fcb99b7bccc254e660d4f01c6d0f5bf37af3ac0626912ae9d1 |
| SHA512 | 8b6b802ecd54be30bb1ba9907912d81de174c4fc8470533e9cf5380cdfcda1c62a4893ab75108a598508791e540b92d592a36757ca6e3f9e66d479162b929c74 |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\ZipDLL.dll
| MD5 | 2dc35ddcabcb2b24919b9afae4ec3091 |
| SHA1 | 9eeed33c3abc656353a7ebd1c66af38cccadd939 |
| SHA256 | 6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1 |
| SHA512 | 0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\extensionCode\pageCode.js
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon48.png
| MD5 | 12e783f1b55f54b719444e958d0f654e |
| SHA1 | b147828f4af4fb86da89b0219ea7ff2da1d84a1c |
| SHA256 | 8b1bc99525aaa27b37216beda75ae7b457e0d8792b91506a736e7415f67788f1 |
| SHA512 | c44bb389bda5dba024c57cd4601c3dd5fe35a992c973eabd63aba4e8fb1e221e31ae06ad6e459b6c808f469fa14163722a11acc0624f43d797e5377e5e4486f6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\button5.png
| MD5 | 8b1eb9cb80417ec0022d278a44ab1dc7 |
| SHA1 | c49eb73f79e70b8ed96d91ef62f0bc344e41219a |
| SHA256 | e358d97ba4c51b987fe73ea0ac0f14f9b2375e299f3e859fc37c21ab8b051ee6 |
| SHA512 | 0324f2785d09f04c5be9ee77f1cb80a7afe06d66672baa862f63ec8ac59a2ae58199db91bb28e18409e918b222dcf09269013a270284213473ffa974d842c7d7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon128.png
| MD5 | 68447a995095517de966faaaa441320d |
| SHA1 | 4229b0c045b7bfd1546cdc1f4e38c68135326fba |
| SHA256 | f4223da0667e669eedaf4878678dae1637dec401ff7bde29dd56b8d1fc4e8d3c |
| SHA512 | f52164a45b182c10bd36dd9fe34e5c047e8d55b6e86eaf4726efa40ef159ef6f586066b1660f45b2c6bd987f8ca90d0039e857e066db209837d9aaa1e8defe65 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\install.rdf
| MD5 | d9714eb9c7ca8d6f12da011cb85a91b9 |
| SHA1 | 083b561967c9354264d1eea9fb5c7e0bbe41e81b |
| SHA256 | 167c43e0790c97ce7d1c76969c37a8e314016b22ec5d10effabb7bc17d5c6499 |
| SHA512 | 70cd919b42e7b7462261f1a46277786f92152ee3d9d07b021b7c44980e72051c2fce60a5488a192be87941a22f6563b9f5e475ec3510e097ebcea28ce1aebd44 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\locale\en-US\translations.dtd
| MD5 | aae23d78c89bb64103e8d668bff80223 |
| SHA1 | c0903224a450ec3b506ede665b2fd8624f94aaf6 |
| SHA256 | 10762cb296f01536427e6592d4c79b08ac48b1c45d12e7b36aabcdd3c1bd299f |
| SHA512 | 79101b2fcaf52733b9f29607f15c4679c6ebb9edbe9caa44b3e138333737b5b1302aad9e78a788601b9d8c8e7355fc85e02b2d5f8b00c32cafe0d54a5c7b6d1e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\defaults\preferences\prefs.js
| MD5 | 260967b62a302147d44c771cdc3d2c9b |
| SHA1 | fb83a8ccd8facac7c9edba98f6ce04274de8e903 |
| SHA256 | 86cc451482895a5969813477f72812ae03fe462c7a11fb6f106d67905565f5ae |
| SHA512 | 18ca7c6d42fd4fa8f63f66df11b1f6c543c23420e11aa754d272a96e58a6665f7ebfe02d208cc3f92726998d4cecfa23ebf39a0e6ddd897b4196fd6a6172a84b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome.manifest
| MD5 | ba60b7b3decd2b1e30e55e4301e20de4 |
| SHA1 | 61ee703b552a8826fe1086ecc5abee4d45bd92c8 |
| SHA256 | 05c4744db6cacb64b25a23eff0c748ac24e6fb74e2791341cb26e154861e598b |
| SHA512 | 8893279ca4f4dc3ac4f4c91da402a759663b2aa3a5e2ac779be03fb3a242054d80c951c4d103faaa02abf103bf58d173fc50c417b0505cc918190fd718280fbf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\dialog.js
| MD5 | deab4dc957c13108352c4f014b242353 |
| SHA1 | bc63ae0c5744a1ad67821937873d1829ed64bb06 |
| SHA256 | caf871b1b90ce840acddd2cf04237dff5d3a992dce765a3996f630c669bd728c |
| SHA512 | d1c59e171fc40e531e2a70542688d0c6d300e2cb9b68bef7b88d5ad35c985e6b1773c437a746215dc63eae185307441f804ea265ac98ea842cb0caf58056e784 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.xul
| MD5 | 275186e0a6d4ddabbf8bc8d1b00add5e |
| SHA1 | e4b57588e9be7de99e4b057801977f3614bcbf9f |
| SHA256 | 9a36a603d325f00e102539ec8a5409b1b65318145fdadf70bdb8a429af471fd2 |
| SHA512 | d06d14889c105e5440232ddebc2bddea8061f6e040fd35a46c4a1858d6fd60d4397729160f7de0400c3cb556419fe6b3272b5ec20368a6cb0f68fe1589ea2e39 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\background.html
| MD5 | fb162e226ced64d0b4d6e53ed9f82eb9 |
| SHA1 | 2b1d6ab496785d96ddcfc712a942a0d1de8ef018 |
| SHA256 | 3f20ea55cdb879a1babf8ac3372e2cba7bd21586017e7e22dd49050cb1d03140 |
| SHA512 | 864650849cdab6609f2219960e04ba33a1878bda8b76c326d08fb5ad5410b2a54e9c84c5c1a22efaba832e16e549fc2a7f59421b65db9f9566fc7c118f44daf0 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\search_dialog.xul
| MD5 | 68e04f0a85d4cb05c54f268e5e59fdc9 |
| SHA1 | 2a465323fb0d697226d481be9c599f94d62fd150 |
| SHA256 | d61aae08a32e9987caf41d35bad06f2a2cee4bc094bafca7afec0648a2edd1d6 |
| SHA512 | 2853de596d4a669fc6e13646524646277a74743c81077f1ae6ed40d1972ee621a1e7522b1a017b55c1cc578831503b864020d26d1d992c1aba33afa4d34d5c9a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\baseObject.js
| MD5 | aaba4db5965550fa33599a2888151785 |
| SHA1 | fb472dd90e55164f05774d9778e97a644ed2628d |
| SHA256 | b0e6494d211fdfc5b0eb3f6668ccbdfd8f99d065440e4c60776e32e1b574ff44 |
| SHA512 | 19d805ec4989b4e9eff4c855c4ae871dc81346f801392e06229d0e359f96e16e05108e0ff4c6207f9fb72c40a9e6aa9aef4069c7c730bd02c316b8f4d597914f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\main.js
| MD5 | a5be5ea81e0b1653d3fa31600a0a36e0 |
| SHA1 | dacb7a24b99dfb9dd4541b00e4241db7df7a219d |
| SHA256 | ae4b7f033e53b8887c054e25fa6d3e7d754e2c97011632940685c84011e478f4 |
| SHA512 | 39c69767688b0e483844b3b03a849a5075e2ae520559c15570b4509db1d125c2db43e7465193d57b9b7773c543c1e7c3dcf9247a402da7c8f0d87790226799c3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api.js
| MD5 | 311200eb1ab011b88c0e9545a4d2d049 |
| SHA1 | d22bf13518c77d46e45d556adf6244a251ccd3a1 |
| SHA256 | 6e8e5a4e707c5a0b8146387b44c66cdbd33a6e48c985e3800f9dced605f69545 |
| SHA512 | bca612da6341a485b4fdfd02197f02347b30e2b7cd0a23ebabdae6140de827af205afe59c62ab50749880593358e59a238d627523ba1fc81fe08cbee54553939 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\browser.xul
| MD5 | a82c0de0f37da22a6e07ff2077e8f318 |
| SHA1 | ae361ae3f52c2f7240c6275a6c40166796107c30 |
| SHA256 | d0ef8d510db101253558497c1ebb21410da1f44653d59362cca22e55b5025172 |
| SHA512 | c3e8917e8f3eccbd9e2580edf7c009010aa76446d92f8cbf073b4072e483187b413580ae91d51abaeb7f8eb6eb8c01bf914c4119a1ba1878222ec03bce542bff |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.js
| MD5 | 80297932a5645e651b2bc05c65cb8cf6 |
| SHA1 | dfb36a890b134fc09bb003c583f93c978e717f7c |
| SHA256 | 12bdfbb75c0b57ed66756b12d52a8538ca83eae7f5c5c3574af3f24a0d38a78d |
| SHA512 | f5e97c10ce845990601e0d1889bc6173888a971297792cf85d10f6fd77428c445f81fff56af0576bd365abb22583d43dbaad3cf958e01596bd904b72f893a275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\xhr.js
| MD5 | b4a678cc9885730cd03de0d100bdcc25 |
| SHA1 | b0771a929a9624c256b45124e6f0c999707380e8 |
| SHA256 | 9cf418b2562821adfc68368a469d843e7dee0f0d087a45866c0d8279c52fcb29 |
| SHA512 | 9caa0eaf2eb874d683c41f37265232630168983969e2a64dc666add6a4c3c5e82aa316489f7a3b383da5fc52efa4ea705eeeca39528c1c1c7b9dc01058e3189d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reloadObserver.js
| MD5 | 0587e06fa0fb578c220245ddb95f7411 |
| SHA1 | 52df8780d25418d6fb90725c9816080e01bc5024 |
| SHA256 | 9ed7606361daf6580e6ad953e7c60e33ab4dfb0e07087c577aa4c9475276ed4f |
| SHA512 | 0a1ffc4cc91ba10c0998f7f574ae1f5a9f2010b4ab62610d780ff0ad72078f9d610a1bf906e5e8270d6ef68b9cc3d439a333757ab7e9fc32609cf2bec4271b78 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\searchSettings.js
| MD5 | b1d1b15628eeab4bd8ef82bea8b9110f |
| SHA1 | 845cbc7fc818ed1879cd3f53535fb1a0c951e2fd |
| SHA256 | 594d3976d286423db7a94be62ad9bbc5ca9d5144fb94c7f061f4a2e14e5b82f5 |
| SHA512 | 6900766534d55f79c75fc53a7acd156ae4d53a336ef79ad8d8fb2b2be45c92233458fdfe971f0502b27e83848b35892ef58851b3b39e90aee1ae52fbf337f159 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\pluginsManager.js
| MD5 | a92e9ce9e1e0ad01baa684c419ebbb8f |
| SHA1 | 850271a386aff13b2d2f16d3e70778cc8a655519 |
| SHA256 | a00e24fe9cfbbba7fb75c930449d86250c96644755fa3c78324fd7aa3eb04f9a |
| SHA512 | 469819873a662072279265323d2c5585137958387599bbd10c11a12c0e924b71232f23714b3e8f1690d6cfd1d27fd772d11a4cd3ef8afd94db9a7eecc228cb17 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\prefs.js
| MD5 | e7ae2f5a14532b1b645d14bc04e4a12f |
| SHA1 | 592ba96aa9d7e448fe67e92228442f9312c1ae32 |
| SHA256 | 6b97194d415ded6da5abcec8566073bc3714d2915ab48b2f96e4b5ca72043b67 |
| SHA512 | 08cdc93db5de34e288449096f7c960a4a788ca73b436e2769a108fd2a479e59f26d79605d19422e73d67ed623a63952ce8103c166e68bac2ac78bae03192db10 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\registry.js
| MD5 | 769dbc56827458c72b7ad8098c91e7f7 |
| SHA1 | e8dbd8c650c6e35e064bee32e93200f713ea94d8 |
| SHA256 | 2ff6758a857e848cc6d30ddc02d18000cc062048b1df0b9ab59e9b9cd08107c5 |
| SHA512 | 36fb166d5f74cd17a79338192e67fbc1ae18cb68a9c0422513f1560d6c1b3d357e6a940a1cf5128fe4cf64dd199aa5c4bb7689d70e6887dd7fef01cc7f3d58aa |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\console.js
| MD5 | 9844f60e1179aea762ef53ec0d542fa3 |
| SHA1 | 25cb21241d80f8ed03dbdb1b3c1d6d487415acf0 |
| SHA256 | dc619581ed2a7ef130c5bc780ce0c18bff78ca27ce98a0689bf3178b2b2967a5 |
| SHA512 | d40b6f2b59bb32dde9309bc9533052559b17786afa899de5682f2f3322492fbc583323e84cc98cbdcf2f46d1b6767e71fdddd68dd9eb695c4d304de33836fed9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\updateManager.js
| MD5 | 9fc11c16a573da4dba7764fc111a50cc |
| SHA1 | 4035d7a0a8383e1b93d64fc161e3274d5f428ae3 |
| SHA256 | 5250fe36cd0617f8497a8f2da1003fbfebe97b01f26f030728a26d33a438fbd7 |
| SHA512 | 060cc213c87cb7f86809f8d533d677171f798e5a32519f0467e4ee2605319210e87b666c784d49e490326595d482fc37ca840ced537e0b4161ebef4abd99301f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\delegate.js
| MD5 | eec92acbcfa9d28b43b64aecc9e6c1ee |
| SHA1 | d4253a3cd8810d575e1100c58f088d70e063889f |
| SHA256 | 1f3b9ab2bad072151166127c9bb92405e031ad8afdfe2f9dd5ebde86ccc0236f |
| SHA512 | 62f3856a5c2c5e408e68f2f4266a86c9f49411e92190d9e865144ebcae0907a401f2ee808bc7a8cb135504997a6afc71b7f7e85ff18c68175dde88b0e1b67b93 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\consts.js
| MD5 | ef2e8bca169a0e83e6e1a1daaee07c4e |
| SHA1 | a78279e9bd75e866a18f36cafdc4e4385d88610d |
| SHA256 | 2f39c546d790606df3c1885603984d2bfc94965222b48f6eed74447552114673 |
| SHA512 | 7e86e8447570714ad1975617c159208d217132857775e465d12f9bd7902b7e65757c621841e7822db142ff045ec6a8ddd07767b92a845e3d3627e0acdf94b672 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\progressListenerObserver.js
| MD5 | 3e9a68cfaeb26b1bf7b39037a5670d38 |
| SHA1 | b6633a830be19b218af576417d0fec7ab5dff435 |
| SHA256 | 96474c2cef1c5bc83df3d8bfc19d4853968925ea981b0a5c09b160fc15b59f18 |
| SHA512 | d5b85a1df2e678e70d50ab5e7cf1e84707288b8ad80327c9eb9f65b2c803378268adf3f44a43078080092acfa26611b0dced54c754ef0bcded03fdc3fd902e17 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reports.js
| MD5 | 60fd9774d8bb9d6eac945da719e68428 |
| SHA1 | 6f04d94ad0c566f23f432d3457e8116c0f97c119 |
| SHA256 | 0c4cc49edbd5ba2c99efb98fcba81d1390f87d1c6a7a749f0bec4bbf2adf0e2a |
| SHA512 | 20b7fc3a33eaa5042370965c2540fc5041ee3d188c912608e7d6c8d0632993c51dfd2b4a53e2b4ce1f02ba7b2874e228e968780aecf4db6b6f7c71eccc5935c1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\installer.js
| MD5 | fd3f295f1c17b33d7a80103564a7f221 |
| SHA1 | 0d67ce68dd98f31c3c8c2152a23aab11b6a3fe28 |
| SHA256 | cb89a5f1f1d1bf601c8e257562287e5011cb982dab2a673658eb9c6f9065a9bb |
| SHA512 | d499507d6b98a7247739d8083048317a133e625d57c650c1993395f753c9ed95c832dc792609b9d632cad007f142021c4ff0c1882b2ccbbcee4b70ad985bad1f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\httpObserver.js
| MD5 | d84f78673765cd850eb1600fa60bfeb1 |
| SHA1 | bbf3b8f1a8c03b4733b326b9a36d02bb55902620 |
| SHA256 | dcb0ee2e8733c03f33347148eee0c60d910c0bf511c75c959b0e46eb9afcb915 |
| SHA512 | 8714f8df6b813bc4d6ed78a1cb6697f2aea3525c3c48961b7e4feee2b43a601e137899fe88804b451c3d104a9d9d405a1daf82b7a510cf8bf7f1f38c22e94af6 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\IDBWrapper.js
| MD5 | 44bd338a01fc265a1f48feb6109cffd3 |
| SHA1 | 21a16911d1a82b1ad847b7a9c94f95127eefca60 |
| SHA256 | 4c2e7321e1db1e55ac0d22934c916467d45767c85a65843b942891f983102da6 |
| SHA512 | 9039535ed0910662afb0148598e3326bc50641887e4dd8907734cf0d1093655ee3c481c0d2f7a5581e5846cac804e1c10c33b896f78895c858076b2c605569c5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\requestObject.js
| MD5 | 58bb6d11d1eaf46767cc60de67cd9454 |
| SHA1 | d7c575929c2d14b8cc155879069fab443c44eb3a |
| SHA256 | 4b5d3e7c0a686c55dfdf2348533a6aa8ac2a768bad01673bbee717a92dce44b1 |
| SHA512 | 41d1262f1b515f6990ba0ac41d446230d49873ecd90df6d14d6ecbf767a5aa923d2ee9405ef9cf0c96a9c323a1da125d84fb7c26bb1a19a02a8b05a01e725be3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\uninstallObserver.js
| MD5 | 1f7e4557cc0450b1b59f088534a972a9 |
| SHA1 | 09ddb030e2634dc6cb6dc8bb99b035e35fb20dbd |
| SHA256 | 430d1975bfbdc7f878e442a0c8f9cf9d0a3a1c3a5752b5b13e226e11b2ba6aec |
| SHA512 | 078ec9639458bec7b7de1c399693b9004d9e6eb354dc130c65aa8cd2c3e78325f44388024c931e8135c90e92a3f82641ef8d2bd3f45c1beff75147377bcabafb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\utils.js
| MD5 | 7f67b1f11066759f19de77335aa9e162 |
| SHA1 | 5c689fbf820dded68beb78a0695569ea6b7a9e5d |
| SHA256 | 89e7e4c46c456bf2464a0997d864baa564da84eaf59306b153c38e08d643a00d |
| SHA512 | 7460af03a7360682481a8673a13cd675d88a52a5d565d8a84e379015b3355ef5e7e94e75c53047a7f3993478014aef457e85b6cba606b6af41ed3f7a434e676d |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\request.js
| MD5 | 7188f8b638a00a897acf7d6db9381c8b |
| SHA1 | 8394559d7791715741cf8f1dadebe7b7ad15132b |
| SHA256 | 306b1301a4f737d7a7995168a969bc730f26857a39949fcd4899d1dd0a6a3f9d |
| SHA512 | dd950176cbe599602b660b767c1a85fac866b00d5b025886efc01d3e488e7b4e5392da3ac4b73956d753c102ac297373e0834022ffa06f0bfad07c78c6c833cf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\message.js
| MD5 | 8a07017e0756e912aa9fe2fa7f722456 |
| SHA1 | ecd41edeea92e2e00f2b518afb1410bce30792bb |
| SHA256 | 1501c3e6e1b668a191ace44009710e603d9f036e3d4dc405654162f65674a953 |
| SHA512 | 4e3ec3e61114b67a3c42c968c1a88afbb0b5d1119f98140991147e644463e7226cb2d7db17bdd6980ca206f6ee559e2fe775a009ec93f29fdcd1b9955b713123 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxNotifications.js
| MD5 | 2cbb07727f1ad5480752694ba113854a |
| SHA1 | 19c82a1dfcd0e7a8bc442ce22ef268d699b9e674 |
| SHA256 | db1a27b86d4a1848cc0e8c5f1887ece15ebab250bcb025d1e0aa2d3c029d9b40 |
| SHA512 | 9ad1b14c3febc6c74474680c7b6c02d8294f7f996940d4ca0d448cabcf2fe7f15249aae5fc67184c49d4a82bc236690f85403746932ca6df4e93197f209f1291 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxOmnibox.js
| MD5 | aee13ba60482e203c4bfc871339b624d |
| SHA1 | a8c42a0844cdc5f5cd7ec7ac033c7fcd24ca96ba |
| SHA256 | cb043a814632118b25b305ca6cb0abffa1e10a502df054f2a17554bedc299913 |
| SHA512 | 06b3938eaf16459456704e8edc12171786954f707fe166820ca4fffa35c9e8724c82dcbdb88a5f0b24d842df40c041d6acec7ca10f4e85fe5d83b59132dae544 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dbManager.js
| MD5 | 780b66c8196bd869af8eac63d695d9c9 |
| SHA1 | c02d465ce06fdc40e8adba0e463fa3b609fdf56a |
| SHA256 | aa61b53209da3e4ac51c69326d7d31168cd14e34808d8c71784e804aa970e486 |
| SHA512 | 54b8e3adff18652cdcd84a5759125d061e50a0f074ceac89a31085bb31096308244824e24980330b5c9d0f68c52a95eb85b3bb2ac36e3e5645bf2e3fcce71b70 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\background.js
| MD5 | bad0c2449513ec4ed9ca13eb55591aa8 |
| SHA1 | e260a391e5dc7913ab3b81fe8da607ee43fe45df |
| SHA256 | e5be4a0d2f826fc13592de1befcab2b639ba169b3c74069f604dd16739d20779 |
| SHA512 | a545d32c4ea9313a30bca7c773f8c9bca640d98cf73fe1487c248ccf79d0cd916b122a0d71e5699343692cbcd3c326f10a0708a7263e794d720023d2c4e5c0eb |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\webRequest.js
| MD5 | e8a80e409e40199e3309e5d37dfcfeaf |
| SHA1 | b74ce420ab51a7af5901cc2f17b3ba19ff2b847d |
| SHA256 | 8e82ea7cc89b91e80b5bd904ae3efbc34daac4374f1c6089fa25ea9ec2ece2a9 |
| SHA512 | 4e7ea24f342197675e1d1cebc61c16aa3173bda6e96d616d97f8978b180d601294c1c82f845209b1f5b3ce07dc71c1e75c042fa476415960cbc8b7017e6bb316 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefox.js
| MD5 | a1cd4406d7577807a698aa3995046192 |
| SHA1 | 7dc6d8b6718d8e3042f9b959939eb6d1caaa4b57 |
| SHA256 | 5609ed9fa249166c8dafe7eda048c86486574445244d2dc509fb617b87b5d7f7 |
| SHA512 | 9421c2310562ad6f9026d7f710ebcfc4957022219e972db3424b5f926a7a5d5e85b8cc5d0ba47c0214d2514f90f31b32ed77f887b8279fd5e90b74ffc341768c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\fileManager.js
| MD5 | 81b4df8409320d739e70e9d4cc4c62f7 |
| SHA1 | 7f5e03ed6d5d66fb9a0d052761731d302df21eca |
| SHA256 | 7817b095e2386aa2aeafd5a7c3b0b974efaab2c71f0b3833ad344ff6c80d1e08 |
| SHA512 | c0839504db12cc2dafcc127cb0d25e29f1393c3d7b7ef6a74d0e5ea9656b9894cb7e7cd8c244eca2fa00b1df414bfd0638c22d37cb1049ed51e905a966417720 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\contextMenu.js
| MD5 | ce25d7dd7d7e34dc5b92d25861cc2947 |
| SHA1 | 6f459ce6d14b57ff1f9b5f9271a29a7dab59f880 |
| SHA256 | d8a5816494dbfc96b41c00913f4d61c30ebafd454b5d7107d3a876a2dd1dffe5 |
| SHA512 | cb0f3b6c24da47fb8458726db4341973e3f6ea5f738988b4c084493605662a0de330304f3369db0454a48ba28e9381de5be2a23e3f70508b19dff61fa9f81d7a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\asyncDB.js
| MD5 | e377ef2d419e60d15b422da1295201fe |
| SHA1 | 92a1fea50dbb2853c5ebd95a039a5fe9ffae8c02 |
| SHA256 | 3277002ef6bf5cce6c956dc6e0638c6091351b723023bb63416e60a034c1fe17 |
| SHA512 | cdca13250f0658cb17d217d8b898ed41ef256b8829c1e572ea2b966e6d5c23ef122274c192147e3387b4503a4230543eed4dc34a30fd14dbdb6d93b745b88626 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\browserAction.js
| MD5 | 60c4db63eb127e64d24f7e9f37e43efb |
| SHA1 | dc799abfd6c2538d0b37e85936e9b80bac02badd |
| SHA256 | c11736a73ed063efe51c0fe49d236bdf7d3972ede001763749ed060b1b028581 |
| SHA512 | 0dc9a6349d4bdbb533b4018ad768ba26051477f50a7f47d3ddf0b921bb05176d4133a2ddac2f1013df468f130aeb27b950fba9e6a8367ce206d8e8c8f67bc0e1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dom_bg.js
| MD5 | de002d9604f09b376b85159f289b75a3 |
| SHA1 | 5c6c4ad17b914118f387863ee5982aa52ac34c09 |
| SHA256 | 0e095eb0e16c343ac812721b182bea66498fca55ecd899ab5eabf9e0afb792ce |
| SHA512 | a29071d597111b9e7335e5dacbaa19715950fe03072eebdbc15bcdd2021958d30522e4af00fa711059d0337f4af4c4913664ecf266177607228138c4cc2157dd |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\tabs.js
| MD5 | 7d8a2c2c54f33325eb30368eba7564df |
| SHA1 | 72e5449067e0c85242cb28c8069cabd547908d50 |
| SHA256 | 34989f3c20224496c68d06621e67628d3ab4dd5d558175593710c395369121ed |
| SHA512 | 22ff2058cbd8d2eba7ab56f6990ff9184932cd4aea29431a971d5e947758a69438d041b1cf19b5fa1942e83b14c6df54e625d3c69a03149dab40ee407134fc91 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\popup.html
| MD5 | cbdf4e688981915b95a3741d0c9d5fe5 |
| SHA1 | e4f188d057f04638443eab966002e7feb63bf61a |
| SHA256 | af11066b4ff2a7d851cf85d97b655557240303c89b1615ca0ad753926af3602c |
| SHA512 | 9f83da8364e3722ff64c6feda4bd7acea4bebacce479c01e7be7ac59298c0907a3a6041c8724f40e8fdbd1056cb80e1450676eff581b1227b22a4747083ec451 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\update.css
| MD5 | 36ab40a4b899472d25a3c872a7f9ad4d |
| SHA1 | c29870d67d954de9c5c32783ce28cf7f77d13ec1 |
| SHA256 | 4f0795bbc78e195bd977cf489c05543ac86bd10f95fbb83a5db11b17c7d7f664 |
| SHA512 | 9626a7a269acebdbcacd31f4d5e4f70e57873cbd8eb4e835b2d4b52c863fecf6a27f474124b508a0fed8614bc6e3165be38b0930c7a96326afbb23343cca514a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\skin.css
| MD5 | 4bd957ddde2bb2e537060afcf55f1f72 |
| SHA1 | d0d4cb8fd259bde8e297fb68326c6a4a1bd6ce4c |
| SHA256 | f3fee308a875a4d7cca4cea16ce548dd652df2f10ea8dd2d1aa11c2ecdef4b0f |
| SHA512 | cd103bb1b7f1ccb2a483d8c974150d5b32676616d325564615da1e09b024e821a0df4a1e815f8b7dc7a6fd0eb1e70156bb186bd452040070036f96958e869d92 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\panelarrow-up.png
| MD5 | 752c26453dc2fc989ed46f5920328edb |
| SHA1 | a064ccc009ee36c20dd5a8aeeab1a335bf82bda2 |
| SHA256 | 758210b28ee3298facef83c81272ef4121f337392ef5bdd44e47222ec4966beb |
| SHA512 | b0c3c58ca36e7dfa9988bd68a0432b01db020420e3406653ae8521cded576ebedb9169df93f1a9dc461831a52c0297854fdd23554aca551d246de01d17db80d1 |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | e2236f4df18b245c4428767eb7001bd8 |
| SHA1 | d091f299951ca8ade7bf03ae84ca3ca1ab2307b2 |
| SHA256 | 3d98372fbac56338b06f24aeac4f52cbbcc4977d2f7d86adfb92cfc1a9d5607e |
| SHA512 | 8ba872180043d2596328cad3c9eb7681d184a6574ce6fa8c7baef346ad9098a0b8d13b20a6df212fa2590caa750cf71cec99e4dfd62984fc3396d56a29c9aa84 |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | c1d9bb540a5cf2b8e335311c247bff92 |
| SHA1 | ac2dc11f16ec71ffbeee862afd72a41787e6980d |
| SHA256 | 3a55b9b3d0226e810e33dea581f40cd634580bffc6edc591e67df7153851296a |
| SHA512 | d623827fe626447745be95e16599a6b6d8ed8862ae30c80226f9434c5f3293f3422f0fb260f417519a50514f97334bf25a84ed51ab9e43f76faa12556e8d36af |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | 6aeaaedda1949deb7c40b09ddfd7ed09 |
| SHA1 | f3d35bd0edb197845b96cfda824c96cf77e79a7f |
| SHA256 | 31804e16546b6b9d914698c6c5cb4bea0c0a8ba27bcd085abd5a83119f23f0bc |
| SHA512 | 24b3ac81b4634c5e81fb6ab28e727d2b99220cc67c5ba84bfd486f4276a10dfc57335a6cd929f513134d04023beac4afe9c152c2f2d2226eab733a54ee558d17 |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | c0228d656c703062404bb811a2358892 |
| SHA1 | fa32581dfd2ffb9386c8bed36bbca46363d5c996 |
| SHA256 | d39b7e365de13379ca4dd4f2bcb0f83b4d85c383912cdcdc7fda23ae1b083ea2 |
| SHA512 | 3f5b07348e5268e1504b394b9c5aeb6aaea6d3c774b3550d170c341fb05f41ce990e973b1f6955175f021335acf540bc813804cd35735fda332b967aae91118f |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | 96217006f4ed6618c41c27ddc4410a91 |
| SHA1 | 391cf6d7bd90476855736cb1cc22d857c56e2e0b |
| SHA256 | 9983f6e68b7243a97b90ff21e64c30bf28831e7dbfbd1ee5afde4f806a74448f |
| SHA512 | fecd7ceb050c98db247a238c519d28ba42fc62db98b25b30c80b97db153a9ff638bcdd4a1dec71addb8b78cd8250972639e935662c27edf0e8f84f6af2c10938 |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | 062e75c38b5a59b16287e1ee8685cd44 |
| SHA1 | 3da718a9ae0058642d6b8e3da6e86dd9a527ddc5 |
| SHA256 | b7ac77b1c6bba01fcca0790ccc77196ed7ab013c95613c40b302055d96693f6e |
| SHA512 | 52dcb232a7658c2ada16d5ead10d28f0c489b8c21284f84b1ed3833f2bd5c6d7be59ec37d7c479bf04d70c86fe369278c3b4ba5bdf7d577cecdf0e4c487f6154 |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | 8b017e3910261cb0c9d914a6abac5382 |
| SHA1 | 5e4400946760495478a72bd89bba9e88b37af589 |
| SHA256 | 05e97c8a5777931dbd1a14b3e08c7aab07e4c285b87efa1dae8bce0c4092dbf0 |
| SHA512 | 2014033ec17b776583f7c760b58d669763bdb89919657a7fc0240059dcda93f36ef5029379ce1a78dacc15f8a893294f2a06d7341fc4647b4e8736f53f5e096e |
C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp
| MD5 | db6aedf26ae4c857fc7580611882669a |
| SHA1 | fa53a2e301e3bf024159c99e40c8d72e86bc68b9 |
| SHA256 | 043263a827d1399a6a67c283c2dae406a399f7e976a95c897b20a5d70cefcd06 |
| SHA512 | 3872d09b4082cb284875ae318dd2d7fc87d074ea21dceef5fdb7165f47bf4fb67223ff20fcb344a483d624d2198ef189f8916bb42ed64a2643c877a22d7727a6 |
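The dropped-file table above is, in practice, an IOC list: one extension directory with a fixed ID under the Firefox profile, and a SHA256 per file inside it. The script below is an added example, not part of this report or of the sandbox that produced it. It sweeps every Firefox profile under a given AppData\Roaming directory for that extension ID and for any file whose SHA256 matches a hash from the table (only four hashes are copied into KNOWN_SHA256 here; extend it from the rows above). Matching on hash rather than path also catches the same files re-dropped under a different extension ID or file name. Because the real dropped files are not available here, demo() builds a constructed profile tree in a temporary directory with placeholder content and adds that content's hash at run time; everything else is the sweep logic a responder would run against a live machine.

```python
import hashlib
import tempfile
from pathlib import Path

# Extension directory name, copied from the dropped-file paths in the report.
EXT_ID = "05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com"

# SHA256 -> relative path, copied from four rows of the report's file table.
# Extend this dict from the remaining rows when using it for a real sweep.
KNOWN_SHA256 = {
    "d0ef8d510db101253558497c1ebb21410da1f44653d59362cca22e55b5025172": "chrome/content/browser.xul",
    "12bdfbb75c0b57ed66756b12d52a8538ca83eae7f5c5c3574af3f24a0d38a78d": "chrome/content/options.js",
    "dcb0ee2e8733c03f33347148eee0c60d910c0bf511c75c959b0e46eb9afcb915": "chrome/content/core/httpObserver.js",
    "8e82ea7cc89b91e80b5bd904ae3efbc34daac4374f1c6089fa25ea9ec2ece2a9": "chrome/content/api/webRequest.js",
}


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA256 so large profile files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def firefox_profile_dirs(roaming):
    """Yield each profile directory below <roaming>/Mozilla/Firefox/Profiles (Windows layout)."""
    base = Path(roaming) / "Mozilla" / "Firefox" / "Profiles"
    if base.is_dir():
        yield from (p for p in base.iterdir() if p.is_dir())


def sweep_profile(profile, known=KNOWN_SHA256, ext_id=EXT_ID):
    """Return findings for one profile: the known extension directory, plus any
    file under extensions/ whose SHA256 is in the known set (name-independent)."""
    findings = []
    ext_root = Path(profile) / "extensions"
    if (ext_root / ext_id).exists():
        findings.append(("extension_dir", str(ext_root / ext_id)))
    if ext_root.is_dir():
        for p in ext_root.rglob("*"):
            if p.is_file():
                digest = sha256_of(p)
                if digest in known:
                    findings.append(("hash_match", str(p), known[digest]))
    return findings


def sweep(roaming, known=KNOWN_SHA256):
    """Map each profile path to its findings; an empty list means the profile is clean."""
    return {str(prof): sweep_profile(prof, known) for prof in firefox_profile_dirs(roaming)}


def demo():
    """Constructed self-test (assumption: placeholder bytes stand in for the real dropped file).
    Builds a fake profile tree in a temp dir, registers the placeholder's hash, and sweeps it."""
    content = b"// constructed placeholder, not the real dropped file\n"
    with tempfile.TemporaryDirectory() as tmp:
        prof = Path(tmp) / "Mozilla" / "Firefox" / "Profiles" / "abcd1234.default-release"
        core = prof / "extensions" / EXT_ID / "chrome" / "content" / "core"
        core.mkdir(parents=True)
        (core / "httpObserver.js").write_bytes(content)
        # Same bytes under another extension ID and file name: found by hash, not by path.
        other = prof / "extensions" / "other@example.com"
        other.mkdir(parents=True)
        (other / "renamed.js").write_bytes(content)
        known = dict(KNOWN_SHA256)
        known[hashlib.sha256(content).hexdigest()] = "chrome/content/core/httpObserver.js"
        results = sweep(tmp, known)
        return next(iter(results.values()))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call sweep() with the user's AppData\Roaming path (and repeat per user profile on the machine); the extension_dir hit alone is sufficient to confirm this dropper ran, while hash_match hits show whether the same payload files were planted elsewhere.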
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2340 wrote to memory of 4776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2340 wrote to memory of 4776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2340 wrote to memory of 4776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4776 -ip 4776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:34
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4032 wrote to memory of 3808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4032 wrote to memory of 3808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4032 wrote to memory of 3808 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3808 -ip 3808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
Files
memory/3808-0-0x0000000075680000-0x000000007568A000-memory.dmp
memory/3808-2-0x0000000075680000-0x000000007568A000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:35
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 400 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 400 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 400 wrote to memory of 548 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 612
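behavioral8, behavioral12 and behavioral20 are the sandbox detonating individual dropped NSIS plugin DLLs (System.dll, nsJSON.dll) on their own, and the same chain appears each time: the 64-bit rundll32.exe in system32 is given the DLL from %TEMP%\$PLUGINSDIR at export ordinal #1, writes into and re-launches the 32-bit copy in SysWOW64 with the identical command line, and WerFault then reports the 32-bit instance (the PID after -p) crashing. An NSIS plugin export expects the installer's stack and variable pointers as arguments, so calling it through rundll32 typically dereferences garbage; the "Program crash" signature in these three runs therefore says little about the DLL beyond that it was run out of context. The Network rows in these runs are reverse-DNS lookups via 8.8.8.8 and TLS sessions to tse1.mm.bing.net with no process attributed; nothing on the page ties them to the rundll32 chain. The Python below is an added example, not from this report or the sandbox: it encodes those observations as three checks over a constructed process list built from the behavioral20 rows (PIDs 400 and 548 as given; the page gives no PIDs for the two WerFault instances, so 9001 and 9002 are assumed) plus a benign rundll32 control line that must not fire.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the behavioral20 process list and its WriteProcessMemory rows
# (PID 400 wrote to 548). WerFault PIDs 9001/9002 are assumed; the report omits them.
SAMPLE = [
    Proc(400, None, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    Proc(548, 400, r"C:\Windows\SysWOW64\rundll32.exe",
         r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    Proc(9001, None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548"),
    Proc(9002, None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 612"),
    # Benign control (constructed): rundll32 loading a System32 DLL must not fire.
    Proc(700, None, r"C:\Windows\System32\rundll32.exe",
         r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# A DLL path under the NSIS plugin scratch folder, e.g. ...\Temp\$PLUGINSDIR\System.dll
PLUGINSDIR_DLL = re.compile(r"\\AppData\\Local\\Temp\\\$PLUGINSDIR\\[^\s,]+\.dll", re.IGNORECASE)
# WerFault's "-p <pid>" switch (not "-pss"), naming the faulting process.
WERFAULT_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def pluginsdir_loads(procs):
    """PIDs of rundll32 instances whose command line loads a DLL from $PLUGINSDIR."""
    return [p.pid for p in procs
            if _base(p.image) == "rundll32.exe" and PLUGINSDIR_DLL.search(p.cmdline)]


def wow64_relaunches(procs):
    """(parent, child) pairs where the system32 rundll32 re-launched the SysWOW64
    copy with the same command line, i.e. a 64-bit host handing a 32-bit DLL down."""
    by_pid = {p.pid: p for p in procs}
    pairs = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if (parent is not None
                and _base(parent.image) == "rundll32.exe" and _base(p.image) == "rundll32.exe"
                and "\\system32\\" in parent.image.lower()
                and "\\syswow64\\" in p.image.lower()
                and parent.cmdline == p.cmdline):
            pairs.append((parent.pid, p.pid))
    return pairs


def crashed_pids(procs):
    """PIDs named by WerFault's -p switch: the processes that faulted during the run."""
    out = set()
    for p in procs:
        if _base(p.image) == "werfault.exe":
            m = WERFAULT_TARGET.search(p.cmdline)
            if m:
                out.add(int(m.group(1)))
    return out


def triage(procs):
    """Join the three checks: which $PLUGINSDIR loaders crashed and which survived."""
    loaders = pluginsdir_loads(procs)
    crashed = crashed_pids(procs)
    return {
        "pluginsdir_loaders": loaders,
        "wow64_relaunches": wow64_relaunches(procs),
        "crashed_loaders": sorted(set(loaders) & crashed),
        "surviving_loaders": sorted(set(loaders) - crashed),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The same three functions apply to a Sysmon event 1 export (ProcessId, ParentProcessId, Image, CommandLine) once mapped into Proc; a surviving_loaders entry, rather than a crash, is the case worth a closer look, since it means the plugin DLL ran to completion outside its installer.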
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |